Security can be provided for data stored using resources that are deployed in an environment managed by a third party. Physical and logical detection mechanisms can be used to monitor various security aspects, and the resulting security data can be used to identify potential threats to these resources. In some embodiments, suspicious activity can cause resources such as data servers to be automatically and remotely rebooted such that keys stored in volatile memory on those data servers will be lost from those servers, such that an attacker will be unable to decrypt data stored on those servers. Once a determination of safety is made, the keys can be provided to the respective data servers such that data operations can resume.

A security processor includes a key generator circuit configured to randomly generate a key, an encryption circuit configured to encrypt user data based on the key, and a security manager circuit configured to receive a first user identification (ID), which uniquely corresponds to a user of a device, and determine whether to allow access to the user data by authenticating the first user ID.

A vehicle control apparatus and a control method thereof are provided. A vehicle control apparatus includes a processor including a host core and a hardware security module (HSM) core. The processor generates a first private key and a first public key, receives a second public key from a diagnostic device, generates a shared key based on the first private key and the second public key, receives a security data transmission request from the diagnostic device, and encodes data based on the shared key and transmits the encoded data to the diagnostic device.

An apparatus for cloud key management may include a networking interface, a memory, and a processor, coupled to the memory and the networking interface, the networking interface to couple the apparatus to one or more endpoint servers (EPSs) of a cloud service provider (CSP), each EPS including a hardware accelerator, and a management node (MN) of the CSP. The apparatus may further include an accelerator functional unit (AFU) developer interface module operated by the processor to receive cryptographic material (CM) for each of one or more AFU developers (AFUDs) and store it into the memory, the CM includes a public key hash (PKH), and an encryption key (EK) to decrypt an AFU of the AFUD. The apparatus may also include an EK communication module operated by the processor to: receive, from the MN, a request to send to a targeted EPS an encrypted lookup table (LUT), the LUT including PKHs and associated EKs for a set of the one or more AFUDs from which the targeted EPS is authorized to receive AFUs, and in response to the request, send, to the targeted EPS, the LUT.

A computer-implement method comprises: selecting a trusted computing node via smart contract on a blockchain; completing remote attestation of the selected trusted computing node; writing secret information to an enclave of the selected node; causing a thin device to establish a private connection with the selected node without revealing the secret information; and causing the selected node to act as a proxy on the blockchain for the device. Another method comprises: receiving a signed device access request from a device owner; validating, by a verification node, the received request; executing, by a verification node, a smart contract on a blockchain based on the received request; and producing, based on the executed smart contract, an output command to access the device for the device to validate, decrypt and execute.

A computing system has with a computing device. The computing system has an input data path, which unidirectionally connects an interface device of the computing system to the computing device, and an output data diode, which unidirectionally connects the computing device to at least one output interface of the computing system. The input data path has a series circuit which is arranged downstream of the interface device and contains an input data diode and a data lock. The input data diode allows a transmission of data in the direction of the computing device and prevents the transmission of data in the opposite direction. The data lock has a first and a second terminal and a temporary storage unit for temporarily storing data and is configured such that the temporary storage unit can be selectively connected solely to the first or second terminal but not simultaneously to both terminals.

A system for authorizing a serverless application function having a plurality of tenants, each tenant may include one or more entities that share a common access to a processing space and a data store. The system includes a gateway that receives a request from a tenant, an authorization component that access a public key assigned to the tenant, and a serverless processor that generates public and private keys for the tenant. The serverless processor also generates an access token for the first tenant that is signed using the private key and requests a transaction token from the authorization component using the access token. The authorization component transmits a transaction token to the serverless processor, which is used to make further requests to a virtual environment.

Aspects of the invention include receiving a request from a responder channel on a responder node to initiate a secure communication with an initiator channel on an initiator node. The request includes an identifier of a shared key, and a nonce and security parameter index generated by the initiator node for the secure communication. The receiving is at a local key manager (LKM) executing on the responder node. A security association is created at the LKM between the initiator node and the responder node. The shared key is obtained based at least in part on the identifier of the shared key. Based on obtaining the shared key, a message requesting initialization of the secure communication between the responder channel and the initiator channel is built. The message includes an initiator nonce and an initiator security parameter index generated by the LKM for the secure communication.

A method includes receiving, by a server computer, a thin client identifier from a thin client on a communication device. The server computer can then retrieve an encrypted first cryptographic key based on the thin client identifier. The encrypted first cryptographic key is a first cryptographic key that is encrypted with a second cryptographic key. The server computer can initiate the sending of the encrypted first cryptographic key to the thin client. The server computer then receives an encrypted secret from the thin client, the encrypted secret being a secret encrypted with the first cryptographic key.

Example implementations include a system of secure decryption by virtualization and translation of physical encryption keys, the system having a key translation memory operable to store at least one physical mapping address corresponding to at least one virtual key address, a physical key memory operable to store at least one physical encryption key at a physical memory address thereof; and a key security engine operable generate at least one key address translation index, obtain, from the key translation memory, the physical mapping address based on the key address translation index and the virtual key address, and retrieve, from the physical key memory, the physical encryption key stored at the physical memory address.