Patent classifications
H04L63/064
Message service with distributed key caching for server-side encryption
Systems and processes are described for a message service with distributed key caching for server-side encryption. Message requests are received by message handlers of the message service that cache data encryption keys used to encrypt and decrypt messages that are stored to message containers in back end storage. A metadata service obtains the data encryption keys from a key management service, caches the keys locally, and sends the keys to the message handlers upon request, where the keys are cached again. The key management service may generate the data encryption keys based on a master key (e.g., a client's master key). The message handlers may send both message data encrypted using the data encryption key and an encrypted copy of the data encryption key to be stored together in the data store.
Method and framework for internet of things network security
A method for Internet of Things (IoT) network security includes collecting information for each network device (device), determining a minimum viable resource allocation for each device based on the information, which defines the minimum resources needed by each device to engage the IoT network and handle data, and for each device, distributing minimum viable resource allocations and rules, determining monitoring sets, monitoring using the monitoring set, collecting updated information based partially on the monitoring set, analyzing the updated information to determine trends and insights relative to the devices and the IoT network, updating the monitoring set, minimum viable resource allocation, and rules based on the analyzed updated information, checking compliance with a current minimum viable resource allocation and rules, identifying devices having violations, and performing same on a continuous as it and automatic basis. The method establishes and maintains a chain of custody for data traversing through multiple network segments.
SYSTEM AND METHOD FOR ASSOCIATING ENCRYPTION KEY MANAGEMENT POLICY WITH DEVICE ACTIVITY
Examples described herein relate to systems and methods for integrating and implementing ad hoc groups within a policy hierarchy environment. The ad hoc groups may implement particular guidelines for group membership, policy evaluations, and group actions. Systems and methods provide a framework for creating groups, removing groups, and associating groups, nodes, clients, and users with groups and policy. In some examples, there is provided a method for implementing ad hoc groups in a policy hierarchy environment, the method including: receiving a key orchestration operation request at a client associated with a node, a group, and a user; applying a sum of policies associated with the node to the request; applying a sum of policies associated with the group to the request; applying a sum of policies associated with the client to the request; applying a sum of policies associated with the user to the request; and evaluating the key orchestration operation request based on each of the sum of policies of the node, the group, the client, and the user.
SECURE SHARING
Among other things, at a central server, management of a document sharing process includes uploading from client devices through a communication network, storing at the server, and downloading to client devices through the communication network documents that are shared between users of the client devices. Encryption keys are used to protect features of the documents from unauthorized or unintended disclosure. Operations are performed on encryption keys or encrypted data as a result of which protection of features of the documents from unauthorized or unintended disclosure may be compromised. A determination is made whether performance of a given one of the operations on any of the encryption keys or encrypted data meets predefined conditions for approval by members of an approval group. Performance of the operation on the encryption key or encrypted data is controlled based on a result of the determination.
Key management in secure network enclaves
A hierarchical key generation and distribution mechanism for a computer system in which devices are organized into secure enclaves. The mechanism enables network access to be tailored to approximate minimum needed privileges for each device. At the lowest level of the hierarchy, keys are used to form security associations between devices. Keys at each level of the hierarchy are generated from keys at a higher level of the hierarchy and key derivation information. Key derivation information is readily ascertainable, either from identifiers for devices or from within messages, supporting hardware offload of cryptographic functions. Because keys may be generated based on the enclaves in which the hosts participating in a security association are located, the system includes a mechanism by which devices can discover the enclave in which they are located.
INFORMATION PROCESSING SYSTEM, COMMUNICATION RELAY DEVICE, LICENSE SERVER, PROGRAM, AND DATA RECOVERY METHOD
A communication relay device that relays communication performed between an image processing device and an application server via a network includes: an exchange key generating unit that generates an exchange key, and transmits the exchange key to the image processing device and a license server; a relay information generating unit that generates relay information used for relaying the communication; a storage unit that stores the relay information; a communication relay unit that relays the communication; a backup unit that transmits the relay information to a backup server connected to the network; an exchange key authenticating unit that determines whether or not an exchange sequence start condition is satisfied, and, when satisfied, acquires the exchange key and transmits the exchange key to the license server; and a setting reflecting unit that acquires the relay information from the backup server, and stores the relay information in the storage unit.
QUEUEING CONSTRUCT FOR X.509 DIGITAL CERTIFICATES
A method includes, for respective queues of a plurality of queues stored in a storage: generating, using a processor, a private key—public key pair; and storing the private key—public key pair to a back of the queue. The private key—public key pair may include a private key and a public key. The method also includes receiving a request from a certificate user to utilize a private key—public key pair. The method further includes retrieving a first private key—public key pair from a front of a first queue of the plurality of queues. The method also includes using the first private key—public key pair and generating a new private key—public key pair to replace the first private key—public key pair. The method also includes storing the new private key—public key pair to a back of the first queue.
System and method for managing secure communications between modules in a controller area network
This document describes a system and method for managing communications between modules in a Controller Area Network (CAN) in a secure manner. In particular, the system employs a hierarchical key generation method that allows a module in the CAN to use a single ascendant key together with relevant identifiers to generate descendant keys for CAN identities in the Controller Area Network. These keys are then used by the broadcasting and receiving CAN modules to authenticate published messages.
Digital certificates with distributed usage information
Digital certificates include pointers to remote certificate information stores that maintain usage information associated with digital certificates. The pointers provide a mechanism for enabling the remote certificate information stores to be queried for usage information associated with a particular digital certificate. The usage information can be used to determine a validity of the digital certificate.
Method and Framework for Internet of Things Network Security
A method for Internet of Things (IoT) network security includes collecting information for each network device (device), determining a minimum viable resource allocation for each device based on the information, which defines the minimum resources needed by each device to engage the IoT network and handle data, and for each device, distributing minimum viable resource allocations and rules, determining monitoring sets, monitoring using the monitoring set, collecting updated information based partially on the monitoring set, analyzing the updated information to determine trends and insights relative to the devices and the IoT network, updating the monitoring set, minimum viable resource allocation, and rules based on the analyzed updated information, checking compliance with a current minimum viable resource allocation and rules, identifying devices having violations, and performing same on a continuous as it and automatic basis. The method establishes and maintains a chain of custody for data traversing through multiple network segments.