Patent classifications
H04L9/0836
NUTS: Flexible Hierarchy Object Graphs
A lock node for storing data and a protected storage unit. The lock node includes an input section which provides a plurality of key maps, each corresponding to one of a plurality of primary keys, respectively, applied to the input section, each key map including at least one main key, a variable lock section producing a derived key from a logical operation on the main keys corresponding to the primary keys applied to the input section, and an output section producing the data in response to the derived key.
TECHNOLOGIES FOR INTERNET OF THINGS KEY MANAGEMENT
Technologies for key management of internet-of-things (IoT) devices include an IoT device, an authority center server, and a group management server. The IoT device is configured to authenticate with an authority center server via an offline communication channel, receive a group member private key as a function of the authentication with the authority center server, and authenticate with a group management server via a secure online communication channel using the group member private key. The IoT device is further configured to receive a group shared key as a function of the authentication with the group management server, encrypt secret data with the group shared key, and transmit the encrypted secret data to the group management server. Other embodiments are described herein.
Key downloading method, management method, downloading management method, device and system
Disclosed is a key downloading management method, comprising: a device end verifying the validity of an RKS server by checking a digital signature of a work certificate public key of the RKS server; the RKS server generating an authentication token (AT), encrypting it by using an identity authentication secondary key DK2 of the device end, and sending the ciphertext to the device end; the device end decrypting the ciphertext by using the identity authentication secondary key DK2 saved thereby, encrypting the result by using the work certificate public key and then returning it to the RKS server; and the RKS server decrypting it by using its own work certificate private key and then comparing whether the returned authentication token (AT) is the same as the generated authentication token (AT). If so, the device end is valid, thereby achieving bidirectional identity authentication.
System and Method for Access Control Using Context-Based Proof
Control of access by a requesting entity to an asset includes defining an approved state of the requesting entity. A validation of a representation of the approved state in a non-repudiatable form is obtained from an event validation system. The requesting entity is triggered to determine its current state by an access-control entity, which compares the current state with the approved state and allows access by the requesting entity to the asset only if the current state is the same as the approved state. In a pre-authorization procedure, one or both of the entities issues a data set challenge to the other, which then validates the challenge via the event validation system and returns this validation to the challenging entity, which then checks the validation to see if it is correct. Data sets may be validated, for example, with hash tree based signatures or blockchain entries.
Data enciphering or deciphering using a hierarchical assignment system
Embodiments of a data encryption and/or decryption technique are disclosed. Briefly, for example, in accordance with one example embodiment a method is provided. A message based at least in part on a hierarchical symbol assignment system is encrypted. The hierarchical symbol assignment system is represented as a numerical value.
ENCRYPTION KEY MANAGEMENT FOR FILE SYSTEM
In an approach to encryption key management, a computing device, responsive to a key storage condition, stores, in a cache memory, a first e/d key. The computing device receives a request to read a first file. The computing device, responsive to the request, accesses the first file, with the accessing of the first file including: accessing, from the cache memory, the first e/d key, decrypting the first file using the first e/d key and a second e/d key, and accessing the decrypted version of the first file.
POLICY-ENABLED ENCRYPTION KEYS HAVING COMPLEX LOGICAL OPERATIONS
Examples described herein relate to a system for orchestrating a security object, including a memory and processor configured to define a plurality of complex policies in a database, wherein the complex policies comprise one or more of EQUAL policy, ONE-OF policy, MEMBER-OF policy, NULL policy, NOT-NULL policy, GREATER-THAN policy, GREATER-THAN-OR-EQUAL-TO policy, LESS-THAN policy, or LESS-THAN-OR-EQUAL-TO policy; receive the security object and at least one object attribute associated with the security object; determine acceptability of the security object based, at least in part, on the at least one object attribute and at least one of the plurality of complex policies corresponding to the at least one object attribute; and distribute the security object to at least one communication device associated with the processor when the security object is determined to be acceptable, wherein the at least one communication device establishes communication based, at least in part, on the security object.
SYSTEM AND METHOD FOR ASSOCIATING ENCRYPTION KEY MANAGEMENT POLICY WITH DEVICE ACTIVITY
Examples described herein relate to systems and methods for integrating and implementing ad hoc groups within a policy hierarchy environment. The ad hoc groups may implement particular guidelines for group membership, policy evaluations, and group actions. Systems and methods provide a framework for creating groups, removing groups, and associating groups, nodes, clients, and users with groups and policy. In some examples, there is provided a method for implementing ad hoc groups in a policy hierarchy environment, the method including: receiving a key orchestration operation request at a client associated with a node, a group, and a user; applying a sum of policies associated with the node to the request; applying a sum of policies associated with the group to the request; applying a sum of policies associated with the client to the request; applying a sum of policies associated with the user to the request; and evaluating the key orchestration operation request based on each of the sum of policies of the node, the group, the client, and the user.
EFFICIENT ENCRYPTED DATA MANAGEMENT SYSTEM AND METHOD
A method for performing an encrypted data operation may include generating an encrypted hierarchical path identifier corresponding to a hierarchical data space for at least one plaintext data operation that preserves the hierarchy of the hierarchical data space. The at least one plaintext data operation may correspond to at least one subdivision of the hierarchical data space. The method may further include encrypting the at least one plaintext data operation, and sending a request to perform an encrypted data operation to a server. The request may include the encrypted data operation and the encrypted hierarchical path identifier.
Key management in secure network enclaves
A hierarchical key generation and distribution mechanism for a computer system in which devices are organized into secure enclaves. The mechanism enables network access to be tailored to approximate minimum needed privileges for each device. At the lowest level of the hierarchy, keys are used to form security associations between devices. Keys at each level of the hierarchy are generated from keys at a higher level of the hierarchy and key derivation information. Key derivation information is readily ascertainable, either from identifiers for devices or from within messages, supporting hardware offload of cryptographic functions. Because keys may be generated based on the enclaves in which the hosts participating in a security association are located, the system includes a mechanism by which devices can discover the enclave in which they are located.