Methods and systems for unified HSM and key management services are disclosed. According to certain embodiments, an encryption service request is issued by a client instance to a key management service (KMS) logic in a KMS cloud instance. The KMS logic parses the request to verify authorization for the request, identify the instance ID, and provide additional information to the request needed by hardware security management (HSM) middleware and hardware. A router receives the request from the KMS logic and routes the request to a service based on the instance ID, that transfers the request to HSM middleware. The HSM middleware parses HSM type from the request, translates the request to HSM vendor-specific instructions and routes the translated request to an HSM. The HSM according to certain embodiments is in a cloud computing environment separate from the KMS cloud instance, and in some embodiments the HSM is on-prem at a physical client site.

A method for securely receiving a multimedia content by a client device operated by one or more operator(s) involving a dedicated provisioning server of a security provider managing symmetric secrets used by the client devices and operators license servers. The provisioning server provides to the client device one or more generations of operator specific unique device secrets, which are then exploited by the various operators' license servers to deliver licenses such that authorized client devices can consume protected multimedia contents.

A data management system (1) for securely managing data transactions comprises a computing system which incorporates, a public key distribution system, a trusted storage system which is in communication with the public key distribution system, the trusted storage system being configured to store a record for each respective party using the system, each record comprising a unique identifier and a public key for a respective party using the system. The system (1) comprises a verification system which is configured to check the identity of a party seeking to participate in a transaction involving an exchange of data. If the verification system is not able to verify the identity of the party seeking to participate in the transaction, the verification system prevents the transaction from being carried out. If the verification system is able to verify the identity of the party seeking to participate in the transaction, the verification system permits the transaction to be carried out and the trusted storage system stores a transaction record comprising a record of the transaction and a record of the party participating in the transaction.

A disclosed method for managing encryption keys, which may be performed by a key management server, responds to receiving, from a first client, a request to create a new key for a self-encrypting drive (SED) associated with the first client by retrieving unique identifiers of the first client and the SED, generating and storing the new key and a corresponding key identifier (KeyID), and associating the unique identifiers of the SED and first client with the new key. Upon receiving, from a second client, a locate key request that includes the SED identifier, providing the new key, the KeyID, and the first client identifier to the second client. Associating the SED and first client identifiers with the new key may include adding the identifiers as attributes of the KeyID. Embodiments may be implemented in accordance with a key management interoperability protocol (KMIP) standard.

An information handling system may include a processor and a management controller communicatively coupled to the processor. The management controller may be configured to, in response to an encrypted storage resource being coupled to the information handling system: transmitting a request to at least one other management controller for an encryption key associated with the encrypted storage resource; receiving a response from the at least one other management controller, the response including the encryption key associated with the encrypted storage resource; and unlocking the encrypted storage resource with the received encryption key.

A Quantum Digital Signature (QDS)-based mail system and a transceiving method are provided. The system is a three-layer structure formed by a physical layer, a key layer, and an application layer. The physical layer is a key generation terminal and is used to generate a key string for signature in real time; the key layer is used to store the key string generated by the physical layer and provide a required key to the upper layer, namely, the application layer when required; and the application layer is a transceiving software part in the mail system, and is used to extract keys generated by the physical layer from the key layer so as to encrypt information to be sent. The mail transceiving method comprises: a quantum key distribution (QKD) phase, a mail signature phase, and a signature verification phase.

A method executed by a dynamic session key acquisition (DSKA) engine residing in a virtual environment includes receiving session decryption information extraction instructions that configure the DSKA engine to obtain session decryption information for at least one communication session involving a virtual machine and obtaining the session decryption information from the virtual machine in accordance with the session decryption information extraction instructions. The session decryption information includes cryptographic keys utilized by an application server instance in the virtual machine to establish the at least one communication session. The session decryption information obtained from the virtual machine is stored and provided to a network traffic monitoring (NTM) agent. The NTM agent utilizes the session decryption information to decrypt copies of encrypted network traffic flows belonging to the at least one communication session involving the virtual machine.

A device may not trust another device with which it is in communication. To establish trust, a first device may send a second device an indication of signed code that is stored in a protected memory of the first device. Based on determining that the first device is a trusted device, the second device may send the first device an encrypted content asset, a decryption key associated with the content asset, and/or an encryption key associated with the content asset.

Aspects of the invention include receiving a request from a responder channel on a responder node to initiate a secure communication with an initiator channel on an initiator node. The request includes an identifier of a shared key, and a nonce and security parameter index generated by the initiator node for the secure communication. The receiving is at a local key manager (LKM) executing on the responder node. A security association is created at the LKM between the initiator node and the responder node. The shared key is obtained based at least in part on the identifier of the shared key. Based on obtaining the shared key, a message requesting initialization of the secure communication between the responder channel and the initiator channel is built. The message includes an initiator nonce and an initiator security parameter index generated by the LKM for the secure communication.

The present disclosure describes methods, systems and devices for establishing secure communication between a user equipment and a service application in a wireless communication. One method includes receiving, by the user equipment, an authentication and key management for service applications identifier (AKMAID) from an authentication server function (AUSF) upon successful completion of an authentication process for registering the user equipment with the communication network. The method also includes storing, by the user equipment, the AKMAID; deriving, by the user equipment, an application key based on a base authentication key; sending, by the user equipment, a communication request to the service application, the communication request comprising the AKMAID; and receiving, by the user equipment, an application session establishment response to the communication request from the service application to establish a security communication session between the user equipment and the service application based on the application key.