Patents by Inventor Karanvir S. Grewal

Karanvir S. Grewal has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20140032905
    Abstract: Both end-to-end security and traffic visibility may be achieved by a system using a controller that derives a cryptographic key that is different for each client based on a derivation key and a client identifier that is conveyed in each data packet. The controller distributes the derivation key to information technology monitoring devices and a server to provide traffic visibility. For large key sizes, the key may be derived using a derivation formula as follows:
      client_key_MSB = AES128(base_key_1, client_ID), (1)
      client_key_LSB = AES128(base_key_2, client_ID + pad), and (2)
      client_key = client_key_MSB || client_key_LSB,
    where (1) and (2) are executed in parallel. The client key and a client identifier may be used so that end-to-end security may be achieved.
    Type: Application
    Filed: June 12, 2013
    Publication date: January 30, 2014
    Inventors: Men Long, Jesse Walker, Karanvir S. Grewal
  • Publication number: 20130279690
    Abstract: An apparatus and method for preserving image privacy when manipulated by cloud services includes middleware for receiving an original image, splitting the original image into two sub-images, where the RGB pixel values of the sub-images have a bit value that is less than RGB pixel values of the original image. The sub-images are encrypted by adding a keystream to the RGB pixel values of the sub-images. The sub-image data is transmitted to a cloud service such as a social network or photo-sharing site, which manipulates the images by resizing, cropping, filtering, or the like. The sub-image data is received by the middleware and is successfully decrypted irrespective of the manipulations performed by the cloud services. In an alternative embodiment, the blocks of the original image are permutated when encrypted, and then reverse-permutated when decrypted.
    Type: Application
    Filed: December 15, 2011
    Publication date: October 24, 2013
    Inventors: David M. Durham, Men Long, Karanvir S. Grewal, Prashant Dewan, Xiaozhu Kang
  • Publication number: 20130067228
    Abstract: A method and device for securely sharing images across untrusted channels includes downloading an encrypted image from a remote server to a computing device. The encrypted image may be encrypted at the time of uploading by another user. The current user of the computing device is authenticated using a facial recognition procedure. If the current user is authenticated and is determined to be authorized to view the decrypted image, the encrypted image is decrypted and displayed to the user. If the user becomes unauthenticated (e.g., the user leaves the computing device or another user replaces the current user), the encrypted image is displayed in place of the decrypted image such that the decrypted image is displayed only for authorized persons physically present at the computing device.
    Type: Application
    Filed: September 12, 2011
    Publication date: March 14, 2013
    Inventors: Prashant Dewan, David M. Durham, Xiaozhu Kang, Karanvir S. Grewal
  • Patent number: 8281122
    Abstract: An embodiment may include circuitry to generate, at least in part, and/or receive, at least in part, a packet. The packet may include at least one field and an encrypted payload. The at least one field may include, at least in part, a first key and/or at least one value. The first key and at least one value, as included in the at least one field, may be encrypted by a second key. The encrypted payload may be capable of being decrypted, at least in part, based, at least in part, upon the first key and/or the at least one value to yield an unencrypted payload. The unencrypted payload may include at least a portion of application layer data that is to be communicated in a secure session.
    Type: Grant
    Filed: March 2, 2009
    Date of Patent: October 2, 2012
    Assignee: Intel Corporation
    Inventors: David M. Durham, Men Long, Karanvir S. Grewal
  • Publication number: 20110182427
    Abstract: An embodiment may include circuitry to establish, at least in part, a secure communication channel between, at least in part, a client in a first domain and a server in a second domain. The channel may include a first and second domain sessions in the first and second domains. The circuitry may generate first and second domain session keys that may encrypt, at least in part, respectively, the first and second domain sessions. The first domain session key may be generated based upon a first domain key assigned to the first domain and a first data set associated with the first domain session. The second domain session key may be generated based upon a second domain key assigned to the second domain and a second data set associated with the second domain session.
    Type: Application
    Filed: January 28, 2010
    Publication date: July 28, 2011
    Inventors: Men Long, Karanvir S. Grewal
  • Patent number: 7882255
    Abstract: Cooperating entities share a signaling interface. Each entity establishes a security association between itself and an endpoint, and one of the entities transmits keepalive messages over a channel associated with the security association. Chipsets and systems to implement related methods are also described and claimed.
    Type: Grant
    Filed: March 29, 2006
    Date of Patent: February 1, 2011
    Assignee: Intel Corporation
    Inventors: Kapil Sood, Jesse R. Walker, Karanvir S. Grewal
  • Publication number: 20100223457
    Abstract: An embodiment may include circuitry to generate, at least in part, and/or receive, at least in part, a packet. The packet may include at least one field and an encrypted payload. The at least one field may include, at least in part, a first key and/or at least one value. The first key and at least one value, as included in the at least one field, may be encrypted by a second key. The encrypted payload may be capable of being decrypted, at least in part, based, at least in part, upon the first key and/or the at least one value to yield an unencrypted payload. The unencrypted payload may include at least a portion of application layer data that is to be communicated in a secure session.
    Type: Application
    Filed: March 2, 2009
    Publication date: September 2, 2010
    Inventors: David M. Durham, Men Long, Karanvir S. Grewal
  • Publication number: 20080002586
    Abstract: In an embodiment, a method is provided. The method of this embodiment provides monitoring on a system flow statistics to identify one or more non-compliant traffic flows on the system, each of the one or more non-compliant traffic flows having packets; assigning a tag to each of the one or more non-compliant traffic flows, each of the tags corresponding to one of at least one congestion management policy; and applying one of the tags to each of the packets associated with any of the non-compliant traffic flows.
    Type: Application
    Filed: June 30, 2006
    Publication date: January 3, 2008
    Inventors: Ravi Sahita, Karanvir S. Grewal, Manoj K. Wadekar, Uday R. Savagaonkar