Patents by Inventor Mark Duane Seaborn

Mark Duane Seaborn has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11863669
    Abstract: Session resumption for cryptographic communications is provided. Session data and encrypted early data are received from a client. A key is derived using the session data and a one-time pad. The early data is decrypted using the derived key.
    Type: Grant
    Filed: March 28, 2022
    Date of Patent: January 2, 2024
    Assignee: International Business Machines Corporation
    Inventor: Mark Duane Seaborn
  • Publication number: 20230308271
    Abstract: Session resumption for cryptographic communications is provided. Session data and encrypted early data are received from a client. A key is derived using the session data and a one-time pad. The early data is decrypted using the derived key.
    Type: Application
    Filed: March 28, 2022
    Publication date: September 28, 2023
    Inventor: Mark Duane Seaborn
  • Patent number: 11750397
    Abstract: Resource user authentication and authorization is provided. An authentication code is generated based on using a retrieved attribute-based encryption user key as a secret key for a keyed-hash message authentication code digital signature over a set of header fields of a protected resource access request received from a client device of a resource user via a network. The generated authentication code is compared with an authentication code read within an embedded header field of the protected resource access request. It is determined whether a match exists between the generated authentication code and the authentication code read within the embedded header field. In response to determining that a match does exist, the resource user is authenticated. Decryption of an encrypted protected resource corresponding to the protected resource access request is performed using the retrieved attribute-based encryption user key corresponding to the resource user in response to authentication of the resource user.
    Type: Grant
    Filed: January 4, 2021
    Date of Patent: September 5, 2023
    Assignee: International Business Machines Corporation
    Inventor: Mark Duane Seaborn
  • Publication number: 20230179634
    Abstract: A computer-implemented method for secure policy distribution to a cloud system. The method includes defining an access policy for a set of resources on a cloud computing system, where the access policy includes rules to allow access to the set of resources. The method further includes creating, based on the access policy, an activation function and attribute metadata in the cloud computing system, where the attribute metadata includes a set of access attributes for each resource of the set of resources. The method also includes receiving a request to access a first resource of the set of resources, where the request includes a set of credentials. The method includes comparing, by the activation function, the set of credentials to the set of access attributes. The method further includes processing, based on the comparing, the request to access the first resource.
    Type: Application
    Filed: December 2, 2021
    Publication date: June 8, 2023
    Inventor: Mark Duane Seaborn
  • Patent number: 11558399
    Abstract: A data packet transits through a series of network nodes (a series of intermediate hops) while being transmitted from a source node to a destination node. A network node (router, gateway, server, or any network device) that handles the data packet, adds new information to the file header of the data packet. The new header information identifies the previous and next network nodes in the transmission path. The network node further validates information provided by a previous node, and generates further new header information that attests as to the validity of the information provided by the previous node. The network node secures and signs the new information cryptographically, and adds the new information to the file header. If a malicious actor attempts to tamper with the data packet, or routing thereof, the secured header information renders such tampering discoverable, enabling performance of a responsive action.
    Type: Grant
    Filed: September 30, 2019
    Date of Patent: January 17, 2023
    Assignee: International Business Machines Corporation
    Inventors: Mark Duane Seaborn, Amit Lamba, Jason Resch
  • Patent number: 11418327
    Abstract: A key management service creates a key upon user request. The key management service receives a request for a first cryptographic operation. The key management service performs the first cryptographic operation. The key management service returns results of the first cryptographic operation to a dependent service. The key management service receives a notification of key rotation. The key management service receives a request for a second cryptographic operation. The key management service performs the second cryptographic operation. The key management service returns results of the second cryptographic operation to the dependent service. The key management service returns updated key metadata to the dependent service.
    Type: Grant
    Filed: November 14, 2019
    Date of Patent: August 16, 2022
    Assignee: International Business Machines Corporation
    Inventors: Mark Duane Seaborn, Karunakar Bojjireddy, Erlander Lo
  • Publication number: 20220217000
    Abstract: Resource user authentication and authorization is provided. An authentication code is generated based on using a retrieved attribute-based encryption user key as a secret key for a keyed-hash message authentication code digital signature over a set of header fields of a protected resource access request received from a client device of a resource user via a network. The generated authentication code is compared with an authentication code read within an embedded header field of the protected resource access request. It is determined whether a match exists between the generated authentication code and the authentication code read within the embedded header field. In response to determining that a match does exist, the resource user is authenticated. Decryption of an encrypted protected resource corresponding to the protected resource access request is performed using the retrieved attribute-based encryption user key corresponding to the resource user in response to authentication of the resource user.
    Type: Application
    Filed: January 4, 2021
    Publication date: July 7, 2022
    Inventor: Mark Duane Seaborn
  • Publication number: 20210152336
    Abstract: A key management service creates a key upon user request. The key management service receives a request for a first cryptographic operation. The key management service performs the first cryptographic operation. The key management service returns results of the first cryptographic operation to a dependent service. The key management service receives a notification of key rotation. The key management service receives a request for a second cryptographic operation. The key management service performs the second cryptographic operation. The key management service returns results of the second cryptographic operation to the dependent service. The key management service returns updated key metadata to the dependent service.
    Type: Application
    Filed: November 14, 2019
    Publication date: May 20, 2021
    Inventors: Mark Duane Seaborn, Karunakar Bojjireddy, Erlander Lo
  • Publication number: 20210099464
    Abstract: A data packet transits through a series of network nodes (a series of intermediate hops) while being transmitted from a source node to a destination node. A network node (router, gateway, server, or any network device) that handles the data packet, adds new information to the file header of the data packet. The new header information identifies the previous and next network nodes in the transmission path. The network node further validates information provided by a previous node, and generates further new header information that attests as to the validity of the information provided by the previous node. The network node secures and signs the new information cryptographically, and adds the new information to the file header. If a malicious actor attempts to tamper with the data packet, or routing thereof, the secured header information renders such tampering discoverable, enabling performance of a responsive action.
    Type: Application
    Filed: September 30, 2019
    Publication date: April 1, 2021
    Inventors: Mark Duane Seaborn, Amit Lamba, Jason Resch