Symmetric Key Cryptography Patents (Class 380/259)
  • Patent number: 10305686
    Abstract: Secure data transfers between communication nodes are performed using a group encryption key supplied by a remote management system. A first node transmits a request for secure communications with a second node to the remote management system using a control channel. The remote management system generates and encrypts a group encryption key usable by the first and second nodes and forwards the encrypted group encryption key to the first and second nodes using one or more control channels. The first and second communication nodes decrypt the group encryption key and use it to encrypt data transmitted between the nodes using a data transport network. In some implementations the securely communicating nodes may use encryption keys and/or techniques that prevent the remote management system from eavesdropping on the nodes' communications.
    Type: Grant
    Filed: October 3, 2016
    Date of Patent: May 28, 2019
    Assignee: Orion Labs
    Inventors: Greg Albrecht, Andy Isaacson, Nelson Carpentier, Dan Phung, Schuyler Erle
  • Patent number: 10305684
    Abstract: A secure connection method for a network device includes: acquiring a public key operation value of a second device in an out-of-band manner; sending public key information of a first device to the second device; receiving public key information of the second device that is sent by the second device, and decrypting the public key information of the second device by using a private key of the first device, to obtain the public key of the second device; and performing a preset-algorithm operation on the public key of the second device to obtain a copy of the public key operation value of the second device, and after the copy of the public key operation value of the second device matches the public key operation value of the second device, accepting received connection information sent by the second device.
    Type: Grant
    Filed: June 29, 2016
    Date of Patent: May 28, 2019
    Assignee: Huawei Device Co., Ltd.
    Inventors: Gaokun Pang, Zhiming Ding, Xiaoxian Li, Su Lu
  • Patent number: 10298387
    Abstract: A method includes detecting, at an interceptor device, a transmission of an encrypted media stream from a first device to a second device. The method also includes intercepting the encrypted media stream, during the transmission, for a simulcast operation associated with the encrypted media stream. The transmission of the encrypted media stream from the first device to the second device is substantially unaffected by the interception. The method further includes simulcasting a version of the encrypted media stream to at least a third device in response to intercepting the encrypted media stream.
    Type: Grant
    Filed: July 26, 2018
    Date of Patent: May 21, 2019
    Assignee: WOWZA MEDIA SYSTEMS, LLC
    Inventor: Charles F. Good
  • Patent number: 10298394
    Abstract: The present invention relates to a method to authenticate two devices to establish a secure channel, one belonging to a first group of devices, the second belonging to a second group of devices, in a non-traceable manner without the need to share a secret, each group being authenticated by an authority that stores a group secret key into the devices under its authority. The method uses a set of authentication tokens, one for each of the other groups with which the device is intended to communicate, said authentication token comprising at least a random number and a cipher of at least this random number by the secret key of each of these other groups, said authentication tokens being further renewed at each communication with a device from another group.
    Type: Grant
    Filed: February 20, 2015
    Date of Patent: May 21, 2019
    Assignee: GEMALTO SA
    Inventor: Alain Rhelimi
  • Patent number: 10291392
    Abstract: A method for encrypting data based on all-or-nothing encryption includes: providing, by an encryption system, data to be encrypted and an encryption key; dividing, by the encryption system, the data into an odd number of blocks, wherein each of the blocks has the same size; encrypting, by the encryption system, the blocks with the encryption key to obtain an intermediate ciphertext c′ comprising intermediate ciphertext blocks c0′, . . . , cN′, wherein c0′ corresponds to a random seed and c1′, . . . , cN′ corresponds to the encrypted blocks; and obtaining, by the encryption system, a final ciphertext c using the intermediate ciphertext c′. An intermediate overall ciphertext t is obtained based on XOR'ing the intermediate ciphertext blocks c0′, . . . , cN′; and obtaining a plurality of final ciphertext blocks c1, . . . cN by XOR'ing respective intermediate ciphertext blocks c1′, . . . , cN′ with the intermediate overall ciphertext t.
    Type: Grant
    Filed: August 28, 2017
    Date of Patent: May 14, 2019
    Assignee: NEC CORPORATION
    Inventors: Ghassan Karame, Claudio Soriente, Srdjan Capkun
  • Patent number: 10289830
    Abstract: An interception-proof authentication and encryption system and method is provided that utilizes passcodes with individual pins that are made up of symbols from a set of symbols, and tokens that contain at least two symbols from the set of symbols used for the passcode. Multiple tokens (a “token set”) are presented to a user, with some or all of a user's pre-selected pins (symbols) randomly inserted into some or all of the tokens. The user selects a token from the token set for each pin position in the passcode. The user is authenticated based on the selected tokens. Because each selected token may or may not contain one of the pre-selected pins in the user's passcode, and also contains other randomly generated symbols that are not one of the pre-selected pins in the user's passcode, someone that observes which tokens the user has chosen cannot determine what the user's actual passcode is.
    Type: Grant
    Filed: August 27, 2016
    Date of Patent: May 14, 2019
    Inventor: Min Ni
  • Patent number: 10275767
    Abstract: A method for generating cryptograms in a webservice environment includes: receiving, in a first environment of a computing system, a credential request transmitted by an external computing device using a secure communication protocol, the credential request including a transaction identifier and account identifier; transmitting, by the first environment, a data request to a second environment of the computing system, the data request including the account identifier; receiving, by the first environment, an account profile and session key from the second environment; transmitting, by the first environment, a cryptogram request to a third environment of the computing system, the cryptogram request including the account profile and session key; receiving, by the first environment, a cryptogram from the third environment generated using the account profile and session key; and transmitting, by the first environment, the cryptogram and transaction identifier to the external computing device via the secure communic
    Type: Grant
    Filed: October 21, 2015
    Date of Patent: April 30, 2019
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventors: Mehdi Collinge, Patrik Smets
  • Patent number: 10277569
    Abstract: Techniques for using short-term session credentials across regions are described herein. A first request for resources is generated using short-term session credentials and digitally signed with a digital signature. The request is generated in a first region and received in a second region. In response to the request, a second request is generated in the second region to validate the first request. A new session token that is usable in the second region is generated and returned to the second region. The new session token can then be used in the second region to fulfill the first request.
    Type: Grant
    Filed: December 3, 2015
    Date of Patent: April 30, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Marc R. Barbour, Khaled Salah Sedky, Slavka Praus, Srikanth Mandadi
  • Patent number: 10262152
    Abstract: An access control apparatus comprises a control unit that, based on predetermined access control information, restricts access to an electronic file by software that is permitted to access or prohibited from accessing the electronic file. An access control system comprises: an access control apparatus that has a control unit that, based on predetermined access control information, restricts access to an electronic file by software that is permitted to access or prohibited from accessing the electronic file; and a management apparatus that is provided outside the access control apparatus, and provides, to the access control apparatus, at least one of the predetermined access control information and a judgment result based on the predetermined access control information.
    Type: Grant
    Filed: July 15, 2015
    Date of Patent: April 16, 2019
    Assignee: FinalCode, Inc.
    Inventors: Toshio Dogu, Noriyuki Takahashi, Takuya Matsumoto
  • Patent number: 10263785
    Abstract: Securing information is increasingly difficult. With technological advances and tools/information sharing between hackers it is becoming even more difficult to ensure that sensitive data remains secure. Disclosed are systems and methods for uniquely securing data for each communication. The disclosed systems and methods allow for transmitting data across multiple boundaries (national, linguistic, operating system, platform, brand, etc.), while maintaining the desired security of the originator's data.
    Type: Grant
    Filed: May 5, 2017
    Date of Patent: April 16, 2019
    Inventors: Thomas J. Waters, Richard H. Waters, Robert N. Barrett
  • Patent number: 10242195
    Abstract: Examples described herein include a computing device with a processing resource to execute beginning booting instructions of the computing device. The beginning booting instructions may include a first booting instruction. The computing device also includes an access line to access the first booting instruction, a measuring engine to duplicate the first booting instruction and to generate a first integrity value associated with the first booting instruction, and a measurement register to store the first integrity value. The measuring engine may be operationally screened from the processing resource and the measurement register may be inaccessible to the processing resource.
    Type: Grant
    Filed: July 22, 2016
    Date of Patent: March 26, 2019
    Assignee: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
    Inventors: Ludovic Emmanuel Paul Noel Jacquin, Thomas M. Laffey, Adrian Shaw
  • Patent number: 10218501
    Abstract: A method includes: securely obtaining, by a first device, a first public key estimated value of a second device in an out-of-band manner; encrypting an asymmetric encryption public key by using the first public key estimated value; sending the encrypted asymmetric encryption public key to the second device; receiving an encrypted first key-exchange public key sent by the second device; decrypting the encrypted first key-exchange public key by using an asymmetric encryption private key; performing an operation based on the decrypted first key-exchange public key, to obtain a second public key estimated value; and when the first public key estimated value is consistent with the second public key estimated value, determining that the decrypted first key-exchange public key is correct, generating a shared key by using a key-exchange private key and the first key-exchange public key, and establishing a secure connection to the second device by using the shared key.
    Type: Grant
    Filed: September 30, 2016
    Date of Patent: February 26, 2019
    Assignee: Huawei Device (Dongguan) Co., Ltd.
    Inventors: Gaokun Pang, Zhiming Ding
  • Patent number: 10218696
    Abstract: The techniques and systems described herein are directed to providing targeted, secure software deployment in a computing system. An identity of the computing device can be determined and verified using a trusted platform module (TPM) of the computing device, and a software update can be expressly configured to operate solely on the computing device. Further, a configuration of the computing device can be ascertained using platform configuration registers (PCRs) of the TPM to determine that the computing device has not been modified from a trusted configuration. For example, if malware or unauthorized software is operating on the computing device, the software update may be prevented from being installed. Further, the software update can be targeted for a particular computing device, such that when the software update is received at the computing device, the software update may not be duplicated and provided to an additional, unauthorized device.
    Type: Grant
    Filed: June 30, 2016
    Date of Patent: February 26, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Stefan Thom, Merzin Kapadia
  • Patent number: 10210776
    Abstract: A method of protecting a Rijndael-type algorithm executed by an electronic circuit against side channel attacks, wherein: each block of data to be encrypted or to be decrypted is masked with a first mask before a non-linear block substitution operation is applied based on a substitution box, and is then unmasked with a second mask after the substitution; and the substitution box is recalculated, block by block, before the non-linear operation is applied, the processing order of the blocks of the substitution box being submitted to a random permutation, commutative with the non-linear substitution operation.
    Type: Grant
    Filed: February 17, 2016
    Date of Patent: February 19, 2019
    Assignee: STMicroelectronics (Rousset) SAS
    Inventor: Nicolas Bruneau
  • Patent number: 10187200
    Abstract: A computerized method that encrypts each of a plurality of segments of a binary value using a selected block cipher of a plurality of block ciphers and a unique symmetric key of a first plurality of unique, symmetric keys to produce a first ciphertext. The method further encrypts each of a plurality of segments of the first ciphertext using a selected block cipher of the plurality of block ciphers and a unique symmetric key of a second plurality of unique, symmetric keys to produce a second ciphertext. The selected block cipher used to encrypt a first segment of the binary value to produce a first segment of the plurality of segments of the first ciphertext is different than the selected block cipher used to encrypt the first segment of the ciphertext to produce a first encrypted segment of the second ciphertext.
    Type: Grant
    Filed: January 26, 2018
    Date of Patent: January 22, 2019
    Assignee: SECURE CHANNELS INC.
    Inventors: Adam C. Firestone, Hilary L. MacMillan
  • Patent number: 10187198
    Abstract: A method of protecting a Rijndael-type algorithm executed by an electronic circuit against side channel attacks, wherein: each block of data to be encrypted or decrypted is masked with a first mask before applying a non-linear block substitution operation from a first substitution box, and is then unmasked by a second mask after the substitution; the substitution box is recalculated, block by block, before applying the non-linear operation, the processing order of the blocks of the substitution box being submitted to a random permutation; and the recalculation of the substitution box uses the second mask as well as third and fourth masks, the sum of the third and fourth masks being equal to the first mask.
    Type: Grant
    Filed: February 17, 2016
    Date of Patent: January 22, 2019
    Assignee: STMICROELECTRONICS (ROUSSET) SAS
    Inventor: Nicolas Bruneau
  • Patent number: 10181044
    Abstract: The present invention is a system for monitoring encrypted data and preventing the encrypted data from being decrypted in large quantities, the system comprising: an access control unit which stores information of a decryption; a crypto-unit which receives the information of the decryption from the access control unit and decrypts the encrypted data; a counter which counts the number of the process of the decryption processed by the crypto-unit; an event logger which stores the number of the process of the decryption counted by the counter; and a monitoring server which receives the information of the number of the decryption and displays it.
    Type: Grant
    Filed: July 3, 2014
    Date of Patent: January 15, 2019
    Assignee: Eglobal Systems Co., Ltd.
    Inventors: Dae Won Mun, Yu Ho Kim, Don Seob Cho
  • Patent number: 10181037
    Abstract: Booting a machine in a secure fashion in a potentially unsecure environment. The method includes a target machine beginning a boot process. The method further includes the target machine determining that it needs provisioning data to continue booting. The target machine contacts a secure infrastructure to obtain the provisioning data. The target machine provides an identity claim that can be verified by the secure infrastructure. As a result of the secure infrastructure verifying the identity claim, the target machine receives a request from the secure infrastructure to establish a key sealed to the target machine. The target machine provides the established key to the secure infrastructure. The target machine receives the provisioning data from the secure infrastructure. The provisioning data is encrypted to the established key. The target machine decrypts the encrypted provisioning data, and uses the provisioning data to finish booting.
    Type: Grant
    Filed: November 9, 2016
    Date of Patent: January 15, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Mark Fishel Novak, Nir Ben-Zvi, John Anthony Messec, Kinshumann, Christopher McCarron
  • Patent number: 10178079
    Abstract: Exemplary embodiments provide various techniques for managing groups of authenticated entities. In one exemplary computer-implemented method, an entity accesses a group roster that includes a first group identifier identifying a first group, a first group digital certificate associated with the first group, and a first entity identifier identifying the entity being a member of the first group. The entity also receives a request to update the group roster. Here, the request includes a second group identifier identifying a second group and a second group digital certificate associated with the second group. In response to the request, the entity replaces the first group identifier in the group roster with the second group identifier. Additionally, in response to the request, the entity replaces the first group digital certificate with the second group digital certificate. The replacements change a membership of the entity from the first group to the second group.
    Type: Grant
    Filed: November 28, 2016
    Date of Patent: January 8, 2019
    Assignee: NetApp Inc.
    Inventors: Craig Fulmer Everhart, Steven Ewing
  • Patent number: 10178123
    Abstract: For improving the protection of a network against denial of service attacks and other hostile attacks, while keeping the operation of the network simple and efficient and considering restricted capacities of single network nodes, a control unit, a system and a method for operating a network with a plurality of nodes are provided, wherein at least one operation parameter of at least one node is adjusted based on a current network phase and a data packet received by the node (10) is processed based on the operation parameter.
    Type: Grant
    Filed: June 7, 2012
    Date of Patent: January 8, 2019
    Assignee: PHILIPS LIGHTING HOLDING B.V.
    Inventors: Oscar Garcia Morchon, Daniel Martin Görgen, Tim Corneel Wilhelmus Schenk, Javier Espina Perez, Marc Aoun
  • Patent number: 10164951
    Abstract: A method includes performing by at least one host entity implemented in a network, receiving an encryption key generated by a key server and a key identifier associated with said encryption key, generating a header comprising an information identifier associated with an information to be protected, the device identifier corresponding to the key server and the key identifier associated with the encryption key, encrypting said information using said encryption key and associating the header with the encrypted information, transmitting said encrypted information and the associated header to a receiving entity and transmitting an authorization information, said key identifier, and said header to the key server. Further, in response to determination that the receiving entity is authorized to access the encrypted information, the receiving entity decrypts the encrypted information using decryption key received from the key server.
    Type: Grant
    Filed: April 24, 2018
    Date of Patent: December 25, 2018
    Assignee: SKYI Technology Limited
    Inventors: Kenneth Keung Yum Yu, Chan Yiu Ng
  • Patent number: 10159098
    Abstract: In an example, the mobile device may be configured to determine whether to authorize a request for the vehicle head unit to utilize a resource of the mobile device. The mobile device may be configured to utilize a proxy of the mobile device to establish a connection with a destination in response to determining to authorize the request.
    Type: Grant
    Filed: June 14, 2017
    Date of Patent: December 18, 2018
    Assignee: Airbiquity Inc.
    Inventors: Mike O'Meara, Sagar Pawar, Leon Hong
  • Patent number: 10154018
    Abstract: A method for facilitating network joining is disclosed, wherein, while a communication session is active between a network gateway and an NFC device comprised in or connected to a networkable device, the following steps are performed: the network gateway obtains a first cryptographic key associated with the networkable device; the network gateway encrypts, using said first cryptographic key, a network key associated with a network; the network gateway provides the encrypted network key to the networkable device, such that the networkable device may decrypt the encrypted network key using a second cryptographic key. Furthermore, a corresponding computer program product and a corresponding system for facilitating network joining are disclosed.
    Type: Grant
    Filed: February 18, 2016
    Date of Patent: December 11, 2018
    Assignee: NXP B.V.
    Inventors: Ewout Brandsma, Elisabeth Eichhorn, Piotr Polak, Ruud Hendricksen
  • Patent number: 10148424
    Abstract: Aspects of the disclosure provide a technological improvement to a cipher by improving data security of format-preserving encryption (FPE), by, inter alia, embedding specific key identifiers for rotating keys directly into ciphertext. Aspects of the disclosure relate to methods, computer-readable media, and apparatuses for improving data security in a format-preserving encryption (FPE) context by using specific methods of rotating and identifying the appropriate encryption key from among numerous rotating keys stored in a key data store. Specific to FPE, a plaintext of the data and its corresponding ciphertext of the data remain the same in length/size; yet the methods, computer-readable media, and/or apparatuses disclosed herein permit embedding of an identification of a specific key among the plurality of rotating keys for the particular ciphertext without compromising the technical requirements of FPE.
    Type: Grant
    Filed: September 26, 2016
    Date of Patent: December 4, 2018
    Assignee: Bank of America Corporation
    Inventors: Shankar Ramasubramanian Iyer, Navanith R. Keerthi
  • Patent number: 10142107
    Abstract: Binding a security token to a client token binder, such as a trusted platform module, is provided. A bound security token can only be used on the client on which it was obtained. A secret binding key (kbind) is established between the client and an STS. The client derives a key (kmac) from kbind, signs a security token request with kmac, and instructs the STS to bind the requested security token to kbind. The STS validates the request by deriving kmac using a client-provided nonce and kbind to MAC the message and compare the MAC values. If the request is validated, the STS generates a response comprising the requested security token, derives two keys from kbind: one to sign the response and one to encrypt the response, and sends the response to the client. Only a device comprising kbind is enabled to use the bound security token, providing increased security.
    Type: Grant
    Filed: December 31, 2015
    Date of Patent: November 27, 2018
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Adrian Frei, Tarek B. Kamel, Guruprasad B. Aphale, Sankara Narayanan Venkataraman, Xiaohong Su, Yordan Rouskov, Vijay G. Bharadwaj
  • Patent number: 10135767
    Abstract: An access-control device that controls access to encrypted messages. During operation, the access-control device can receive an access key for a corrupted message, and can receive a cover message digest associated with the corrupted message. The access-control device stores the access key in association with the cover message digest, and stores the cover message digest in a block chain. A respective block of the block chain includes at least one cover message digest, and a hash value of a previous block of the block chain.
    Type: Grant
    Filed: September 6, 2017
    Date of Patent: November 20, 2018
    Assignee: Private Giant
    Inventors: Shaun Murphy, Charles Murphy, Richard Johnson
  • Patent number: 10127317
    Abstract: Methods, systems, and computer program for implementing a private cloud are provided. A computer-implemented method may include registering a private cloud in a central registry; retrieving private cloud registration data from the central registry; sharing the private cloud registration data with other users; and allowing other users to connect to the private cloud using the shared private cloud registration data.
    Type: Grant
    Filed: September 18, 2014
    Date of Patent: November 13, 2018
    Assignee: RED HAT, INC.
    Inventors: Martin Večeřa, Jiri Pechanec
  • Patent number: 10129221
    Abstract: A transport facilitation system can manage a transportation arrangement service that links requesting users with available drivers throughout a given region. In doing so, the transport facilitation system can receive pick-up requests from users and transmit invitations to drivers to service those requests. For each ride, the transport facilitation system can initiate one or more recording mechanisms to record content within a passenger interior of the vehicle as the driver transports the requesting user from a pick-up location to a destination location. After the vehicle arrives at the destination location, the transport facilitation system can dual encrypt the content utilizing a first public key associated with the driver and a second public key associated with the requesting user, and store the dually encrypted content in a storage device. Decryption can require a pair of private keys associated with the rider and the driver.
    Type: Grant
    Filed: July 5, 2016
    Date of Patent: November 13, 2018
    Assignee: Uber Technologies, Inc.
    Inventor: Brian McClendon
  • Patent number: 10115147
    Abstract: It is an object of the present invention to enhance convenience and service qualities in an information distribution system. In a server serving as an information distribution apparatus and an information communication terminal, contents are managed by using content identifiers (content IDs) managed as IDs conforming to a rule of uniformity. Particularly, in the information communication terminal, a content ripped from a recording medium such as a CD and stored in storage means such as an HDD is also managed by using a content identifier acquired from the information distribution apparatus. In this way, contents stored in the storage means can be managed by using content IDs each managed as an ID common to the information communication terminal and the information distribution apparatus.
    Type: Grant
    Filed: September 6, 2017
    Date of Patent: October 30, 2018
    Assignee: SONY CORPORATION
    Inventors: Izuru Tanaka, Hiraku Inoue
  • Patent number: 10095859
    Abstract: The present invention prevents a maintenance tool for carrying out maintenance work of an electronic control unit (ECU) from being abused by a third person. In an authentication system according to the present invention, an authentication apparatus authenticates an operator of an operation terminal (equivalent to the maintenance tool), and the operation terminal forwards an authentication code generated by the authentication apparatus to the ECU. By using the authentication code, the ECU determines whether or not to permit the operation terminal to carry out a maintenance operation.
    Type: Grant
    Filed: January 23, 2015
    Date of Patent: October 9, 2018
    Assignee: Hitachi Automotive Systems, Ltd.
    Inventor: Junji Miyake
  • Patent number: 10091001
    Abstract: Approaches described herein allow a stateless device to recover at least one private key. In particular, a stateless device can provide service-account credentials to a directory service to establish a first session and acquire a certificate and private key using information associated with the stateless device. The stateless device can store its private key before the first session ends. A stateless device can then provide user-account credentials to the directory service to establish a second session. After the second session begins, a private key can be acquired by the stateless device.
    Type: Grant
    Filed: August 2, 2017
    Date of Patent: October 2, 2018
    Assignee: Citrix Systems, Inc.
    Inventor: Christopher Morgan Mayers
  • Patent number: 10084888
    Abstract: A method provides a web service. The method includes obtaining authentication information of at least one web server from the at least one web server to establish a session in advance and storing the authentication information in a database; searching the database for authentication information of a particular web server, upon reception of a request from a client for access to the particular web server; and performing web server access acceleration if the particular web server exists.
    Type: Grant
    Filed: October 25, 2013
    Date of Patent: September 25, 2018
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Ji-Cheol Lee
  • Patent number: 10075295
    Abstract: Information, such as a cryptographic key, is used repeatedly in the performance of operations, such as certain cryptographic operations. To prevent repeated use of the information from enabling security breaches, the information is rotated (replaced with other information). To avoid the resource costs of maintaining a counter on the number of operations performed, decisions of when to rotate the information are performed based at least in part on the output of stochastic processes.
    Type: Grant
    Filed: March 3, 2016
    Date of Patent: September 11, 2018
    Assignee: Amazon Technologies, Inc.
    Inventor: Gregory Branchek Roth
  • Patent number: 10069629
    Abstract: Disclosed are various examples of systems and methods for transferring data between applications executing in sandboxed environments. An application executing on a computing device in a sandbox provided by an operating system is identified. A key-value pair is retrieved from an access-restricted data store provided by the operating system, wherein the key-value pair comprises a timestamp and an application identifier. The application identifier is compared with the application. Data is sent to the application based at least in part on the application identifier matching an identification of the application and the timestamp specifying a point in time within a predetermined period of time.
    Type: Grant
    Filed: August 18, 2015
    Date of Patent: September 4, 2018
    Assignee: AIRWATCH LLC
    Inventors: Vijaykumar Bhat, Ramani Panchapakesan, Ilanchezhian Kuppusamy, Gangadhar Nittala
  • Patent number: 10050979
    Abstract: The validity/invalidity of a credit card, an IC card storing electronic money, or the like is appropriately determined based on a blacklist. A terminal device includes a list storage means and an invalidity recording means. The list storage means stores an identifier, validity information indicating validity or invalidity, and a blacklist that relates the identifier to an invalidity count specification value for a recording medium storing a set value. The invalidity recording means reads from the blacklist, the invalidity count specification value related to the identifier read from the recording medium, and compares the invalidity count specification value with the set value read from the recording medium. The invalidity recording means executes predetermined processing based on the validity information for the recording medium when the set value is equal to the invalidity count specification value.
    Type: Grant
    Filed: June 17, 2014
    Date of Patent: August 14, 2018
    Assignee: NEC CORPORATION
    Inventors: Saburo Shiota, Yuichi Koike
  • Patent number: 10050794
    Abstract: The present invention relates to a method (500) performed at an IP network node for IPSec establishment with other IP network nodes in a network. The method comprises collecting (S1) information about the other IP network nodes in the network using a dynamic routing protocol, the information comprising an IP address associated with the respective other IP network node, and establishing (S2) an IPSec relationship with a predetermined set of the other IP network nodes in the network based on the collected information and based on Internet Key Exchange (IKE) using a certification protocol and the identity of the IP network node, wherein the identity of the IP network node is determined by a pre-stored node certificate.
    Type: Grant
    Filed: September 30, 2013
    Date of Patent: August 14, 2018
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventor: Jonas Tevemark
  • Patent number: 9998477
    Abstract: Access to a linked resource may be protected using a time-based transformation of links to the resource. A linked resource may be transmitted to a browser in a markup language page. Information indicative of a time-based transformation of a link may be transmitted to the browser in the markup language page, or separately from the markup language page. The time-based transformation may be applied to the transmitted link. The transformed link may be requested, and compared to a version of the link that has been transformed, using the time-based transformation with respect to the time the request is received.
    Type: Grant
    Filed: March 31, 2015
    Date of Patent: June 12, 2018
    Inventor: Nicholas Kaiho
  • Patent number: 9979541
    Abstract: According to one embodiment, a content key is split into split content keys and separately stored in a plurality of regions in a protected region of a memory device. Then, a common key is generated between the host device and the memory device, and encryption keys are cut out from the common key. When the split content keys are read from the memory device and transmitted to the host device, the split content keys are encrypted with the encryption keys and then decrypted with the encryption keys on the host device side. Subsequently, the split content keys decrypted with the encryption keys on the host side are combined with each other, and the original content key is thereby obtained. Finally, the content is decrypted with the content key.
    Type: Grant
    Filed: January 29, 2016
    Date of Patent: May 22, 2018
    Assignee: KABUSHIKI KAISHA TOSHIBA
    Inventor: Ken Matsushita
  • Patent number: 9979703
    Abstract: There is disclosed a method of providing a software update to a secure element comprised in a host device, comprising converting the software update into a sequence of ciphertext blocks using a chained encryption scheme, and transmitting said sequence of ciphertext blocks to the host device. Furthermore, there is disclosed a method of installing a software update on a secure element comprised in a host device, comprising receiving, by the host device, a sequence of ciphertext blocks generated by a method of providing a software update of the kind set forth, converting said sequence of ciphertext blocks into the software update, and installing the software update on the secure element. Furthermore, corresponding computer program products and a corresponding host device are disclosed.
    Type: Grant
    Filed: December 12, 2014
    Date of Patent: May 22, 2018
    Assignee: NXP B.V.
    Inventors: Dimitri Warnez, Thierry Gouraud, Rafael Jan Josef Meeusen, Andreas Lessiak, Frank Siedel, Ernst Haselsteiner, Bruce Murray
  • Patent number: 9979709
    Abstract: A method and system for securely enrolling personal identity credentials into personal identification devices. The system of the invention comprises the manufacturer of the device and an enrollment authority. The manufacturer is responsible for recording serial numbers or another unique identifier for each device that it produces, along with a self-generated public key for each device. The enrollment authority is recognized by the manufacturer or another suitable institution as capable of validating an individual before enrolling him into the device. The enrollment authority maintains and operates the appropriate equipment for enrollment, and provides its approval of the enrollment. The methods described herein discuss post-manufacturing, enrollment, backup, and recovery processes for the device.
    Type: Grant
    Filed: September 9, 2015
    Date of Patent: May 22, 2018
    Assignee: Apple Inc.
    Inventors: David S. Abdallah, Barry W. Johnson
  • Patent number: 9973481
    Abstract: The present document describes systems and methods that, in some situations, improve data security. In one embodiment, communications between a client and a server are encrypted using an envelope-based encryption scheme. The envelope includes: a data encryption key reference; and data encrypted with a corresponding data encryption key. A data encryption key server maintains a collection of data encryption keys that are accessible using corresponding data encryption key references. In another embodiment, a storage server maintains stored data using the envelope-based encryption scheme. The stored data is made available to particular clients in encrypted or plaintext form based at least in part on a trust score determined for each client's request. In yet another embodiment, as a result of a secure transport handshake, a client is provided with a pluggable cipher suite.
    Type: Grant
    Filed: June 16, 2015
    Date of Patent: May 15, 2018
    Assignee: Amazon Technologies, Inc.
    Inventor: Nima Sharifi Mehr
  • Patent number: 9961030
    Abstract: A messaging and content sharing platform that allows for sender-controlled permissions and rules. During operation, a sending device can receive user input to set permissions and rules for an object to be sent to a receiving device. The permissions and rules control how the object will be managed after leaving the sending device. A receiving device receives the object and complies with the permissions and rules associated with the object. Other features of the platform include a hierarchical view for group messaging, an attachment-only view of messages, large file attachments, and the ability to allow users to access external services such as social networking websites without logging in.
    Type: Grant
    Filed: October 2, 2015
    Date of Patent: May 1, 2018
    Assignee: PRIVATE GIANT
    Inventors: Shaun Murphy, Charles Murphy, Richard Johnson
  • Patent number: 9948624
    Abstract: Disclosed is a key downloading method. The method comprises: sending a hardware series number (SN) and a first random number (Rnd1) to a key server; receiving a second random number (Rnd2), a first encrypted text (C1) and a key server working certificate (KSWCRT) sent by the key server; authenticating the validity of KSWCRT by using a KSRCRT; if valid, extracting a public key (PuKS) from the KSWCRT, and decrypting the first encrypted text (C1) by using the PuKS to obtain a third random number (Rnd1'); determining whether Rnd1 is consistent with Rnd1'; if consistent, encrypting the second random number (Rnd2) by using a terminal authentication public key (TKP_Pu) to generate a third encrypted text (C2'), and sending the C2' to the key server; receiving a key encrypted text (Ctmk) sent by the key server; and obtaining a master key (TMK), and storing the TMK in a security control module.
    Type: Grant
    Filed: January 23, 2014
    Date of Patent: April 17, 2018
    Assignee: FUJIAN LANDI COMMERCIAL EQUIPMENT CO., LTD
    Inventors: Wenlong Su, Luqiang Meng, Yixuan Hong
  • Patent number: 9948621
    Abstract: Various embodiments include a method for managing a group of devices in communication with each other and sharing a set of keys. The method may include opening a secure channel with each of two devices from the group; providing the set of keys to the two devices from the group, wherein the set of keys includes an encryption key and an authentication key; indicating to the two devices to begin using the set of keys; and performing an audit process including verifying that nodes within a key group have the same copy of encryption and authentication keys. Embodiments of the method may include synchronization, active/standby redundancy and the ability to manage the network when some nodes perform the data encryption and some nodes do not, or when both encrypted and non-encrypted tunnels and services can work together.
    Type: Grant
    Filed: May 20, 2015
    Date of Patent: April 17, 2018
    Assignee: Alcatel Lucent
    Inventors: Mohammad Reza Rokui, Rajesh Kumar Paida, Carl Rajsic
  • Patent number: 9942750
    Abstract: Disclosed is an apparatus, system, and method to decrypt an encrypted account credential at a second device that is received from a first device. The second device may receive a first share of a master key and the encrypted account credential from the first device. The second device may reconstruct the master key with the first share of the master key and a second share of the master key stored at the second device. The second device may decrypt the encrypted account credential with the reconstructed master key. Based upon the decrypted account credential, the second device may be enabled to access an account.
    Type: Grant
    Filed: January 23, 2013
    Date of Patent: April 10, 2018
    Assignee: QUALCOMM Incorporated
    Inventors: Cameron A. McDonald, Matthew C. Duggan, Craig M. Brown
  • Patent number: 9934849
    Abstract: A system for asymmetrically selecting a memory element is described. The system includes a number of memory cells in a crossbar array. Each memory cell includes a memory element to store information. The memory element is defined as an intersection between a column electrode and a row electrode of the crossbar array. Each memory cell also includes a selector to select a target memory element by relaying a first selecting voltage to a column electrode that corresponds to the target memory element and relaying a second selecting voltage to a row electrode that corresponds to the target memory element. The system also includes a controller to pass a first standing voltage to column electrodes of the crossbar array and to pass a second standing voltage to row electrodes of the crossbar array. The first standing voltage is different than the second standing voltage.
    Type: Grant
    Filed: July 25, 2014
    Date of Patent: April 3, 2018
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Kyung Min Kim, Jianhua Yang, Zhiyong Li
  • Patent number: 9924357
    Abstract: A method for providing mobile communication provider information and a device for performing the same are disclosed. A terminal having an eUICC receives data, in which mobile communication provider information is capsulized and included, and stores the received data in the eUICC. Therefore, the mobile communication provider information can be transferred by applying the highest security scheme, and duplication of the eUICC due to the exposure of an authentication key by external hacking attacks can be prevented.
    Type: Grant
    Filed: May 23, 2013
    Date of Patent: March 20, 2018
    Assignee: KT Corporation
    Inventors: Hyung Jin Lee, Kwan Lae Kim, Joo Young Kim, Chul Hyun Park, Jin Hyoung Lee, Youn Pil Jeung
  • Patent number: 9916206
    Abstract: In connection with a data distribution architecture, client-side “deduplication” techniques may be utilized for data transfers occurring among various file system nodes. In some examples, these deduplication techniques involve fingerprinting file system elements that are being shared and transferred, and dividing each file into separate units referred to as “blocks” or “chunks.” These separate units may be used for independently rebuilding a file from local and remote collections, storage locations, or sources. The deduplication techniques may be applied to data transfers to prevent unnecessary data transfers, and to reduce the amount of bandwidth, processing power, and memory used to synchronize and transfer data among the file system nodes. The described deduplication concepts may also be applied for purposes of efficient file replication, data transfers, and file system events occurring within and among networks and file system nodes.
    Type: Grant
    Filed: December 31, 2014
    Date of Patent: March 13, 2018
    Assignee: Code 42 Software, Inc.
    Inventors: Matthew Dornquast, Brian Bispala, Damon Allison, Brad Armstrong, Marshall Scorcio, Rory Lonergan, Peter Lindquist, Christopher Parker
  • Patent number: 9916262
    Abstract: A method and system encrypt data in a least privileged operating system. The method includes determining a first encryption scheme to be used with software code to be mapped to a virtual memory. The method includes mapping a first portion of the virtual memory with the software code for access by a processor using the first encryption scheme. The method includes receiving a call for an entry point of the operating system. The method includes determining a second encryption scheme to be used with the entry point when mapped to the virtual memory. The method includes mapping a second portion of the virtual memory for executing entry point code associated with the entry point for access by the processor using the second encryption scheme. The processor executing the software code is permitted to access only data from the first and second portions of the virtual memory.
    Type: Grant
    Filed: September 17, 2015
    Date of Patent: March 13, 2018
    Assignee: WIND RIVER SYSTEMS, INC.
    Inventor: Mati Sauks
  • Patent number: 9900160
    Abstract: Techniques for using short-term credentials using asymmetric session keys are described herein. A request for a short-term credential is received that is digitally signed with a different credential. In response to the request, short-term credential data is generated and populated with a public session key corresponding to a private session key. The short-term credential data is then encrypted with a session encryption key to produce the short-term credential token, which can then be used by the requester as a short-term credential for subsequent requests.
    Type: Grant
    Filed: December 3, 2015
    Date of Patent: February 20, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: Marc R. Barbour, Khaled Salah Sedky, Srikanth Mandadi, Slavka Praus