Patents by Inventor Mark Duane Seaborn
Mark Duane Seaborn has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Patent number: 12250314
  Abstract: Mechanisms are provided for computing resource access security in which a credential of a user agent is authenticated to determine if the user agent is associated with an entity for which an attribute based encryption (ABE) key is to be generated. If so, an ABE key is generated and provided which corresponds to a set of attributes of the entity. Token issuance logic receives a token request and the ABE key from a relying party computing device and executes a decryption operation on locking metadata associated with at least one attribute value based on the ABE key. The token issuance logic, in response to the decryption operation successfully decrypting the locking metadata, issues a generated token to the relying party computing device based on the at least one attribute value. The relying party computing device accesses the computing resources using the generated token.
  Type: Grant
  Filed: February 13, 2023
  Date of Patent: March 11, 2025
  Assignee: International Business Machines Corporation
  Inventors: Mark Duane Seaborn, Patrick Aaron Tamborski
- Publication number: 20250005146
  Abstract: A mitigation system protects data in a data store that is not yet encrypted by a successful ransomware attack against encryption. Data is stored in the data store as a set of versions identified in a data tree, and a version can only be updated by writing a new version to the tree. Access controls to prevent modification of the tree are also in place. Following an attack, a restore function is executed to attempt recovery. This function computes an entropy delta that compares an entropy of an encrypted version with an entropy of versions of the data not yet encrypted. Based on the computed entropy deltas, the restore function identifies a latest clear version of the data, and a restore operation is then initiated with respect to this version.
  Type: Application
  Filed: June 29, 2023
  Publication date: January 2, 2025
  Applicant: International Business Machines Corporation
  Inventors: Mark Duane Seaborn, Jacqueline Hegedus Wilson
- Publication number: 20250007717
  Abstract: An approach is provided for token-based authorization for a remote login using attribute-based encryption (ABE). A request from a Secure Shell Protocol (SSH) client is received for establishing a session between the SSH client and an SSH server. A message is sent from the SSH server indicating the SSH client is required to obtain an ABE token. Responsive to sending a request for creating the ABE token, creating the ABE token by a token service (TS), receiving the ABE token from the TS, and sending the ABE token to the SSH server, the ABE token is received by the SSH server from the SSH client. The SSH server determines that the ABE token can be used to successfully decrypt an encrypted blob associated with a set of attributes of the SSH server. In response, the SSH server authorizes the session and an establishment of the session is completed.
  Type: Application
  Filed: June 30, 2023
  Publication date: January 2, 2025
  Inventors: Mark Duane Seaborn, Patrick Aaron Tamborski
- Publication number: 20240413988
  Abstract: Described are techniques for a multi-factor authentication (MFA) protocol that encrypts a factor using a public key of an identity certificate issued to a user. The techniques include receiving a request for a factor of an MFA protocol from a user-device. The techniques further include generating an encrypted factor using a public key of an identity certificate issued to a user of the user-device. The techniques further include sending the encrypted factor to the user-device to allow the user-device to obtain the factor by decrypting the encrypted factor using a private key that corresponds to the public key. The techniques further include receiving the factor from the user-device and verifying that the factor received from the user-device is a same factor used to generate the encrypted factor.
  Type: Application
  Filed: June 9, 2023
  Publication date: December 12, 2024
  Inventors: Mark Duane Seaborn, Raghuraman Kalyanaraman, Asimuddin Kazi
- Publication number: 20240413996
  Abstract: A computer-implemented method, in accordance with one embodiment, includes receiving, by a token service, an Attribute Based Encryption (ABE) authorization code having environmental attributes encoded therein. At least one test is performed, by the token service, on the ABE authorization code using ABE decryption for determining whether the ABE authorization code satisfies a predefined policy that is based on the environmental attributes. In response to determining that the ABE authorization code satisfies the predefined policy, a token is issued by the token service.
  Type: Application
  Filed: June 7, 2023
  Publication date: December 12, 2024
  Inventors: Mark Duane Seaborn, Patrick Aaron Tamborski
- Publication number: 20240275819
  Abstract: A method to facilitate a permitted access to a protected resource associated with a service provider (SP). The method begins by the SP establishing a root of trust to a third party via an attribute-based encryption (ABE) master secret key, and a set of one or more public parameters. Once vetted by the entity, the SP receives a binary object from the third party that encodes the policy as a cryptographic payload. When a client application desires to enroll with and interoperate with the service provider, the SP receives a request for a credential. The request has an associated ABE user key generated by the third party according to the policy. The service provider determines whether the binary object obtained during the initial vetting process can be decrypted using the ABE user key and the public parameters. If so, and provided it has obtained any other necessary permission, the service provider issues the credential to the client application.
  Type: Application
  Filed: February 15, 2023
  Publication date: August 15, 2024
  Applicant: International Business Machines Corporation
  Inventors: Patrick Aaron Tamborski, Mark Duane Seaborn
- Publication number: 20240275584
  Abstract: Mechanisms are provided for computing resource access security in which a credential of a user agent is authenticated to determine if the user agent is associated with an entity for which an attribute based encryption (ABE) key is to be generated. If so, an ABE key is generated and provided which corresponds to a set of attributes of the entity. Token issuance logic receives a token request and the ABE key from a relying party computing device and executes a decryption operation on locking metadata associated with at least one attribute value based on the ABE key. The token issuance logic, in response to the decryption operation successfully decrypting the locking metadata, issues a generated token to the relying party computing device based on the at least one attribute value. The relying party computing device accesses the computing resources using the generated token.
  Type: Application
  Filed: February 13, 2023
  Publication date: August 15, 2024
  Inventors: Mark Duane Seaborn, Patrick Aaron Tamborski
- Patent number: 11863669
  Abstract: Session resumption for cryptographic communications is provided. Session data and encrypted early data are received from a client. A key is derived using the session data and a one-time pad. The early data is decrypted using the derived key.
  Type: Grant
  Filed: March 28, 2022
  Date of Patent: January 2, 2024
  Assignee: International Business Machines Corporation
  Inventor: Mark Duane Seaborn
- Publication number: 20230308271
  Abstract: Session resumption for cryptographic communications is provided. Session data and encrypted early data are received from a client. A key is derived using the session data and a one-time pad. The early data is decrypted using the derived key.
  Type: Application
  Filed: March 28, 2022
  Publication date: September 28, 2023
  Inventor: Mark Duane Seaborn
- Patent number: 11750397
  Abstract: Resource user authentication and authorization is provided. An authentication code is generated based on using a retrieved attribute-based encryption user key as a secret key for a keyed-hash message authentication code digital signature over a set of header fields of a protected resource access request received from a client device of a resource user via a network. The generated authentication code is compared with an authentication code read within an embedded header field of the protected resource access request. It is determined whether a match exists between the generated authentication code and the authentication code read within the embedded header field. In response to determining that a match does exist, the resource user is authenticated. Decryption of an encrypted protected resource corresponding to the protected resource access request is performed using the retrieved attribute-based encryption user key corresponding to the resource user in response to authentication of the resource user.
  Type: Grant
  Filed: January 4, 2021
  Date of Patent: September 5, 2023
  Assignee: International Business Machines Corporation
  Inventor: Mark Duane Seaborn
- Publication number: 20230179634
  Abstract: A computer-implemented method for secure policy distribution to a cloud system. The method includes defining an access policy for a set of resources on a cloud computing system, where the access policy includes rules to allow access to the set of resources. The method further includes creating, based on the access policy, an activation function and attribute metadata in the cloud computing system, where the attribute metadata includes a set of access attributes for each resource of the set of resources. The method also includes receiving a request to access a first resource of the set of resources, where the request includes a set of credentials. The method includes comparing, by the activation function, the set of credentials to the set of access attributes. The method further includes processing, based on the comparing, the request to access the first resource.
  Type: Application
  Filed: December 2, 2021
  Publication date: June 8, 2023
  Inventor: Mark Duane Seaborn
- Patent number: 11558399
  Abstract: A data packet transits through a series of network nodes (a series of intermediate hops) while being transmitted from a source node to a destination node. A network node (router, gateway, server, or any network device) that handles the data packet adds new information to the file header of the data packet. The new header information identifies the previous and next network nodes in the transmission path. The network node further validates information provided by a previous node, and generates further new header information that attests as to the validity of the information provided by the previous node. The network node secures and signs the new information cryptographically, and adds the new information to the file header. If a malicious actor attempts to tamper with the data packet, or routing thereof, the secured header information renders such tampering discoverable, enabling performance of a responsive action.
  Type: Grant
  Filed: September 30, 2019
  Date of Patent: January 17, 2023
  Assignee: International Business Machines Corporation
  Inventors: Mark Duane Seaborn, Amit Lamba, Jason Resch
- Patent number: 11418327
  Abstract: A key management service creates a key upon user request. The key management service receives a request for a first cryptographic operation. The key management service performs the first cryptographic operation. The key management service returns results of the first cryptographic operation to a dependent service. The key management service receives a notification of key rotation. The key management service receives a request for a second cryptographic operation. The key management service performs the second cryptographic operation. The key management service returns results of the second cryptographic operation to the dependent service. The key management service returns updated key metadata to the dependent service.
  Type: Grant
  Filed: November 14, 2019
  Date of Patent: August 16, 2022
  Assignee: International Business Machines Corporation
  Inventors: Mark Duane Seaborn, Karunakar Bojjireddy, Erlander Lo
- Publication number: 20220217000
  Abstract: Resource user authentication and authorization is provided. An authentication code is generated based on using a retrieved attribute-based encryption user key as a secret key for a keyed-hash message authentication code digital signature over a set of header fields of a protected resource access request received from a client device of a resource user via a network. The generated authentication code is compared with an authentication code read within an embedded header field of the protected resource access request. It is determined whether a match exists between the generated authentication code and the authentication code read within the embedded header field. In response to determining that a match does exist, the resource user is authenticated. Decryption of an encrypted protected resource corresponding to the protected resource access request is performed using the retrieved attribute-based encryption user key corresponding to the resource user in response to authentication of the resource user.
  Type: Application
  Filed: January 4, 2021
  Publication date: July 7, 2022
  Inventor: Mark Duane Seaborn
- Publication number: 20210152336
  Abstract: A key management service creates a key upon user request. The key management service receives a request for a first cryptographic operation. The key management service performs the first cryptographic operation. The key management service returns results of the first cryptographic operation to a dependent service. The key management service receives a notification of key rotation. The key management service receives a request for a second cryptographic operation. The key management service performs the second cryptographic operation. The key management service returns results of the second cryptographic operation to the dependent service. The key management service returns updated key metadata to the dependent service.
  Type: Application
  Filed: November 14, 2019
  Publication date: May 20, 2021
  Inventors: Mark Duane Seaborn, Karunakar Bojjireddy, Erlander Lo
- Publication number: 20210099464
  Abstract: A data packet transits through a series of network nodes (a series of intermediate hops) while being transmitted from a source node to a destination node. A network node (router, gateway, server, or any network device) that handles the data packet adds new information to the file header of the data packet. The new header information identifies the previous and next network nodes in the transmission path. The network node further validates information provided by a previous node, and generates further new header information that attests as to the validity of the information provided by the previous node. The network node secures and signs the new information cryptographically, and adds the new information to the file header. If a malicious actor attempts to tamper with the data packet, or routing thereof, the secured header information renders such tampering discoverable, enabling performance of a responsive action.
  Type: Application
  Filed: September 30, 2019
  Publication date: April 1, 2021
  Inventors: Mark Duane Seaborn, Amit Lamba, Jason Resch