Patents by Inventor Martin Schmatz

Martin Schmatz has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240064130
    Abstract: A computer-implemented method according to one embodiment includes using a first symmetric key to encrypt a second symmetric key. The first symmetric key is securely loaded inside a hardware security module (HSM) by a key management service before the encryption of the second symmetric key, and a cloud provider only has access to encrypted bits of the first symmetric key. Key data of a key-value-pair of the second symmetric key is used as additional authenticated data (AAD) for the encryption of the second symmetric key. The second symmetric key is used to encrypt value data of the key-value-pair. The method further includes storing the encrypted second symmetric key, the AAD used in the encryption of the second symmetric key, and tag bits created during the encryption of the second symmetric key, to thereafter use for verifying node related data.
    Type: Application
    Filed: August 17, 2022
    Publication date: February 22, 2024
    Inventors: Martin Schmatz, Navaneeth Rameshan, Patricia M. Sagmeister
  • Publication number: 20230394150
    Abstract: A computer-implemented method according to one embodiment includes performing an attestation of code of a logic loader in a trusted execution environment (TEE) and receiving a request for the logic loader to load service logic code to the TEE. An integrity check of the service logic code associated with the request is performed. In response to the service logic code associated with the request passing the integrity check, the logic loader is allowed to load the service logic code associated with the request to the TEE. A computer program product according to another embodiment includes a computer readable storage medium having program instructions embodied therewith. The program instructions are readable and/or executable by a computer to cause the computer to perform the foregoing method.
    Type: Application
    Filed: June 3, 2022
    Publication date: December 7, 2023
    Inventors: Martin Schmatz, Navaneeth Rameshan, Patricia M. Sagmeister
  • Publication number: 20230318826
    Abstract: Hybrid encryption of imported key material is provided. A request to import key material is received from a user system. In response to the request, two public keys are sent to the user system. The two public keys include a classical cryptography (CC) public key and a quantum-safe cryptography (QSC) public key. At least one public key of the two public keys is retrieved from a hardware security module (HSM). Hybrid-encrypted key material is received from the user system. The hybrid-encrypted key material is key material that has been encrypted using the two public keys. The key material, at least partially encrypted by the at least one public key, is sent to the HSM.
    Type: Application
    Filed: March 30, 2022
    Publication date: October 5, 2023
    Inventors: Vaijayanthimala K. Anand, Jeffrey J. Feng, Priti Bavaria, Martin Schmatz, Nataraj Nagaratnam
  • Patent number: 11689375
    Abstract: Certificate and key management is provided. A signed certificate corresponding to an enterprise is deployed to a plurality of cryptographic communication protocol endpoint proxies located in a heterogeneous distributed computing environment where a private key corresponding to the enterprise is not placed in any of the plurality of cryptographic communication protocol endpoint proxies. Offload of cryptographic communications from the plurality of cryptographic communication protocol endpoint proxies to the hardware security module is received by the hardware security module where the hardware security module verifies connection authenticity for the plurality of cryptographic communication protocol endpoint proxies across the heterogeneous distributed computing environment using the private key corresponding to the enterprise that remains within a security boundary of the hardware security module.
    Type: Grant
    Filed: May 21, 2021
    Date of Patent: June 27, 2023
    Assignee: International Business Machines Corporation
    Inventors: Nataraj Nagaratnam, Christopher S. Smith, David Nguyen, Martin Schmatz, Marco Pavone, Navaneeth Rameshan
  • Publication number: 20230119304
    Abstract: Post quantum secure network communication is provided. The process comprises sending, by a client in a first computing cluster, an outbound message to a quantum safe cryptographic (QSC) proxy server in the first computing cluster, wherein the outbound message is addressed to a target server in a second computing cluster. The QSC proxy server initiates a QSC transport layer security (TLS) connection with an ingress controller in the second computing cluster, wherein the ingress controller comprises a QSC algorithm. The QSC proxy server transfers the message to the ingress controller via the QSC TLS connection, and the ingress controller routes the message to the target server in the second computing cluster via a non-QSC connection.
    Type: Application
    Filed: October 18, 2021
    Publication date: April 20, 2023
    Inventors: Nataraj Nagaratnam, Martin Schmatz, Navaneeth Rameshan, Vaijayanthimala K. Anand, Jeffrey J. Feng
  • Patent number: 11575508
    Abstract: Methods and systems for unified HSM and key management services are disclosed. According to certain embodiments, an encryption service request is issued by a client instance to a key management service (KMS) logic in a KMS cloud instance. The KMS logic parses the request to verify authorization for the request, identify the instance ID, and provide additional information to the request needed by hardware security management (HSM) middleware and hardware. A router receives the request from the KMS logic and routes the request to a service based on the instance ID, that transfers the request to HSM middleware. The HSM middleware parses HSM type from the request, translates the request to HSM vendor-specific instructions and routes the translated request to an HSM. The HSM according to certain embodiments is in a cloud computing environment separate from the KMS cloud instance, and in some embodiments the HSM is on-prem at a physical client site.
    Type: Grant
    Filed: June 2, 2021
    Date of Patent: February 7, 2023
    Assignee: International Business Machines Corporation
    Inventors: Vaijayanthimala K. Anand, Martin Schmatz, Navaneeth Rameshan, Mathew Richard Odden, Bruno Henriques, Patricia M. Sagmeister
  • Publication number: 20220393857
    Abstract: Methods and systems for unified HSM and key management services are disclosed. According to certain embodiments, an encryption service request is issued by a client instance to a key management service (KMS) logic in a KMS cloud instance. The KMS logic parses the request to verify authorization for the request, identify the instance ID, and provide additional information to the request needed by hardware security management (HSM) middleware and hardware. A router receives the request from the KMS logic and routes the request to a service based on the instance ID, that transfers the request to HSM middleware. The HSM middleware parses HSM type from the request, translates the request to HSM vendor-specific instructions and routes the translated request to an HSM. The HSM according to certain embodiments is in a cloud computing environment separate from the KMS cloud instance, and in some embodiments the HSM is on-prem at a physical client site.
    Type: Application
    Filed: June 2, 2021
    Publication date: December 8, 2022
    Inventors: Vaijayanthimala K. Anand, Martin Schmatz, Navaneeth Rameshan, Mathew Richard Odden, Bruno Henriques, Patricia M. Sagmeister
  • Publication number: 20220376929
    Abstract: Certificate and key management is provided. A signed certificate corresponding to an enterprise is deployed to a plurality of cryptographic communication protocol endpoint proxies located in a heterogeneous distributed computing environment where a private key corresponding to the enterprise is not placed in any of the plurality of cryptographic communication protocol endpoint proxies. Offload of cryptographic communications from the plurality of cryptographic communication protocol endpoint proxies to the hardware security module is received by the hardware security module where the hardware security module verifies connection authenticity for the plurality of cryptographic communication protocol endpoint proxies across the heterogeneous distributed computing environment using the private key corresponding to the enterprise that remains within a security boundary of the hardware security module.
    Type: Application
    Filed: May 21, 2021
    Publication date: November 24, 2022
    Inventors: Nataraj Nagaratnam, Christopher S. Smith, David Nguyen, Martin Schmatz, Marco Pavone, Navaneeth Rameshan
  • Patent number: 11456867
    Abstract: A method manages cryptographic objects (COs). The method includes accessing an entropy-based random number and instructing to store this random number. The method includes generating one or more COs based on a deterministic algorithm that causes to interact with a security module (SM), such as a hardware security module (HSM), to generate a seed according to both a reference key of the SM and the random number accessed. A random number generator is seeded with the generated seed to generate the desired COs.
    Type: Grant
    Filed: October 25, 2019
    Date of Patent: September 27, 2022
    Assignee: International Business Machines Corporation
    Inventors: Martin Schmatz, Navaneeth Rameshan, Patricia M. Sagmeister
  • Patent number: 11416633
    Abstract: In a computer-implemented method for providing obfuscated data to users, first, a user request to access data is received; then, an authorization level associated with the request received is identified. Next, obfuscated data is accessed in a protected enclave, which data corresponds to the request received. The data accessed has been obfuscated with an obfuscation algorithm that yields a level of obfuscation compatible with the authorization level identified. Finally, the obfuscated data accessed is provided to the user, from the protected enclave. Related systems and computer program products are also disclosed.
    Type: Grant
    Filed: February 15, 2019
    Date of Patent: August 16, 2022
    Assignee: International Business Machines Corporation
    Inventors: Martin Schmatz, Navaneeth Rameshan, Patricia M. Sagmeister, Yiyu Chen, Mitch Gusat
  • Patent number: 11314739
    Abstract: The present disclosure relates to a method of managing requests to a key-value database. A non-limiting example of the method includes receiving a request that includes a number of keys. The number of keys can be compared with a first threshold number and second threshold number. If the number of keys exceeds the first threshold number, the request can be split. If the number of keys is smaller than the second threshold number, the request can be merged with at least one previous or subsequent request. Requests resulting from the splitting and merging steps can be submitted to the key-value database for further processing of the submitted requests.
    Type: Grant
    Filed: April 9, 2018
    Date of Patent: April 26, 2022
    Assignee: International Business Machines Corporation
    Inventors: Robert Birke, Navaneeth Rameshan, Yiyu Chen, Martin Schmatz
  • Patent number: 11265160
    Abstract: A key management system includes a hardware security module (HSM) with a secure memory; an HSM driver implementing an API, interfaced with the HSM to provide handles to cryptographic objects stored on the secure memory of the HSM; and a shim layer interfaced with the HSM driver. The layer is generally configured to enable a client application to interact with the HSM via the driver, i.e., for the HSM to manage cryptographic objects for the client, notwithstanding the layer. External memory storage resides outside the HSM and is interfaced with the layer. The method includes instructing (at the layer) to: (i) encrypt cryptographic objects from the HSM (with the help of the driver) and store the resulting encrypted objects at respective memory locations on the storage, to free up memory space; and (ii) store handles to such cryptographic objects along with references to said respective memory locations, on the storage.
    Type: Grant
    Filed: February 15, 2019
    Date of Patent: March 1, 2022
    Assignee: International Business Machines Corporation
    Inventors: Martin Schmatz, Navaneeth Rameshan
  • Patent number: 11096290
    Abstract: The present invention is notably directed to a printed circuit board, or PCB. This PCB has two main surfaces, each delimited by lateral edges, as well as lateral surfaces, each meeting each of the two main surfaces at one lateral edge. The present PCB further comprises a row of solder pads, which extends along a lateral edge of the PCB. Each solder pad is formed directly at the lateral edge and/or directly on a lateral surface (meeting one of the two main surfaces at said lateral edge). I.e., each pad interrupts a lateral edge and/or an adjoining lateral surface. One or more chips, e.g., memory chips, can be mounted on such a PCB to form an IC package. The above solder pad arrangement allows particularly dense arrangements of IC packages to be obtained. The present invention is further directed to related devices and methods of fabrication thereof.
    Type: Grant
    Filed: October 3, 2018
    Date of Patent: August 17, 2021
    Assignee: International Business Machines Corporation
    Inventors: Thomas Brunschwiler, Andreas Doering, Ronald P. Luijten, Stefano S. Oggioni, Joerg-Eric Sagmeister, Patricia M. Sagmeister, Martin Schmatz
  • Publication number: 20210126781
    Abstract: A method manages cryptographic objects (COs). The method includes accessing an entropy-based random number and instructing to store this random number. The method includes generating one or more COs based on a deterministic algorithm that causes to interact with a security module (SM), such as a hardware security module (HSM), to generate a seed according to both a reference key of the SM and the random number accessed. A random number generator is seeded with the generated seed to generate the desired COs.
    Type: Application
    Filed: October 25, 2019
    Publication date: April 29, 2021
    Inventors: Martin Schmatz, Navaneeth Rameshan, Patricia M. Sagmeister
  • Patent number: 10986021
    Abstract: Methods and apparatus are provided for managing data flows in a switch connected in a network. Such a method includes monitoring a set of data flows traversing the switch for compliance with a predetermined resource-usage policy, and, in response to detection of a non-compliant data flow, mirroring a set of data packets of that flow to send respective mirror packets to a mirror port of the switch. The method further comprises using the mirror packets sent to the mirror port to construct a non-compliance notification for the non-compliant flow, and sending the non-compliance notification into the network. The resource-usage policy can be defined such that the switch is operable to send a non-compliance notification before occurrence of congestion due to the non-compliant flow.
    Type: Grant
    Filed: March 6, 2018
    Date of Patent: April 20, 2021
    Assignee: International Business Machines Corporation
    Inventors: Martin Schmatz, Mitch Gusat, Alexander T. Iannicelli, Akos Mate
  • Patent number: 10931443
    Abstract: A computer-implemented method manages cryptographic objects in a hierarchical key management system including a hardware security module (HSM), which institutes a key hierarchy extending from a ground level l0. Clients interact with the HSM to obtain cryptographic objects. A request is received from one of the clients for an object at a given level ln of the hierarchy (above the ground level l0). A binary representation of the object is accessed as a primary bit pattern p0, at the HSM and said pattern is scrambled via a bitwise XOR operation. The latter operates, on the one hand, on the primary bit pattern p0 and, on the other hand, on a control bit pattern pc that is a binary representation of an access code of the same length as said primary bit pattern p0. The pattern pc is obtained based on that given level ln of the hierarchy.
    Type: Grant
    Filed: August 23, 2018
    Date of Patent: February 23, 2021
    Assignee: International Business Machines Corporation
    Inventors: Martin Schmatz, Navaneeth Rameshan, Yiyu Chen, Patricia M. Sagmeister
  • Patent number: 10887088
    Abstract: A computing device includes an interface configured to interface and communicate with a communication system, a memory that stores operational instructions, and processing circuitry operably coupled to the interface and to the memory that is configured to execute the operational instructions to perform various operations. The computing device processes an input value (e.g., associated with a key) based on a blinding key (e.g., homomorphic encryption) to generate a blinded value and generates an Oblivious Key Access Request (OKAR). The computing device transmits the OKAR to another computing device (e.g., associated with a Key Management System (KMS) service) and receives a blinded key therefrom that is based on a Partially-Oblivious Pseudorandom Function (P-OPRF). The computing device processes the blinded key based on the blinding key (e.g., homomorphic decryption) to generate the key (e.g., associated with the input value). In some examples, the computing device accesses secure information based on the key.
    Type: Grant
    Filed: March 20, 2018
    Date of Patent: January 5, 2021
    Assignee: International Business Machines Corporation
    Inventors: Jason K. Resch, Hugo M. Krawczyk, Martin Schmatz, Mark D. Seaborn, Patricia Sagmeister
  • Patent number: 10841081
    Abstract: A computing device is configured to divide an Oblivious Pseudorandom Function (OPRF) key to generate a plurality of N partial keys, distribute a respective one of the plurality of N partial keys to a corresponding plurality of N Key Management System (KMS) units. The computing device receives from a threshold number T of KMS units, a plurality T partial blinded keys, wherein the plurality T partial blinded keys are based on processing of a value of a blinded key received by a respective KMS unit and a corresponding stored partial key of the N partial keys, combines the plurality T of partial blinded keys into the blinded key, processes the blinded key based on the blinding key in accordance with an OPRF unblinding operation to generate a key and accesses secure information based on the key.
    Type: Grant
    Filed: May 15, 2018
    Date of Patent: November 17, 2020
    Assignee: International Business Machines Corporation
    Inventors: Jason K. Resch, Hugo M. Krawczyk, Patricia Sagmeister, Martin Schmatz, Mark D. Seaborn
  • Publication number: 20200266982
    Abstract: A key management system includes a hardware security module (HSM) with a secure memory; an HSM driver implementing an API, interfaced with the HSM to provide handles to cryptographic objects stored on the secure memory of the HSM; and a shim layer interfaced with the HSM driver. The layer is generally configured to enable a client application to interact with the HSM via the driver, i.e., for the HSM to manage cryptographic objects for the client, notwithstanding the layer. External memory storage resides outside the HSM and is interfaced with the layer. The method includes instructing (at the layer) to: (i) encrypt cryptographic objects from the HSM (with the help of the driver) and store the resulting encrypted objects at respective memory locations on the storage, to free up memory space; and (ii) store handles to such cryptographic objects along with references to said respective memory locations, on the storage.
    Type: Application
    Filed: February 15, 2019
    Publication date: August 20, 2020
    Inventors: Martin Schmatz, Navaneeth Rameshan
  • Publication number: 20200265159
    Abstract: In a computer-implemented method for providing obfuscated data to users, first, a user request to access data is received; then, an authorization level associated with the request received is identified. Next, obfuscated data is accessed in a protected enclave, which data corresponds to the request received. The data accessed has been obfuscated with an obfuscation algorithm that yields a level of obfuscation compatible with the authorization level identified. Finally, the obfuscated data accessed is provided to the user, from the protected enclave. Related systems and computer program products are also disclosed.
    Type: Application
    Filed: February 15, 2019
    Publication date: August 20, 2020
    Inventors: Martin Schmatz, Navaneeth Rameshan, Patricia M. Sagmeister, Yiyu Chen, Mitch Gusat