Patent classifications
H04L9/0836
Secure secrets to mitigate against attacks on cryptographic systems
Secure secrets can be used, in one embodiment, to generate a master key. In one embodiment, a first secret value, generated and stored in a first secure element, can be used with a user's credential (e.g., a user's passcode) to generate, through a first key derivation function, a second secret value. A master key can then be generated through a second key derivation function based on the second secret value and a derived or stored secret such as a device's unique identifier.
DEVICE INDEPENDENT ENCRYPTED CONTENT ACCESS SYSTEM
Systems, devices, media, and methods are presented for retrieving authentication credentials and decryption keys to access remotely stored user-generated content. The systems and methods receive a first authentication credential and access a second authentication credential based on receiving the first authentication credential. The systems and methods generate an authentication token and an encryption token. Based on the authentication token, the systems and methods access a set of encrypted content and an encrypted content key. The systems and methods decrypt the encrypted content key using the encryption token and decrypt the set of encrypted content using the decrypted content key. At least a portion of the content is presented at the user device.
SECURITY ARCHITECTURE ON A DIGITAL PAYMENT DEVICE (DPD)
A Digital Payment Device (DPD) including a Digital Transaction Processing Unit (DTPU), a Microcontroller Unit (MCU), and a command generation unit, wherein the command generation unit is operable to generate a DTPU command capable of being authenticated against a targeted security domain of the DTPU, the DTPU command including a payload capable of being executed by the DTPU; and the MCU is operable to communicate the DTPU command to the DTPU for execution by the DTPU.
SECURE DETERMINISTIC TOKENS FOR ENCRYPTING ELECTRONIC COMMUNICATIONS
A computer implemented method includes generating, by a processor associated with a first client computer, a request message; generating, by the processor, a first public token based on a first private token; augmenting, by the processor, the electronic data transaction request message with the first public token; transmitting, by the processor, the augmented electronic data transaction request message to a second client computer; generating, by the processor, a second public token based on the first public token; identifying, by the processor, from a database of result messages, a result message labeled with the second public token, the identified result message including encrypted confidential information; generating, by the processor, a second private token corresponding to the second public token used to identify the result message; and decrypting, by the processor, the encrypted confidential information with the second private token.
Storage of cryptographic information
Fault-tolerant storage of cryptographic information maintained on a fleet of HSMs may be provided by dividing the cryptographic information into a number of stripes which are distributed and stored on individual HSMs in the HSM fleet. Parity information is generated which allows one or more stripes to be regenerated if one or more stripes become corrupt or are lost. The parity information may be stored on an HSM in the HSM fleet, or outside the fleet on a storage service, HSM management hub, tangible computer-readable media, or other device. If an HSM in the HSM fleet fails, resulting in the loss of a stripe, an HSM in the fleet can recover the missing stripe by re-creating the missing stripe from the remaining stripes combined with the parity information. In some examples, stripes are mirrored within the fleet of HSMs.
KEY IMPORT WITH HYBRID CRYPTOGRAPHY
Hybrid encryption of imported key material is provided. A request to import key material is received from a user system. In response to the request, two public keys are sent to the user system. The two public keys include a classical cryptography (CC) public key and a quantum-safe cryptography (QSC) public key. At least one public key of the two public keys is retrieved from a hardware security module (HSM). Hybrid-encrypted key material is received from the user system. The hybrid-encrypted key material is key material that has been encrypted using the two public keys. The key material, at least partially encrypted by the at least one public key, is sent to the HSM.
METHOD, COMPUTER PROGRAM PRODUCT AND APPARATUS FOR ENCRYPTING AND DECRYPTING DATA USING MULTIPLE AUTHORITY KEYS
A method, apparatus and computer program product are provided for encrypting and decrypting data using multiple authority keys including receiving, from a first computing device, a data decrypt request to decrypt encrypted data, the data decrypt request comprising a user key, determining that the user key is associated with a key hierarchy that comprises a server key, decrypting the server key using the user key, decrypting the encrypted data using the decrypted server key and permitting access to the decrypted data by the first computing device.
Encryption key management for international data residency
Media, method, and system for providing encryption key management for international data residency. Organizations using a group-based communication system can designate a particular geopolitical area where that organization's data can be stored and another geopolitical area (which may be the same or different) where encryption keys used to encrypt and decrypt that data should be stored. Users of that organization can post messages or access messages previously posted on the group-based communication system from any geopolitical area, causing the system to automatically store and retrieve messages and encryption keys from the appropriate regions to allow the users to transparently access the group-based communication system while maintaining security and data residency requirements.
Secure Communications Using Loop-Based Authentication Flow
A first party uses a secret key to encrypt information, which is then sent through an untrusted connection to a second party. The second party, however, cannot decrypt the information on its own, and it relays the encrypted information through a secure network. The secure network includes one or more nodes linking the first and second parties through one or more trusted connections (“hops”); each hop features use of a shared secret key unique to that hop. The first party's connection to the network (domain) receives the information relayed through the secure network by the second party, it decrypts that information according to the secret key of the first party, and it then retransmits the decrypted information to the second party using the secure hops. Techniques are provided for sharing a private session key, federated credentials, and private information.
Dynamic response signing capability in a distributed system
A system that provides responses to requests obtains a key that is used to digitally sign the request. The key is derived from information that is shared with a requestor to which the response is sent. The requestor derives, using the shared information, a key usable to verify the digital signature of the response, thereby enabling the requestor to operate in accordance with whether the digital signature of the response matches the response.