Abstract: Techniques are disclosed relating to user authentication using multi-party computation and public key cryptography. In some embodiments, a server may receive, from a client, a request to authenticate a user to a service. The server may access key-pair information that includes, for a server key-pair, a first component of a server private key and, for a client key-pair, a client public key and a first component of a client private key. The server may generate a partial signature value that is based on the first component, but not the entirety, of the server private key. The server may send, to the client, an authentication challenge that includes challenge information and the partial signature value. The server may then determine whether to authenticate the user based on an authentication response from the client.

Abstract: Disclosed are some implementations of systems, apparatus, methods and computer program products for securing memory dumps. In response to a trigger condition, a server generates a symmetric key corresponding to an instance of a memory dump. The server encrypts memory contents of the server using the symmetric key. In addition, the server encrypts the symmetric key using a key-encrypting key (kek), which can include a public key Both the encrypted memory contents and the encrypted symmetric key are stored for the instance of the memory dump. Responsive to a request for information pertaining to the instance of the memory dump, the encrypted memory contents and the encrypted symmetric key are retrieved from storage, the encrypted symmetric key is decrypted using a private key, and the symmetric key is used to decrypt the encrypted memory contents.

Abstract: Methods, systems, and devices for encryption key storage are described. An application server may store an encryption key in volatile memory and access the key directly from the volatile memory when performing an encryption process. In some cases, a user may supply the encryption key to the application server on demand. Accordingly, when the application server is restarted, the encryption key may be purged from the memory. In some cases, the encryption key may be wrapped in a public key, and the application server may derive a private key to decrypt the public key-encrypted information to access the encryption key and store it in the volatile memory. Additionally or alternatively, the user may supply a first fragment of the encryption key, and the application server may derive the encryption key from the first fragment and a second fragment of the encryption key retrieved from a database.

Abstract: Some embodiments of the present invention include an apparatus for securing data and include a processor, and one or more stored sequences of instructions which, when executed by the processor, cause the processor to set a data download threshold, encrypt data to be downloaded by a user based on detecting size of the data violating the download threshold such that the user receives encrypted downloaded data, and manage a decryption key used to decrypt the encrypted downloaded data. The decryption key may be deconstructed into “N” key fragments and may be reconstructed using “K” key fragments where “N” is equal to “2K?1”.

Abstract: The disclosed technology for a hardware system to access a secure backend system uses non-volatile memory to hold encrypted secrets, volatile memory to hold decrypted secrets ready for use, a keys-for-all (K4A) server, and app servers running K4A clients. To access the backend system in production, each app server uses a decrypted secret and a certificate that identifies the app server and certifies its role and physical and logical location. At initialization of the app server, a K4A client is instantiated that launches and tracks processes, running on the app server, that are authorized to request decryption services. The K4A client responds to a decryption request from an authorized process, determined based on tracking of processes launched, by requesting decryption by a K4A server, using the certificate, and returns to the process, in volatile memory, a decrypted secret or a reference to the decrypted secret, decrypted by the K4A server.

Abstract: Techniques are disclosed relating to user authentication using multi-party computation and public key cryptography. In some embodiments, a client system may receive, from a server system, an authentication challenge that includes a first partial signature value. The client system may access key-pair information that includes, for a server key-pair, a server public key and a second component of a server private key, where the server system has access to a first component of the server private key. The client system may then generate a second partial signature value using the second component of the server private key but not an entirety of the server private key, and may generate a final signature value based on the first and second partial signature values. Using the final signature value, the client system may then determine whether the authentication challenge was sent by the server system.

Abstract: The disclosed technology for a hardware system to access a secure backend system uses non-volatile memory to hold encrypted secrets, volatile memory to hold decrypted secrets ready for use, a keys-for-all (K4A) server, and app servers running K4A clients. To access the backend system in production, each app server uses a decrypted secret and a certificate that identifies the app server and certifies its role and physical and logical location. At initialization of the app server, a K4A client is instantiated that launches and tracks processes, running on the app server, that are authorized to request decryption services. The K4A client responds to a decryption request from an authorized process, determined based on tracking of processes launched, by requesting decryption by a K4A server, using the certificate, and returns to the process, in volatile memory, a decrypted secret or a reference to the decrypted secret, decrypted by the K4A server.

Abstract: In a computing system, methods for secure OS level login authentication for internal users to access servers. Some or all servers in a group each utilize a local ID Service for generating and validating a challenge responsive to an OS login request. The challenge is processed in a centralized secure server HSM. Rather than copying individual user public keys to each host in the data center, we need only copy the public key of the HSM to each host in the group. When a user attempts OS level login to a host, it encrypts the challenge using the public key of the HSM and forwards the request for processing in the HSM. There, it decrypts the challenge using the private key in the HSM and re-encrypts the challenge with the public key of the individual user. The user's mobile device, previously registered, is required to complete the authentication process.

Abstract: Methods, systems, and devices for user authentication are described. A user may attempt an authentication procedure when accessing an application or cloud platform. When the user requests access to the application or cloud platform, a server may determine one or more unique identifiers to display at a first application for the user, and the user may select one of the unique identifiers. The server may then display unique identifiers (e.g., in some cases, the same unique identifiers) at a second application associated with the user. The user may verify that the selected unique identifier is displayed on the second application, and may select the same unique identifier in the second application. Additionally, the user may input a user-specific identifier to confirm their identity. The server may authenticate the user's identity if the user selected matching unique identifiers, and if the user-specific identifier matches an expected identifier for the user.

Abstract: Embodiments include an apparatus for securing customer data and include a processor, and one or more stored sequences of instructions which, when executed, cause the processor to store an encrypted first key fragment in a first storage area, store an encrypted second key fragment in a separate second storage area, wherein access to the first storage area and to the second storage area is mutually exclusive. The instructions further cause the processor to decrypt the encrypted first key fragment and the encrypted second key fragment using a key set and keys associated with a hardware security module based on receiving a request to derive a master key. The master key is derived using the decrypted first key fragment and the decrypted second key fragment and stored in an in-memory cache. The master key is used to encrypt or to decrypt encrypted customer data.

Abstract: Methods, systems, and devices for validation at an application server are described. The application server may validate a user device utilizing a public-private key pair, and may refrain from establishing a database connection until the user device is validated. For example, the application server may transmit a private key and a public key identifier to the user device. When the application server receives a session establishment message that is based on a private key and that contains the public key identifier, the application server may determine the public key of the public-private key pair based on the identifier. The application server may validate that the session establishment message is received from the user device based on the private key and the determined public key. Based on this validation procedure, the application server may establish a database connection with a database, granting the validated user device access to requested data.

Abstract: Some embodiments of the present invention include an apparatus for securing data and include a processor, and one or more stored sequences of instructions which, when executed by the processor, cause the processor to set a data download threshold, encrypt data to be downloaded by a user based on detecting size of the data violating the download threshold such that the user receives encrypted downloaded data, and manage a decryption key used to decrypt the encrypted downloaded data. The decryption key may be deconstructed into “N” key fragments and may be reconstructed using “K” key fragments where “N” is equal to “2K?1”.

Abstract: Within one or more instances of a computing environment where an instance is a self-contained architecture to provide at least one database with corresponding search and file system. User information from the one or more instances of the computing environment is organized as zones. A zone is based on one or more characteristics of corresponding user information that are different than the instance to which the user information belongs. User information is selectively obfuscated prior to transmitting blocks of data including the obfuscated user information. The selective obfuscation is based on zone information for one or more zones to which the user information belongs.

Abstract: Systems and methods for identify confirmation and transaction security are described. The system generates a challenge. The system transmits to a client computing system an encrypted challenge generated using the challenge and a public key of an asymmetric key pair to a client computing system. The system fragments a private key of the asymmetric key pair into a first, second and third private key fragments. The system generates a first partially decrypted challenge using the first private key fragment and the encrypted challenge. The system receives a second and a third partially decrypted challenges from the client computing system. The system generates a decrypted challenge using the first, second and third partially decrypted challenges. The system compares the decrypted challenge and the challenge for identity verification.

Abstract: Methods, systems, and devices for data migration are described. In a system, databases may utilize different database-specific encryption keys for storage security. In some cases, the system may migrate data from a first (i.e., source) database to a second (i.e., target) database. To securely migrate the data, the source database may generate a temporary encryption key. The source database may decrypt the data using its database-specific key and may re-encrypt the data using this temporary encryption key. Additionally, the source database may wrap the temporary key with a public key corresponding to the target database. The source database may send the re-encrypted data and the wrapped temporary key to the target database. The target database may unwrap the temporary key using a private key associated with the public key and may decrypt the data using the temporary key before re-encrypting the data with its database-specific key for data storage.

Abstract: Within one or more instances of a computing environment where an instance is a self-contained architecture to provide at least one database with corresponding search and file system. User information from the one or more instances of the computing environment is organized as zones. A zone is based on one or more characteristics of corresponding user information that are different than the instance to which the user information belongs. User information is selectively obfuscated prior to transmitting blocks of data including the obfuscated user information. The selective obfuscation is based on zone information for one or more zones to which the user information belongs.

Abstract: Systems and methods for identify confirmation and transaction security are described. The system transmits to a client computing system an encrypted challenge generated using a public key of an asymmetric key pair and a first partially decrypted challenge generated by applying a first private key fragment of a private key of the asymmetric key pair to the encrypted challenge. The system receives a decrypted challenge generated by applying a second private key fragment of the private key to the encrypted challenge to generate a second partially decrypted challenge, applying a third private key fragment of the private key to the encrypted challenge to generate a third partially decrypted challenge, and combining the first partially decrypted challenge, the second partially decrypted challenge and the third partially decrypted challenge to generate the decrypted challenge. The system uses the decrypted challenge for verification.

Abstract: A method is disclosed. The method includes, in a client device, acquiring first and second asymmetric cryptographic key pairs for a user, where each key pair includes a public key and a corresponding private key, securing the private key of the second key pair in a cryptographic processor, and splitting the private key of the first key pair into plural private key fragments, so that a sum of the plural private key fragments equals the private key of the first key pair. The method further includes storing at least one of the plural private key fragments on the client device, and registering the user with an identity service not hosted on the client device. Registering the user includes providing to the identity service, for use in securely authenticating the user, the public keys of the first and second key pairs, and the plural private key fragment(s) excluding the at least one private key fragment secured on the client device.

Abstract: Techniques are disclosed relating to signing and authentication of network messages such as API calls. A server system and a client system may collaboratively establish a shared secret key, which is then usable to sign such messages. These techniques may be useful in various situations, such as for integrations between different systems.

Abstract: An ID service on an app server interacts with a corresponding identity app installed on a user device such as a smart phone. At setup, the ID service receives the user's public key and only a segment of the corresponding private key. A special challenge message is created and partially decrypted using the private key segment on the server side, and then decryption is completed on the client app using the remaining segment(s) of the private key to recover the challenge. A token authenticator based on the result of the decryption is sent back to the identity service, for it to verify validity of the result and, if it is valid, enable secure login without requiring a password.