Systems and processes are described for a message service with distributed key caching for server-side encryption. Message requests are received by message handlers of the message service that cache data encryption keys used to encrypt and decrypt messages that are stored to message containers in back end storage. A metadata service obtains the data encryption keys from a key management service, caches the keys locally, and sends the keys to the message handlers upon request, where the keys are cached, again. The key management service may generate the data encryption keys based on a master key (e.g., a client's master key). The message handlers may send both message data encrypted using the data encryption key and an encrypted copy of the data encryption key to be stored together in the data store.

A communication relay device that relays communication performed between an image processing device and an application server via a network includes: an exchange key generating unit that generates an exchange key, and transmits the exchange key to the image processing device and a license server; a relay information generating unit that generates relay information used for relaying the communication; a storage unit that stores the relay information; a communication relay unit that relays the communication; a backup unit that transmits the relay information to a backup server connected to the network; an exchange key authenticating unit that determines whether or not an exchange sequence start condition is satisfied, and, when satisfied, acquires the exchange key and transmits the exchange key to the license server; and a setting reflecting unit that acquires the relay information from the backup server, and stores the relay information in the storage unit.

A cryptographic service system rekeys encrypted information that was encrypted at a granular level using hierarchical cryptographic key management. Encrypted information is retrieved from a cloud data store. The encrypted information includes an encrypted data key and an encrypted key-encrypting key. The plain version of the key-encrypting key is received from a key provider. The plain version of the key-encrypting key is used to decrypt the original data key. A new key-encrypting key is retrieved from a local key pool. The new key-encrypting key is used to encrypt the original data key. The original encrypted information is stored with the new encrypted version of the original data key and the encrypted version of the new key-encrypting key.

A computing device is configured to divide an Oblivious Pseudorandom Function (OPRF) key to generate a plurality of N partial keys, distribute a respective one of the plurality of N partial keys to a corresponding plurality of N Key Management System (KMS) units. The computing device receives from a threshold number T of KMS units, a plurality T partial blinded keys, wherein the plurality T partial blinded keys are based on processing of a value of a blinded key received by a respective KMS unit and a corresponding stored partial key of the N partial keys, combines the plurality T of partial blinded keys into the blinded key, processes the blinded key based on the blinding key in accordance with an OPRF unblinding operation to generate a key and accesses secure information based on the key.

Operating upon encrypted data with a particular data scope. A base encryption key is established and associated with the particular data scope, and then stored in a base encryption key store. That base encryption key store might be managed by an application or service that stores base encryption keys for multiple data scopes. A proxy encryption key acts as a kind of proxy for the base encryption key. The proxy encryption key may be used for frequent operations on encrypted data within the particular data scope. Thus, the principles described herein act as a frequency amplifier that allows key-based operations upon the particular data scope to be performed at much higher frequencies than otherwise would be possible by operating directly using the base encryption key.

A client maintains a pinned collection of trusted digital certificates. An original digital certificate in the collection may be updated by sending a request to the certificate authority that issued the original digital certificate. The certificate authority generates an updated certificate, signs the updated certificate with a private key of the updated certificate, and also signs the updated certificate with the private key of the original digital certificate. The server provides the updated certificate to the client. The client can validate the signature created with the updated private key using the updated public key of the certificate authority, and the signature created with the original private key can be validated using the original public key of the certificate authority. If both signatures are valid, a continuity of trust may be established, and the updated certificate added to the collection of trusted digital certificates.

Digital certificates include pointers to remote certificate information stores that maintain usage information associated with digital certificates. The pointers provide a mechanism for enabling the remote certificate information stores to be queried for usage information associated with a particular digital certificate. The usage information can be used to determine a validity of the digital certificate.

An identity authentication method for a quantum key distribution process includes selecting, by a sender, preparation bases of an identity authentication bit string in accordance with a preset basis vector selection rule; sending, by a sender, quantum states of the identity authentication bit string and quantum states of a randomly generated key bit string by using different wavelengths. The identity authentication bit string is interleaved in the key bit string at a random position and with a random length. The method further includes measuring, by a receiver, the received quantum states in the quantum state information in accordance with the different wavelengths and measurement bases selected according to the preset basis vector selection rule to obtain identity authentication information from the measurement of the identity authentication bit string; and determining, by the receiver, whether the identity authentication information obtained through the measurement corresponds with the preset basis vector selection rule.

Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information in the form of parameters that are used to specialize keys. Keys and/or information derived from keys held by multiple authorities may be used to generate other keys such that signatures requiring such keys and/or information can be verified without access to the keys. Keys may also be derived to form a hierarchy of keys that are distributed such that a key holder's ability to decrypt data depends on the key's position in the hierarchy relative to the position of a key used to encrypt the data. Key hierarchies may also be used to distribute key sets to content processing devices to enable the devices to decrypt content such that sources or potential sources of unauthorized content are identifiable from the decrypted content.

Systems and processes are described for a message service with distributed key caching for server-side encryption. Message requests are received by message handlers of the message service that cache data encryption keys used to encrypt and decrypt messages that are stored to message containers in back end storage. A metadata service obtains the data encryption keys from a key management service, caches the keys locally, and sends the keys to the message handlers upon request, where the keys are cached, again. The key management service may generate the data encryption keys based on a master key (e.g., a client's master key). The message handlers may send both message data encrypted using the data encryption key and an encrypted copy of the data encryption key to be stored together in the data store.