Patent classifications
H04L2463/062
NETWORK BASED MEDIA PROCESSING SECURITY
According to an example aspect of the present invention, there is provided a method, comprising receiving from a source entity a workflow description for network based media processing (200), determining encryption requirements on the basis of an encryption descriptor in the workflow description, the encryption descriptor comprising information indicative of one or more encryption methods and at least one prioritized encryption method (210), and selecting, on the basis of the encryption descriptor, an encryption method for protecting data for at least one task of a media processing workflow generated on the basis of the workflow description (220).
Method for combining different partial data
A method for combining different partial data includes providing a secure connection between a connection unit in a first network and an analysis unit in a second network, separating original data into at least two items of partial data comprised of analysis data and personal data as first and second partial data that can be assigned to each other by way of assigning information, pseudonymizing the second partial data, transmitting the first partial data and pseudonymized second partial data and the assigning information to the analysis unit, storing the second partial data on the connection unit, providing third partial data on the analysis unit in the form of analyzed first partial data, transmitting the third partial data and the pseudonymized second partial data with the assigning information to the connection unit via the secure connection, and combining the third partial data and the second partial data using the assigning information.
Secured pairing of video capture device and mobile device
To allow secure communications between a video capturing device and mobile devices, an association process includes providing a unique pattern, such as a QR code, to the mobile device in proximity to the video capturing device. The unique pattern is used by the mobile device to request pairing with the client device, either directly or via a cloud-based system. The QR code includes an identifier or “shared secret” that allows the client device to verify the pairing request originates from the mobile device in close proximity. The association process may also involve cryptographic keys to further secure communications and may also involve a process to retrieve a mobile app without additional user intervention. Once the devices are associated, they can communicate directly using wireless communications, such as cellular or WiFi, and transfer video data and other data automatically.
Synchronizable hardware security module
An HSM cluster includes a set of hardware security modules that maintain a set of cryptographic keys that are synchronized across the HSM cluster. Individual applications running on client computer systems access the HSM cluster using HSM cluster clients running on the client computer systems. The HSMs are accessed via a set of HSM cluster servers that monitor the synchronization of the cryptographic keys. Synchronization of the HSMs is maintained by the HSM cluster clients. The HSM cluster clients replicate key-addition and key-deletion operations across the HSM cluster. When a new key is created by a particular HSM, a prefix associated with the particular HSM is added to the identifier associated with the new key to avoid key-namespace collisions. If the set of cryptographic keys becomes unsynchronized across the HSM cluster, applications may continue read-only cryptographic operations while the HSM cluster is resynchronized by the HSM cluster clients.
Cryptography system and method
A cryptography system for the protection of data in transit using a post-quantum encryption key management system that eliminates the need for PKI or other asymmetric key management systems used in today's solutions, while allowing encryption of data in transit with no hands-on management including configuration of routers, switches, etc. The present system includes a multi-factor post-quantum key management mechanism that strengthens existing symmetric encryption systems and industry standard key generators on existing hardware through the post-quantum age.
Secure application deployment
A computing system includes persistent storage configured to store a plurality of software applications and a distribution application configured to perform operations. The operations include obtaining a first cryptographic key of a pair of asymmetric cryptographic keys, where a second cryptographic key of the pair is stored by an on-premises computational instance, obtaining a selection of a software application from the plurality of software applications for installation, and obtaining an identifier associated with the on-premises computational instance. The operations additionally include encrypting the software application by way of a symmetric encryption algorithm and using a third cryptographic key, and encrypting the third cryptographic key by way of an asymmetric encryption algorithm and using the first cryptographic key. The operations further include generating an installation file that includes the software application as encrypted, the third cryptographic key as encrypted, and a representation of the identifier.
Method and apparatus for secure token generation
Methods and apparatuses are described herein for improved communications between a service and end devices via a gateway. A token may be in a signed encrypted state when sent to untrusted devices and may be signed, but not encrypted, when used by trusted devices. Untrusted devices may receive the encrypted token and may use it to access services. An untrusted device may send the received encrypted token to the gateway, which may then send the token to its issuer so that the token issuer may decrypt the data payload. The token may then be sent back to the gateway, which may then read the decrypted data and verify whether the untrusted device is permitted to access the requested service. The gateway may then send, within the trusted domain, the request and token to the service provider so that the untrusted device can obtain access to the requested service.
COMPUTER SYSTEM, DEVICE, AND METHOD FOR SECURING SENSITIVE DATA IN THE CLOUD
Systems, devices, and methods for securing sensitive data in the cloud are provided. The system includes a cloud server including a cloud service and a client device communicatively connected to the cloud server. The client device executes a client user interface (“UI”) module configured to: upon a first login of the first user to the cloud service, generate an asymmetric keypair including a public key and a private key, store the private key in a local storage on the client device, and send the public key to the cloud server; and, in response to a user command to upload case data to the cloud service, generate a symmetric case key, encrypt sensitive data of the case data using the symmetric case key, encrypt the symmetric case key using the public key, and send the case data, the encrypted sensitive data, and the encrypted symmetric case key to the cloud server.
System for providing a user device access to resource or data and a method thereof
A system (100) for providing a user device (102) access to a resource or data is disclosed. The system (100) comprises: the user device (102) comprising: a light detector (104) configured to detect light (130) emitted by a light source (122), which light (130) comprises an embedded code comprising a light source identifier of the light source (122), a communication unit (108) configured to communicate with a network device (112), a processor (106) configured to retrieve the light source identifier from the light (130), and to communicate the light source identifier to the network device (112). The system (100) further comprises the network device (112), comprising: a receiver (114) configured to receive the light source identifier from the user device (102), and a controller (116) configured to identify the light source (122) based on the light source identifier, to encrypt an access key or data with a public key corresponding to a private key, and to control the light source (122) such that the light (130) comprises an updated embedded code comprising the encrypted access key or the encrypted data. The processor (106) of the user device (102) is further configured to retrieve the encrypted access key or the encrypted data from the updated embedded code comprised in the light (130), and to decrypt the encrypted access key or the encrypted data with the private key, and access the resource with the decrypted access key or retrieve the decrypted data.
Communication terminal, server apparatus, and program
A communication terminal which is capable of reducing the load on a server apparatus by reutilizing a message key to be used for encrypting a message is provided. The communication terminal includes a session key storage part which stores a session key which is shared with another communication terminal and which is not shared with the server apparatus, a message key generating part which generates a message key, a message key storage part which stores the message key to be reutilized in association with a message key identifier, a message encrypting part which generates a message encrypted text based on a common key cryptosystem using the message and the message key, a message key encrypting part which generates a message key encrypted text based on a common key cryptosystem which can perform re-encryption using the session key and the message key, and an encrypted text transmitting part which transmits a group identifier which is an identifier of a group to which the terminal itself belongs, the message key encrypted text or the message key identifier, and the message encrypted text to the server apparatus.