H04L9/0836

GROUP ACCESS CONTROL

This disclosure describes techniques for controlling group access to a collaboration technology. The techniques include generating a shared encryption key among the authorized producers of content associated with the collaboration technology, and receiving, by those producers and from authenticated consumers, requests to access the content. The requests may be received in a partitioned manner, so that each producer serves a particular subset of the authenticated consumers. In response to the requests, each producer sends the shared encryption key to its subset of authenticated consumers. The authorized producers use the shared encryption key to encrypt content, which the authenticated consumers then decrypt with the same key, achieving end-to-end encryption of event content.

METHOD AND APPARATUS FOR KEY RELAY CONTROL BASED ON SOFTWARE DEFINED NETWORKING IN QUANTUM KEY DISTRIBUTION NETWORK

The present disclosure relates to a method and apparatus for key relay control based on software-defined networking in a quantum key distribution network. A method of controlling key relay in a quantum key distribution network (QKDN) according to an embodiment of the present disclosure includes: receiving, by a first control entity, a key relay route request from a key management (KM) layer; determining, by the first control entity, whether the key relay is associated with a plurality of resource groups; and, when it is, transmitting a key relay route request from the first control entity to a second control entity, wherein the key relay route information produced by the second control entity may be provided to the KM layer.

Technologies for collective authorization with hierarchical group keys

Technologies for secure collective authorization include multiple computing devices in communication over a network. A computing device may perform a join protocol with a group leader to receive a group private key that is associated with an interface implemented by the computing device. The interface may be an instance of an object model implemented by the computing device or membership of the computing device in a subsystem. The computing device receives a request for attestation to the interface, selects the group private key for the interface, and sends an attestation in response to the request. Another computing device may receive the attestation and verify the attestation with a group public key corresponding to the group private key. The group private key may be an enhanced privacy identifier (EPID) private key, and the group public key may be an EPID public key. Other embodiments are described and claimed.

END-TO-END SECURE COMMUNICATIONS WITH HISTORY
20230102966 · 2023-03-30

In one embodiment, an illustrative method herein may comprise: determining, by a device of a communication session, that a new epoch has occurred within the communication session, wherein the communication session has one or more member devices; generating, by the device and in response to the new epoch, a new key encryption key and a key bundle comprising one or more keys to decrypt content of the communication session from one or more previous epochs of the communication session; encrypting, by the device, the key bundle with the new key encryption key to create an encrypted key bundle; and sharing, from the device, the encrypted key bundle with the one or more member devices to allow the one or more member devices to access the content of the communication session from the one or more previous epochs.
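The epoch and key-bundle flow described above, as an added example that is not code from the application: a stdlib-only Python simulation in which the device mints a new key encryption key (KEK) at each epoch, bundles the content keys of all previous epochs under that KEK, and a member admitted at a later epoch recovers the whole history from the KEK and the encrypted bundle alone. The HMAC-SHA256 keystream-plus-tag cipher, the derivation of each epoch's own content key from its KEK, and the class names are assumptions, not constructions the disclosure specifies.

```python
"""Epoch key history for a communication session (added example, not the disclosure's code).
On each new epoch the device creates a new KEK and an encrypted bundle of the previous
epochs' content keys; whoever holds the new KEK can read every earlier epoch.
Cipher: HMAC-SHA256 counter keystream + HMAC tag, a stand-in for a real AEAD (assumption)."""
import hashlib
import hmac
import os


def _keystream(key, nonce, length):
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]


def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def open_(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def content_key(kek):
    """Each epoch's own content key is derived from its KEK; only older keys ride in the bundle."""
    return hmac.new(kek, b"content-key", hashlib.sha256).digest()


class SessionDevice:
    """The device that detects a new epoch and builds the bundle."""
    def __init__(self):
        self.epoch = 0
        self.keks = {0: os.urandom(32)}           # epoch -> KEK

    def encrypt(self, message):
        return self.epoch, seal(content_key(self.keks[self.epoch]), message)

    def new_epoch(self):
        """Advance the epoch; return (new KEK, encrypted bundle of epochs 0..old epoch)."""
        previous = b"".join(content_key(self.keks[e]) for e in range(self.epoch + 1))
        self.epoch += 1
        self.keks[self.epoch] = os.urandom(32)
        # The KEK goes to members over their secure channel; the bundle may sit on any server.
        return self.keks[self.epoch], seal(self.keks[self.epoch], previous)


class Member:
    """A member admitted at `epoch`: it receives only the KEK and the encrypted bundle."""
    def __init__(self, epoch, kek, encrypted_bundle):
        history = open_(kek, encrypted_bundle)   # raises if the bundle was tampered with
        if len(history) != 32 * epoch:
            raise ValueError("bundle does not cover epochs 0..%d" % (epoch - 1))
        self.keys = {e: history[32 * e:32 * (e + 1)] for e in range(epoch)}
        self.keys[epoch] = content_key(kek)

    def decrypt(self, epoch, blob):
        if epoch not in self.keys:
            raise KeyError("no key for epoch %d" % epoch)
        return open_(self.keys[epoch], blob)


if __name__ == "__main__":
    dev = SessionDevice()
    _, c0 = dev.encrypt(b"sent in epoch 0")
    kek1, bundle1 = dev.new_epoch()
    print(Member(1, kek1, bundle1).decrypt(0, c0))   # a member admitted at epoch 1 reads epoch 0
```

The bundle only ever contains keys from epochs before the one it was minted in, so a member that never receives the next KEK (for instance one removed at the epoch change) learns nothing about later content, while anyone who does receive it gets the full history by design; the tag on the bundle is what stops an intermediary from silently swapping a key for an older epoch.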

Method, Device, and System for Updating Anchor Key in a Communication Network for Encrypted Communication with Service Applications

This disclosure generally relates to encrypted communication between terminal devices and service applications via a communication network. Such encrypted communication may be based on various hierarchical levels of encryption keys that are generated and managed by the communication network. Such encrypted communication and key management may be provided by the communication network to the terminal devices as a service that can be subscribed to. The various levels of encryption keys may be managed to improve flexibility of the communication network and to reduce potential security breaches.

Method, computer program product and apparatus for encrypting and decrypting data using multiple authority keys
11611539 · 2023-03-21

A method, apparatus and computer program product are provided for encrypting and decrypting data using multiple authority keys. The method includes receiving, from a first computing device, a data decrypt request to decrypt encrypted data, the request comprising a user key; determining that the user key is associated with a key hierarchy that comprises a server key; decrypting the server key using the user key; decrypting the encrypted data using the decrypted server key; and permitting access to the decrypted data by the first computing device.

SECURELY DISTRIBUTING A ROOT KEY FOR A HARDWARE SECURITY MODULE

An approach is provided for distributing a root key to a hardware security module (HSM) of an HSM cluster. A signed first command is transmitted to a source HSM to create a master key. A fingerprint of the master key is received in a response signed by the source HSM using a module signing key hardcoded into the source HSM at manufacturing time. A second command is transmitted to a first HSM to generate an importer key pair. A request is transmitted to the source HSM to create and export a wrapped master key. The master key wrapped with a transport key is received. The wrapped master key is transmitted to the first HSM. The master key is activated in the first HSM.

MEMORY PROCESSING APPARATUS, MEMORY VERIFICATION APPARATUS, MEMORY UPDATING APPARATUS, MEMORY PROTECTION SYSTEM, METHOD, AND COMPUTER READABLE MEDIUM

A memory address allocation unit allocates, to each node in a tree structure configured for protecting a memory, a memory address unique to that node. A tag generation unit defines, for each node, the concatenation of the node's memory address and a constant as a nonce, and generates a tag by inputting into a message authentication code (MAC) either the nonce and the plaintext whose tampering is to be detected, or the nonce and the constants of the node's child nodes; the MAC is one whose tag can be partially updated. A node generation unit uses the constant as a local counter and generates each node in the tree structure by combining at least a tag and the local counter.
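The tree described above, as an added example rather than the application's own implementation: a Python counter tree over a small memory in which every node has a distinct address, its nonce is address || local counter, leaf tags cover the data block, inner tags cover the children's counters, and only the key and the root counter are trusted. It recomputes HMAC-SHA256 tags in full where the abstract calls for a MAC with partially updatable tags; that substitution, the 64-byte address stride, the binary fan-out and the class name are assumptions.

```python
"""Counter-based memory integrity tree (added example, not the disclosure's implementation).
Untrusted memory holds data blocks, one local counter and one tag per node; the key and
the root counter are trusted. HMAC-SHA256 stands in for the partially updatable MAC."""
import hashlib
import hmac


class CounterTree:
    NODE_STRIDE = 64  # each node owns a distinct 64-byte slot, so its address is unique (assumption)

    def __init__(self, key, blocks):
        n = len(blocks)
        if n < 2 or n & (n - 1):
            raise ValueError("this example needs a power-of-two number of blocks")
        self.key, self.n = key, n
        self.data = list(blocks)                  # untrusted
        self.ctr = [0] * (2 * n)                  # untrusted: local counter per node, heap layout 1..2n-1
        self.tag = [b""] * (2 * n)                # untrusted: tag per node; leaves are n..2n-1
        for i in range(n, 2 * n):
            self.tag[i] = self._leaf_tag(i)
        for i in range(n - 1, 0, -1):
            self.tag[i] = self._inner_tag(i, self.ctr[i])
        self.root_ctr = self.ctr[1]               # trusted copy (e.g. an on-chip register)

    def _nonce(self, i, ctr):
        """address || counter: unique per node, fresh after every update of that node."""
        return (i * self.NODE_STRIDE).to_bytes(8, "big") + ctr.to_bytes(8, "big")

    def _leaf_tag(self, i):
        msg = self._nonce(i, self.ctr[i]) + self.data[i - self.n]
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def _inner_tag(self, i, ctr):
        # An inner tag binds the children's counters (the "constants of child nodes") to this nonce.
        kids = self.ctr[2 * i].to_bytes(8, "big") + self.ctr[2 * i + 1].to_bytes(8, "big")
        return hmac.new(self.key, self._nonce(i, ctr) + kids, hashlib.sha256).digest()

    def verify(self, block):
        """Check the leaf and every ancestor; the root is checked against the trusted counter."""
        i = self.n + block
        if not hmac.compare_digest(self.tag[i], self._leaf_tag(i)):
            return False
        i //= 2
        while i >= 1:
            ctr = self.root_ctr if i == 1 else self.ctr[i]
            if not hmac.compare_digest(self.tag[i], self._inner_tag(i, ctr)):
                return False
            i //= 2
        return True

    def write(self, block, new_data):
        """Update one block: bump the counters on its path to the root and retag only those nodes."""
        if not self.verify(block):
            raise ValueError("tampering detected before write")
        i = self.n + block
        self.data[block] = new_data
        self.ctr[i] += 1
        self.tag[i] = self._leaf_tag(i)
        i //= 2
        while i >= 1:
            self.ctr[i] += 1
            self.tag[i] = self._inner_tag(i, self.ctr[i])
            i //= 2
        self.root_ctr = self.ctr[1]


if __name__ == "__main__":
    t = CounterTree(b"\x42" * 32, [bytes([i]) * 32 for i in range(4)])
    old = (t.data[2], t.ctr[6], t.tag[6])
    t.write(2, b"\xff" * 32)
    t.data[2], t.ctr[6], t.tag[6] = old        # replay an old but self-consistent leaf
    print("replay detected:", not t.verify(2))
```

Replaying an old (data, counter, tag) triple for one leaf passes the leaf check, since the triple is self-consistent, but fails at the parent, whose tag was computed over the newer child counter; rolling the entire memory back to an older snapshot fails at the root, because verification uses the trusted root counter rather than the stored one.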

Efficient encrypted data management system and method
11637689 · 2023-04-25

A method for performing an encrypted data operation may include generating an encrypted hierarchical path identifier corresponding to a hierarchical data space for at least one plaintext data operation that preserves the hierarchy of the hierarchical data space. The at least one plaintext data operation may correspond to at least one subdivision of the hierarchical data space. The method may further include encrypting the at least one plaintext data operation, and sending a request to perform an encrypted data operation to a server. The request may include the encrypted data operation and the encrypted hierarchical path identifier.
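One way to build a hierarchy-preserving encrypted path identifier of the kind the abstract describes, as an added example and not the patent's construction: each path component is replaced by a keyed token whose key is derived from the plaintext prefix above it, so two paths share an encrypted prefix exactly when they share a plaintext prefix, and the server can answer subtree queries over ciphertext without learning the names. The HMAC-based token derivation, the 96-bit token length, the server layout and the class names are assumptions; the encrypted operations themselves are treated as opaque bytes already produced by the client's own cipher.

```python
"""Hierarchy-preserving encrypted path identifiers (added example, not the patent's code)."""
import hashlib
import hmac


class PathEncryptor:
    """Client side: plaintext path -> 'tok1/tok2/...' with one fixed-length token per level."""
    def __init__(self, root_key: bytes):
        self.root_key = root_key

    def encrypt_path(self, components):
        key, tokens = self.root_key, []
        for comp in components:
            if not comp or "/" in comp:
                raise ValueError("components must be non-empty and contain no '/'")
            name = comp.encode()
            tokens.append(hmac.new(key, b"token|" + name, hashlib.sha256).digest()[:12].hex())
            # The next level's key is bound to the whole prefix so far, so the same name
            # under a different parent gets an unrelated token.
            key = hmac.new(key, b"child|" + name, hashlib.sha256).digest()
        return "/".join(tokens)


class EncryptedStore:
    """Server side: sees only encrypted path identifiers and opaque encrypted operations."""
    def __init__(self):
        self.ops = []

    def apply(self, enc_path_id, encrypted_op):
        self.ops.append((enc_path_id, encrypted_op))

    def subtree(self, enc_prefix):
        """Operations on the subdivision identified by enc_prefix and everything beneath it."""
        return [op for pid, op in self.ops
                if pid == enc_prefix or pid.startswith(enc_prefix + "/")]


if __name__ == "__main__":
    pe, store = PathEncryptor(b"\x07" * 32), EncryptedStore()
    store.apply(pe.encrypt_path(["tenantA", "alice", "doc1"]), b"<encrypted op>")
    print(store.subtree(pe.encrypt_path(["tenantA"])))
```

Tokens are fixed-length, so the `startswith(enc_prefix + "/")` test cannot match across a component boundary. What the server still learns is the shape of the hierarchy and which operations fall under the same subtree; that leakage is the price of letting it serve subdivision queries, and a deployment that cannot accept it needs a different scheme.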

Systems and methods for efficient key management in a vehicular intranet

Embodiments described herein provide a tree-based key management protocol with enhanced computational and bandwidth efficiency. A tree structure including a plurality of nodes is formulated according to the modules in a vehicle. For a leaf node, a group key and a blinded key are computed based at least in part on the multiplication operation defined in an elliptic curve group. For a non-leaf node, a group key and a blinded key are computed recursively based at least in part on a key derivation function and that multiplication operation, applied to the group key and the blinded key of the nodes one level below the non-leaf node.
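The recursion described above carried through in working code, as an added example rather than the patent's protocol: each vehicle module is a leaf whose group key is a secret scalar and whose blinded key is secret*G; a non-leaf node's group key is KDF(x-coordinate of child_group_key * sibling_blinded_key) and its blinded key is group_key*G, so every module reaches the root key with one scalar multiplication per tree level. The choice of secp256k1, SHA-256 as the key derivation function, the "board" on which blinded keys are broadcast, and the names Module, build_tree and agree are assumptions.

```python
"""Tree-based group key agreement over an elliptic curve (added example, not the patent's code).
secp256k1 in affine coordinates: clear, not fast and not constant-time."""
import hashlib
import secrets

P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p, q):
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p == -q: point at infinity
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P    # a = 0 for secp256k1
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, point):
    """Double-and-add scalar multiplication; None is the point at infinity."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result


def kdf(x):
    """Shared x-coordinate -> non-zero scalar used as the node's group key."""
    return 1 + int.from_bytes(hashlib.sha256(b"tree-kdf|" + x.to_bytes(32, "big")).digest(), "big") % (N - 1)


class Node:
    def __init__(self, name=None, left=None, right=None):
        self.name, self.left, self.right, self.parent = name, left, right, None
        for child in (left, right):
            if child is not None:
                child.parent = self


def build_tree(names):
    """Balanced binary tree whose leaves are the vehicle modules, in the given order."""
    level = [Node(name) for name in names]
    while len(level) > 1:
        pairs = [Node(left=level[i], right=level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            pairs.append(level[-1])
        level = pairs
    return level[0]


def leaves(node):
    return [node] if node.name is not None else leaves(node.left) + leaves(node.right)


class Module:
    """One ECU: its own secret, the public board of blinded keys, and the group keys it has
    computed for the nodes on its path to the root."""
    def __init__(self, leaf, secret, board):
        self.leaf, self.board, self.top = leaf, board, leaf
        self.group_key = {leaf: secret}
        board[leaf] = ec_mul(secret, G)               # leaf blinded key, broadcast

    def advance(self):
        """Climb while the sibling subtree's blinded key is on the board; publish each ancestor's."""
        moved = False
        while self.top.parent is not None:
            parent = self.top.parent
            sibling = parent.right if self.top is parent.left else parent.left
            if sibling not in self.board:
                break                                 # a module on the other side has not published yet
            shared = ec_mul(self.group_key[self.top], self.board[sibling])   # Diffie-Hellman at this level
            self.group_key[parent] = kdf(shared[0])
            if parent not in self.board:
                self.board[parent] = ec_mul(self.group_key[parent], G)
            self.top = parent
            moved = True
        return moved


def agree(names, secrets_=None):
    """Run the protocol for every module; returns {module name: root group key}."""
    root = build_tree(names)
    order = leaves(root)
    if secrets_ is None:
        secrets_ = [secrets.randbelow(N - 1) + 1 for _ in order]
    board = {}
    modules = [Module(leaf, s, board) for leaf, s in zip(order, secrets_)]
    while any([m.advance() for m in modules]):       # list, so every module runs each round
        pass
    return {m.leaf.name: m.group_key[root] for m in modules}
```

Both children of a node compute the same point, because child_left_group_key * (child_right_group_key * G) equals child_right_group_key * (child_left_group_key * G); each module therefore needs only its own secret plus the broadcast blinded keys, and replacing one module changes only the keys on that module's path to the root, which is where the bandwidth and computation savings over a flat scheme come from.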