Abstract: Systems and methods for securely sharing and authenticating a last secret. A system includes a dealer computing system and a combining computing system. The dealer computing system includes a public/private key pair, an encryption key established with the combining computing system, and a circuit structured to generate a last secret and a first key controlling access to a secure computing system. The last secret is the last cryptographic element controlling access to the first key. The circuit is structured to split the last secret into first and second splits. The circuit is structured to generate a first and second SigncryptedData messages by signcrypting each of the first split and the second split with the public/private key pair and the encryption key established with the combining computing system. The circuit is structured to transmit the first SigncryptedData message to a first share-holder and the second SigncryptedData message to a second share-holder.

Abstract: Various embodiments relate to a method performed by a processor of a computing system. An example method includes determining a first cryptographic algorithm utilized in a first block of a first blockchain. The first block of the first blockchain has a first unique block identifier. A second cryptographic algorithm utilized in a second block of the first blockchain is determined. The second block of the first blockchain having a second unique block identifier. A first cryptographic algorithm status transition (“CAST”) event is defined if the second cryptographic algorithm is different than the first cryptographic algorithm. A first CAST record is defined upon occurrence of the first CAST event. The first CAST record includes the second cryptographic algorithm and the second unique block identifier. The first CAST record is digitally signed and stored on a second blockchain. The second blockchain may be referenced out-of-band of the first blockchain.

Abstract: Examples described herein relate to systems, apparatuses, methods, and non-transitory computer-readable media for cryptographically determining a loyalty account identifier, including determining a cryptographic key, determining an input parameter, and generating the loyalty account identifier using a cryptography method based on the cryptographic key and the input parameter. The cryptographic key and the input parameter are inputs to the cryptography method. The loyalty account identifier is an output of the cryptography method.

Abstract: Systems and methods relating to an extension of a group signature scheme certificate that allows group users to conduct anonymous transactions in public, with the ability to subsequently audit and confirm signer identity. Auditing and confirmatory functions may include group signature openers that are configured to reveal the identity of a signer that is a member of a group by their signature. Auditing and confirmatory functions may also include group signature linkers that are configured to link two signatures to the same signer using a linking key or linking base.

Abstract: Various arrangements relate to a method performed by a processor of a computing system. An example method includes hashing a first salted value to generate a first hashed salted value. The first salted value includes a first salt value and a value. A first tuple is generated. The first tuple includes the first hashed salted value and a first token. The first token is associated with the value. A first BAT message is generated. The first BAT message includes the first salt value. The first BAT message is associated with the first tuple. A second salted value is hashed to generate a second hashed salted value. The second salted value includes a second salt value and a value. A second tuple is generated. The second tuple includes the second hashed salted value and a second token. The second token is associated with the value. A second BAT message is generated.

Abstract: Systems and applications are described that use group signature technology to allow for anonymous and/or semi-anonymous feedback while allowing for the application of rules and parameters. The use of group signature technology may serve to potentially mitigate or prevent malicious identification of individuals or entities providing a communication such as feedback. Feedback may range from constructive feedback all the way to the ‘whistleblower’ variety. It may be desirable to identify the individuals as belonging to a particular group or having a particular status or position while maintaining the anonymity of the individuals within the particular group.

Abstract: A system and method for extending data protection of data elements of a data packet beyond a TLS tunnel termination point by using encryption keys established when the TLS tunnel was established. The system and method include authenticating a client device to establish a shared secret. The system and method include receiving a data packet comprising a data element and an object identifier associated with the data element, the data element encrypted with a first content-specific key associated with the shared secret, the data packet encrypted with a session key. The system and method include decrypting the data packet using the session key to recover a decrypted data packet. The system and method include determining an existence of an object identifier in the decrypted data packet. The system and method include decrypting the data element of the decrypted data packet using a second content-specific key associated with the object identifier.

Abstract: In one arrangement, a method for a key management server to manage cryptographic key rotation comprises rotating, by the key management server, an initial symmetric key based on a first rotation schedule. Rotating the initial symmetric key comprises rotating bits of the initial symmetric key to create a rotated key, the rotated key being different from the initial symmetric key. The method further comprises enciphering, by the key management server using the rotated key, data sent to a first client server. In another arrangement, a method for a client server to manage cryptographic key rotation comprises rotating, by the client server, an initial symmetric key based on a schedule. The method further comprises deciphering, by the client server, data sent from a key management server using the rotated key and providing the deciphered data to a user.

Abstract: Systems and methods for securely sharing and authenticating a last secret include requesting, by a computing system on a first network node, a seed configured for deriving or recovering the last secret from a cryptographic module on a second network node different than the first network node. The last secret provides access to a secure entity and is the last cryptographic element controlling access to the secure entity. The systems and methods include generating the seed configured for deriving or recovering the last secret, creating an envelope for the seed, and transmitting the seed to the computing system as enveloped data by the cryptographic module. The systems and methods include decrypting the EnvelopedData to recover the seed and deriving or recovering the last secret based on the seed by the computing system. The cryptographic module cannot derive the last secret and excludes the last secret.

Abstract: Systems and methods for protecting user data received by, stored on, and/or requested by third-party computing devices include a data entry computing system on a first network node. The data entry computing system includes a processing circuit configured to: identify user-entered data as sensitive user data, generate a content encryption key (CEK), generate encrypted user data by encrypting the sensitive user data with the CEK, and tag the encrypted user data and the CEK with a tag readable by a database server on a network node different than the data entry computing system. The tag includes information indicative of the user data. The processing circuit is configured to transmit the encrypted user data to the database server, wherein the database server excludes a private key of a key manager on a network node different than the data entry computing system.

Abstract: Arrangements of the present disclosure relate to a method for securing data located in a blockchain having a plurality of blocks. The method includes creating a pointer within a block of the plurality of blocks, the pointer pointing to a security vault located external to the blockchain. The method further includes copying the block, storing the copied block in the security vault using the pointer, and securing the security vault.

Abstract: In one arrangement, a method for using symmetric keys between two entities comprising a device and a host include initiating, by the device, a transaction involving original data, wherein the original data needs to be verified by the host. The method further includes deriving, by the device, a first key based on a previously generated key and a first number, wherein the first key is unique to the transaction, and the first number is randomly generated. The method further includes sending, by the device, the first key to the host for verification.

Abstract: Various arrangements relate to a method performed by a processor of a computing system. An example method includes tokenizing a first value using a tokenization algorithm to generate a first token. The first value and first key are inputs of the tokenization algorithm. A message is generated. The message includes a first value identifier associated with the first value and a first key generation identifier associated with the generation of the first key. The message is associated with the first token. A second key is generated. A second value is tokenized using a tokenization algorithm to generate a second token. The second value and second key are inputs of the tokenization algorithm.

Abstract: Various embodiments relate to a dynamic biometric enrollment system. The dynamic biometric enrollment includes a processor and instructions stored in non-transitory machine-readable media. The instructions are configured to cause the server system to receive at least one biometric authentication sample from the user. The at least one tokenized biometric enrollment sample has been generated by tokenizing at least one biometric enrollment sample captured from a user associated with a unique user identifier. At least one biometric authentication sample captured from the user is retrieved. The at least one tokenized biometric enrollment sample is detokenized to retrieve the at least one biometric enrollment sample. The at least one biometric enrollment sample is processed using a biometric processing algorithm to generate a dynamic biometric reference template. It is determined whether the at least one biometric authentication sample matches with the dynamic biometric reference template.

Abstract: A unique transaction key (Tk) is established amongst multiple entities using a common hardware security module (HSM) with a common HMAC key (HK) and transaction scheme name (T). The transaction key (Tk) can be used for various cryptographic functions (e.g. encryption, MAC, HMAC, key management) with one or more messages at the transaction or session level.

Abstract: A system, method, and apparatus for distributed extensible blockchain structures is provided. A system includes a parent blockchain. The parent blockchain includes a first block including first content, the first block stored at a first location, and a second block stored at a second location different than the first location. The second block includes second content and a first SignerInfo element. The first SignerInfo element includes a hash on the second content, a hash on the first content of the first block, a pointer to the first location of the first block, and a first SignatureValue element generated by digitally signing at least the hash on the second content, the hash on the first content, and the pointer to the first location.

Abstract: An example method includes receiving an encrypted biometric enrollment data and user identifier data. The encrypted biometric enrollment data includes at least one biometric enrollment sample from a user encrypted using an encryption key. The encryption key is generated based on a user secret and the user identifier is associated with the user. The user identifier is matched with a stored user secret. A decryption key is generated based on the stored user secret. The encrypted biometric enrollment data is decrypted using the decryption key. The at least one biometric enrollment sample is retrieved from the decrypted biometric enrollment data. The at least one biometric enrollment sample is processed using a biometric processing algorithm to generate a biometric reference template. A biometric reference template identifier uniquely identifying the biometric reference template is generated. An encryption key is generated based on the stored user secret and encrypts an enrollment confirmation message.

Abstract: Systems and methods for using ring usage certificate extensions are described. Some implementations described limit the ability of signers using a ‘ring signature’ from using public key certificates to create the ring signatures without the permission of the creators of those respective public key certificates. An implementation may describe receiving a request to validate, receiving a plurality of digital certificates associated with the request to validate, determining the request to validate requires validation of a ring signature using the plurality of digital certificates, determining one or more of the plurality of digital certificates comprises a ring usage certificate extension, analyzing the ring usage certificate extension to retrieve a value associated with the ring usage certificate extension, and failing validation of the request based on determining the request to validate requires validation of the ring signature and based on the value associated with the ring usage certificate extension.

Abstract: Various embodiments relate to a method of receiving an original message, share-holder list, and threshold amount. The original message is tokenized resulting in a tokenized message. A plurality of shares are generated from the tokenized message using a message sharing algorithm of a secret sharing scheme. Each of the plurality of shares is signcrypted using a public key and a private key associated with the shared secret provider computing system and a public key of a respective one of the share-holders included in the share-holders list, resulting in a plurality of signcrypted shares. The plurality of signcrypted shares is distributed to the respective ones of the share-holders according to the public key used to signcrypt the respective signcrypted share. The authenticity and data integrity of each of the plurality of signcrypted shares can be determined by using the public key associated and a public/private key pair associated with the share-holder.

Abstract: Methods and systems are described for enhanced-security database encryption via cryptographic software, where key management is carried out, without exporting or exposing cleartext keys, using an independent key manager coupled to a cryptographic hardware security module (HSM).