Patent classifications
H04L9/085
INFORMATION DISPERSAL FOR SECURE DATA STORAGE
A method of securely dispersing private user data may include operating a software application configured to utilize user data, receiving the user data, generating a sequence of random bits, and generating a plurality of secret shares from the user data. Generating the plurality of secret shares may include selecting a subset of the user data for each secret share and combining the subset of the user data with the sequence of random bits. The subset of the user data may be a first half of the user data for a first secret share, a second half of the user data for a second secret share, and the whole user data for a third secret share. The method may also include dispersing each of the secret shares.
Multiple Relying Parties in a Single-Sign-On Environment
A system and method for providing secure Single-Sign-On (SSO) authentication in a zero-knowledge architecture. A first server component may operate as a first relying party in a first SSO flow. When the user of an application successfully authenticates to a first identity provider, a first part of a secret key may be provided to the application. Additionally, a second server component may operate as a second relying party in a second SSO flow. When the first part of the secret key is received by the application, authentication information may be provided to a second identity provider. Based on a successful authentication, a second part of the secret key may be provided to the application. The first and second parts of the secret key may be combined by the application to generate a final secret key that may be used to decipher encrypted user data.
SYSTEM AND METHOD FOR MANAGING SECRETS IN COMPUTING ENVIRONMENTS
Systems and methods for sharing secrets including passwords, keys, and other confidential information used in computing environments. A secrets record generated at a secrets vault client device is encrypted using an application key associated with a computing environment. The encrypted secrets record is stored in the secrets vault server. The secrets vault client device configures a sharing client device associated with an access token. The secrets vault client device hashes the access token and sends the hashed access token to the secrets vault server as a client identifier. The sharing client device performs a first-time authentication using a hashed access token with the secrets vault server. Upon successful authentication, the sharing client device requests secrets records from the secrets vault server using the client identifier.
Ensuring information fairness and input privacy using a blockchain in a competitive scenario governed by a smart contract
An example operation may include one or more of initializing a smart contract (SC) and appending it to a blockchain, registering each of a plurality of participants as a party to the SC, receiving from at least some of the participants an encrypted confidential input commitment, appending the encrypted input commitments to the blockchain, decrypting the encrypted input commitments, executing by the SC at least one business rule using the decrypted input commitments to obtain a business rule result, and identifying a prevailing participant based at least in part on the business rule result.
Selectivity in privacy and verification with applications
The present description relates to systems and techniques for allowing a third party verifier to verify aspects of secured data, or successful communication thereof. For example, a message or other data may be associated with a shared manifest that describes aspects of some data but does not reveal or expose the data. As a result, the data may be kept private while selective privacy and verification with respect to the data is achieved by the inclusion of only selected aspects of said data in the shared manifest.
MULTI-DEVICE REMOTE ATTESTATION
Systems and methods for attesting an enclave in a network. A method includes receiving, by a first device, proof information from an application provider entity that the enclave is secure, wherein the proof information includes a public part, Ga, of information used by the enclave to derive a Diffie-Hellman key in a key generation process with the application provider entity, processing, by the first device, the proof information to verify that the enclave is secure and ensuring that Ga is authentic and/or valid, deriving, by the first device, a new Diffie-Hellman key, based on Ga and x, wherein x is a private part of information used by the first device to derive the new Diffie-Hellman key, and sending, by the first device, a message including Ga and a public part, Gx, of the information used by the first device to derive the new Diffie-Hellman key to the enclave.
Methods and systems for utilizing hardware-secured receptacle devices
A system for using hardware-secured receptacle devices includes a transfer processing device configured to store transfer method data associated with a user on at least a cryptographically secured receptacle device, receive user authentication credentials from a user, authenticate user identity as a function of the user authentication credentials, retrieve a transfer authorization from the at least a cryptographically secured receptacle device as a function of the transfer method data, and generate a transfer as a function of the transfer authorization.
Record relationship change control in a content management system
Systems and methods for controlling record relationship changes in a content management system. The content management system may have several layers of access controls, which may include a layer of access control at the object level, a layer of access control at the row level and a layer of access control at the field level. Access may be controlled at the object level by a user's security profile, at the object record level (or row level) by the user's role, and/or at the object field level by the user's role or a state in a document lifecycle. A secure inbound relationship attribute may be used to control record relationship changes. Actions for creating, deleting and reassigning are permitted only when the inbound relationship is editable according to the secure inbound relationship attribute.
Method for establishing a secure private interconnection over a multipath network
A method for establishing a fully private, information secure interconnection between a source and a destination over a data network with at least a portion of a public infrastructure. The method comprises, at the source, creating n shares of a source data according to a predetermined secret sharing scheme, and encrypting the n shares using (n, k) secret sharing. The method further comprises defining, for at least one node vi, a directed edge (Vi1, Vi2) that has a k−1 capacity. All outgoing links of vi are connected to vi2. Additionally, a maximum flow algorithm is used to define the maximum number of shares outgoing from vi2, and therefore from vi, on each outgoing link. The number of shares forwarded by node vi does not exceed the number of maximum shares that were defined by the maximum flow algorithm.
Secure aggregate sum system, secure computation apparatus, secure aggregate sum method, and program
An aggregate sum is efficiently obtained while keeping confidentiality. A prefix-sum part computes a prefix-sum from a share of a sorted value attribute. A flag converting part converts a format of a share of a flag representing the last element of a group. A flag applying part generates a share of a vector in which a prefix-sum is set when a flag representing the last element of a group is true, and a sum of the whole is set when the flag is false. A sorting part generates a share of a sorted vector obtained by sorting a vector with a permutation which moves elements so that the last elements of each group are sequentially arranged from the beginning. A sum computing part generates a share of a vector representing a sum for each group.