Abstract: One example method includes generating a biometric of a user, requesting, and receiving, biometric data from a card, comparing the biometric data with the biometric, and when the biometric data matches data of the biometric, authorizing a transaction requested by a user using the card. The request for biometric data may identify what particular type of biometric data is compatible with the device making the request, and the biometric data may be a subset of the data that makes up the biometric.

Abstract: One example method includes continuously performing key related operations. Each data set in a storage system is encrypted with a different key. New keys are repeatedly introduced and new data is encrypted only with the newest or latest key. Data being rekeyed is re-encrypted with the latest key. By repeatedly introducing new keys and rekeying data sets associated with older keys, the overall key age of the system can be kept low and the data is less susceptible to being compromised.

Abstract: One example method includes sending, by a sender, a commitment message, wherein the commitment message is digitally signed by the sender but is not verifiable by a recipient until a public key is revealed by the sender, transmitting, by the sender, the commitment message to the recipient, confirming, by the sender, that the commitment message has been received by the recipient, and only after receipt of the commitment message has been confirmed by the recipient, revealing in a second message, by the sender, the public key, wherein the public key is usable by the recipient to verify that the commitment message was validly signed by the sender.

Abstract: An apparatus in an illustrative embodiment comprises a client device configured for communication with a storage system, with the client device comprising a processor coupled to a memory. The client device is further configured to generate a data encryption key for a data item by computing a function of at least the data item, to encrypt the data item using the data encryption key for the data item, to encrypt the data encryption key using a secret key of the client device, and to send the encrypted data item and the encrypted data encryption key to the storage system for storage in the storage system. The client device is still further configured to retrieve the encrypted data item and the encrypted data encryption key from the storage system, and to perform an integrity check on the retrieved encrypted data item using a result of decrypting the retrieved encrypted data encryption key.

Abstract: An apparatus comprises at least one processing device that includes a processor coupled to a memory. The processing device is configured to obtain access credentials for accessing a protected resource via a server over a network, to modify at least a portion of the obtained access credentials based at least in part on identifying information of at least one of the protected resource and the server, and to utilize the modified access credentials in place of the obtained access credentials in an authentication protocol carried out with the server. In some embodiments, modifying at least a portion of the obtained access credentials illustratively comprises modifying at least a portion of the obtained access credentials in a manner compliant with one or more credential format rules for the protected resource. The access credentials may comprise at least one of a username and a password.

Abstract: One example method includes maintaining a deduplication data structure including one or more entries that each identify a respective fingerprint, and pointer, and also maintaining a ClientBlockList data structure comprising one or more entries that each identify a respective handle, retention date, and block, receiving a write request that identifies a handle, retention date, and block, computing a fingerprint of the block identified in the write request, determining, by the server, whether the fingerprint is in the deduplication data structure, and when the fingerprint is not in the deduplication data structure, storing the block identified in the write request at location ‘L’ in the deduplication data structure, and adding, to the deduplication data structure, an entry that identifies the fingerprint and the location ‘L,’ and adding, to the ClientBlockList data structure, an entry that identifies the handle, retention date, and fingerprint.

Abstract: An apparatus in one embodiment comprises at least one processing device that includes a processor coupled to a memory, with the at least one processing device being configured to provide an authentication service for sharing access credentials of a protected resource among multiple users. The at least one processing device in providing the authentication service for sharing the access credentials is further configured to obtain the access credentials at least in part from a first one of the users, to automatically provide the access credentials to at least one additional one of the users responsive to authentication of the at least one additional user and satisfaction of one or more specified distribution conditions, and to automatically modify the access credentials responsive to satisfaction of one or more specified revocation conditions. The protected resource may comprise, for example, a user account of a website.

Abstract: Selecting a review panel of dissimilar peers. An asset is reviewed from an ethical perspective by a panel of reviewers. The panel of reviewers includes members that are selected based on their dissimilarity to creators of the asset. Selecting dissimilar members for the panel of reviewers allows bias in the asset to be identified and remedied. A portion of the panel of reviewers may be selected randomly to further improve the effectiveness of the panel of reviewers in reviewing the asset for ethicalness.

Abstract: One example method includes logging into websites through devices including insecure devices. A logon device may store credentials. The logon device is configured to connect with an insecure device and then communicate with a website for authentication purposes without exposing a user's credentials to the insecure device. After the user is authenticated, the session is transferred to the insecure device.

Abstract: A method of sending blocks of data from a client to be stored at a storage server, wherein for each block compression and encryption is performed at the client, and deduplication is performed at the server. Security is thus enhanced as the block is compressed and encrypted when it is sent over an unsecured network and when it is stored in potentially a third-party backup system. Provisions are made to enable addition of new compression algorithms and for retirement of old compression algorithms, while ensuring that a client would not receive a block which was compressed using an unsupported, e.g., retired, compression algorithm. In some examples a compression algorithm ID is tied to an encryption key version to enable refresh of blocks compressed with old algorithm.

Abstract: One example method includes sending, by a sender, a commitment message, wherein the commitment message is digitally signed by the sender but is not verifiable by a recipient until a public key is revealed by the sender, transmitting, by the sender, the commitment message to the recipient, confirming, by the sender, that the commitment message has been received by the recipient, and only after receipt of the commitment message has been confirmed by the recipient, revealing in a second message, by the sender, the public key, wherein the public key is usable by the recipient to verify that the commitment message was validly signed by the sender.

Abstract: In a cloud-based multiple client encryption and deduplication environment, secret plaintext data of a client is encrypted to produce ciphertext in an enclave comprising a trusted execution environment which is inaccessible by unauthorized entities and processes even with administrator privileges. Encryption is performed with an initialization vector and an encryption key calculated in the enclave. The encrypted ciphertext is deduplicated prior to storage by comparing a hash of the corresponding plaintext data to hashes of previously stored plaintext data.

Abstract: One example method includes accessing stored data, associating a unique identifier with the data, creating a hash by hashing a combination that comprises the unique identifier and the data, transmitting the hash to a notary service, receiving, from the notary service, a digital signature that corresponds to the hash, appending the digital signature to the data, and storing, as an object, a combination that comprises the digital signature, the data, and the unique identifier.

Abstract: One example method includes generating a biometric of a user, requesting, and receiving, biometric data from a card, comparing the biometric data with the biometric, and when the biometric data matches data of the biometric, authorizing a transaction requested by a user using the card. The request for biometric data may identify what particular type of biometric data is compatible with the device making the request, and the biometric data may be a subset of the data that makes up the biometric.

Abstract: One example method includes logging into websites through devices including insecure devices. A logon device may store credentials. The logon device is configured to connect with an insecure device and then communicate with a website for authentication purposes without exposing a user's credentials to the insecure device. After the user is authenticated, the session is transferred to the insecure device.

Abstract: One example method includes maintaining a deduplication data structure including one or more entries that each identify a respective fingerprint, and pointer, and also maintaining a ClientBlockList data structure comprising one or more entries that each identify a respective handle, retention date, and block, receiving a write request that identifies a handle, retention date, and block, computing a fingerprint of the block identified in the write request, determining, by the server, whether the fingerprint is in the deduplication data structure, and when the fingerprint is not in the deduplication data structure, storing the block identified in the write request at location ‘L’ in the deduplication data structure, and adding, to the deduplication data structure, an entry that identifies the fingerprint and the location ‘L,’ and adding, to the ClientBlockList data structure, an entry that identifies the handle, retention date, and fingerprint.

Abstract: One example method includes continuously performing key related operations. Each data set in a storage system is encrypted with a different key. New keys are repeatedly introduced and new data is encrypted only with the newest or latest key. Data being rekeyed is re-encrypted with the latest key. By repeatedly introducing new keys and rekeying data sets associated with older keys, the overall key age of the system can be kept low and the data is less susceptible to being compromised.

Abstract: An apparatus in one embodiment includes at least one processing device comprising a processor coupled to a memory. The processing device is configured to implement a first ledger maintenance node. The first ledger maintenance node is configured to communicate over one or more networks with a plurality of additional ledger maintenance nodes, to identify a block for proposed addition to a distributed ledger collectively maintained by the first and additional ledger maintenance nodes, to apply a digital signature of the first ledger maintenance node to the block, and to receive digital signatures on the block from at least a subset of the additional ledger maintenance nodes. Responsive to receipt of sufficient digital signatures from respective ones of the additional ledger maintenance nodes to meet a specified quorum of digital signatures required for addition of the block to the distributed ledger, the first ledger maintenance node adds the block to the distributed ledger.

Abstract: A method of sending blocks of data from a client to be stored at a storage server, wherein for each block compression and encryption is performed at the client, and deduplication is performed at the server. Security is thus enhanced as the block is compressed and encrypted when it is sent over an unsecured network and when it is stored in potentially a third-party backup system. Provisions are made to enable addition of new compression algorithms and for retirement of old compression algorithms, while ensuring that a client would not receive a block which was compressed using an unsupported, e.g., retired, compression algorithm.

Abstract: An apparatus in an illustrative embodiment comprises a client device configured for communication with a storage system, with the client device comprising a processor coupled to a memory. The client device is further configured to identify a data item to be stored in the storage system, and to generate a data encryption key for the data item as a function of a first secret key and the data item. For example, the function may comprise hashing at least the data item. The client device is further configured to encrypt the data item using the data encryption key for the data item, and to send the encrypted data item to the storage system for storage therein. The client device in some embodiments is further configured to encrypt the data encryption key using a second secret key, and to send the encrypted data encryption key to the storage system for storage therein as metadata of the data item.