A system uses a multi-level encryption and tokenization mechanism to allow for fields of a larger object to be individually tokenized and encrypted. Protected data is encrypted using an encryption key and a generated token is displayed in its place. The encryption key is then encrypted using a secondary key. To dereference a token, a requesting application provides the token and associated context to a token service, which searches a token store for a record having both the token and the context. If such a record is located, the token service generates a secondary key and decrypts the encryption key. The decrypted encryption key then decrypts the protected data and transmits the data to the requesting application.

A data processing method and apparatus, where the method includes acquiring a first network data packet that is sent by a target application that runs in an untrusted execution domain, where the first network data packet includes a first identifier; acquiring, in a trusted execution domain, first data corresponding to the first identifier; generating, in the trusted execution domain, a second network data packet according to the first data and the first network data packet; performing, in the trusted execution domain, encryption on the second network data packet by using a first session key to acquire an encrypted second network data packet; and sending the encrypted second network data packet to the target server. The data processing method and apparatus in the embodiments of the present invention can effectively prevent an attacker from stealing data.

According to one embodiment, a broadcast request is received from a host that hosts an application that initiated a broadcast message to be broadcast to one or more DP accelerators of a plurality of DP accelerators coupled to the host, where the broadcast request includes one or more DP accelerator identifiers (IDs) identifying the one or more DP accelerators. A broadcast session key for a broadcast communication session to broadcast the broadcast message is received from the host. For each of the one or more DP accelerator IDs, a public key of a security key pair corresponding to the DP accelerator ID is identified. The broadcast message is encrypted using the broadcast session key. The broadcast session key is encrypted using the public key. The encrypted broadcast message and the encrypted broadcast session key are transmitted to a DP accelerator identified by the DP accelerator ID.

A computer in an untrusted cloud network functions as a cloud-based enterprise application store via which a client computer (client) establishes a connection to an enterprise application in a trusted enterprise network. User authentications are performed in both a login phase and subsequent application launch phase, each authentication receiving from the client and transmitting to the enterprise network an encrypted password and encrypted key, the encrypted password being a user password encrypted under a first one-use symmetric key, the encrypted key being the first symmetric key encrypted under a public key of a private/public key pair of the enterprise network. The enterprise network decrypts the encrypted key and encrypted password to obtain the user password for authenticating the user. The launch-phase authentication includes use of a login ticket including a second one-use symmetric key under which the user password is encrypted and stored in encrypted form in the enterprise network.

A system and method for securely encrypting and booting a headless appliance. A computerized method is disclosed that includes: providing the network appliance with content encrypted with a secret key; launching the network appliance in a fallback configuration that provides limited operational capabilities; forwarding a request for the secret key to an online service that independently utilizes an identity provider to establish trust with an appliance administrator; receiving the secret key from the online service upon establishment of trust with the appliance administrator; decrypting the content with the secret key received from the online service; and utilizing the content to launch the network appliance in a full configuration.

One example method includes logging into websites through devices including insecure devices. A logon device may store credentials. The logon device is configured to connect with an insecure device and then communicate with a website for authentication purposes without exposing a user's credentials to the insecure device. After the user is authenticated, the session is transferred to the insecure device.

Embodiments are directed to managing cryptographic keys in a multi-tenant cloud based system. Embodiments receive from a client a request for a wrapped data encryption key (“DEK”). Embodiments generate a random key and fetch encryption context that corresponds to the client. Embodiments generate the wrapped DEK including the random key and the encryption context encoded in the wrapped DEK. Embodiments then return the wrapped DEK to the client.

A method including receiving, at a first computing system from a second computing system, a first key and encrypted online interaction data, receiving, at the first computing system from a third computing system, a second key and encrypted offline action data encoding data indicating one or more offline actions, receiving, at the first computing system from the third computing system, executable code comprising a third key, and executing, by the first computing system, the executable code. The executable code causing the first computing system to decrypt the encrypted online interaction data and the encrypted offline action data using the first key, the second key, and the third key, correlate one or more of the offline actions in the offline action data to one or more online interactions in the online interaction data, and generate aggregate data indicating a number of offline actions correlated to the online interactions.

Embodiments of the present invention provide systems and techniques for changing cryptographic keys in high-frequency transaction environments to mitigate service disruptions or loss of transactions associated with key maintenance. In various embodiments, a server device can employ a working key encrypted with a first master key to decrypt messages being communicated from a client device, whereby each message is encrypted with a first cryptogram that was generated based on the working key encrypted with the first master key. While the working key encrypted with the first master key is being employed, the server device can generate a notification including a second cryptogram generated based on the working key encrypted with a second master key for transmission to the client device. The transmitted notification can cause the client device to encrypt the messages being communicated with the second cryptogram. The server device can concurrently employ the working key encrypted with one of the first and second master keys to decrypt messages received from the client device, whether encrypted with the first cryptogram or the second cryptogram.

Systems and methods are described for establishing trust between two devices for secure peer-to-peer communication. In an example, a first and a second device can each possess a digital signature issued by the same certificate authority and a hash function issued by the same trusted entity. The devices can exchange public keys that include their respective digital signatures. The second device can verify the first device's digital signature, encrypt an encryption key with the second device's public key, hash the encryption key using its hash function, and encrypt the hash using its private key. The second device can send the encrypted hash and encryption key to the first device. The first device can verify the second device's digital signature, decrypt the encryption key, and decrypt the encrypted hash. The first device can hash the encryption key using its hashing function and compare the two hashes to verify the second device.