Abstract: Data masking is provided by, for at least one predetermined data item in data to be sent, applying a one-way function to that data item to produce a first value, producing a masked data item by encrypting the first value via a deterministic encryption scheme using a current encryption key for a current epoch, and replacing that data item by the masked data item. A data-provider computer sends the masked data to the data-user computer. On expiry of the current epoch, the data-provider computer generates a new encryption key for the encryption scheme in a new epoch, produces mask-update data, dependent on the current and new encryption keys, and sends the mask-update data to the data-user computer. The mask-update data permits updating, at the data-user computer, of masked data items produced with the current encryption key into masked data items produced with the new encryption key.

Abstract: Data masking is provided by, for at least one predetermined data item in data to be sent, applying a one-way function to that data item to produce a first value, producing a masked data item by encrypting the first value via a deterministic encryption scheme using a current encryption key for a current epoch, and replacing that data item by the masked data item. A data-provider computer sends the masked data to the data-user computer. On expiry of the current epoch, the data-provider computer generates a new encryption key for the encryption scheme in a new epoch, produces mask-update data, dependent on the current and new encryption keys, and sends the mask-update data to the data-user computer. The mask-update data permits updating, at the data-user computer, of masked data items produced with the current encryption key into masked data items produced with the new encryption key.

Abstract: Data masking is provided by, for at least one predetermined data item in data to be sent, applying a one-way function to that data item to produce a first value, producing a masked data item by encrypting the first value via a deterministic encryption scheme using a current encryption key for a current epoch, and replacing that data item by the masked data item. A data-provider computer sends the masked data to the data-user computer. On expiry of the current epoch, the data-provider computer generates a new encryption key for the encryption scheme in a new epoch, produces mask-update data, dependent on the current and new encryption keys, and sends the mask-update data to the data-user computer. The mask-update data permits updating, at the data-user computer, of masked data items produced with the current encryption key into masked data items produced with the new encryption key.

Abstract: Data masking is provided by, for at least one predetermined data item in data to be sent, applying a one-way function to that data item to produce a first value, producing a masked data item by encrypting the first value via a deterministic encryption scheme using a current encryption key for a current epoch, and replacing that data item by the masked data item. A data-provider computer sends the masked data to the data-user computer. On expiry of the current epoch, the data-provider computer generates a new encryption key for the encryption scheme in a new epoch, produces mask-update data, dependent on the current and new encryption keys, and sends the mask-update data to the data-user computer. The mask-update data permits updating, at the data-user computer, of masked data items produced with the current encryption key into masked data items produced with the new encryption key.

Abstract: Data masking is provided by, for at least one predetermined data item in data to be sent, applying a one-way function to that data item to produce a first value, producing a masked data item by encrypting the first value via a deterministic encryption scheme using a current encryption key for a current epoch, and replacing that data item by the masked data item. A data-provider computer sends the masked data to the data-user computer. On expiry of the current epoch, the data-provider computer generates a new encryption key for the encryption scheme in a new epoch, produces mask-update data, dependent on the current and new encryption keys, and sends the mask-update data to the data-user computer. The mask-update data permits updating, at the data-user computer, of masked data items produced with the current encryption key into masked data items produced with the new encryption key.

Abstract: Data masking is provided by, for at least one predetermined data item in data to be sent, applying a one-way function to that data item to produce a first value, producing a masked data item by encrypting the first value via a deterministic encryption scheme using a current encryption key for a current epoch, and replacing that data item by the masked data item. A data-provider computer sends the masked data to the data-user computer. On expiry of the current epoch, the data-provider computer generates a new encryption key for the encryption scheme in a new epoch, produces mask-update data, dependent on the current and new encryption keys, and sends the mask-update data to the data-user computer. The mask-update data permits updating, at the data-user computer, of masked data items produced with the current encryption key into masked data items produced with the new encryption key.

Abstract: A method for providing integrity and consistency of a cloud storage service to a group of mutually trusted clients may be provided. The cloud storage service may offer a set of operations, such as read, write, update, delete in respect to stored data to the clients, whereby each client only executes its own client operations when consuming one of the set of operations of the cloud storage service, and wherein each client detects data correctness of the cloud storage service based on a protocol providing fork-linearizablity.

Abstract: A method for providing integrity and consistency of a cloud storage service to a group of mutually trusted clients may be provided. The cloud storage service may offer a set of operations, such as read, write, update, delete in respect to stored data to the clients, whereby each client only executes its own client operations when consuming one of the set of operations of the cloud storage service, and wherein each client detects data correctness of the cloud storage service based on a protocol providing fork-linearizablity.

Abstract: A computer-implemented method for storing an object includes providing an object, an ordering vector of the object, the ordering vector being associated to a lexicographic order having at least one dimension, and base keys associated to each dimension of the lexicographic order; deriving a key by retrieving the base key associated to the first dimension of the lexicographic order for which the ordering vector has a value different from the smallest value, and applying a one-way function a number of times corresponding to the value of the ordering vector for the last dimension of the lexicographic order; encrypting the object with the key; and storing the object as encrypted.

Abstract: The invention notably relates to a computerized system (301) comprising a storage system (302, 308) storing objects and attribute values associated to the objects. The attribute values are organized according to a set of N attribute types, N?1, such that, for each of said attribute types, an object can be associated with an attribute value. Each of said attribute types is associated to a respective graph. Each node of the respective graph is associated to a key. Said key is wrapped with a key associated to a parent node of said each node except for a root node. Also, said key is associated to one attribute value for the attribute type associated to the respective graph. Each of the objects is stored encrypted based on one or more keys. Each of said one or more keys is associated to one attribute value that is associated with said each of the objects. Such a system improves the deletion of objects stored on a storage system of a computerized system.

Abstract: A system, method apparatus, and computer readable medium for managing renewal of a dynamic set of data items. Each data item has an associated renewal deadline, in a data item management system. A renewal schedule allocates to each data item a renewal interval for renewal of the data item. On addition of a new data item, if a potential renewal interval having a duration required for renewal of the data item, and having an ending at the renewal deadline for that item does not overlap a time period in the schedule during which the system is busy, the renewal schedule is automatically updated by allocating the potential renewal interval to the new data item. If the potential renewal interval does overlap a busy period, the renewal schedule is automatically updated by selecting an earlier renewal interval for at least one data item in the set.

Abstract: A system and method is provided for updating a hash tree in a protected environment. An integrity protection controller is provided for observing one or more system parameters of a storage system and one or more hash tree parameters of the hash trees, and for updating a hash tree in dependence on the storage system parameter and the hash tree parameter.

Abstract: A computer-implemented method for storing an object includes providing an object, an ordering vector of the object, the ordering vector being associated to a lexicographic order having at least one dimension, and base keys associated to each dimension of the lexicographic order; deriving a key by retrieving the base key associated to the first dimension of the lexicographic order for which the ordering vector has a value different from the smallest value, and applying a one-way function a number of times corresponding to the value of the ordering vector for the last dimension of the lexicographic order; encrypting the object with the key; and storing the object as encrypted.

Abstract: A method for automated validation and execution of cryptographic key and certificate deployment and distribution includes providing one or more keys; providing one or more key deployment points; and distributing the one or more keys to the one or more key deployment points in an automated manner based on a matrix or pattern mapping of each of the one or more keys to be distributed to each of the one or more key deployment points.

Abstract: Methods and systems for reading from and writing to a distributed, asynchronous and fault-tolerant storage system. The storage system includes storage nodes communicating with clients. The method includes a first client writing an object to the storage system and a second client reading the object from the storage system. For the first client, previous transient metadata relating to a previously written version of the object is retrieved and a new version of the object together with new transient metadata is stored. For the second client, a set of transient metadata from a third set of nodes amongst storage nodes is retrieved, a specific version of the object as stored on the storage system is determined, and a specific version of the corresponding object from a fourth set of nodes amongst storage nodes is retrieved. Two sets of nodes amongst all sets have at least one node in common.

Abstract: Methods and systems for reading from and writing to a distributed, asynchronous and fault-tolerant storage system. The storage system includes storage nodes communicating with clients. The method includes a first client writing an object to the storage system and a second client reading the object from the storage system. For the first client, previous transient metadata relating to a previously written version of the object is retrieved and a new version of the object together with new transient metadata is stored. For the second client, a set of transient metadata from a third set of nodes amongst storage nodes is retrieved, a specific version of the object as stored on the storage system is determined, and a specific version of the corresponding object from a fourth set of nodes amongst storage nodes is retrieved. Two sets of nodes amongst all sets have at least one node in common.

Abstract: A method for generating a session key on demand in a network among participating network devices, including choosing a private and public key according to a public key encryption scheme, and broadcasting the public key to each other participating network device; choosing a local contribution value from a multiplicative group of size q; encrypting the local contribution value under the received public key to an encrypted contribution value and sending the encrypted contribution value; receiving encrypted contribution values and deriving decrypted contribution values by applying the private key; deriving a blinded session key from the decrypted contribution values and the local contribution value; agreeing on one of the blinded session keys by using an agreement protocol; and deriving the session key from the agreed-on blinded session key by applying one of the decrypted contribution values and the contribution value A corresponding computer program element, computer program product, and computer device.

Abstract: The invention provides methods, apparatus and systems for securely processing an originator request of a customer. This originator request can be sent to at least one first entity.

Abstract: The present invention provides a method for transferring encrypted information from one storage area to other storage area wherein cryptographic data protection scheme having protection attributes are applied on the data. A crypto container having cryptographic properties represents cryptographically protected data. The attributes that have been attached to the container at the time when data is added or removed from the container determine the scheme of data protection being applied. Crypto container can be converted or serialized for storage or transmission, here the conversion spread only to the protected data parts which possibly includes crypto containers in protected form but may not the attached crypto attributes. These attributes must be stored or transmitted in another form.

Abstract: A method for automated validation and execution of cryptographic key and certificate deployment and distribution includes providing one or more keys; providing one or more key deployment points; and distributing the one or more keys to the one or more key deployment points in an automated manner based on a matrix or pattern mapping of each of the one or more keys to be distributed to each of the one or more key deployment points.