Patents by Inventor Jeffrey J. Stapleton

Jeffrey J. Stapleton has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11399017
    Abstract: A system and method for establishing secure communications over a network based on combined capabilities of classical and quantum computers. The system and method include receiving, by a classical computer via a network, a request for client data associated with a client device. The system and method include encrypting, by the classical computer responsive to the request, the client data using a cryptographic key to generate an encrypted data packet. The system and method include transmitting, by the classical computer via the network, the encrypted data packet to a quantum computer, the encrypted data packet causing the quantum computer to decrypt the encrypted data packet to recover a decrypted data packet.
    Type: Grant
    Filed: August 21, 2019
    Date of Patent: July 26, 2022
    Assignee: Wells Fargo Bank, N.A.
    Inventor: Jeffrey J. Stapleton
  • Patent number: 11373172
    Abstract: Methods and systems are described for generating and accessing a digital wallet including a random data encryption key (DK) and locked with a wallet password. A method includes the following steps done by a hardware security module (HSM): generating a wallet password based on an identifier (ID) generated by a database server and a keyed-hash message authentication code (HMAC) key element generated by the HSM; generating the digital wallet including the DK; locking the digital wallet with the wallet password; transmitting the digital wallet to the database server without the wallet password; destroying the wallet password and the HMAC key; receiving a password request message including the ID and the encrypted HMAC key from the database server; regenerating the wallet password using the ID and the HMAC key; digitally signing and encrypting the regenerated wallet password; and transmitting the digitally signed and encrypted regenerated wallet password to the database server.
    Type: Grant
    Filed: January 3, 2019
    Date of Patent: June 28, 2022
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Phillip H. Griffin, Jeffrey J. Stapleton
  • Patent number: 11356427
    Abstract: Various embodiments relate to a method performed by a processor of a computing system. An example method includes generating a symmetric content encryption key. Content is encrypted using the content encryption key to generate cipher text. A hash of the cipher text is generated. Each of the hash and the content encryption key is signcrypted using each of a signcrypting party public key, a signcrypting party private key and a recipient public key to generate a signcrypted envelope message. The cipher text is embedded in a component of the signcrypted envelope message. The signcrypted envelope message is transmitted to a recipient. The recipient can designcrypt the signcrypted envelope message using each of the recipient public key, a recipient private key, and the signcrypting party public key to retrieve the content encryption key and hash of the cipher text. The recipient can decrypt the cipher text using the content encryption key.
    Type: Grant
    Filed: August 4, 2017
    Date of Patent: June 7, 2022
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Phillip H. Griffin, Jeffrey J. Stapleton
  • Patent number: 11323267
    Abstract: Systems and methods for securely sharing and authenticating a last secret. A system includes a dealer computing system and a combining computing system. The dealer computing system includes a public/private key pair, an encryption key established with the combining computing system, and a circuit structured to generate a last secret and a first key controlling access to a secure computing system. The last secret is the last cryptographic element controlling access to the first key. The circuit is structured to split the last secret into first and second splits. The circuit is structured to generate first and second SigncryptedData messages by signcrypting each of the first split and the second split with the public/private key pair and the encryption key established with the combining computing system. The circuit is structured to transmit the first SigncryptedData message to a first share-holder and the second SigncryptedData message to a second share-holder.
    Type: Grant
    Filed: June 20, 2019
    Date of Patent: May 3, 2022
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Phillip H. Griffin, Jeffrey J. Stapleton
  • Patent number: 11296865
    Abstract: Various embodiments relate to a method performed by a processor of a computing system. An example method includes determining a first cryptographic algorithm utilized in a first block of a first blockchain. The first block of the first blockchain has a first unique block identifier. A second cryptographic algorithm utilized in a second block of the first blockchain is determined. The second block of the first blockchain has a second unique block identifier. A first cryptographic algorithm status transition (“CAST”) event is defined if the second cryptographic algorithm is different than the first cryptographic algorithm. A first CAST record is defined upon occurrence of the first CAST event. The first CAST record includes the second cryptographic algorithm and the second unique block identifier. The first CAST record is digitally signed and stored on a second blockchain. The second blockchain may be referenced out-of-band of the first blockchain.
    Type: Grant
    Filed: August 16, 2019
    Date of Patent: April 5, 2022
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Phillip H. Griffin, Jeffrey J. Stapleton
  • Patent number: 11283618
    Abstract: Examples described herein relate to systems, apparatuses, methods, and non-transitory computer-readable media for cryptographically determining a loyalty account identifier, including determining a cryptographic key, determining an input parameter, and generating the loyalty account identifier using a cryptography method based on the cryptographic key and the input parameter. The cryptographic key and the input parameter are inputs to the cryptography method. The loyalty account identifier is an output of the cryptography method.
    Type: Grant
    Filed: March 14, 2019
    Date of Patent: March 22, 2022
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Phillip H. Griffin, Jeffrey J. Stapleton
  • Patent number: 11265148
    Abstract: Various arrangements relate to a method performed by a processor of a computing system. An example method includes hashing a first salted value to generate a first hashed salted value. The first salted value includes a first salt value and a value. A first tuple is generated. The first tuple includes the first hashed salted value and a first token. The first token is associated with the value. A first BAT message is generated. The first BAT message includes the first salt value. The first BAT message is associated with the first tuple. A second salted value is hashed to generate a second hashed salted value. The second salted value includes a second salt value and a value. A second tuple is generated. The second tuple includes the second hashed salted value and a second token. The second token is associated with the value. A second BAT message is generated.
    Type: Grant
    Filed: May 17, 2019
    Date of Patent: March 1, 2022
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Phillip H. Griffin, Jeffrey J. Stapleton
  • Patent number: 11240270
    Abstract: A system and method for extending data protection of data elements of a data packet beyond a TLS tunnel termination point by using encryption keys established when the TLS tunnel was established. The system and method include authenticating a client device to establish a shared secret. The system and method include receiving a data packet comprising a data element and an object identifier associated with the data element, the data element encrypted with a first content-specific key associated with the shared secret, the data packet encrypted with a session key. The system and method include decrypting the data packet using the session key to recover a decrypted data packet. The system and method include determining an existence of an object identifier in the decrypted data packet. The system and method include decrypting the data element of the decrypted data packet using a second content-specific key associated with the object identifier.
    Type: Grant
    Filed: August 13, 2019
    Date of Patent: February 1, 2022
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Phillip H. Griffin, Jeffrey J. Stapleton
  • Patent number: 11240022
    Abstract: In one arrangement, a method for a key management server to manage cryptographic key rotation comprises rotating, by the key management server, an initial symmetric key based on a first rotation schedule. Rotating the initial symmetric key comprises rotating bits of the initial symmetric key to create a rotated key, the rotated key being different from the initial symmetric key. The method further comprises enciphering, by the key management server using the rotated key, data sent to a first client server. In another arrangement, a method for a client server to manage cryptographic key rotation comprises rotating, by the client server, an initial symmetric key based on a schedule. The method further comprises deciphering, by the client server, data sent from a key management server using the rotated key and providing the deciphered data to a user.
    Type: Grant
    Filed: April 11, 2019
    Date of Patent: February 1, 2022
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Phillip H. Griffin, Jeffrey J. Stapleton
  • Patent number: 11218307
    Abstract: Systems and methods for securely sharing and authenticating a last secret include requesting, by a computing system on a first network node, a seed configured for deriving or recovering the last secret from a cryptographic module on a second network node different than the first network node. The last secret provides access to a secure entity and is the last cryptographic element controlling access to the secure entity. The systems and methods include generating the seed configured for deriving or recovering the last secret, creating an envelope for the seed, and transmitting the seed to the computing system as enveloped data by the cryptographic module. The systems and methods include decrypting the EnvelopedData to recover the seed and deriving or recovering the last secret based on the seed by the computing system. The cryptographic module cannot derive the last secret and excludes the last secret.
    Type: Grant
    Filed: April 24, 2019
    Date of Patent: January 4, 2022
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Phillip H. Griffin, Jeffrey J. Stapleton
  • Patent number: 11212264
    Abstract: Systems and methods for protecting user data received by, stored on, and/or requested by third-party computing devices include a data entry computing system on a first network node. The data entry computing system includes a processing circuit configured to: identify user-entered data as sensitive user data, generate a content encryption key (CEK), generate encrypted user data by encrypting the sensitive user data with the CEK, and tag the encrypted user data and the CEK with a tag readable by a database server on a network node different than the data entry computing system. The tag includes information indicative of the user data. The processing circuit is configured to transmit the encrypted user data to the database server, wherein the database server excludes a private key of a key manager on a network node different than the data entry computing system.
    Type: Grant
    Filed: May 30, 2019
    Date of Patent: December 28, 2021
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Phillip H. Griffin, Brian L. Keltner, Ronnie F. McGinnis, Jr., Jeffrey J. Stapleton, Luis A. Suarez
  • Patent number: 11212090
    Abstract: In one arrangement, a method for using symmetric keys between two entities comprising a device and a host includes initiating, by the device, a transaction involving original data, wherein the original data needs to be verified by the host. The method further includes deriving, by the device, a first key based on a previously generated key and a first number, wherein the first key is unique to the transaction, and the first number is randomly generated. The method further includes sending, by the device, the first key to the host for verification.
    Type: Grant
    Filed: February 27, 2019
    Date of Patent: December 28, 2021
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Phillip H. Griffin, Jeffrey J. Stapleton
  • Patent number: 11206131
    Abstract: Various arrangements relate to a method performed by a processor of a computing system. An example method includes tokenizing a first value using a tokenization algorithm to generate a first token. The first value and first key are inputs of the tokenization algorithm. A message is generated. The message includes a first value identifier associated with the first value and a first key generation identifier associated with the generation of the first key. The message is associated with the first token. A second key is generated. A second value is tokenized using a tokenization algorithm to generate a second token. The second value and second key are inputs of the tokenization algorithm.
    Type: Grant
    Filed: May 17, 2019
    Date of Patent: December 21, 2021
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Phillip H. Griffin, Jeffrey J. Stapleton
  • Patent number: 11188630
    Abstract: Various embodiments relate to a dynamic biometric enrollment system. The dynamic biometric enrollment includes a processor and instructions stored in non-transitory machine-readable media. The instructions are configured to cause the server system to receive at least one biometric authentication sample from the user. The at least one tokenized biometric enrollment sample has been generated by tokenizing at least one biometric enrollment sample captured from a user associated with a unique user identifier. At least one biometric authentication sample captured from the user is retrieved. The at least one tokenized biometric enrollment sample is detokenized to retrieve the at least one biometric enrollment sample. The at least one biometric enrollment sample is processed using a biometric processing algorithm to generate a dynamic biometric reference template. It is determined whether the at least one biometric authentication sample matches with the dynamic biometric reference template.
    Type: Grant
    Filed: December 6, 2019
    Date of Patent: November 30, 2021
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Phillip H. Griffin, Jeffrey J. Stapleton
  • Patent number: 11184158
    Abstract: A unique transaction key (Tk) is established amongst multiple entities using a common hardware security module (HSM) with a common HMAC key (HK) and transaction scheme name (T). The transaction key (Tk) can be used for various cryptographic functions (e.g. encryption, MAC, HMAC, key management) with one or more messages at the transaction or session level.
    Type: Grant
    Filed: April 6, 2020
    Date of Patent: November 23, 2021
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Phillip H. Griffin, Jeffrey J. Stapleton
  • Patent number: 11115197
    Abstract: Various embodiments relate to a method of receiving an original message, share-holder list, and threshold amount. The original message is tokenized resulting in a tokenized message. A plurality of shares are generated from the tokenized message using a message sharing algorithm of a secret sharing scheme. Each of the plurality of shares is signcrypted using a public key and a private key associated with the shared secret provider computing system and a public key of a respective one of the share-holders included in the share-holders list, resulting in a plurality of signcrypted shares. The plurality of signcrypted shares is distributed to the respective ones of the share-holders according to the public key used to signcrypt the respective signcrypted share. The authenticity and data integrity of each of the plurality of signcrypted shares can be determined by using the public key associated and a public/private key pair associated with the share-holder.
    Type: Grant
    Filed: December 9, 2019
    Date of Patent: September 7, 2021
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Phillip H. Griffin, Jeffrey J. Stapleton
  • Patent number: 11095438
    Abstract: Methods and systems are described for enhanced-security database encryption via cryptographic software, where key management is carried out, without exporting or exposing cleartext keys, using an independent key manager coupled to a cryptographic hardware security module (HSM).
    Type: Grant
    Filed: April 6, 2020
    Date of Patent: August 17, 2021
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Phillip H. Griffin, Jeffrey J. Stapleton
  • Patent number: 11080699
    Abstract: Examples described herein relate to systems, apparatuses, and methods for using tokens between two entities comprising a client device and a server, including receiving, by the server, a token from the client device, wherein the token is unique to a transaction, deriving, by the server, a server-derived token from the original data based on a transaction count, wherein the transaction count corresponds to a number of times that the original data is involved in transactions, comparing, by the server, the received token with the server-derived token, and responsive to determining that the received token and the server-derived token are the same, sending, by the server, a verification message.
    Type: Grant
    Filed: June 12, 2019
    Date of Patent: August 3, 2021
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Phillip H. Griffin, Jeffrey J. Stapleton
  • Patent number: 11070378
    Abstract: The methods and system allow for the generation of a signcrypted biometric electronic signature token using a subsequent biometric sample after an enrollment of a biometric reference value in a biometric system. The signcrypted biometric electronic signature token involves simultaneous encryption and digital signature to protect the confidentiality. The system as described herein provides data integrity, origin authentication, and efficiency by performing encryption and digital signature simultaneously. The process allows a signcrypting party to enroll in a biometric service, sign a piece of data or content using a public key, that may be tied to a trusted anchor certificate authority, and submit a biometric sample. Subsequently, the relying party may validate the information on that piece of data or content to confirm the identity of the signcrypting party.
    Type: Grant
    Filed: November 7, 2016
    Date of Patent: July 20, 2021
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Phillip H. Griffin, Jeffrey J. Stapleton
  • Publication number: 20210211468
    Abstract: A method includes defining a service policy. The service policy is stored in a policy blockchain, which includes a plurality of blocks. A first of the blocks includes a first version of the service policy and a second of the blocks includes an update to the first version. A plurality of compliance event logs are captured over a first time period for a plurality of subscribers of the blockchain facilitator. Each of the logs includes a plurality of field-level components. Each of the components is time stamped via a trusted time stamp token. The components are selectively encrypted based on permissions associated with each of the subscribers, and are stored in an event blockchain. The policy blockchain and the components related to a first of the subscribers are accessible by the first subscriber to evaluate compliance of the blockchain facilitator to the service policy regarding the first subscriber.
    Type: Application
    Filed: May 27, 2016
    Publication date: July 8, 2021
    Inventors: Phillip H. Griffin, Jeffrey J. Stapleton