Methods and apparatus to enable a distinction between “new” and “used” digital content and to enable a market in used digital content files between mobile phone terminals and an electronic store, securely, by means of a wireless telephony network and a server complex to handle contents right management, transaction reporting, inventory, content delivery, payment, and billing. A server receives a signal generated by a wireless user device that was sent over a wireless telephony network. The signal indicates an election for returning at least one previously purchased digital content item. The server deletes user rights for the at least one digital content item identified by the received signal and sends information to the user device that generated the signal. Access to the associated digital content item at the user device is removed according to the sent information.

Techniques for sorting encrypted data within a software as a service (SaaS) environment. Data is encrypted on a per symbol basis with a symbol based encryption module. Sort and search functionality preserving encryption that allows other modules to sort tokens and to search for tokens is provided. Encrypted tokens that have been encrypted by the symbol based encryption module are stored in a database. Access to the encrypted tokens is provided through the SaaS environment.

Aspects related to the secure transfer and use of secret material are described. In one embodiment, an encrypted secret key and encrypted revocation data are imported into a trusted execution environment and decrypted with private provider and vendor keys. In this manner, a provider of cryptographic processes is not exposed to the secret key or revocation data of a customer, as the secret key and revocation data are decrypted and stored within the trusted execution environment but not accessed in an unencrypted form. In turn, the provider can receive various instructions to perform cryptographic operations on behalf of the customer. Based on the outcome of a revocation check using the revocation data, the instructions can be performed by the trusted execution environment.

Encryption keys for an enterprise are stored at a perimeter device such as a gateway, and rules are applied at the network perimeter to control whether and how these keys are used for cryptographic processing of communications passing through the perimeter device. The encrypted status of communications, e.g. whether and how files are encrypted with the encryption keys, may also be used to assist in selecting appropriate security handling and routing of the communications.

In general, in one aspect, a method includes receiving software code with an invalid characteristic, repeatedly attempting to execute the software code with the invalid characteristic on a device, and in response to successful execution of the software code with the invalid characteristic, taking an action. The action may include an action to remediate the device.

A method for key rotation includes initiating key rotation for a user account of a multi-factor authentication platform enabling one-time password authentication using a first symmetric cryptographic key; generating, at an authenticating device, a second symmetric cryptographic key; transmitting, at the authenticating device, the second symmetric cryptographic key to the multi-factor authentication platform; configuring the multi-factor authentication platform and the authenticating device to disable authentication that uses the first symmetric cryptographic key; and configuring the multi-factor authentication platform and the authenticating device to enable authentication that uses the second symmetric cryptographic key.

A device includes a reset resistant store and a trusted key service. The reset resistant store maintains data across various different device reset or data invalidation operations. The trusted key service maintains, for each of one or more operating systems that run on the device from a boot configuration, an encrypted key associated with the boot configuration. The device also has a master key that is specific to the device. Each of the keys associated with a boot configuration is encrypted using the master key. When booting the device, the boot configuration being run on the device is identified, and the key associated with that boot configuration is obtained (e.g., from the reset resistant store or the encrypted key vault). The master key is used to decrypt the obtained key, and the obtained key is used to decrypt secrets associated with the operating system run from the boot configuration.

As disclosed herein a computer system for secure database backup and recovery in a secure database network has N distributed data nodes. The computer system includes program instructions that include instructions to receive a database backup file, fragment the file using a fragment engine, and associate each fragment with one node, where the fragment is not stored on the associated node. The program instructions further include instructions to encrypt each fragment using a first encryption key, and store, randomly, encrypted fragments on the distributed data nodes. The program instructions further include instructions to retrieve the encrypted fragments, decrypt the encrypted fragments using the first encryption key, re-encrypt the decrypted fragments using a different encryption key, and store, randomly, the re-encrypted fragments on the distributed data nodes. A computer program product and method corresponding to the above computer system are also disclosed herein.

A method of sharing collaborative data between registered users in an online collaboration system. The collaboration system has a server and one or more electronic user devices that are capable of data communication with the server over a data network. Each registered user is allocated a unique asymmetric key pair comprising a user public key and a user private key for encryption and decryption of shared data content. The server is able to modify uploaded encrypted data content to enable access by multiple authorised users, and is able to convert uploaded data content into alternative formats, typically to enable web-browser viewing.

In one embodiment, a secure computing system comprises a key generation sub-system configured to generate cryptographic keys and corresponding key labels for distribution to computer clusters, each computer cluster including a plurality of respective endpoints, a plurality of quantum key distribution (QKD) devices connected via respective optical fiber connections, and configured to securely distribute the generated cryptographic keys among the computer clusters, and a key orchestration sub-system configured to manage caching of the cryptographic keys in advance of receiving key requests from applications running on ones of the endpoints, and provide respective ones of the cryptographic keys to the applications to enable secure communication among the applications.