An enhanced email service that mitigates drawbacks of conventional email services by enabling transmission of encrypted content to a recipient regardless of the recipient having a prior relationship with the sender or having credentials issued from a certificate authority. A method is provided for receiving encrypted content and generating a message includes both the encrypted content as an attachment and a link to enable access to the encrypted content. The method may include transmitting the message to an intended recipient's mailbox while also storing the message in another mailbox to provide for subsequent decryption of the encrypted content. The link may provide the intended recipient of the message with access to the encrypted content in various ways depending on, for example, whether the recipient is viewing the message through a webmail browser or through a local mail client that is compatible with the enhanced email service.

Establishing inter-device communication is disclosed including receiving, using a first device, an encrypted session key sent by a second device, decrypting, based on a private key of the first device, the encrypted session key in a trusted environment to obtain a decrypted session key, and conducting, based on the decrypted session key, data communications with the second device.

A virtual cryptographic module is used to perform cryptographic operations. The virtual cryptographic module may include a fleet of cryptographic modules and a load balancer that determines when a cryptographic module should be added to or removed from the fleet. The fleet size may be adjusted based on detecting a set of conditions that includes the utilization level of the fleet. One or more cryptographic modules of the fleet may be used to fulfill requests to perform cryptographic operations. A cryptographic module may be a hardware security module (“HSM”).

A method, computer system, and a computer program product for secure transport of data is provided. The present invention may include defining a trust relationship based on a secret. The present invention may also include associating a trusted transport key identity (TTKI) based on the defined trust relationship. The present invention may then include receiving a trusted transport key (TTK), wherein the TTK is digitally signed and encrypted with the TTKI. The present invention may further include verifying the digitally signed TTK. The present invention may also include enveloping the secret with the TTK.

A system and method wherein an authentication request to verify authentication information submitted to a first system in connection with a first request submitted to the first system is received from the first system. A response to the authentication request is generated that includes information usable by a second system to make, without communicating with the authentication system, based at least in part on the information and one or more cryptographic processes, a determination whether fulfillment of a second request from the first system is allowable under authority of the authentication system, with the determination being based at least in part on policy information included in the information that specifies one or more policies applicable to an identity that is associated with the first request. The response generated is provided to the first system.

A system is configured for detecting a point of sale, receiving a personal identification number (PIN), generating a PIN based key using a message digest of the PIN, decrypting a data encryption key (DEK) using the PIN based key, and generating a DEK based dynamic key using the PIN based key. The system may also decrypt a session key using the DEK based dynamic key, generate a cryptogram from the session key, and send the cryptogram to the point of sale.

A computer system and methods for securing files in a file system with storage resources accessible to an authenticable user using an untrusted client device in a semi-trusted client threat model. Each file is secured in the file system in one or more ciphertext blocks along with the file metadata. Each file is assigned a unique file key FK to encrypt the file. A wrapping key WK assigned to the file is used for encrypting the file key FK to produce a wrapped file key WFK. A key manager is in charge of generating and storing keys. The file is encrypted block by block to produce corresponding ciphertext blocks and corresponding authentication tags. The authentication tags are stored in the file metadata, along with an ID of the wrapping key WK, wrapped file key WFK, last key rotation time, an Access Control List (ACL), etc. The integrity of ciphertext blocks is ensured by authentication tags and the integrity of the metadata is ensured by a message authentication code (MAC).

A processor associates with one another terminal identifiers for identifying terminals. Each terminal identifier includes a to-be-authenticated section common to the terminal identifiers and used to authenticate a user. The processor associates the terminal identifiers with one another as respective terminal identifiers for a communication source and a communication destination that can perform communication with the communication source. Upon receiving from a first terminal as a communication source a first terminal identifier for identifying the first terminal and a second terminal identifier for identifying a second terminal as a communication destination, the processor transmits a request to the second terminal to start communication with the first terminal for a case where the first and second terminal identifiers are associated with one another. Otherwise the processor does not transmit a request to the second terminal to start communication with the first terminal.

A cryptographic service device includes: a processor; and a memory storing instructions executable by the processor, wherein the processor is configured to execute the instructions to operate as a registration module, a working key creation module, and a cryptographic operation calling module. The registration module is configured to call a primary security module to generate a master key for a newly added secondary security module. The working key creation module is configured to receive a working key creation request of a business system, call the primary security module to generate a working key for the business system, and acquire a working key ciphertext. The cryptographic operation calling module is configured to receive a cryptographic operation request of the business system; call a target security module, and obtain an operation result of the target security module.

The invention relates to a computer-implemented system and method for selective dynamic encryption and decryption of data. The method may comprise the steps of identifying confidential data elements in a data table (e.g., confidential columns in a table) that contain confidential information; storing in a metastore behind a firewall the locations of the confidential data elements; intercepting a query to the database to add unencrypted confidential data elements; encrypting the unencrypted confidential data elements in computer memory; and transmitting to the public cloud the data table including the encrypted specific data elements and other data elements that have not been encrypted. The reverse process can be implemented for retrieving and selectively decrypting data stored in the cloud.