The solutions disclosed enable security credentials to be shared between two entities. Embodiments of the present invention can be used to facilitate the transfer security credentials associated with a first level of permission of a first entity to a second entity that does not have the security credentials associated with the first level of permission in response to receiving a request to share security credentials between two entities.

A method for resuming a Transport Layer Security (TLS) session in a Service Function Chain comprising a plurality of Service Function nodes coupled to a Service Function Forwarder. A request is received at a first Service Function node to establish a TLS session, and a Pre-Shared Key (PSK) and a PSK identifier that uniquely correspond to the first Service Function node and the TLS session are generated. The PSK identifier is forwarded to one or more of the Service Function Forwarder and the plurality of Service Function nodes. A request to resume the TLS session is received from a client device that previously disconnected. It is determined that the connection request contains the PSK identifier, a second Service Function node is selected, and the TLS session is re-established between the client device and the second Service Function node using the same PSK as the prior TLS session.

Hardware Security Modules (HSMs) may be utilized to store master keys that are used to secure (e.g., wrap) encryption keys that are stored outside of the HSMs. The wrapping of the encryption keys may include using the master key to mask each of the plurality of encryption keys. The master keys are then stored within the HSMs and the wrapped encryption keys may be stored outside of the HSMs. Since the plurality of encryption keys are wrapped, the wrapped encryption keys may be stored outside of the HSMs with a reduced potential for the wrapped encryption keys to be misappropriated. As such, the plurality of encryption keys may be stored in systems that do not have as many security requirements, and thus, have more memory available. As such, the memory needed to store keys within the HSMs is reduced.

Methods, systems, and computer-readable media are directed towards receiving, at an untrusted component, a query for a data store. The query includes a plurality of data operations. The data store is accessible by the untrusted component. A first proper subset of data operations is determined from the plurality of data operations that do not access sensitive data within the data store. A second proper subset of data operations is determined from the plurality of data operations that access sensitive data within the data store. The first proper subset of data operations is executed, at the untrusted component, to create first results. The second proper subset of data operations is sent to a trusted component for execution. Second results based on the sending the second proper subset of data operations are received from the trusted component. Results to the query are returned based on the first results and the second results.

A first service submits a request to a second service on behalf of a customer of a service provider. The request may have been triggered by a request of the customer to the first service. To process the request, the second service evaluates one or more policies to determine whether fulfillment of the request is allowed by policy associated with the customer. The one or more policies may state one or more conditions on one or more services that played a role in submission of the request. If determined that the policy allows fulfillment of the request, the second service fulfills the request.

Systems and methods for securing objects in a computing environment. Objects are encrypted using keys that are also encrypted after encrypting the objects. In order to access the objects, a master key that is unknown to the service storing the objects and/or managing the keys is used to decrypt the keys so that the objects can be decrypted with the decrypted key. Thus, a key is needed to access the key needed to access the object. The master key is typically maintained separately from all of the encrypted objects and corresponding encrypted keys.

A method for securing an identifier of a user equipment used when connecting to a network connection in a wireless communication system, according to an embodiment of the present invention, may comprise the steps of: receiving, from the user equipment, a message requesting a first ticket for authenticating a right to access the identifier in a serving network of the user equipment, wherein the message includes information on a second ticket for authenticating a right to access the identifier in a home network of the user equipment; transmitting the information on the second ticket to a mobility management entity (MME) of the home network; receiving, from the MME of the home network, identification information of the user equipment that is determined on the basis of the information on the second ticket; and transmitting, to the terminal, information on the first ticket and a temporary key used to encrypt the identifier in the serving network, on the basis of the identification information.

Embodiments of the present invention provide systems and techniques for changing cryptographic keys in high-frequency transaction environments to mitigate service disruptions or loss of transactions associated with key maintenance. In various embodiments, a server device can employ a working key encrypted with a first master key to decrypt messages being communicated from a client device, whereby each message is encrypted with a first cryptogram that was generated based on the working key encrypted with the first master key. While the working key encrypted with the first master key is being employed, the server device can generate a notification including a second cryptogram generated based on the working key encrypted with a second master key for transmission to the client device. The transmitted notification can cause the client device to encrypt the messages being communicated with the second cryptogram. The server device can concurrently employ the working key encrypted with one of the first and second master keys to decrypt messages received from the client device, whether encrypted with the first cryptogram or the second cryptogram.

A failover system can receive active data from user devices running an application specific to a service entity providing an application service. For each user device, the active data can indicate a current status. The failover system can transmit restoration data to the user devices for storage to restore the current status of the user devices in the case of a failover event. When a failover event occurs, the failover system can recover the restoration data from a first user device to restore the current status of the application service for the first user device.

A system and method for pairing a mobile device with a computer for password-less login using a network service is provided. The method may include sending a pairing request to a network server from a computing device, wherein the pairing request includes computer authentication data and a computer public key. The network server may pair the mobile device with the computing device; wherein, the computing device may generate a pairing secret key and an associated QR image, which the user is prompted to scan using the mobile device. A pairing agent within the mobile device may validate the computer authentication data and parse the computer public key therefrom. In some embodiments a PIN could be displayed by the computer and entered by the user into the mobile device or silently exchanged between the computer and the mobile device, when proximate to each other, for the mutual authentication data validation.