The present document describes systems and methods that provide an envelope including an encrypted message and a data encryption key reference. A message is encrypted with a data encryption key to produce an encrypted message. The data encryption key is further encrypted using a key encrypting key to produce an encrypted data encryption key. An envelope includes the encrypted message and the data encryption key reference is then provided to a recipient.

One example method includes logging into websites through devices including insecure devices. A logon device may store credentials. The logon device is configured to connect with an insecure device and then communicate with a website for authentication purposes without exposing a user's credentials to the insecure device. After the user is authenticated, the session is transferred to the insecure device.

A method including determining, by a device, an assigned key pair including an assigned public key and an assigned private key; determining, by the device for a group associated with a folder, a group access key pair including a group access public key and a group access private key; encrypting, by the device, the group access private key by utilizing the assigned public key; and accessing, by the device, the folder based at least in part on decrypting the group access private key. Various other aspects are contemplated.

Techniques are described for securely updating a point-of-sale (POS) system that includes a merchant-facing device and a buyer-facing device. For instance, the merchant-facing device may execute first software that provides first POS functionality and the buyer-facing device may execute second software that provides second POS functionality. To update both devices, the merchant-facing device may receive a software update from a payment service via a network connection, and update the first software using the software update. The merchant-facing device can then cause, via a physical connection, the buyer-facing device to reboot in an update mode and send the software update to the buyer-facing device. In response, the buyer-facing device can update the second software using the software update and then reboot in a payments mode. In some instances, the buyer-facing device can then update a secure enclave on the buyer-facing device using the software update.

One disclosed example involves a client device joining a videoconferencing meeting in which there is end-to-end encryption, where the end-to-end encryption is implemented by the client devices participating in the meting using a meeting key provided by the meeting host. Thereafter, the client device receives a public key of an asymmetric key pair corresponding to the host of the meeting, where the public key is different from the meeting key. The client device then generates a security code based on the public key and output the security code on a display device. The security code can be compared to another security code generated by another client device participating in the meeting to verify if the meeting is secure. The client device may also receive encrypted videoconferencing data, decrypt it using the meeting key, and output the decrypted videoconferencing data on the display device.

A system and a method for accessing data in a secure manner are provided, in which the data comprises a number of data sets and each of the data sets is assigned to a user. The data sets are stored in a database in an encrypted manner, and are decryptable by means of a first decryption key assigned to the particular entity. The first decryption keys are stored in a volatile memory unit, and each of the first decryption keys are encrypted separately using a first and at least a second encryption key assigned to the particular entity, and the encrypted first decryption keys are stored in a permanent memory unit. After the volatile memory unit is erased, the encrypted first decryption keys are copied from the permanent memory unit into the volatile memory unit, and the encrypted first decryption keys are decrypted in the volatile memory unit.

Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, that protect analytics for resources of a publisher from traffic directed to such resources by malicious entities. An analytics server receives a first message that includes an encrypted token and analytics data for a publisher-provided resource. The token includes a portion of the analytics data and a trust score indicating a likelihood that activity on the resource is attributed to a human (rather than an automated process). The analytics server decrypts the token. The analytics server determines a trustworthiness measure for the analytics data included in the first message based on the trust score (in the decrypted token) and a comparison of the analytics data in the first message and the portion of the analytics data (in the decrypted token). Based on the measure of trustworthiness, the analytics server performs analytics operations using the analytics data.

Techniques are disclosed relating to generating authentication information independent of user input. In some embodiments, an authentication application repeatedly performs operations to authenticate a client application to one or more hosts of a server system during an automated tasks. In some such embodiments, an instance of the operations includes receiving, from the client application, a request to generate authentication information. In response to the request, the authentication application may retrieve authentication data for the user and, independent of user input, generate an item of authentication information based on the authentication data. The authentication application may then output the item of authentication information to the client application, where the item of authentication information is usable by the client application to authenticate to at least one of the one or more hosts.

A computing system includes persistent storage configured to store a plurality of software applications and a distribution application configured to perform operations. The operations include obtaining a first cryptographic key of a pair of asymmetric cryptographic keys, where a second cryptographic key of the pair is stored by an on-premises computational instance, obtaining a selection of a software application from the plurality of software applications for installation, and obtaining an identifier associated with the on-premises computational instance. The operations additionally include encrypting the software application by way of a symmetric encryption algorithm and using a third cryptographic key, and encrypting the third cryptographic key by way of an asymmetric encryption algorithm and using the first cryptographic key. The operations further include generating an installation file that includes the software application as encrypted, the third cryptographic key as encrypted, and a representation of the identifier.

Method and system of secured direct link set-up (DLS) for wireless networks. In accordance with aspects of the method, techniques are disclosed for setting up computationally secure direct links between stations in a wireless network in a manner that is computationally secure. A direct link comprising a new communication session is set up between first and second stations in a wireless local area network (WLAN) hosted by an access point (AP), the direct link comprising a new communication session. The AP generates a unique session key for the new communication session and transfers secured copies of the session key to each of the first and second stations in a manner under which only the first and second stations can obtain the session key. A security mechanism is then implemented on the unsecured direct link to secure the direct link between the first and second stations using a secure session key derived from the session key.