H04L2463/062

SYSTEM AND METHOD FOR ENHANCED DATA PROTECTION

A method of an authentication server may include receiving, from a recipient computer system, recipient metadata comprising recipient information from the recipient computing system and a recipient network address. Access to the encrypted payload is authenticated by the recipient computer system using the recipient metadata. A response is sent to the recipient computer system after authenticating the recipient computer system. The recipient computer system decrypts the encrypted payload to access the payload in response to receiving the response.

Secure management of operations on protected virtual machines

A virtual secure mode is enabled for a virtual machine operating in a computing environment that is associated with a plurality of different trust levels. First, a virtual secure mode image is loaded into one or more memory pages of a virtual memory space of the virtual machine. Then, the one or more memory pages of the virtual memory space are made inaccessible to one or more trust levels having a relatively lower trust level than a launching trust level that is used by a virtual secure mode loader to load the virtual secure mode image. A target virtual trust level is also enabled on a launching virtual processor for the virtual machine that is higher than the launching trust level.

AUTOMATING PASSWORD CHANGE MANAGEMENT
20210073373 · 2021-03-11

A password management service provides automated password management. In one embodiment, a method for automating password changes begins in response to a determination that automated password changes are authorized. In response, a data mining session is initiated. Within the data mining session, a set of third party applications or sites are identified. Then, and responsive to receipt of a password reset flow authorization, a password reset flow to one or more of the third party applications or sites is initiated by the service. Thereafter, and still within the data mining session, and for each of the one or more third party applications or sites, a determination is made whether a password reset confirmation link has been received by the service. In response to a determination that a password reset confirmation link has been received for a given third party application or site, the service uses the password reset confirmation link to perform an automated password reset and thereby obtain a new user password for the application or site.

CRYPTOGRAPHIC OPERATION METHOD, METHOD FOR CREATING WORKING KEY, CRYPTOGRAPHIC SERVICE PLATFORM, AND CRYPTOGRAPHIC SERVICE DEVICE
20210067326 · 2021-03-04

A cryptographic service device includes: a processor; and a memory storing instructions executable by the processor, wherein the processor is configured to execute the instructions to operate as a registration module, a working key creation module, and a cryptographic operation calling module. The registration module is configured to call a secondary security module to generate an asymmetric key pair including a target public key and a target private key. The working key creation module is configured to receive a working key creation request of a business system, and call a primary security module to generate a working key for the business system. The cryptographic operation calling module is configured to receive a cryptographic operation request of the business system, and call a target security module to obtain an operation result of the target security module.

User interface for access control enabled peer-to-peer sharing
10915216 · 2021-02-09

Implementations disclose a user interface that supports an access control mechanism for peer-to-peer sharing technology. An example method includes providing for display a user interface comprising a plurality of media items and a plurality of media availability indicators, wherein a portion of the user interface represents that an encrypted version of a media item of the plurality of media items and an encryption key for the encrypted version are being received over a peer-to-peer connection; updating a media availability indicator of the media availability indicators to represent that the encrypted version of the media item and the encryption key are saved; receiving an indication that the encrypted version of the media item is decrypted; and updating the media availability indicator to represent the media item is available to be experienced.

METHOD FOR COMBINING DIFFERENT PARTIAL DATA

A method for combining different partial data includes providing a secure connection between a connection unit in a first network and an analysis unit in a second network, separating original data into at least two items of partial data comprised of analysis data and personal data as first and second partial data that can be assigned to each other by way of assigning information, pseudonymizing the second partial data, transmitting the first partial data and pseudonymized second partial data and the assigning information to the analysis unit, storing the second partial data on the connection unit, providing third partial data on the analysis unit in the form of analyzed first partial data, transmitting the third partial data and the pseudonymized second partial data with the assigning information to the connection unit via the secure connection, and combining the third partial data and the second partial data using the assigning information.

Secure communications system for direct transfer between mobile device
10939292 · 2021-03-02

Apparatus and associated methods relate to securely transmitting, directly between two mobile devices, AES-256 encrypted file attachments which are decrypted within an application program (APP) using a decryption key that is available only to the APP. In an illustrative embodiment, the encrypted file may be attached to an e-mail. The e-mail may be transmitted directly to another mobile device via direct Wi-Fi, for example. The e-mail may be transmitted directly to another mobile device using Bluetooth, for example. An encrypted attachment may be deciphered only within the APP running on the receiving mobile device using a private key accessible to only the APP.

ENCRYPTION SCHEME FOR MAKING SECURE PATIENT DATA AVAILABLE TO AUTHORIZED PARTIES
20210056230 · 2021-02-25

A sharing package data structure for the secure maintenance and sharing of information relating to a person with one or more parties is described. The data structure comprises: (1) a version of the data that has been encrypted in such a way that a data decryption key is needed to decrypt it; (2) a hash on the data decryption key; and (3) access control list entries each containing a version of the data decryption key that has been encrypted with a public key associated with a different party authorized to access the data. The contents of the data structure are usable to provide access to a decrypted version of the data to a party that is able to decrypt the encrypted data decryption key stored in one of the access control entries.

Securely updating software on connected electronic devices

Techniques for securely updating a point-of-sale (POS) system that includes a merchant-facing device and a buyer-facing device are described. For instance, the merchant-facing device may execute first software that provides first POS functionality and the buyer-facing device may execute second software that provides second POS functionality. To update both devices, the merchant-facing device may receive a software update from a payment service via a network connection, and update the first software using the software update. The merchant-facing device can then cause, via a physical connection, the buyer-facing device to reboot in an update mode and send the software update to the buyer-facing device. In response, the buyer-facing device can update the second software using the software update and then reboot in a payments mode. In some instances, the buyer-facing device can then update a secure enclave on the buyer-facing device using the software update.

SECURITY SYSTEM FOR USING SHARED COMPUTATIONAL FACILITIES
20210064765 · 2021-03-04

A method and system for performing computational jobs securely on a shared computing resource. Data files for the computational job are encrypted on a secure system and the encrypted data files are stored in a data store on the shared computing resource. A key distribution server is established using a secure enclave on a front end of the shared computing resource. Cryptographic keys and application binaries are transferred to the enclave of the shared computing resource using a session key. The computational job is run using an application launcher on compute nodes of an untrusted execution environment of the shared computing resource, the application launcher obtaining the application binaries and the cryptographic keys from the key distribution server.