Patent classifications
H04L63/0478
Cloud key management for AFU security
An apparatus for cloud key management may include a networking interface, a memory, and a processor coupled to the memory and the networking interface, the networking interface to couple the apparatus to one or more endpoint servers (EPSs) of a cloud service provider (CSP), each EPS including a hardware accelerator, and to a management node (MN) of the CSP. The apparatus may further include an accelerator functional unit (AFU) developer interface module operated by the processor to receive cryptographic material (CM) for each of one or more AFU developers (AFUDs) and store it in the memory, the CM including a public key hash (PKH) and an encryption key (EK) to decrypt an AFU of the AFUD. The apparatus may also include an EK communication module operated by the processor to: receive, from the MN, a request to send to a targeted EPS an encrypted lookup table (LUT), the LUT including PKHs and associated EKs for a set of the one or more AFUDs from which the targeted EPS is authorized to receive AFUs, and in response to the request, send the LUT to the targeted EPS.
SECURE PUBLISH-SUBSCRIBE COMMUNICATION METHODS AND APPARATUS
Improvements to publish-subscribe protocols are provided, including a method for communicating data in a network comprising publisher devices, a broker and subscriber devices, comprising one of the publisher devices: i-a. receiving a public key from the broker; i-b. determining, based on one or more attributes of data to be published to the broker, whether a sensitivity level of the data is low; and ii. following completion of both of steps i-a and i-b, publishing the data to the broker, wherein: when step i-b results in a determination that the sensitivity level of the data is low, step ii comprises transmitting the data to the broker unencrypted; and when step i-b results in a determination that the sensitivity level of the data is not low, step ii comprises encrypting the data then transmitting resulting encrypted data to the broker, wherein the step of encrypting the data uses the public key.
ONLINE SECRET ENCRYPTION
A method includes receiving, by a server computer, a thin client identifier from a thin client on a communication device. The server computer can then retrieve an encrypted first cryptographic key based on the thin client identifier. The encrypted first cryptographic key is a first cryptographic key that is encrypted with a second cryptographic key. The server computer can initiate the sending of the encrypted first cryptographic key to the thin client. The server computer then receives an encrypted secret from the thin client, the encrypted secret being a secret encrypted with the first cryptographic key.
Method and apparatus for protecting confidential data in an open software stack
A method is provided for securely providing data for use in a consumer electronics device having a processor performing instructions defined in a software image. The method includes receiving the data encrypted according to a global key, further encrypting the data according to a device-unique hardware key, storing the further encrypted data in a secure memory of the consumer electronics device, providing the global key to a whitebox encoder for encoding according to a base key to generate a whitebox encoded global key, and transmitting the software image to the consumer electronics device for storage in an operating memory of the consumer electronics device, the software image having a whitebox decoder utility corresponding to the whitebox encoder and the whitebox encoded global key.
Mid-link server having a plurality of access resource servers for policy control
Systems and methods for providing policy-controlled communication over the Internet are provided. A system may include a client endpoint function configured to execute on a client device while coupled to a first VPN tunnel, a service endpoint function that operates a remote service of a plurality of remote services, a gateway server including a first VPN termination point that authenticates and terminates the first VPN tunnel, a stitcher server including a second VPN termination point that authenticates and terminates a second VPN tunnel, and a mid-link server coupled to the first VPN tunnel and the second VPN tunnel. The mid-link server may include a plurality of Access Resource Servers (ARSs), and the gateway server and the stitcher server may communicate via a network connecting the plurality of ARSs.
METHODS FOR SECURE DATA STORAGE
A method includes receiving, from a server, a plurality of data packets at a wireless client device; identifying, by the wireless client device, receive times for the plurality of data packets; identifying, by the wireless client device, based on the receive times, a first subset of the plurality of data packets having shorter delay times than a second subset of the plurality of data packets having longer delay times; and mixing, by the wireless client device, a subset of the first subset of data packets to generate an encryption key.
DECENTRALIZED CONTENT FABRIC
Disclosed are examples of systems, apparatus, devices, computer program products, and methods implementing aspects of a decentralized content fabric. In some implementations, one or more processors are configured to execute a software stack to define a fabric node of a plurality of fabric nodes of an overlay network situated in an application layer differentiated from an internet protocol layer. The defined fabric node is configured to: obtain a request for digital content from a client device; obtain, from one or more of the plurality of fabric nodes, a plurality of content object parts of a content object representing, in the overlay network, at least a portion of the digital content; generate consumable media using: raw data stored in the content object parts, metadata stored in the content object parts, and build instructions stored in the content object parts; and provide the consumable media to the client device. In some instances, the consumable media is further generated using a digital contract stored in a blockchain.
Systems, methods and software for secure access control to digitally stored information
Systems, methods, and software for secure access control to digitally stored information. Owners of digitally stored information enter access control data using a first graphical user interface (GUI) on a first device. Vault space is allocated in memory for receiving and storing the information remotely from the first device. A keyholder and a guardian identified by the access control data are associated with the information. A keyholder access request for the information is transmitted via a second GUI on a second device. Responsive to determining the keyholder to be associated with the information, a third device of a guardian receives a notification of the access request, and the guardian may use a third GUI to transmit an access authorization. The information may be transmitted to the second device upon determining that the guardian is associated with the information.
ON DEMAND OPERATIONS ACCESS TO CLOUD CUSTOMER RESOURCES
Disclosed is an approach to implement an on-demand secure communications channel to a cloud-related resource that is located in a customer's on-premises data center, where the on-demand channel provides access to the resource to a cloud provider's operator employees. This creates on a temporary basis all of the infrastructure that is needed to allow the operational access to the customer system, which can then be destroyed once it is no longer needed.
Cryptographic anonymization for zero-knowledge advertising methods, apparatus, and system
A cryptographic anonymization method, apparatus, and system are disclosed. An example apparatus includes a server configured to receive encrypted usage information and an identifier from an application operating on a user terminal and trans-cypher the encrypted usage information from a first encryption scheme to a second encryption scheme to create second encrypted usage information without decrypting the encrypted usage information. The server is also configured to convert and encrypt the identifier to an encrypted unique identifier. The server is further configured to compare the second encrypted usage information to a taxonomy of data labels using rules. For each match of at least some of the second encrypted usage information to a data label, the server is configured to add the encrypted unique identifier to the matching data label. The server uses the data labels and/or the encrypted unique identifier for serving advertisements to the user.