H04L63/064

Network security with surrogate digital certificates
10397006 · 2019-08-27

A computing device such as a network security device receives one or more digital certificates in a certificate chain and generates one or more surrogate digital certificates that form a surrogate certificate chain. A surrogate certificate may be generated using certificate information from a corresponding digital certificate of the received certificate chain. In some cases, the received certificate chain may have a trusted root certificate that is a trust anchor for the received certificate chain and the generated surrogate certificate chain may have a different trusted root certificate that is the trust anchor for the surrogate certificate chain. Cryptographic keys of the certificate chains may be used to establish cryptographically protected communication sessions. The computing device may monitor network traffic utilizing cryptographic keys included in the certificate chains to encrypt data. The encrypted data may be decrypted and inspected to determine whether sensitive information is transmitted in an improper manner.

Securing client-specified credentials at cryptographically attested resources

Methods and apparatus for securing client-specified credentials at cryptographically-attested resources are described. An indication is obtained that resources deployed for execution of a compute instance of a multi-tenant computing service at an instance host of a provider network meet a client's security criteria. An encrypted representation of credentials to be used at the compute instance to implement operations on behalf of a client is received at the instance host. The credentials are extracted from the encrypted representation using a private key unique to the instance host, used for the operations, and then removed from the instance host without being saved in persistent memory.

Message Service with Distributed Key Caching for Server-Side Encryption

Systems and processes are described for a message service with distributed key caching for server-side encryption. Message requests are received by message handlers of the message service that cache data encryption keys used to encrypt and decrypt messages that are stored to message containers in back end storage. A metadata service obtains the data encryption keys from a key management service, caches the keys locally, and sends the keys to the message handlers upon request, where the keys are cached again. The key management service may generate the data encryption keys based on a master key (e.g., a client's master key). The message handlers may send both message data encrypted using the data encryption key and an encrypted copy of the data encryption key to be stored together in the data store.

METHOD AND SYSTEM FOR PERFORMANCE ENHANCED HIERARCHICAL KEY DISTRIBUTION SYSTEM
20240161104 · 2024-05-16

A hierarchical symmetric key distribution method, system, and apparatus (HKDS) is provided for a scalable and fundamentally secure solution for a security protocol for financial transactions, including the electronic payment industry. The security protocol can be used in conjunction with various message authentication code generators and extended output functions to derive unique symmetric keys which can be used to protect messaging and communications in the financial services industry. The security protocol, for example, provides a distributed key management protocol that generates unique transaction keys from a base terminal key, such that the terminal does not retain information that could be used to reconstruct the key once the transaction has been completed, the capture of the terminal's state does not provide enough information to construct future derived keys, and the server can reconstruct the transaction key using a bounded number of cryptographic operations.

ON-DEMAND NETWORK FUNCTION RE-AUTHENTICATION BASED ON KEY REFRESH

Methods, systems, and devices for wireless communication are described. A user equipment (UE) may determine that a security context with a network node has been established for more than a threshold time period. The UE may identify, based on a key hierarchy, a parent network node associated with the network node. The UE may transmit a key refresh request message to the parent network node to trigger a key refresh procedure between the parent network node and the network node. The UE may perform a procedure with the network node to establish a new security context based on the key refresh procedure.

Device and method for providing user-configured trust domains

A method of operating a first device in a group of devices in a network is disclosed. The method comprises encrypting and decrypting, with a processor of the first device, communications with other devices in the group of devices using a shared key that is stored in a memory of each device in the group of devices; receiving, with a transceiver of the first device, a first message from a second device in the group of devices, the first message indicating that the first device is authorized to share the shared key; and transmitting, with the first device, the shared key to a third device in the network that is not in the first group of devices only after receiving the first message indicating that the first device is authorized to share the shared key.

Method and apparatus for internet of things (IoT) dynamic policy management

Some embodiments include a broker policy manager (BPM) comprising a transceiver and a processor, where the processor is configured to dynamically change a policy associated with an Internet of Things (IoT) client certificate based on an incident invitational model. In some embodiments the processor can determine that a first IoT client is a participant of an incident communications network corresponding to an incident, and transmit first instructions to a certificate-based IoT broker to change a first IoT policy associated with a first certificate of the first IoT client, to enable the first IoT client to publish or subscribe to a topic that corresponds to the incident. The first instructions can indicate a change to a second IoT policy associated with a second certificate of a second IoT client that enables the second IoT client to publish or subscribe to the topic that corresponds to the incident.

COMMUNICATION APPARATUS, METHOD OF CONTROLLING THE SAME, AND STORAGE MEDIUM
20190147309 · 2019-05-16

A communication apparatus accepts from a user a setting relating to display of a QR code (a two-dimensional code), in which wireless communication parameters for connecting to the communication apparatus are encoded, to be read by an application that operates on a mobile terminal. The communication apparatus, in accordance with a setting accepted from a user, performs display control for selecting whether to display a common QR code, or to display at least one of a QR code for the standard application or a QR code for the proprietary application.

Storage system with controller key wrapping of data encryption key in metadata of stored data item

An apparatus comprises a storage system, a key manager incorporated in or otherwise associated with the storage system, and an input-output controller coupled to the key manager and configured to control storage of data items in the storage system. The key manager is configured to determine a controller key accessible to the input-output controller and a plurality of data encryption keys utilizable by the input-output controller to encrypt the data items for storage in the storage system. A given one of the data items is encrypted using a particular one of the data encryption keys and has associated metadata that includes the particular data encryption key encrypted using the controller key. The metadata may comprise an inner wrapping of the particular data encryption key using the controller key and at least one outer wrapping of the inner wrapping using at least one additional key.