Patent classifications
H04L2463/062
Data payment and authentication via a shared data structure
The disclosed embodiments relate generally to complex data stream control and entitlement. Specifically, the disclosed embodiments provide systems and methods for ensuring that only authenticated/verified participants receive data streams. A third party, e.g., a party other than the data provider or the data recipient, who is nevertheless associated with both the data provider and the data recipient, may be involved in controlling whether data streams from the data provider can reach the data recipient. Thus, a third party may logically sit between the data provider and the data recipient, and may decide whether the data recipient should receive data streams. The disclosed embodiments implement data generation, flow, control and permissioning between multiple entities via digital assets accessed and manipulated on a shared data structure.
SYSTEM AND METHOD FOR ENHANCED DATA PROTECTION
In one embodiment, a method of secure network transmission is performed by a computer system. The method includes encrypting a payload via a first symmetric key and encrypting the first symmetric key via a second symmetric key. The method further includes encrypting an author header comprising the encrypted first symmetric key and a recipient list via a third symmetric key, wherein the recipient list comprises at least one recipient. The method also includes encrypting the third symmetric key via a public asymmetric key associated with an authentication server. Furthermore, the method includes transmitting the encrypted author header and the encrypted third symmetric key to the authentication server for use in recipient-initiated pre-access authentication. In addition, the method includes transmitting the encrypted payload and the second symmetric key over a computer network to the at least one recipient.
FIRST VEHICLE-SIDE TERMINAL, METHOD FOR OPERATING THE FIRST TERMINAL, SECOND VEHICLE-SIDE TERMINAL AND METHOD FOR OPERATING THE SECOND VEHICLE-SIDE TERMINAL
A method for operating a first vehicle-side terminal is provided, wherein the first vehicle-side terminal determines at least one symmetric group key that is assigned to the group of terminals, encrypts the at least one symmetric group key with a public asymmetric individual key that is assigned to a second vehicle-side terminal or with a symmetric pair key that is assigned to the second vehicle-side terminal, transmits the encrypted symmetric group key in the direction of the second vehicle-side terminal, receives an encrypted message from the second vehicle-side terminal, and decrypts the encrypted message depending on the symmetric group key.
Current key data encryption
Periodically re-encrypting user data stored on a storage device, including: detecting that a data encryption key should be decommissioned; and for user data stored on the storage device that is encrypted with the data encryption key: reading the user data that is encrypted with the data encryption key from the storage device; re-encrypting the user data utilizing a current data encryption key; and writing the user data that is encrypted utilizing the current data encryption key to the storage device.
Secure key transmission protocol without certificates or pre-shared symmetrical keys
A method for securely receiving a cipher key from a key provider to a key requester is provided. The method includes generating a session key shared between the key requester and the key provider, and determining at least one key in accordance with the session key. The method also includes transmitting a request from the key requester to the key provider, and receiving a response from the key provider, where the response comprises an encrypted payload and an authentication tag. The method also includes authenticating the response and decrypting the encrypted payload using the at least one key to obtain the cipher key.
METHOD AND APPARATUS FOR CREDIT TRANSACTION EMPLOYING UNBREAKABLE ENCRYPTION
A method and apparatus for a streamlined electronic credit transaction that provides more security in a streamlined transaction process than any current deferred net settlement system. The removal of the physical credit card restores the proper risk balance to all participants and performs processing in real time, faster than any current system. The method relies on secure authentication and encryption security communications, based on the provably secure unbreakable mathematics of underdetermined systems of equations, which are maintained everywhere throughout the transaction process.
COMMUNICATION DEVICE, METHOD OF CONTROLLING COMMUNICATION DEVICE, AND NON-TRANSITORY COMPUTER-READABLE STORAGE MEDIUM
A communication device capable of performing encrypted communication with another communication device with use of a common key obtains, from the other communication device, a certificate including a public key and identification information on the other communication device, verifies validity of the certificate on a basis of the identification information on the other communication device included in the certificate, and transmits the common key encrypted by the public key to the other communication device to perform the encrypted communication in a case where the certificate is valid as a result of the verification.
KEY ENCRYPTION KEY ROTATION
A set of hardware security modules (HSMs) in a database system may implement a key management system with a database storing encryption keys or other secrets. The set of HSMs may identify a first key encryption key (KEK) and a second KEK stored in the set of HSMs. The set of HSMs may retrieve, from the database, a set of encryption keys encrypted by the first KEK and decrypt each encryption key of the set of encryption keys using the first KEK. The set of HSMs may re-encrypt each encryption key of the set of encryption keys with the second KEK and transmit, to the database, the set of encrypted encryption keys encrypted by the second KEK for storage. Then, the set of HSMs may delete the first KEK from the set of HSMs.
VIRTUAL CRYPTOGRAPHIC MODULE WITH LOAD BALANCER AND CRYPTOGRAPHIC MODULE FLEET
A virtual cryptographic module is used to perform cryptographic operations. The virtual cryptographic module may include a fleet of cryptographic modules and a load balancer that determines when a cryptographic module should be added to or removed from the fleet. The fleet size may be adjusted based on detecting a set of conditions that includes the utilization level of the fleet. One or more cryptographic modules of the fleet may be used to fulfill requests to perform cryptographic operations. A cryptographic module may be a hardware security module (HSM).
Method and system for facilitating secure communication
According to a first aspect of the present disclosure, a method for facilitating secure communication in a network is conceived, comprising: encrypting, by a source node in the network, a cryptographic key using a device key as an encryption key, wherein said device key is based on a device identifier that identifies a destination node in the network; transmitting, by said source node, the encrypted cryptographic key to the destination node. According to a second aspect of the present disclosure, a corresponding non-transitory, tangible computer program product is provided. According to a third aspect of the present disclosure, a corresponding system for facilitating secure communication in a network is provided.