A module has a processor for executing an encryption process to encrypt a message to a cipher-text with authentication. The encryption process includes generating a tag from a secret message authentication code (MAC) key, a nonce, a message, and optionally an additional data using a Poly 1305 function, generating a pseudorandom initialization vector (IV) from a secret encryption key and the tag using a first encryption function, and generating a cipher-text from the secret encryption key, the generated IV, and the message using a second encryption function. The module or a similar module may execute a corresponding decryption process to decrypt the cipher-text to a decrypted message and verify the authenticity of the cipher-text. At least one of the first and second encryption functions may be an Advanced Encryption Standard (AES) encryption function such as an AES-CTR encryption function, an AES-like encryption function, and/or other suitable encryption functions.

Systems and methods for determining cryptographic operation masks for improving resistance to external monitoring attacks. An example method may comprise: selecting a first input mask value, a first output mask value, and one or more intermediate mask values; based on the first output mask value and the intermediate mask values, calculating a first transformation output mask value comprising two or more portions, wherein concatenation of all portions of the first transformation output mask value produces the first transformation output mask value, and wherein exclusive disjunction of all portions of the first transformation output mask value is equal to the first output mask value; and performing a first masked transformation based on the first transformation output mask value and the first input mask value.

Techniques for securely controlling multiple lighting devices simultaneously with a lighting control device are disclosed. Command messages may be transmitted from the lighting control device to multiple lighting devices over a computer network without routing through a remote cloud service. The messages may be encrypted and may include an incremented sequence number. Lighting devices that receive a command message may compare the incremented sequence number to a previously stored sequence number corresponding to the lighting control device. If the incremented sequence number is greater than the stored sequence number, then a lighting device may determine the message was transmitted by an authorized lighting control device and may implement any command instruction included therein. If the incremented sequence number is equal to or less than the stored sequence number, then the lighting device may determine the command message was transmitted by a malicious source and may ignore the command message.

In one aspect the present invention disclose system for recording and handling media for use as evidence in legal proceeding. In one other aspect the present invention discloses a device for recording media for use as evidence in legal proceedings. In another aspect the present disclosure provides a server also referred to herein as an evidence vault or vault for handling media from a media recording device for use as evidence in legal proceedings. The all three aspects the invention benefit from a double layer symmetrical and asymmetrical encryption method to protect the media recordings of the device, the server and the system as a whole as well as the transmission of media between different components.

A secret key estimation device is provided for determining an estimate of at least one secret key used during a number of executions of a cryptographic function used by at least one cryptographic algorithm. The number of executions of the cryptographic function is at least equal to two. The secret key estimation device comprises an analysis unit for determining a plurality of sets of leakage traces from a side-channel information acquired during the number of executions of the cryptographic function. Each set of leakage traces corresponds to an execution of the cryptographic function and comprising at least one leakage trace. The secret key estimation device further comprises a processing unit configured to determine a statistical distribution of the acquired plurality of sets of leakage traces. The statistical distribution is dependent on a leakage function, the leakage function being represented in a basis of functions by a set of real values. The secret key estimation device is configured to determine the secret key from the statistical distribution of the plurality of sets of leakage traces using an estimation algorithm according to the maximization of a performance metric.

A customer premises device may include a memory configured to store day 0 configuration instructions, a first network interface to couple to an out-of-band network, a second network interface operatively coupled to a customer network, and at least one processor configured to automatically and without user input execute the day 0 configuration instructions. The at least one processor is configured to establish and maintain a secure tunnel connection with a security gateway device via the out-of-band network and to establish a connection with a configuration platform on the provider network via the secure tunnel connection. Orchestration instructions for configuring one or more VNFs are received from the configuration platform via the tunnel connection. The at least one processor is further configured to receive VNF management instructions via the secure tunnel connection, wherein the VNF management instructions include one of: updates, reconfigurations, or patches.

A system includes an application TEE and a first cloud service of a trusted cloud provider. The first cloud service is configured to receive an encrypted disk image and to launch the application TEE. The system also includes a second cloud service of a first alternate cloud provider, which is configured to launch a first attestation service instance from an attestation disk image that includes a secret and to provide the secret to the application TEE instance. Additionally, the system includes a third cloud service of a second alternate cloud provider, which is configured to launch a second attestation service instance and to provide the secret to the application TEE instance when the second cloud service is unavailable.

According to an embodiment, an encryption processing device includes a memory and one or more processors. The memory stores a plurality of divided masks to be applied to an input sentence on which mask processing is performed in unit of processing of a predetermined size corresponding to a size of data obtained by dividing target data of encryption processing into a plurality of pieces, the divided masks having a same size as that of data obtained by further dividing the data of the unit of processing. The one or more processors are configured to: read out the plurality of divided masks from the memory at different respective timings, and generate a plurality of first masks by using the read-out divided masks at different respective timings; and execute arithmetic processing on intermediate data of the encryption processing using the plurality of first masks at different respective timings.

Techniques for on-demand issuance of private keys for encrypted video transmission are described. A video processing service of a provider network receives a request from a computing device outside the provider network to begin video processing of video data generated by a video source device outside the provider network. The video processing service sends instructions to a video encoding device associated with the video source device to establish the connection for video transmission. The video processing service sends an encryption key to the video encoding device, and sends a decryption key to a video decryption engine. Subsequently, the video processing service receives video data from the video source device, via the video encoding device.

Generally described, one or more aspects of the present application correspond to techniques for creating encrypted block store volumes of data from unencrypted object storage snapshots of the volumes. These encryption techniques use a special pool of servers for performing the encryption. These encryption servers are not accessible to users, and they perform encryption and pass encrypted volumes to other block store servers for user access. The encryption context for the volumes can be persisted on the encryption severs for as long as needed for encryption and not shared with the user-facing servers in order to prevent user access to encryption context.