Abstract: Embodiments described herein provide cryptographic techniques to enable a recipient of a signed message containing encrypted data to verify that the signer of the message and the encryptor of the encrypted data are the same party, or at the least, have joint possession of a common set of secret cryptographic material. These techniques can be used to harden an online payment system against interception and resigning of encrypted payment information.

Abstract: Encrypting and securely transmitting data between devices is disclosed. After a device obtains a request to purchase a prescription lens, including prescription data, to be inserted into a second electronic device, the prescription data is securely encrypted and transmitted to the lens manufacturer. The lens manufacturer may create a prescription lens and calibration data related to the lens. The calibration data can be encrypted and transmitted to a storage device for storage. The second electronic device can retrieve the encrypted calibration data from the storage device and utilize it to perform a full calibration of the device. The second electronic device can present images, in accordance with the calibration data, using a display through an optical path that include the prescription lens.

Abstract: Embodiments described herein provide a method on a mobile electronic device to facilitate the transmission of encrypted user data to a service provider, such as an emergency service provider. An encrypted data repository stores user data to be transmitted to the service provider. A key to decrypt the encrypted data repository is wrapped using a key associated with a publicly trusted certificate for the service provider. In response a request received at the mobile device to initiate an emergency services request, the mobile device can transmit the encrypted data repository and wrapped cryptographic material to a server that is accessible by the service provider.

Abstract: Embodiments described herein provide a compressed container format that enables the container to be decrypted and decompressed in a streaming manner. One embodiment provides a container format for encrypted archives in which data is compressed and encrypted in a segmented manner. A segment of the archive can be decompressed, decrypted, and checked for integrity before the entire archive is received. Metadata for the encrypted archive is also encrypted to secure details of data stored within the archive.

Abstract: Aspects of the subject technology provide for privacy-preserving electronic publication and subscription. A publisher device may establish a publication channel with a publication server and receive a channel identifier and a channel ownership token for the channel. The publisher device may provide the channel identifier and a key for the publication channel to a subscriber device. The publisher device may publish data encrypted using the key to the publication server, the subscriber device may obtain the encrypted published data from the server using the channel identifier, and may decrypt the published data using the key obtained from the publisher device. The published data may include status information for a user of the publisher device, in some examples.

Abstract: Aspects of the subject technology include receiving, by a first device, a voucher data item, from a second device that is participating in a group communication session with at least a third device and providing, by the first device, the voucher data item to at least the third device to verify that the first device is vouched for by the second device for participation in the group communication session. The voucher data item may include participant information associated with participation of the second device in the group communication session. The voucher data item may also be signed with a key associated with the second device.

Abstract: Aspects of the subject technology include obtaining, by a first device associated with a first user account, one or more item-specific public keys of one or more devices associated with a second user account and generating a data structure representing the one or more devices associated with the second user account based on the one or more item-specific public keys. Aspects may also include providing an identifier of the data structure to a server for association with the item and generating an invitation for the second user account to access the item. Aspects may further include providing the invitation to a second device of the one or more devices associated with the second user account to provide the second device with access to the item via the server based on at least a portion of the data structure and a respective item-specific public key of the second device.

Abstract: Techniques are disclosed relating to secure message exchanges. In some embodiments, a first computing device generates an account key associated with a user account shared by a plurality of computing devices. The first computing device signs a public key of the first computing device with the generated account key to produce a digital signature and sends the public key and the digital signature to a first server system for distributing the public key to a second computing device attempting to send an encrypted message to the first computing device. The first computing device sends the account key to an external storage external usable by others of the plurality of computing devices to obtain the account key and use the account key to sign public keys of the other computing devices. The first computing device receives, from the second computing device, the encrypted message encrypted using the public key.

Abstract: This Application sets forth techniques for establishing a custodial relationship between a user device and a custodian device for recovering access to a user account and/or to encrypted user data with assistance provided by the custodian device to effect access recovery. A server of a cloud network service provides an anonymous identifier to associate with the custodian device and an account recovery key to store at the custodian device. Identity of an account of the cloud network service associated with the custodian device can be hidden from the server. The user device generates a data recovery key and provides a first portion of the data recovery key to the custodian device and a second portion of the data recovery key to the server. Integrity of the stored account recovery key and portions of the data recovery key are checked regularly by the custodian device and the user device.

Abstract: Techniques are disclosed relating to using a device to gain access to another system. In some embodiments, a first mobile device performs a pairing operation with a control unit that controls access to a system, the pairing operation including the first mobile device establishing a first cryptographic key with the control unit. The first mobile device receives a request to enable a second mobile device to communicate with the control unit, and in response to receiving the request, the first mobile device generates a second cryptographic key from the first cryptographic key. The first mobile device provides the second cryptographic key to the second mobile device. The second mobile device is configured to send a beacon including a payload encrypted with the second cryptographic key, and the encrypted payload is usable to authenticate the second mobile device to the control unit.

Abstract: Aspects of the subject technology provide for privacy-preserving electronic publication and subscription. A publisher device may establish a publication channel with a publication server and receive a channel identifier and a channel ownership token for the channel. The publisher device may provide the channel identifier and a key for the publication channel to a subscriber device. The publisher device may publish data encrypted using the key to the publication server, the subscriber device may obtain the encrypted published data from the server using the channel identifier, and may decrypt the published data using the key obtained from the publisher device. The published data may include status information for a user of the publisher device, in some examples.

Abstract: Techniques are disclosed relating to computing security and privacy. In some embodiments, a computing device provides, to a service computing system, a service request that identifies an action and includes an anonymous identifier for a user of the computing device. The computing device receives, from the service computing system, a score request for a trustworthiness score indicative of the user's trustworthiness. In response to receiving the score request from the service computing system, the computing device provides information indicative of the user's identity to a scoring computing system and receives the trustworthiness score and a corresponding score signature from the scoring computing system. In response to receiving the score and the score signature from the scoring computing system, the computing device provides the score to the service computing system.

Abstract: Embodiments described herein provide cryptographic techniques to enable a recipient of a signed message containing encrypted data to verify that the signer of the message and the encryptor of the encrypted data are the same party, or at the least, have joint possession of a common set of secret cryptographic material. These techniques can be used to harden an online payment system against interception and resigning of encrypted payment information.

Abstract: Aspects of the subject technology provide for secure, privacy-preserving access to electronic conferencing. In one or more implementations, a device may obtain a link that corresponds to a call with a second device, encrypt a request to join the call using a key obtained using the link, and send the encrypted request to a server for delivery to the second device. The link may also include information used to identify an alias for an account associated with the second device. The device may send the encrypted request to the server with the alias. The device may receive an encrypted response to the request from the server, obtain an identifier of the call from the encrypted response, and then receive an invitation to join the call associated with the identifier.

Abstract: Embodiments described herein provide cryptographic techniques to enable a recipient of a signed message containing encrypted data to verify that the signer of the message and the encryptor of the encrypted data are the same party, or at the least, have joint possession of a common set of secret cryptographic material. These techniques can be used to harden an online payment system against interception and resigning of encrypted payment information.

Abstract: Embodiments described herein provide a compressed container format that enables the container to be decrypted and decompressed in a streaming manner. One embodiment provides a container format for encrypted archives in which data is compressed and encrypted in a segmented manner. A segment of the archive can be decompressed, decrypted, and checked for integrity before the entire archive is received. Metadata for the encrypted archive is also encrypted to secure details of data stored within the archive.

Abstract: Embodiments described herein provide cryptographic techniques to enable a recipient of a signed message containing encrypted data to verify that the signer of the message and the encryptor of the encrypted data are the same party, or at the least, have joint possession of a common set of secret cryptographic material. These techniques can be used to harden an online payment system against interception and resigning of encrypted payment information.

Abstract: One embodiment provides for an electronic device, comprising a network interface, a memory coupled with the network interface, at least one application processor coupled with the memory, the at least one processor to execute instructions stored in the memory, and a secure processor including a cryptographic engine, wherein the cryptographic engine is to generate a sealed encrypted message to be transmitted via the network interface, the sealed encrypted message encrypted on behalf of the at least one application processor and includes a signature to enable integrity verification of the sealed encrypted message, the signature generated based on an identity key of the electronic device and data including ciphertext of the encrypted message and a public key of a recipient of the sealed encrypted message.

Abstract: Embodiments described herein provide a method on a mobile electronic device to facilitate the transmission of encrypted user data to a service provider, such as an emergency service provider. An encrypted data repository stores user data to be transmitted to the service provider. A key to decrypt the encrypted data repository is wrapped using a key associated with a publicly trusted certificate for the service provider. In response a request received at the mobile device to initiate an emergency services request, the mobile device can transmit the encrypted data repository and wrapped cryptographic material to a server that is accessible by the service provider.

Abstract: Techniques are disclosed relating to using a device to gain access to another system. In some embodiments, a first mobile device performs a pairing operation with a control unit that controls access to a system, the pairing operation including the first mobile device establishing a first cryptographic key with the control unit. The first mobile device receives a request to enable a second mobile device to communicate with the control unit, and in response to receiving the request, the first mobile device generates a second cryptographic key from the first cryptographic key. The first mobile device provides the second cryptographic key to the second mobile device. The second mobile device is configured to send a beacon including a payload encrypted with the second cryptographic key, and the encrypted payload is usable to authenticate the second mobile device to the control unit.