H04L63/0471

Message processing for subscriber sessions which stretch over different network domains

A technique for hiding topological information in a message that leaves a trusted network-domain is presented. The message pertains to a subscriber session and comprises a Fully Qualified Domain Name (FQDN) of a message originator. The originator is located in a first network domain, and the message is directed towards a destination in a second network domain. A method aspect comprises the steps of receiving the message, determining the FQDN comprised in the message and determining an identifier associated with the message. The identifier comprises at least one of a subscriber identifier, a session identifier and a destination identifier. Further, the method comprises applying a cryptographic operation on the FQDN and the identifier, or on information derived therefrom, to generate a cryptographic value. The message is then processed by substituting at least a portion of the FQDN with the cryptographic value prior to forwarding the message towards the second network domain.
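The substitution described in the abstract, worked through in Python as an added example (this is not the patent's code). It assumes HMAC-SHA256 as the cryptographic operation, a SIP-style message whose Call-ID serves as the session identifier, a constructed border-element key, and a fixed replacement suffix (`thig.operator.example`); the per-session lookup table used to restore the original FQDN on the return path is also an assumption, since the abstract does not say how the reverse mapping is done. Mixing the session identifier into the digest is the part worth noticing: the same internal node gets a different label in every session, so an outside party cannot correlate sessions by the hidden hostname.

```python
import base64
import hashlib
import hmac
import re

# Constructed values for this example: the border element's key and the domains involved.
BORDER_KEY = bytes.fromhex("8f2c1d4e6b7a9001f3e5d7c9b1a3950e2c4d6e8f0a1b3c5d7e9f0b2d4f6a8c1e")
TRUSTED_SUFFIX = "ims.operator.example"    # first (trusted) network domain
HIDDEN_SUFFIX = "thig.operator.example"    # assumed domain under which substituted hosts are published


def hide_fqdn(fqdn: str, identifier: str, key: bytes = BORDER_KEY) -> str:
    """Replace the host part of `fqdn` with a keyed digest over FQDN and identifier.

    The identifier (here the session identifier) is part of the HMAC input, so the
    same internal host is represented by a different label in every session.
    """
    mac = hmac.new(key, fqdn.encode() + b"\x00" + identifier.encode(), hashlib.sha256).digest()
    label = base64.b32encode(mac[:16]).decode().rstrip("=").lower()   # 26-character DNS label
    return f"{label}.{HIDDEN_SUFFIX}"


class TopologyHidingBorder:
    """Minimal border element: hides trusted-domain FQDNs on egress, restores them on ingress."""

    def __init__(self, key: bytes = BORDER_KEY, trusted_suffix: str = TRUSTED_SUFFIX):
        self._key = key
        # Any host label(s) followed by the trusted suffix, e.g. pcscf1.ims.operator.example
        self._pattern = re.compile(r"[A-Za-z0-9.-]+\." + re.escape(trusted_suffix))
        self._table = {}   # hidden host -> original FQDN (assumed restoration mechanism)

    def outbound(self, message: str, identifier: str) -> str:
        def substitute(match):
            fqdn = match.group(0)
            hidden = hide_fqdn(fqdn, identifier, self._key)
            self._table[hidden] = fqdn
            return hidden
        return self._pattern.sub(substitute, message)

    def inbound(self, message: str) -> str:
        # Responses from the second domain carry the hidden hosts; map them back.
        for hidden, fqdn in self._table.items():
            message = message.replace(hidden, fqdn)
        return message


def session_identifier(message: str) -> str:
    """Pull the Call-ID header out of a SIP-style message (used as the session identifier)."""
    match = re.search(r"^Call-ID:\s*(\S+)\s*$", message, re.MULTILINE)
    if match is None:
        raise ValueError("message has no Call-ID header")
    return match.group(1)


# Constructed sample request leaving the trusted domain.
SAMPLE_INVITE = (
    "INVITE sip:bob@peer.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP pcscf1.ims.operator.example;branch=z9hG4bK776asdhds\r\n"
    "Record-Route: <sip:scscf3.ims.operator.example;lr>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "From: <sip:alice@ims.operator.example>;tag=1928301774\r\n"
)


def demo():
    """Return (message as forwarded to the second domain, message restored on the way back)."""
    border = TopologyHidingBorder()
    egress = border.outbound(SAMPLE_INVITE, session_identifier(SAMPLE_INVITE))
    restored = border.inbound(egress)   # simulated response carrying the hidden hosts
    return egress, restored


if __name__ == "__main__":
    out, back = demo()
    print(out)
    print(back == SAMPLE_INVITE)
```

Note that the From URI (`alice@ims.operator.example`) is left alone: it names the domain, not a node, and the pattern only matches host labels in front of the trusted suffix. With a keyed digest the border element must keep state to reverse the substitution; a reversible construction (authenticated encryption of the host label under the border key) would avoid the table at the cost of longer labels.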

Secure offline streaming of content

Methods, systems, and computer-readable media for secure offline transmission of a plurality of data segments from a sending device to one or more receiving devices. The sending device and the one or more receiving devices may communicate via an offline local network. A secure, encrypted container may be created at the receiving device to temporarily cache the received data segments one at a time and the encrypted storage container prevents access by one or more applications of the receiving device to data stored therein based on storage instructions from the sending device. The encrypted container may be configured to store the data segments such that less than all of the data segments are stored at the receiving device at any one time.

Approaches of performing data processing while maintaining security of encrypted data
20220414234 · 2022-12-29

Systems and methods are provided for receiving encrypted data from a second computing system and instantiating the computing system to process the encrypted data. The instantiation includes decrypting the encrypted data using a private key, performing an operation on the decrypted data, presenting an output indicating a result of the operation on the decrypted data, and re-encrypting the decrypted data. After the data is re-encrypted, the data is transmitted to the second computing system or a third computing system.

Decryption of encrypted network traffic using an inline network traffic monitor
11539755 · 2022-12-27

An inline network traffic monitor is deployed inline between two endpoints of a computer network. A particular endpoint of the two endpoints works in conjunction with the inline network traffic monitor to decrypt encrypted network traffic transmitted between the two endpoints. A series of Change Cipher Spec (CCS) messages is exchanged between the inline network traffic monitor and the particular endpoint during a Transport Layer Security (TLS) handshake between the two endpoints. The series of CCS messages allows the particular endpoint and the inline network traffic monitor to detect each other on the computer network. After detecting each other's presence, the particular endpoint sends the inline network traffic monitor a session key that is used by the two endpoints to encrypt their network traffic. The inline network traffic monitor uses the session key to decrypt encrypted data of the network traffic transmitted between the two endpoints.

Central trust hub for interconnectivity device registration and data provenance
11522842 · 2022-12-06

Apparatus and method for device and data authentication in a computer network, such as but not limited to an IoT (Internet of Things) network. In some embodiments, a trust hub device is coupled to an interconnectivity device. The trust hub device includes a controller and non-volatile memory (NVM), and may be a network capable data storage device. The interconnectivity device is configured as an Internet of Things (IoT) or Operational Technology (OT) device, and includes a controller and a sensor. Data from the sensor are transferred from the interconnectivity device to the trust hub device. The trust hub device proceeds to attest a provenance of the data from the sensor to a remote entity associated with the interconnectivity device. The trust hub device includes a firewall to the external network, establishes a root of trust for the local interconnectivity device, and performs enrollment and signing services for the interconnectivity device.

Third-party data manipulation with privacy controls
11522841 · 2022-12-06

The disclosed computer-implemented method may include receiving, from a third party, a portion of data or computer-executable logic that is part of a specified model. Each model may include various portions of independently verifiable computer-executable logic. The method may further include receiving data at a processing engine. The processing engine may be configured to apply the specified model to the received data. The method may then execute the specified model at the processing engine to modify the received data and send the modified data to an application that is configured to process the modified data. Various other methods, systems, and computer-readable media are also disclosed.

Secure access to encrypted data of a user terminal
11516215 · 2022-11-29

To allow access to encrypted data stored in the memory of a user terminal, the corresponding secret encryption key is stored in a secure element integrated into the user terminal and this secure element serves as a highly secure relay toward an access device to this data, used by a third party. To do so, a secure communication channel is established between the third party and the secure element. The EAC standard allows mutual authentication accompanied by the establishment of such a secure communication channel. The secure element performs an encryption conversion of the data so that the latter is protected by a session (or transport) key associated with the secure communication channel, and no longer by the initial secret key. The third party can thus access the encrypted data without even knowing the initial secret key.
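This abstract and the earlier one on data processing while maintaining security of encrypted data describe the same trusted-component pattern: decrypt under one key, optionally operate on the plaintext, re-encrypt under another key, and let the peer work with the result without ever holding the first key. The Python below is an added example covering both, not the applicants' code. It uses a stand-in authenticated cipher built from HMAC-SHA256 in counter mode (encrypt-then-MAC with derived subkeys) because the standard library has no AES-GCM; the EAC mutual authentication and key agreement are assumed to have happened and are replaced by the secure element generating the session key and handing it to the authenticated third party. The `SecureElement` class, `seal`/`unseal` functions and all sample data are constructed for this illustration.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC keys from one master key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib-only stand-in for a real AEAD cipher (use AES-GCM in practice)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + aad + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag before touching the ciphertext; raise ValueError on any mismatch."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + aad + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


class SecureElement:
    """Holds the terminal's storage key and converts data onto a per-channel session key."""

    def __init__(self, storage_key: bytes):
        self._storage_key = storage_key   # never returned by any method
        self._channels = {}               # channel id -> session (transport) key

    def open_channel(self):
        # Assumed stand-in for EAC mutual authentication and key agreement, which is not
        # modelled here: the session key is generated and handed to the authenticated peer.
        channel_id = os.urandom(4).hex()
        session_key = os.urandom(32)
        self._channels[channel_id] = session_key
        return channel_id, session_key

    def convert(self, channel_id: str, stored_blob: bytes, operation=None) -> bytes:
        """Decrypt under the storage key, optionally operate on the data, re-encrypt under the session key."""
        session_key = self._channels[channel_id]
        plaintext = unseal(self._storage_key, stored_blob)
        if operation is not None:         # the decrypt / operate / re-encrypt pattern
            plaintext = operation(plaintext)
        return seal(session_key, plaintext)


def demo() -> bytes:
    """Third party reads terminal data through the secure element without the storage key."""
    storage_key = os.urandom(32)                             # provisioned into the secure element
    stored = seal(storage_key, b"contacts: alice, bob")     # what the terminal keeps in memory
    secure_element = SecureElement(storage_key)
    channel_id, session_key = secure_element.open_channel()  # third party obtains only the session key
    transport_blob = secure_element.convert(channel_id, stored)
    return unseal(session_key, transport_blob)


if __name__ == "__main__":
    print(demo())
```

Two properties matter here and are both enforced by the code: the transport blob cannot be opened with the storage key (a different MAC subkey means the tag check fails), and any modification of nonce, ciphertext, associated data or tag is rejected before decryption is attempted. The session key is per channel, so a compromised transport key exposes only what was converted over that channel, not the data at rest.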

Protocol free encrypting device

The present invention provides an encrypting device including an encryption unit and a communications unit. Paired encrypting devices allow for communication of trusted data between trusted devices over an untrusted network. Data received by the encryption unit is encrypted and provided with a connectionless header for delivery to the communications unit. Data received by the communications units is provided with a complex header for delivery to the paired encrypting device. The encrypting devices may be implemented in hardware or may be virtualized on a server or a plurality of servers. Arrangement of the encrypting devices in a hub-and-spoke topology allows for communication amongst a plurality of trusted devices. The encrypting devices can be used to convert commercially available equipment suitable for high assurance environments.

Encryption by default in an elastic computing system

Generally described, one or more aspects of the present application correspond to techniques for creating encrypted block store volumes of data from unencrypted object storage snapshots of the volumes. These encryption techniques use a special pool of servers for performing the encryption. These encryption servers are not accessible to users; they perform the encryption and pass the encrypted volumes to other block store servers for user access. The encryption context for the volumes can be persisted on the encryption servers for as long as needed for encryption and is not shared with the user-facing servers, in order to prevent user access to the encryption context.

Certificate mirroring

A method includes retrieving a server certificate from a server in response to a request from a client to negotiate a connection between the client and the server and generating a new server public key and a new client public key in response to the request. The method also includes generating a new server certificate using information in the server certificate. The method further includes signing the new server certificate to produce a new signed server certificate, communicating the new signed server certificate, which includes the new server public key, to the client, and generating a new client certificate using information in a client certificate received from the client. The method also includes signing the new client certificate to produce a new signed client certificate and communicating the new signed client certificate, which includes the new client public key, to the server to establish the connection.