H04L9/3073

IDENTITY-BASED PUBLIC-KEY GENERATION PROTOCOL
20230021047 · 2023-01-19

A computer-implemented method for generating an identity-based cryptographic key, the method comprising: obtaining a set of private key shares and a set of corresponding public key shares, wherein each private key share is generated based on the personal identifier, and wherein at least one of the set of private key shares is generated by a respective one of a set of key-generating parties; generating an identity-based private key based on each of the one or more private key shares; and generating a partial identity-based public key, wherein the partial identity-based public key is generated based on each of the set of corresponding public key shares; transmitting the partial identity-based public key to at least one of the set of key-generating parties for generating the identity-based public key; and/or generating the identity-based public key, wherein the identity-based public key comprises the personal identifier and the partial identity-based public key.

ATTRIBUTE-BASED ENCRYPTION (ABE) METHOD WITH MULTIPLE TRACING ATTRIBUTE AUTHORITIES FOR CLOUD-ASSISTED INTERNET-OF-THINGS (IOT)
20230019301 · 2023-01-19

An ABE method with multiple tracing attribute authorities: performing, by a central authority, system initialization to generate a public parameter and disclosing the public parameter; performing, by each of the attribute authorities, initialization to generate a key pair, and disclosing the public key in the key pair; performing, by a data owner, symmetric encryption on plaintext data, performing ABE on the symmetric key based on a hidden access structure, and generating an integrity verification value; requesting, by a data user, a decryption key from the attribute authority according to the data user's own attributes; restoring, by the data user in response to decryption, the access structure, generating an outsourcing decryption key, and sending the outsourcing decryption key to a cloud storage center for semi-decryption; generating, by the cloud storage center, a semi-decrypted ciphertext, and feeding the semi-decrypted ciphertext back to the data user; and fully decrypting, by the data user, the semi-decrypted ciphertext according to a private decryption key.

SELF-AUTHORIZING IDENTIFICATION AND APPLICATIONS THEREFOR
20230224161 · 2023-07-13

Various embodiments are disclosed for self-authorized identification and services, and applications therefor. A computing device may generate a public-private key pair and a self-authorizing identifier (SAID), a byte string that is globally unique and immutable to the computing device. A remote service implementing a blockchain protocol may store the public key of the public-private key pair in a distributed blockchain ledger, which is used to authenticate the computing device in various network-based communications and to encrypt or decrypt such communications. An enclave service may be employed to asynchronously send messages between computing devices. The computing device may have an isolated environment that permits collaboration applications to execute therein, as well as a wallet that permits distribution applications not executing in the isolated environment to access the SAID or data pertaining thereto.

Digital credentials for access to sensitive data
11698979 · 2023-07-11

A system for providing access is configured to receive an application access request from an application for authorization to access and a sensitive data access request from the application for authorization to access a document that includes sensitive data. The system is further configured to determine to authorize access to the application in response to the application access request; to determine the user authentication device in response to the sensitive data access request; to provide a secondary request for authorization to access sensitive data to the user authentication device in response to the sensitive data access request, receive a secondary request response from the user authentication device to the secondary request; and to provide the secondary request response to the application enabling access to the sensitive data, where the document is encrypted for delivery to the application for the user using a blinding secret and an identity private key.

Augmented reality vehicle identification with visual light communication

The disclosure relates to augmented reality vehicle identification with visual light communication. For example, a mobile device may be configured for “scanning” an area having multiple parked vehicles within visual range of the mobile device, to identify a target vehicle. The mobile device may include an application for identifying the target vehicle using visual light communication (VLC) equipment and techniques that present an augmented reality outline or other identification of the target vehicle on the smartphone screen once the vehicle is identified by the system. The encrypted communication channels with the vehicle may be established to utilize vehicle headlamps, interior lights, or another light emitting device to establish the VLC between the user's phone and the vehicle VLC system. The mobile device may emit VLC signals using an onboard light emitter while being in visual communication with the target vehicle, establish an encrypted communication channel with the vehicle, and identify the vehicle using automatic and/or user-selectable identification features.

Decentralized authorization of user access requests in a multi-tenant distributed service architecture

Methods and apparatuses are described for decentralized authorization of user access requests in a distributed service architecture. A gateway node receives a user access request from a remote computing device. The gateway generates a signed and encrypted access token based upon the user access request using an authorization service node and a key management service node. The gateway transmits the access token, the user access request, and a security certificate received from the authorization service to a security proxy node of a microservice container. The security proxy validates the certificate and the access token. The security proxy decrypts the access token using a public key from the certificate, and determines user authorization to access a service endpoint node based upon the decrypted token. The security proxy transmits the user access request to the service endpoint, which provides the remote device with access to services based upon the user access request.

KEY UPDATE METHOD AND RELATED APPARATUS
20220417015 · 2022-12-29

Embodiments of this application provide a key update method and a related apparatus. One example method includes: sending a first key update request to a second node, where the first key update request includes a first key negotiation parameter and first identity authentication information, and the first identity authentication information is generated by using a first shared key; receiving a first response message from the second node, where the first response message includes second identity authentication information; performing verification on the second identity authentication information by using the first shared key; and if the verification on the second identity authentication information succeeds, determining a first target key based on the first key negotiation parameter.

INFORMATION PROCESSING DEVICE, INFORMATION PROCESSING METHOD, AND NON-TRANSITORY COMPUTER READABLE STORAGE MEDIUM
20220417020 · 2022-12-29

An information processing device according to the present application includes a control unit. The control unit acquires, from an authentication server in a state in which a first authenticator used for FIDO authentication and a second authenticator used for recovery for the FIDO authentication cooperate with each other, a recovery execution request that is transmitted from a user terminal including the second authenticator to the authentication server, and if the recovery execution request meets a predetermined authentication condition that is set in advance, notifies the user terminal including the second authenticator of a recovery execution permission.

Asymmetric key management for cloud computing services
11539678 · 2022-12-27

A key manager receives one or more asymmetric key pairs associated with a user to be associated with remote access of cloud computing resources, selects a first asymmetric key pair of the one or more asymmetric key pairs, determines one or more cloud service providers associated with the user, selects a first cloud service provider of the one or more cloud service providers to be associated with the first asymmetric key pair, determines one or more cloud service components associated with the first cloud service provider that are accessible to the user, provisions at least one of the one or more cloud service components with the first public key, and configures a connection component to establish a secure connection to the at least one of the one or more cloud service components using the first private key.

Method for controlling distribution of a product in a computer network and system
11533166 · 2022-12-20

A method for controlling distribution of a product in a computer network is provided, comprising: providing a computer network having a plurality of processing devices each comprising one or more processors and a storage; and providing keys for asymmetric cryptography in the computer network. In a first data processing device assigned to the manufacturer in the computer network, the following is provided: generating a matrix code by encoding first electronic information comprising the private product key; providing the public product key, the public manufacturer key, and the private manufacturer key; generating a first transaction assigned to the product, a first transaction content of the first transaction comprising the public product key, and the public manufacturer key; and signing the first transaction with both the private product key and the private manufacturer key. Imprint data are provided for imprinting an imprint of the matrix code on the product. Further, a system is provided.