Abstract: A system and method for protecting user data using a key escrow service. The key escrow service may be hosted by a service provider to integrate Identity Access Management (IAM) solutions, such as Single-Sign-On (SSO) and/or System for Cross-domain Identity Management (SCIM), with a zero-knowledge service, such as a password manager or other service handling sensitive user data. In examples, secure enclave technology may be used to allow the service provider to host and manage the key escrow service without being able to access any cryptographic key used and/or stored within a secure enclave. Accordingly, in some aspects, the service provider may have the ability to store users' secret keys for SSO and sharing keys for SCIM in a trusted, secure storage location without breaking the zero-knowledge principles of the infrastructure.

Abstract: A system and method for providing secure Single-Sign-On (SSO) authentication in a zero-knowledge architecture. A first server component may operate as a first relying party in a first SSO flow. When the user of an application successfully authenticates to a first identity provider, a first part of a secret key may be provided to the application. Additionally, a second server component may operate as a second relying party in a second SSO flow. When the first part of the secret key is received by the application, authentication information may be provided to a second identity provider. Based on a successful authentication, a second part of the secret key may be provided to the application. The first and second parts of the secret key may be combined by the application to generate a final secret key that may be used to decipher encrypted user data.

Abstract: A computer-implemented method, computer program, and device for evaluating timed-based probabilities of failure of sections of a pipe network are provided. To do so, the pipe sections are clustered into classes based on structural and environmental parameters; within each class a sample of pipe sections are selected to be inspected. The scores that are obtained through the inspection are used to train a model of pipe conditions of pipes in a class, in order to estimate the pipe conditions of pipes that have not been inspected. The pipe conditions are used to parameterize a predictive model of pipe failures.

Abstract: Examples of the present disclosure describe systems and methods relating to user-session management in a zero-knowledge environment. When a user authenticates with a computing service to begin a session, a credential-cipher key is used to encrypt the user's authentication credentials, thereby generating session-resume data. The computing service stores the credential-cipher key, such that it is not retained by the user's computing device. Accordingly, when the user resumes the session, a resume request is generated to retrieve the credential-cipher key from the computing service, wherein the request is validated before providing the key. Upon successful validation, the computing service provides the credential-cipher key, which is then used to decrypt the session-resume data and regain access to the user's authentication credentials.

Abstract: Examples of the present disclosure describe systems and methods relating to a zero-knowledge architecture between multiple systems. In an example, multiple systems may provide an application. User data of the application may be encrypted using a cryptographic key to restrict access to the user data. In some examples, the cryptographic key may not be provided to the multiple systems, thereby providing a zero-knowledge architecture. In order to ensure a user may access the cryptographic key, the cryptographic key may be encrypted using a second cryptographic key. The encrypted representation of the cryptographic key may be provided to a first system, while the second cryptographic key may be provided to a second system. As a result, a user computing device may retrieve both the encrypted representation of the cryptographic key and the second cryptographic key from the first and second systems, respectively, in order to encrypt/decrypt user data.

Abstract: Examples of the present disclosure describe systems and methods relating to user-session management in a zero-knowledge environment. When a user authenticates with a computing service to begin a session, a credential-cipher key is used to encrypt the user's authentication credentials, thereby generating session-resume data. The computing service stores the credential-cipher key, such that it is not retained by the user's computing device. Accordingly, when the user resumes the session, a resume request is generated to retrieve the credential-cipher key from the computing service, wherein the request is validated before providing the key. Upon successful validation, the computing service provides the credential-cipher key, which is then used to decrypt the session-resume data and regain access to the user's authentication credentials.

Abstract: Examples of the present disclosure describe systems and methods relating to a zero-knowledge architecture between multiple systems. In an example, multiple systems may provide an application. User data of the application may be encrypted using a cryptographic key to restrict access to the user data. In some examples, the cryptographic key may not be provided to the multiple systems, thereby providing a zero-knowledge architecture. In order to ensure a user may access the cryptographic key, the cryptographic key may be encrypted using a second cryptographic key. The encrypted representation of the cryptographic key may be provided to a first system, while the second cryptographic key may be provided to a second system. As a result, a user computing device may retrieve both the encrypted representation of the cryptographic key and the second cryptographic key from the first and second systems, respectively, in order to encrypt/decrypt user data.