Patents Assigned to Wickr Inc.
  • Patent number: 10567349
    Abstract: Determining whether to allow access to a message is disclosed. A message is received from a sender. The message is associated with a first time-to-live (TTL) value. A determination is made that the first time-to-live value has not been exceeded. The determination is made at least in part by obtaining an external master clock time. In response to the determination, access is allowed to the message.
    Type: Grant
    Filed: June 24, 2014
    Date of Patent: February 18, 2020
    Assignee: Wickr Inc.
    Inventors: Robert Statica, Christopher A. Howell, Kara Lynn Coppa
  • Publication number: 20200053145
    Abstract: A solution for circumventing censorship is disclosed. A first device connects to a first server hosted in a content delivery network (CDN). The CDN routes the first device's connection request to the first server. The first server responds by providing the first device with a configuration file that contains a plurality of secondary servers for the first device to access. Accordingly, the first device disconnects from the first server and hops between one or more of the plurality of secondary servers contained in the configuration file. By distributing the configuration file from a first server hosted in a CDN, the first device is able to obfuscate the true endpoint of the connection. Thus, the first device is able to obtain the configuration file without drawing the ire of censors. By hopping from server to server, the first device is able to stay one step ahead of censors. Accordingly, the present disclosure describes a multi-prong approach to staying a step ahead of eavesdroppers, sniffers, and censors.
    Type: Application
    Filed: August 13, 2018
    Publication date: February 13, 2020
    Applicant: Wickr Inc.
    Inventors: Christopher Dowd, Christopher Lalonde, Thomas Michael Leavy, Arjun Bhatnagar, Dipakkumar R. Kasabwala, David Lautz, Matthew Downs
  • Patent number: 10541814
    Abstract: The present application describes a method, system, and non-transitory computer-readable medium for end-to-end encryption during a secure communication session. According to the present disclosure, a first device receives an invitation to a secure communication session. The invitation includes a token, which the first device transmits to the call initiating device. Next, the first device performs a three-way handshake with the call initiating device to negotiate a first encryption key and a second encryption key for the secure communication session. The first device encrypts first communication data using the first encryption key and transmits the encrypted first communication data to the call initiating device.
    Type: Grant
    Filed: November 8, 2017
    Date of Patent: January 21, 2020
    Assignee: Wickr Inc.
    Inventors: Thomas Michael Leavy, Joël Alwen
  • Publication number: 20190356650
    Abstract: The present disclosure describes techniques that allow for a client-side application, located on a first client device, to generate a random encryption key and encrypt locally-stored application data with the random encryption key. In order to ensure that the client-device application is unable to decrypt the locally-stored encrypted application data prior to authenticating with an external authentication source (i.e., SSO, IdP), the client-side application divides the random encryption key into at least a first share and a second share according to a secret sharing algorithm. The first share is transmitted to a trusted third party, while the second share is encrypted locally and stored in a secure location on the client device. Upon successful authentication, the trusted third party returns the second share to the first client device. The client-side application derives the random encryption key and decrypts the locally-stored encrypted application data to be used by the client-side application.
    Type: Application
    Filed: August 21, 2018
    Publication date: November 21, 2019
    Applicant: Wickr Inc.
    Inventors: Thomas Michael Leavy, Joël Alwen, Christopher Howell
  • Publication number: 20190356649
    Abstract: The present disclosure describes techniques that allow for a client-side application, located on a first client device, to generate a random encryption key and encrypt locally-stored application data with the random encryption key. The random encryption key is used in lieu of a password-derived encryption key. In order to ensure that the client-device application is unable to decrypt the locally-stored encrypted application data prior to authenticating with an external authentication source (i.e., SSO, IdP), the random encryption key is encrypted with a key-encrypting key derived using a pseudorandom function (PRF). By using a PRF, the first device is able to authenticate to the first server and derive a secure key as part of the authentication process. Accordingly, the present disclosure describes techniques for securing data on a client device when credentials are managed by an external authentication system.
    Type: Application
    Filed: August 21, 2018
    Publication date: November 21, 2019
    Applicant: Wickr Inc.
    Inventors: Joël Alwen, Thomas Michael Leavy, Christopher Howell
  • Patent number: 10432597
    Abstract: A digital security bubble encapsulation is disclosed. A public key and a device identifier of at least one recipient are requested from a first server. A message containing one or more components is encrypted using a symmetric key. The symmetric key is encrypted with a public key received in response to the request. The encrypted message, the encrypted symmetric key, and the device identifier are encapsulated in a digital security bubble encapsulation. The digital security bubble encapsulation is transmitted to a second server.
    Type: Grant
    Filed: February 21, 2018
    Date of Patent: October 1, 2019
    Assignee: Wickr Inc.
    Inventors: Christopher Howell, Robert Statica, Kara Lynn Coppa
  • Patent number: 10396987
    Abstract: The present disclosure describes a system, method, and non-transitory computer readable medium for provisioning multiple instances of a secure communication application on multiple devices. A secure communication application on a first device generates a first set of private keys that are associated with the user and a second set of keys that are associated with the secure communication application executing on the first device. The first set of private keys establishes a set of root identifying keys for the user that are identical for all installations of the secure communication application, while the second set of keys will vary from device to device. In this regard, the first set of root identifying keys must be securely transferred from the first device to any subsequent installations of the secure communication application on one or more second devices.
    Type: Grant
    Filed: March 2, 2017
    Date of Patent: August 27, 2019
    Assignee: Wickr Inc.
    Inventors: Thomas Michael Leavy, Christopher Howell
  • Patent number: 10396982
    Abstract: An indication is received from a server that a first pool of public keys should be transmitted to a server. At least one public-private keypair is generated in response to the received indication. The public key portion of the generated keypair is transmitted to the server. A subsequent indication is received from the server that an additional public key should be transmitted to the server.
    Type: Grant
    Filed: August 18, 2016
    Date of Patent: August 27, 2019
    Assignee: Wickr Inc.
    Inventors: Robert Statica, Christopher A. Howell
  • Patent number: 10382197
    Abstract: A first public key associated with a first recipient is requested from a server. The first public key is received, as is an associated first key reference value. The first public key is used in conjunction with securing a first message. The first public key is destroyed. A second public key associated with the first recipient is requested from the server. A second public key and an associated second key reference value are received. The second public key is different from the first public key and the first key reference value is different from the second key reference value. The second public key is used in conjunction with the securing of a second message and the second public key is destroyed.
    Type: Grant
    Filed: August 18, 2016
    Date of Patent: August 13, 2019
    Assignee: Wickr Inc.
    Inventors: Robert Statica, Christopher A. Howell
  • Publication number: 20190245681
    Abstract: The present application describes a method, system, and non-transitory computer-readable medium for exchanging encrypted communications using a hybrid cryptography protocol. According to the present disclosure, a first device divides a first communication into at least a first secret and a second secret. The first device encrypts the first secret using a first cipher suite and the second secret using a second cipher suite. The first device generates a first signature of the first encrypted secret and the second encrypted secret according to a first signature generation algorithm associated with the first cipher suite and a second signature of the first encrypted secret and the second encrypted secret according to a second signature generation algorithm associated with the second cipher suite. The first device transmits the first encrypted secret and the second encrypted secret, the first signature, and the second signature to the second device.
    Type: Application
    Filed: February 6, 2018
    Publication date: August 8, 2019
    Applicant: Wickr Inc.
    Inventor: Joël Alwen
  • Publication number: 20190245682
    Abstract: The present application describes a method, system, and non-transitory computer-readable medium for exchanging encrypted communications using hybrid encryption. According to the present disclosure, a first device receives an encrypted communication from a second device. The encrypted communication includes a first encrypted secret, a second encrypted secret, a first signature, and a second signature. The first device verifies the first signature and the second signature, and, when the first and second signatures are valid, decrypts the first encrypted secret using a first encryption algorithm and the second encrypted secret using a second encryption algorithm. The first device combines the first decrypted secret and the second decrypted secret to recover a first communication and provides the first communication to a user of the first device.
    Type: Application
    Filed: February 6, 2018
    Publication date: August 8, 2019
    Applicant: Wickr Inc.
    Inventor: Joël Alwen
  • Publication number: 20190182219
    Abstract: Multi-party messaging is disclosed. A plurality of public keys is requested by a first device from a server, wherein the plurality of public keys is associated with a plurality of recipients. A message containing one or more components is encrypted using a symmetric key. The symmetric key is encrypted, using each of the respective public keys, resulting in a plurality of encrypted symmetric keys. The encrypted message and the encrypted symmetric keys are encapsulated in an encapsulation. The encapsulation is transmitted to the server.
    Type: Application
    Filed: February 20, 2019
    Publication date: June 13, 2019
    Applicant: Wickr Inc.
    Inventor: Robert Statica
  • Patent number: 10320560
    Abstract: An indication is received from a server that a first pool of public keys should be transmitted to a server. At least one public-private keypair is generated in response to the received indication. The public key portion of the generated keypair is transmitted to the server. A subsequent indication is received from the server that an additional public key should be transmitted to the server.
    Type: Grant
    Filed: December 21, 2016
    Date of Patent: June 11, 2019
    Assignee: Wickr Inc.
    Inventors: Robert Statica, Christopher A. Howell
  • Patent number: 10291607
    Abstract: The present disclosure describes systems and methods for an app provider to deliver information—such as notifications, alerts, messages, and other data—between client devices without the use of a third-party push token. When receivers are connected to the app provider system, the app provider will deliver a notification and the communication to the receivers without the use of a third-party push token. When receivers are not connected to the app provider system, the app provider may cache communications and notifications until the next time the receiver connects to the app provider.
    Type: Grant
    Filed: July 29, 2016
    Date of Patent: May 14, 2019
    Assignee: Wickr Inc.
    Inventors: Matthew Cifelli, Roy Hill-Percival
  • Publication number: 20190140832
    Abstract: The present application describes a method, system, and non-transitory computer-readable medium for end-to-end encryption during a secure communication session. According to the present disclosure, a first device receives an invitation to a secure communication session. The invitation includes a token, which the first device transmits to the call initiating device. Next, the first device performs a three-way handshake with the call initiating device to negotiate a first encryption key and a second encryption key for the secure communication session. The first device encrypts first communication data using the first encryption key and transmits the encrypted first communication data to the call initiating device.
    Type: Application
    Filed: November 8, 2017
    Publication date: May 9, 2019
    Applicant: Wickr Inc.
    Inventors: Thomas Michael Leavy, Joël Alwen
  • Patent number: 10263964
    Abstract: Determining whether to allow access to a message is disclosed. A message is received from a sender. The message is associated with a first time-to-live (TTL) value. A determination is made that the first time-to-live value has not been exceeded. The determination is made at least in part by obtaining an external master clock time. In response to the determination, access is allowed to the message.
    Type: Grant
    Filed: April 27, 2018
    Date of Patent: April 16, 2019
    Assignee: Wickr Inc.
    Inventors: Christopher Howell, Robert Statica, Kara Lynn Coppa
  • Patent number: 10248799
    Abstract: Screen capture mitigation is disclosed. A first finger of a user is detected in a first designated region of a display. Content is displayed when the first finger is detected in the first designated region of the display. Periodically, a determination is made whether the first finger is detected in the first designated region of the display. The content is ceased to be displayed in response to a determination that the first finger is outside the first designated region of the display.
    Type: Grant
    Filed: August 28, 2015
    Date of Patent: April 2, 2019
    Assignee: Wickr Inc.
    Inventors: Thomas Michael Leavy, Robert Statica
  • Patent number: 10242217
    Abstract: The present disclosure describes techniques for storing encrypted files in a secure file repository and transferring those encrypted files to one or more recipients. A user selects a file to upload to a secure file repository. A secure collaboration app on the user's device generates a first encryption key that is used to encrypt the file. The encrypted file is then uploaded to the secure file repository, which provides the secure collaboration app with a random file name and a location of the encrypted file. The secure collaboration app updates locally stored metadata of the first encrypted file. To securely transfer the file, the user generates a second encryption key, encrypts the metadata with the second encryption key, and transmits the encrypted metadata to one or more receivers. The one or more receivers decrypt the encrypted metadata and use the decrypted metadata to retrieve the file and decrypt it.
    Type: Grant
    Filed: September 26, 2017
    Date of Patent: March 26, 2019
    Assignee: Wickr Inc.
    Inventors: Thomas Michael Leavy, Christopher Howell, David A. Sugar, Dipakkumar R. Kasabwala, Ernest W. Grzybowski
  • Patent number: 10230524
    Abstract: The present disclosure describes a system, method, and non-transitory computer readable medium for provisioning multiple instances of a secure communication application on multiple devices. A secure communication application on a first device generates a first set of private keys that are associated with the user and a second set of keys that are associated with the secure communication application executing on the first device. The first set of private keys establishes a set of root identifying keys for the user that are identical for all installations of the secure communication application, while the second set of keys will vary from device to device. In this regard, the first set of root identifying keys must be securely transferred from the first device to any subsequent installations of the secure communication application on one or more second devices.
    Type: Grant
    Filed: March 2, 2017
    Date of Patent: March 12, 2019
    Assignee: Wickr Inc.
    Inventors: Christopher Howell, Thomas Michael Leavy
  • Publication number: 20190068567
    Abstract: The present disclosure describes a method, system, and non-transitory computer readable medium that includes instructions that permit users of different secure communication networks to exchange secure communications. A secure communication platform includes a user database that allows users from different secure communication networks to access keys for recipients outside of their network. Additionally, the secure communication platform provides a high degree of trust regarding the sender's identity, allowing the receiving network to trust the sender.
    Type: Application
    Filed: August 29, 2017
    Publication date: February 28, 2019
    Applicant: Wickr Inc.
    Inventors: Arjun Bhatnagar, Christopher Howell