Abstract: A method for securely sharing and authenticating a last secret can include splitting a secret into a first split and a second split, the secret comprising a cryptographic element and controlling access to a first key, the secret comprising at least one of a password, a second key, and a tokenized value, and the first key controlling access to a secure computing system, encrypting the first split by an encryption key established between the dealer computing system and the combining computing system, encrypting the second split by the encryption key established between the dealer computing system and the combining computing system, transmitting the encrypted first split to a first share-holder, transmitting the encrypted second split to a second share-holder, designcrypting the encrypted first split, and designcrypting the encrypted second split.

Abstract: Various embodiments relate to a dynamic biometric enrollment system. The dynamic biometric enrollment includes a processor and instructions stored in non-transitory machine-readable media. The instructions are configured to cause the server system to receive at least one biometric authentication sample from the user. The at least one tokenized biometric enrollment sample has been generated by tokenizing at least one biometric enrollment sample captured from a user associated with a unique user identifier. At least one biometric authentication sample captured from the user is retrieved. The at least one tokenized biometric enrollment sample is detokenized to retrieve the at least one biometric enrollment sample. The at least one biometric enrollment sample is processed using a biometric processing algorithm to generate a dynamic biometric reference template. It is determined whether the at least one biometric authentication sample matches with the dynamic biometric reference template.

Abstract: In a system, computer-readable media and methods for secure ledger assurance tokenization (SLAT), a block content of a first blockchain is audited, which includes accessing, by a request circuit of a SLAT computing system, a retrievably stored cross-reference content and generating an audit result. Generating an audit result includes evaluating, by a SLAT circuit of the SLAT computing system, the cross-reference content such that the audit result is informed at least by the cross-reference content. The audit result is included in a secure ledger assurance token generated by a SLAT generation circuit of the SLAT computing system and stored relationally to the block content of the first blockchain.

Abstract: A method includes receiving an event, the event associated with a digital signature in a first time-based message comprising a first trusted time stamp token generated using a first hash of digitally signed content from a trusted timing authority; generating a first block on a distributed ledger; generating a second hash of the first trusted time stamp token; receiving a second trusted time stamp token from the trusted timing authority in response to transmitting the second hash to the trusted timing authority; and generating a second block on the distributed ledger; wherein verification of data integrity of the digitally signed content is provided via the first hash of the digitally signed content and second hash of the first trusted time stamp token and via the hash of the first block and a hash of the second block.

Abstract: In one arrangement, a non-transitory computer readable media having computer-executable instructions embodied therein that, when executed by at least one processor of a computing system, cause the computing system to process an electronic transaction using a schema. The schema includes a first unique entity object identifier identifying a sender, a second unique entity object identifier identifying a receiver, and a first transaction object identifier identifying the transaction. The first transaction object identifier is located at a top level of a hierarchy of a plurality of transaction object identifiers. The schema further includes transaction information comprising the first unique entity object identifier, the second unique entity object identifier, and the unique transaction object identifier.

Abstract: Methods and systems are described for enhanced-security database encryption via cryptographic software, where key management is carried out, without exporting or exposing cleartext keys, using an independent key manager coupled to a cryptographic hardware security module (HSM).

Abstract: A method for a key management server to manage encryption for data stored by a cloud provider server includes receiving, by the key management server from the cloud provider server, a request for a drop key. The request includes a hash drop identifier that uniquely identifies a cipher drop, and the cipher drop comprises a unit of data stored by the cloud provider server. The method further includes generating the drop key based on at least the hash drop and the drop identifier and encrypting the drop key. A response comprising the encrypted drop key is sent to the cloud provider server.

Abstract: A method, system, and apparatus for managing digital certificates, managing a certificate authority (CA), and cross-referencing CA hierarchies. The method includes receiving, by a processor of a CA computing system, at least one of a digital certificate generation request and a digital certificate revocation from a user via a user computing device, the digital certificate generation request including a user public key and a user identity. The method further includes generating a digital certificate for the user and signing the digital certificate with a CA private key, wherein the CA private key is associated with a known CA public key. The method further includes publishing the digital certificate signed with the CA private key to a digital certificate blockchain, determining a certificate status of the digital certificate, and publishing an update to the digital certificate blockchain to reflect the certificate status of the digital certificate.

Abstract: Systems and methods for securely sharing and authenticating a last secret can include generating, by a cryptographic module on a first network node, a seed configured for deriving or recovering a last secret, the last secret providing access to a secure entity and being a last cryptographic element controlling access to the secure entity, creating, by the cryptographic module, an envelope for the seed, enveloping the seed by the envelope, and transmitting, by the cryptographic module, the seed to a computing system on a second node different than the first node, the computing system being configured to decrypt the envelope of the enveloped seed to recover the seed, and obtain the last secret based on the seed, where the cryptographic module is prevented from deriving the last secret.

Abstract: A method of generating a trusted chain code (“TCC”) message, comprising: receiving a smart contract whose execution causes a transfer of value in response to at least one of an occurrence of an event or a fulfillment of a condition, wherein the smart contract is digitally signed by a first entity private key and a second entity private key; generating a chain code comprising a hash of a chain code of the smart contract, the chain code corresponding to at least one of an occurrence of an event or a fulfillment of a condition of the smart contract; and posting the TCC message to a distributed ledger, wherein an execution of a portion of the chain code in response to at least one of the occurrence of the event or the fulfillment of the condition is validated against corresponding chain code in the chain code manifest.

Abstract: A unique transaction key (Tk) is established amongst multiple entities using a common hardware security module (HSM) with a common HMAC key (HK) and transaction scheme name (T). The transaction key (Tk) can be used for various cryptographic functions (e.g. encryption, MAC, HMAC, key management) with one or more messages at the transaction or session level.

Abstract: Methods and systems are described for enhanced-security database encryption via cryptographic software, where key management is carried out, without exporting or exposing cleartext keys, using an independent key manager coupled to a cryptographic hardware security module (HSM).

Abstract: A method, system, and apparatus for managing digital certificates, managing a certificate authority (CA), and cross-referencing CA hierarchies. The method includes receiving, by a processor of a CA computing system, at least one of a digital certificate generation request and a digital certificate revocation from a user via a user computing device, the digital certificate generation request including a user public key and a user identity. The method further includes generating a digital certificate for the user and signing the digital certificate with a CA private key, wherein the CA private key is associated with a known CA public key. The method further includes publishing the digital certificate signed with the CA private key to a digital certificate blockchain, determining a certificate status of the digital certificate, and publishing an update to the digital certificate blockchain to reflect the certificate status of the digital certificate.

Abstract: Various embodiments relate to a dynamic biometric enrollment system. The dynamic biometric enrollment includes a processor and instructions stored in non-transitory machine-readable media. The instructions are configured to cause the server system to receive at least one biometric authentication sample from the user. The at least one tokenized biometric enrollment sample has been generated by tokenizing at least one biometric enrollment sample captured from a user associated with a unique user identifier. At least one biometric authentication sample captured from the user is retrieved. The at least one tokenized biometric enrollment sample is detokenized to retrieve the at least one biometric enrollment sample. The at least one biometric enrollment sample is processed using a biometric processing algorithm to generate a dynamic biometric reference template. It is determined whether the at least one biometric authentication sample matches with the dynamic biometric reference template.

Abstract: A method includes receiving an event, the event associated with a digital signature in a first time-based message comprising a first trusted time stamp token generated using a first hash of digitally signed content from a trusted timing authority; generating a first block on a distributed ledger; generating a second hash of the first trusted time stamp token; receiving a second trusted time stamp token from the trusted timing authority in response to transmitting the second hash to the trusted timing authority; and generating a second block on the distributed ledger; wherein verification of data integrity of the digitally signed content is provided via the first hash of the digitally signed content and second hash of the first trusted time stamp token and via the hash of the first block and a hash of the second block.

Abstract: Systems and methods for securely sharing and authenticating a last secret can include generating, by a cryptographic module on a first network node, a seed configured for deriving or recovering a last secret, the last secret providing access to a secure entity and being a last cryptographic element controlling access to the secure entity, creating, by the cryptographic module, an envelope for the seed, enveloping the seed by the envelope, and transmitting, by the cryptographic module, the seed to a computing system on a second node different than the first node, the computing system being configured to decrypt the envelope of the enveloped seed to recover the seed, and obtain the last secret based on the seed, where the cryptographic module is prevented from deriving the last secret.

Abstract: Systems and methods for securely sharing and authenticating a last secret. A method includes generating a first key and a last secret. The method includes splitting the last secret into first second splits; signing the splits using a dealer signing key to attach a dealer signature to each of the splits; encrypting the first split using a first key of a first share-holder and encrypting the second split using a first key of a second share-holder; decrypting the first split using the first key of the first share-holder and encrypting the first split using a second key of the first share-holder; decrypting the second split using the first key of the second share-holder and encrypting the second split using a second key of the second share-holder. Encrypting maintains confidentiality of the last secret. The dealer signature can be verified to determine integrity and authenticity of the last secret.

Abstract: A unique transaction key (Tk) is established amongst multiple entities using a common hardware security module (HSM) with a common HMAC key (HK) and transaction scheme name (T). The transaction key (Tk) can be used for various cryptographic functions (e.g. encryption, MAC, HMAC, key management) with one or more messages at the transaction or session level.

Abstract: In one arrangement, a non-transitory computer readable media having computer-executable instructions embodied therein that, when executed by at least one processor of a computing system, cause the computing system to process an electronic transaction using a schema. The schema includes a first unique entity object identifier identifying a sender, a second unique entity object identifier identifying a receiver, and a first transaction object identifier identifying the transaction. The first transaction object identifier is located at a top level of a hierarchy of a plurality of transaction object identifiers. The schema further includes transaction information comprising the first unique entity object identifier, the second unique entity object identifier, and the unique transaction object identifier.

Abstract: A method for gesture-based multi-factor authentication includes mapping a gesture password to a first substitution string, generating a cryptographic key using the first substitution string as an input to a password authenticated key exchange protocol, encrypting a challenge response with the cryptographic key to generate an encrypted challenge response, and transmitting, to a relying party computing system, a first authentication message comprising the encrypted challenge response and a user identifier identifying a user.