Abstract: According to one example, a system includes a second computing device that has one or more processors configured to receive encrypted data from a first computing device, the encrypted data being encrypted based on a first encryption key. The one or more processors are further configured to generate a second encryption key that matches the first encryption key, decrypt the encrypted data using the second encryption key, and transmit the data for use.

Abstract: An anti-counterfeit product of manufacture includes a housing defining a cavity. The housing is constructed of a first and second bodies forming an original joint at a parting line. Inner workings of the product are enclosed within the cavity. An encryption device includes an encryption-coded ceramics-based pin grid array embedded in the first body of the housing. An RFID circuit is connected with the ceramics-based pin grid array. The RFID circuit is configured to report out a confirmation signal based on the code set by the connected ceramics-based pin grid array upon an RFID reader interrogation trigger. The RFID circuit is programmed to prevent future reporting of the confirmation signal upon detachment of the ceramics-based pin grid array from the RFID circuit, such that the confirmation signal is configured to confirm both product authenticity and integrity of the original joint.

Abstract: A system for providing off-the-record functionality is provided herein. The system may include a processor configured to execute processor-executable instructions stored in non-transitory computer-readable medium to establish a video conference having a plurality of participants, each participant of the plurality of participants exchanging a plurality of audio or video streams via the video conference. The processor may also be configured to receive, from a first client device associated with one of the plurality of participants, a first audio stream or a first video stream of the plurality of audio or video streams, and record the plurality of audio or video streams within a recording. The processor may also be configured to receive an off-the-record request to begin an off-the-record time period, and in response to the off-the-record request, prevent at least one of the first audio stream or the first video stream from being included in the recording.

Abstract: This application provide a positioning method, including: obtaining, by a first electronic device, a first location of a second electronic device; determining a plurality of candidate locations by using the first location as a center point; selecting a plurality of candidate positioning locations from the plurality of candidate locations based on elevations and azimuths of a plurality of satellites relative to the candidate locations, grid data corresponding to the plurality of candidate locations, and signal parameters of broadcast signals received by the second electronic device from the plurality of satellites; and correcting the first location based on the plurality of candidate positioning locations, to output a corrected second location.

Abstract: An example device may include one or more processors to receive a request for a service from a requestor user device; provide transaction information associated with the service to a provider user device, where the transaction information may include location information corresponding to a location at which the service may be provided; obtain verification information from the requestor user device based on an interaction associated with the requestor user device or the provider user device at the location, where the verification information may include one or more characteristics of the requestor user device; generate a verification token based on the one or more characteristics of the requestor user device; and provide the verification information to the provider user device to permit the provider user device to verify the requestor user device, based on receiving the verification information and obtaining the verification token from the requestor user device.

Abstract: A mobile device is disclosed. The device includes a communicator, a GPS unit for calculating location information, a memory, a display, and a processor, and the processor is configured to generate movement path information of the mobile device by performing homomorphic encryption of a plurality of pieces of location information stored in the memory, transmit the movement path information to a server apparatus through the communicator, based on operation result data obtained by operating based on the movement path information and comparison target path information being transmitted from the server apparatus, decrypt the operation result data, and output a message notifying whether a route overlaps the comparison target path information based on a decrypted result through the display. Therefore, the route overlap is rapidly and accurately confirmed without invasion of privacy.

Abstract: A method for updating a cryptographic key via a computation unit configured with one or more processors and a memory coupled to the one or more processors is disclosed. The method includes loading a base key into a cryptographic storage unit integrated with a cryptographic application. The method includes generating a temporal key based on the base key using a one-way key update algorithm via cryptographic application logic integrated within the cryptographic application. The temporal key is assigned an update count based on the number of updates performed on the temporal key. The method further includes comparing the update count value to a required update count, updating the temporal key if the update count is less than the required update count, and zeroizing the temporal key if the update count is more than the required update count, in which the temporal key may be regenerated with the required update count.

Abstract: The disclosure provides an approach for cryptographic agility. Embodiments include establishing, by a proxy component associated with a cryptographic agility system, a first secure connection with an application. Embodiments include receiving, by the proxy component, via the first secure connection, a communication from the application directed to an endpoint. Embodiments include selecting, by the cryptographic agility system, a cryptographic technique based on contextual information related to the communication. Embodiments include establishing, by the proxy component, a second secure connection with the endpoint based on the cryptographic technique. Embodiments include transmitting, by the proxy component, a secure communication to the endpoint via the second secure connection based on the communication.

Abstract: A method and system of providing a second broadcast signal from a first broadcast signal is described. The method includes receiving a broadcast signal containing media content and data content and selecting, from the data content, a first portion containing control and configuration and a second portion containing replacement content. The method further includes converting the first portion and the second portion into a multicast internet protocol stream and processing the replacement content as a second broadcast signal using the control and configuration information. The system includes a transceiver that receives a broadcast signal, selects a first portion and a second portion of the data content, and converts the first portion of the data content and the second portion of the data content into a multicast internet protocol stream. The system further includes a gateway device that processes the replacement content using the control and configuration information.

Abstract: A method for quantum routing is performed by a relay network node that is connected to a plurality of nearest-neighbor network nodes. The method includes receiving, from a source network node of the plurality of nearest-neighbor network nodes, a first command indicating a destination network node. The method includes selecting, based on the destination network node, a next-hop network node from the nearest-neighbor network nodes. The method includes determining a number of current quantum-entangled channels between the relay network node and the next-hop network node. The method includes establishing a new quantum-entangled channel between the relay network node and the next-hop network node in response to the number of current quantum-entangled channels being less than a threshold.

Abstract: A proximity based authentication system and method is described. The system includes a gateway, a cloud component, and a mobile device. The gateway is associated with a particular location and is communicatively coupled to a cloud component. The gateway includes a gateway short-range wireless radio capable of establishing a short-range wireless communication channel. The mobile device is also communicatively coupled the cloud component and includes a mobile device short-range wireless radio that communicates with the gateway using the short-range wireless communication channel when the mobile device is in proximity of the gateway. The mobile device receives a gateway key over the short-range wireless communication channel. The mobile device then communicates the gateway key to a cloud component database. The cloud component authenticates the particular location of the mobile device when the cloud component receives the gateway key from the mobile device.

Abstract: A method and system for anonymizing data to be transmitted to a destination computing device is disclosed. Anonymization strategy for data anonymization is provided. Data to be transmitted is received from a user computer. Selective anonymization of the data is performed, based on the anonymization strategy, using an anonymization module. The data includes a plurality of characters. A portion of the anonymized data is selected as a search ID. A cross reference between a search key indicative of a portion of the received data and the corresponding search ID is stored.

Abstract: Embodiments are disclosed for a quantum key distribution (QKD) enabled intra-datacenter network. An example system includes a first QKD device and a second QKD device. The first QKD device includes a first quantum-enabled port and a first network port. The second QKD device includes a second quantum-enabled port and a second network port. The first quantum-enabled port of the first QKD device is communicatively coupled to the second quantum-enabled port of the second QKD device via a QKD link associated with quantum communication. Furthermore, the first network port of the first QKD device is communicatively coupled to a first network switch via a first classical link associated with classical network communication. The second network port of the second QKD device is communicatively coupled to a second network switch via a second classical link associated with classical network communication.

Abstract: Systems, methods, apparatuses, and computer program products directed to next generation (e.g., 5G systems) key set identifier(s) are provided. One method includes requesting, by a network node, authentication of a user equipment with an authentication server, receiving a master key and authentication parameters/vectors from the authentication server when authorization is successful, and verifying validity of the authentication request. When the verification is successful, the method may further include instantiating a security context for the user equipment and assigning a security context identifier for next generation system security context to the user equipment, and then sending a security mode command message to instruct the user equipment to instantiate security context using the security context identifier.

Abstract: A cover or components for cellphones or other digital devices featuring physical cryptography to forward and receive encrypted messages on a tamper-proof basis which uses physical encryption to send encrypted messages between two or more users, in which decoding of the forwarded message takes place by overlaying (30) on the cell phone device or digital device (1) a key image cover (20) matching the forwarded matrix image (10).

Abstract: A method for communication in a hearing system comprising the server device and a hearing device system, the hearing device system comprising a hearing device and a user accessory device with a user application installed thereon, the method includes: obtaining hearing device data for the hearing device; securing the hearing device data using a first security scheme to obtain a first output; securing the first output using a second security scheme to obtain a second output, wherein the second security scheme is different from the first security scheme; and transmitting the second output to the user accessory device.

Abstract: In one embodiment, a method includes receiving, at a social-networking system an identifier corresponding to a post item stored in the social-networking system, and information indicative of a plurality of coordinated user gestures input into a composition interface control. The composition interface control comprises a plurality of interface targets each associated with a respective musical note. The information comprises target musical note and timing data associated with each of the user gestures. The method further includes translating the plurality of coordinated user gestures into a musical composition that includes musical notation reflecting the musical note and timing data of each user gesture. The method also includes associating the musical composition with the post item, and in response to receiving a request for the post item, formatting the post item and a graphical representation of each note in the musical composition for display in a user interface control.

Abstract: Methods, apparatus and computer software are provided for authorizing an EMV transaction between a user device and a point of sale terminal, particularly, but not exclusively, in situations where a secure element is not made available for the deployment of a payment application on the user device. The payment application is instead deployed to a processing environment that is outside of any secure element on the user device. The payment application is associated with a certificate and a corresponding hash. The hash is adapted to be generated on the basis of an application expiration date parameter, which is adapted to comprise data indicative of an expiration date of day level granularity associated with the certificate. During processing of the EMV transaction, the point-of-sale terminal verifies the hash, thereby establishing the authenticity of the application expiration date, and hence the validity of the certificate.

Abstract: Methods and systems for improved and novel encryption that make it difficult or impossible in any practical way to extract data that has been protected on the computing system. A computing device may receive authentication data from a client device. The computing device may generate an encryption key and a corresponding decryption key. The computing device may receive, from the client device, information associated with a timed access window. The computing device may send, to the client device, the encryption key. The computing device may receive, from the client device, a request for the corresponding decryption key. The computing device may calculate that the request for the corresponding decryption key is during the timed access window and send, to the client device, based on the request and the calculation that the request for the corresponding decryption key is during the timed access window, the corresponding decryption key.

Abstract: Methods and apparatus for providing protected content to subscribers of a managed (e.g., MSO) network via a content source accessible via an internetwork such as the Internet. In one embodiment, a user accesses a service provider portal (e.g., website), and requests content. The service provider determines whether the requesting user is permitted to access the content, and what rights or restrictions are associated with the user. This includes authenticating the user as a subscriber of the MSO, and determining the subscriber's subscription level. In another embodiment, a user's account with the MSO and service provider may be federated, thus a given user will have MSO-specific information regarding its identity (such as login information, GUID, etc.) and is able to perform a single sign on to request and receive content.

Abstract: The system is used by both Producer and Consumer of digital evidence, which use the system to provide a secure and irrefutable record of a transaction involving the use of the digital evidence to produce new protected digital evidentiary content, e.g. transcription, according to a set of rules and limitations on the use of the digital evidence over a specific period of time which expires after a certain time. The newly create evidentiary content along with security and metadata are evaluated, and results used to confirm that the evidence has been maintained according to the terms and conditions.

Abstract: Media, system, and method for providing encryption key management to a channel within a group-based communication system. The contents of the channel is encrypted according to the encryption key management policy of the organization to which the author of the content belongs and is stored in a data store. Responsive to a revocation request from a first organization, the encryption keys associated with any content in the channel submitted by the authors of said first organization may be revoked from a second organization, such that users of the second organization no longer have access to the content.

Abstract: Methods, systems and apparatus for quantum error correction. A layered representation of error propagation through quantum error detection circuits is constructed. The layered representation includes multiple line circuit layers that each represent a probability of local detection events in a quantum computing system associated with potential error processes in an execution of a quantum algorithm. To construct the layered representation, potential detection events associated with each potential error process occurring at quantum gates in the quantum circuit are determined. Lines are associated with each potential error process, the lines each connecting a potential detection event associated with the potential error process to another potential detection event associated with the same potential error process or a boundary of the quantum circuit. Similar lines are merged and used to construct unique line circuit layers.

Abstract: A method making modifications during a key phase of physical layer security methods and enabling the physical layer security methods to be applicable in a wireless communication is provided. The method includes a step of generating a K common key, including steps to be carried out at a modulator during a data transmission phase.

Abstract: In order to acknowledge uplink frames transmitted from end devices to server equipment, the server equipment allocates the end devices to groups and to subgroups. The addresses of the end devices are constructed so as to identify the groups and subgroups to which said end devices belong. The server equipment carries out mass acknowledgements by group, by broadcasting a message wherein each subgroup of said group is associated with the same item of information acknowledging, or not, said uplink frames of all the end devices of said subgroup. The mass acknowledgement further includes information representing an estimated instant of next transmission of a mass acknowledgement for said group. The server equipment acknowledges, in unicast mode, the uplink frames received that have not been acknowledged by the mass acknowledgement.

Abstract: Various embodiments relate to a method performed by a processor of a computing system. An example method includes determining a first cryptographic algorithm utilized in a first block of a first blockchain. The first block of the first blockchain has a first unique block identifier. A second cryptographic algorithm utilized in a second block of the first blockchain is determined. The second block of the first blockchain having a second unique block identifier. A first cryptographic algorithm status transition (“CAST”) event is defined if the second cryptographic algorithm is different than the first cryptographic algorithm. A first CAST record is defined upon occurrence of the first CAST event. The first CAST record includes the second cryptographic algorithm and the second unique block identifier. The first CAST record is digitally signed and stored on a second blockchain. The second blockchain may be referenced out-of-band of the first blockchain.

Abstract: The disclosed embodiments disclose techniques for extracting encryption keys to enable monitoring services. During operation, an encrypted connection is detected on a computing device. A monitoring service harvests an encryption key for this encrypted connection from the memory of a computing device and then forwards the encryption key to an intercepting agent in an intermediate computing environment that intercepts encrypted traffic that is sent between the computing device and a remote service via the encrypted connection.

Abstract: Implementations of the present specification provide a model-based prediction method and apparatus. The method includes: a model running environment receives an input tensor of a machine learning model; the model running environment sends a table query request to an embedding running environment, the table query request including the input tensor, to request low-dimensional conversion of the input tensor; the model running environment receives a table query result returned by the embedding running environment, the table query result being obtained by the embedding running environment by performing embedding query and processing based on the input tensor; and the model running environment inputs the table query result into the machine learning model, and runs the machine learning model to complete model-based prediction.

Abstract: A method for voiceprint recognition of an original speech is used to reduce information losses and system complexity of a model for data recognition of a speaker's original speech. The method includes: obtaining original speech data, and segmenting the original speech data based on a preset time length to obtain segmented speech data; performing tail-biting convolution processing and discrete Fourier transform on the segmented speech data through a preset convolution filter bank to obtain voiceprint feature data; pooling the voiceprint feature data through a preset deep neural network to obtain a target voiceprint feature; performing embedded vector transformation on the target voiceprint feature to obtain corresponding voiceprint feature vectors; and performing calculation on the voiceprint feature vectors through a preset loss function to obtain target voiceprint data, where the loss function includes a cosine similarity matrix loss function and a minimum mean square error matrix loss function.

Abstract: Distributed storage system and method for transmitting storage-related messages between host computers in a distributed storage system uses a handshake operation of a first-type communication connection between a source data transport daemon of a source host computer and a target data transport daemon of a target host computer to derive a symmetric key at each of the source and target data transport daemons. The two symmetric keys are sent to a source data transport manager of the source host computer and to a target data transport manager of the target host computer. The source and target data transport managers then use the same symmetric keys to encrypt and decrypt storage-related messages that are transmitted from the source data transport manager to the target data transport manager through multiple second-type communication connections between the source and target data transport managers.

Abstract: Polynomial multiplication for side-channel protection in cryptography is described. An example of an apparatus includes one or more processors to process data; a memory to store data; and polynomial multiplier circuitry to multiply a first polynomial by a second polynomial, the first polynomial and the second polynomial each including a plurality of coefficients, the polynomial multiplier circuitry including a set of multiplier circuitry, wherein the polynomial multiplier circuitry is to select a first coefficient of the first polynomial for processing, and multiply the first coefficient of the first polynomial by all of the plurality of coefficients of the second polynomial in parallel using the set of multiplier circuits.

Abstract: A service monitors password and username use while maintaining username and password privacy by receiving a hash of a username, a hash of a password, and a host name and comparing the received hashes against a database of associated host names and hashes of usernames and passwords. When the comparison determines that the hash of the new password meets certain conditions, e.g., no hash in the database matches the hash of the new password, then the new password may be allowed and the service informs the security component accordingly.

Abstract: Disclosed herein are methods, systems, and processes for the enhanced crawling of unexposed web applications for vulnerability scanning purposes. A response to a request generated to a web application is received and a web application framework detection routine on the response for web application frameworks is executed. A determination is made that a web application framework is part of the response and the response is loaded in a web browser associated with the web application. A custom web application framework hook for the web application framework is injected into a web page of a web browser and a list of Document Object Model (DOM) elements and corresponding event handlers is received. A determination is made, based on the list, to execute DOM events to discover functionality of the web application. The web page is loaded in the web browser, the DOM events are executed, and network activity of the web browser during execution of the DOM events is recorded.

Abstract: Keystream generators for secure data transmission, the keystream generators being operated in counter mode, against repeated or improper generation of an already generated keystream and to protect the data transmission against repeated use of a keystream, so-called reuse are provided. The keystream generator is operated, with respect to realization options, selectively in one of two operating modes, an encryption operating mode and a decryption operating mode. In the encryption operating mode, a keystream generated on the basis of a first control data set is used to encrypt data, in particular payload data, to form cipher-data, the product of ciphered data or payload data. In the decryption operating mode, a keystream generated on the basis of a second control data set is used to decrypt the cipher-data. The keystream is output only if the generation of the keystream from the encryption of a counter value of the keystream generator operated in counter mode with a block cipher key is error-free.

Abstract: In one embodiment, a computer-implemented method performed by a data processing (DP) accelerator includes receiving, at the DP accelerator, first data representing an artificial intelligence (AI) model that has been previously trained from a host processor; receiving, at the DP accelerator, a request to implant a watermark in the AI model from the host processor; and implanting, by the DP accelerator, the watermark within the AI model. The DP accelerator then transmits second data representing the AI model having the watermark implanted therein to the host processor. In embodiment, the method further includes extracting, at the DP accelerator, a watermark algorithm identifier (ID) from the request to implant a watermark; and generating the watermark using a watermark algorithm identified by the watermark algorithm ID.

Abstract: There is provided a method performed by a network unit, and a corresponding network unit as well as a corresponding wireless communication device, for supporting interworking and/or idle mode mobility between different wireless communication systems, including a higher generation wireless system and a lower generation wireless system, to enable secure communication with the wireless communication device. The method comprises selecting, in connection with a registration procedure and/or a security context activation procedure of the wireless communication device with the higher generation wireless system, at least one security algorithm of the lower generation wireless system, also referred to as lower generation security algorithm(s). The method also comprises sending a control message including information on the selected lower generation security algorithm(s) to the wireless communication device.

Abstract: A system and method for provisioning devices on respective LTE or 5G network cores using a hierarchical provisioning connector. Maintained by a connectivity management platform, a hierarchical provisioning connector serving as an extension of a single provisioning connector of the customer account, such that the hierarchical provisioning connector may contain an array of single provisioning connectors. A rule processor that is utilized by the hierarchical provisioning connector to classify devices by access technology. Each configured rule may take one or more unique device identifiers as input and return a reference to exactly one configured single provisioning connector.

Abstract: A system and method for issuing requests to a stateless computing platform is described. In an example implementation, the system may include a stateless computing platform configured to receive and service a first set of requests and a second set of requests from a stateful server.

Abstract: A non-interactive protocol is provided for evaluating machine learning models such as decision trees. A client can delegate the evaluation of a machine learning model such as a decision tree to a server by sending an encrypted input and receiving only the encryption of the result. The inputs can be encoded as vector of integers using their binary representation. The server can then evaluate the machine learning model using a homomorphic arithmetic circuit. The homomorphic arithmetic circuit provides an implementation that requires fewer multiplications than a Boolean comparison circuit. Efficient data representations are then combined with different algorithmic optimizations to keep the computational overhead and the communication cost low. Related apparatus, systems, techniques and articles are also described.

Abstract: Methods, systems, and apparatuses associated with a secure stream protocol for a serial interconnect are disclosed. An apparatus comprises a first device comprising circuitry to, using an end-to-end protocol, secure a transaction in a first secure stream based at least in part on a transaction type of the transaction, where the first secure stream is separate from a second secure stream. The first device is further to send the transaction secured in the first secure stream to a second device over a link established between the first device and the second device, where the transaction is to traverse one or more intermediate devices from the first device to the second device. In more specific embodiments, the first secure stream is based on one of a posted transaction type, a non-posted transaction type, or completion transaction type.

Abstract: Systems and methods are provided for obtaining data to be secured based on a secret sharing technique, the data being associated with a file identifier and a split specification that includes at least a number of splits n and a minimum number of splits m required for reconstructing the data, and a Repeatable Random Sequence Generator (RRSG) RRSG scheme. An RRSG state can be initialized based at least in part on a given data transformation key to provide repeatable sequence of random bytes. For every m bytes of data: a polynomial whose coefficients are determined based at least in part on m bytes of the data and a portion of the repeatable sequence of random bytes can be determined; the polynomial can be evaluated at n unique values determined by a portion of repeatable sequence of random bytes to generate n bytes. Each byte can be stored into one of the n split stores.

Abstract: Systems, apparatuses, methods, and computer program products are disclosed for post-quantum cryptography (PQC). An example method includes receiving data. The example method further includes receiving a set of data attributes about the data. The set of data attributes comprises one or more sets of data environment data attributes that are each representative of a set of data environments associated with the data. The example method further includes receiving one or more sets of data environment threat data structures associated with one or more data environments in the one or more sets of data environments associated with the data. The example method further includes selecting one or more cryptographic techniques for encrypting the data for at least the one or more data environments based on the set of data attributes, the one or more sets of data environment threat data structures, and a cryptograph optimization machine learning model.

Abstract: Examples described herein include systems and methods for onboarding a device into a management system. An example method can include loading a management agent onto the device and receiving inventory information for the device. The example method can further include receiving a request to whitelist the device. In some examples, the request originates from a different device, such as a device used by a technician installing the connected device. The management server can authorize the device and add it to the whitelist. After authorizing the device, the management server can onboard the device by sending management information to the management agent on the device. The management server can then exercise management control of the device through the management agent installed on the device.

Abstract: A method for asynchronous side channel cipher renegotiation includes: establishing, by a first computing device, a first communication channel and a second communication channel with a second computing device, where the first communication channel is an encrypted tunnel and packages exchanged using the encrypted tunnel are encrypted using a first cipher; receiving, by a receiver of the first computing device, a renegotiation request from the second computing device using the second communication channel, where the renegotiation request includes at least a password value and a relative time; generating, by a processor of the first computing device, a second cipher using at least an encryption protocol and the password value; receiving, by the receiver of the first computing device, a new encrypted packet from the second computing device using the first communication channel; and decrypting, by the processor of the first computing device, the new encrypted packet using the second cipher.

Abstract: Methods, apparatus and computer software are provided for authorizing an EMV transaction between a user device and a point of sale terminal, particularly, but not exclusively, in situations where a secure element is not made available for the deployment of a payment application on the user device. The payment application is instead deployed to a processing environment that is outside of any secure element on the user device. An ICC Master Key corresponding to the payment application is held by a trusted authority, such as the issuing bank. The trusted authority is adapted generate time-limited session keys on the basis of the ICC Master Key and distribute session keys to the payment application. Receipt of a session key by the payment application enables the payment application to conduct an EMV payment transaction. The session key is used to authorize a single EMV payment transaction.

Abstract: Methods may be provided to transmit encrypted data from a communication device to a remote storage system. A data value and information related to the data value may be provided, where the information related to the data value includes an identifier associated with the communication device and a time-value associated with the data value. A combination of the time-value and the identifier may be encrypted using a public key to provide a first encrypted value. The data value may be encrypted using the public key to provide a second encrypted value, and a hidden datum package may be generated including the time-value, the first encrypted value, and the second encrypted value. The hidden datum package including the time-value, the first encrypted value, and the second encrypted value may be transmitted to the remote storage system.

Abstract: A system and method for managing a population of devices and in particular, software updates and version control of applications across the population includes permitting a first device to receive an update from a publisher and generating an update manifest that is propagated to other devices in the population. Applications within a population of devices are selectively disabled and enabled to prevent multiple update versions of the same application across the population.

Abstract: A key management system includes a managed system coupled to a management system through a network. The managed system includes managed device locking subsystem(s) coupled to a managed device and a key storage. The managed device locking subsystem(s) retrieve, through the network from the management system, a managed device locking key that is configured to unlock the managed device. The managed device locking subsystem(s) then encrypt the managed device locking key to provide an encrypted managed device locking key, and store the encrypted managed device locking key in the key storage. Subsequent to storing the encrypted managed device locking key, the managed device locking subsystem(s) retrieve the encrypted managed device locking key from the key storage, and decrypt the encrypted managed device locking key to provide a decrypted managed device locking key. The managed device locking subsystem(s) then use the decrypted managed device locking key to unlock the managed device.

Abstract: A system and method are described for proactively performing key swaps among nodes in a quantum key distribution (QKD) network. The method includes determining a routing solution for nodes in the QKD network; making the routing solution available to the nodes in the QKD network; and initiating key swaps among the nodes in the QKD network according to the routing solution, prior to key requests being made within the QKD network. The method can also include continuously performing key swaps among the nodes in the QKD network according to the routing solution; detecting a change in capacity and/or a change in demand on one or more links within the QKD network; determining a new routing solution based on the detected change; and continuously preforming subsequent key swaps according to the new routing solution.

Abstract: Systems and methods for key management. An aspect of the disclosure provides for a key management system including an authenticating function, a key-management function, and at least one function. The system provides for separation of authentications and key-management functions. The authenticating function configured for receiving an authentication request associated with a terminal device (TD), authenticating the request, and sending an authentication response to the at least one function. The key-management function configured for receiving a key request associated with the TD, generating a key according to the key request, and sending the key to the at least one function. The at least one function configured for receiving a request for service, sending, to the authenticating function, the authentication request, and receiving, from the authenticating function, the authenticating response.