Abstract: Systems, methods, and apparatus for a MILS HPC, data storage system (DSS) system architecture that incorporates a multi-crypto module (MCM) to provide end-to-end multi-independent level security (MILS) protection. Configuration of each MCM enables a high performance computing (HPC) resource to compute different security domains with the associated security level keys from a key/node manager. The HPC resource can be dynamically re-allocated to different security level domain(s) by the key/node manager. In one embodiment, the DSS stores encrypted data regardless of the domains.

Abstract: A system includes a security device, configured for cryptographic processing, coupled to receive incoming data from a plurality of data sources (e.g., data from different customers), wherein the incoming data includes first data from a first data source; a controller (e.g., an external key manager) configured to select a first set of keys from a plurality of key sets, each of the key sets corresponding to one of the plurality of data sources, wherein the first set of keys is used by the security device to encrypt the first data; and a common encrypted data storage, coupled to receive the encrypted first data from the security device.

Abstract: Systems and methods to securely send or write data to a cloud storage or server. In one embodiment, a method includes: establishing a connection to a client using a client-side transport protocol; receiving, over the connection, data from the first client; decrypting, using a client session key, the received data to provide first decrypted data; encrypting the first decrypted data using a stored payload key (that is associated with the client) to provide first encrypted data; encrypting, using a cloud session key, the first encrypted data using a remote-side transport protocol to provide second encrypted data; and sending the second encrypted data to the cloud storage or server.

Abstract: A system includes programmable systolic cryptographic modules for security processing of packets from a data source. A first programmable input/output interface routes each incoming packet to one of the systolic cryptographic modules for encryption processing. A second programmable input/output interface routes the encrypted packets from the one systolic cryptographic module to a common data storage. In one embodiment, the first programmable input/output interface is coupled to an interchangeable physical interface that receives the incoming packets from the data source. In another embodiment, each cryptographic module includes a programmable systolic packet input engine, a programmable cryptographic engine, and a programmable systolic packet output engine, each configured as a systolic array (e.g., using FPGAs) for data processing.

Abstract: In one embodiment, a method includes: receiving, by a first computing device on a first port of a plurality of ports, a data packet, wherein each of the ports corresponds to one of a plurality of security classes, and the first computing device comprises a plurality of cryptographic modules, each module configured to encrypt data for a respective one of the security classes; tagging the data packet, wherein tagging data identifies one of the security classes and the first port; routing, based on at least one header, the data packet to a first cryptographic module of the plurality of cryptographic modules; encrypting the data packet using the first cryptographic module; and storing the encrypted data packet in a first data storage device.

Abstract: Systems and methods to securely send or write data to a cloud storage or server. In one embodiment, a method includes: establishing a connection to a client using a client-side transport protocol; receiving, over the connection, data from the first client; decrypting, using a client session key, the received data to provide first decrypted data; encrypting the first decrypted data using a stored payload key (that is associated with the client) to provide first encrypted data; encrypting, using a cloud session key, the first encrypted data using a remote-side transport protocol to provide second encrypted data; and sending the second encrypted data to the cloud storage or server.

Abstract: A system includes a security device, configured for cryptographic processing, coupled to receive incoming data from a plurality of data sources (e.g., data from different customers), wherein the incoming data includes first data from a first data source; a controller (e.g., an external key manager) configured to select a first set of keys from a plurality of key sets, each of the key sets corresponding to one of the plurality of data sources, wherein the first set of keys is used by the security device to encrypt the first data; and a common encrypted data storage, coupled to receive the encrypted first data from the security device.

Abstract: Systems and methods for a random number generator including a systolic array to provide a random number output. In one approach, the systolic array can be arranged in two or greater dimensions, and each cell of the array comprises a ring oscillator. Data is read from a random access memory to provide the inputs to the systolic array. A linear feedback shift register receives the random number output as a feedback signal used to address the memory to read data to provide as the inputs to the systolic array.

Abstract: Systems, methods, and apparatus related to transferring encrypted data over a wireless network. In one approach, an encryptor includes a host interface configured to transmit data and commands with a local computing device, a wireless communication interface configured to transmit data and commands over a radio access network, a storage interface configured to interface a local storage medium to store data, and at least one processing device configured to perform operations comprising: encrypting first data from the local computing device to be written into the local storage medium upon receiving a first command from the local computing device; decrypting the encrypted first data from the local storage medium to be read by the local computing device upon receiving a second command from the local computing device; and transmitting the encrypted first data through the wireless communication interface to the radio access network upon receiving a third command.

Abstract: In one embodiment, a method includes: receiving, by a first computing device on a first port of a plurality of ports, a data packet, wherein each of the ports corresponds to one of a plurality of security classes, and the first computing device comprises a plurality of cryptographic modules, each module configured to encrypt data for a respective one of the security classes; tagging the data packet, wherein tagging data identifies one of the security classes and the first port; routing, based on at least one header, the data packet to a first cryptographic module of the plurality of cryptographic modules; encrypting the data packet using the first cryptographic module; and storing the encrypted data packet in a first data storage device.

Abstract: Systems, methods, and apparatus related to transferring encrypted data over a wireless network. In one approach, an encryptor includes a host interface configured to transmit data and commands with a local computing device, a wireless communication interface configured to transmit data and commands over a radio access network, a storage interface configured to interface a local storage medium to store data, and at least one processing device configured to perform operations comprising: encrypting first data from the local computing device to be written into the local storage medium upon receiving a first command from the local computing device; decrypting the encrypted first data from the local storage medium to be read by the local computing device upon receiving a second command from the local computing device; and transmitting the encrypted first data through the wireless communication interface to the radio access network upon receiving a third command.

Abstract: Systems and methods for a random number generator including a systolic array to provide a random number output. In one approach, the systolic array can be arranged in two or greater dimensions, and each cell of the array comprises a ring oscillator. Data is read from a random access memory to provide the inputs to the systolic array. A linear feedback shift register receives the random number output as a feedback signal used to address the memory to read data to provide as the inputs to the systolic array.

Abstract: A system includes a plurality of data input ports, each port corresponding to one of a plurality of different levels of security classification; a security device, configured for cryptographic processing, coupled to receive incoming data from each of the plurality of input ports, wherein the incoming data includes first data having a first classification level; a key manager configured to select and tag-identified first set of keys from a plurality of key sets, each of the key sets corresponding to one of the different levels of security classification, wherein the first set of keys is used by the security device to encrypt the first data; and a common encrypted data storage, coupled to receive the encrypted first data from the security device for storage.

Abstract: Systems, methods, and apparatus related to transferring encrypted data over a wireless network. In one approach, an encryptor includes a host interface configured to transmit data and commands with a local computing device, a wireless communication interface configured to transmit data and commands over a radio access network, a storage interface configured to interface a local storage medium to store data, and at least one processing device configured to perform operations comprising: encrypting first data from the local computing device to be written into the local storage medium upon receiving a first command from the local computing device; decrypting the encrypted first data from the local storage medium to be read by the local computing device upon receiving a second command from the local computing device; and transmitting the encrypted first data through the wireless communication interface to the radio access network upon receiving a third command.

Abstract: Systems, methods, and apparatus for a MILS HPC, data storage system (DSS) system architecture that incorporates a multi-crypto module (MCM) to provide end-to-end multi-independent level security (MILS) protection. Configuration of each MCM enables a high performance computing (HPC) resource to compute different security domains with the associated security level keys from a key/node manager. The HPC resource can be dynamically re-allocated to different security level domain(s) by the key/node manager. In one embodiment, the DSS stores encrypted data regardless of the domains.

Abstract: A system includes a plurality of data input ports, each port corresponding to one of a plurality of different levels of security classification; a security device, configured for cryptographic processing, coupled to receive incoming data from each of the plurality of input ports, wherein the incoming data includes first data having a first classification level; a key manager configured to select and tag-identified first set of keys from a plurality of key sets, each of the key sets corresponding to one of the different levels of security classification, wherein the first set of keys is used by the security device to encrypt the first data; and a common encrypted data storage, coupled to receive the encrypted first data from the security device for storage.

Abstract: Methods and systems are provided that provide a portable, cryptographic hardware-software device allowing balancing of the needed heightened security while maintaining the modified communication device's original features and value. The system comprises a single chip comprising a self-contained security boundary and cryptographic processing, and is enabled to quickly and easily connect to and modify an existing, commercial, off the shelf mobile communication device. The systems may be enabled to modify the existing device by being contained in hardware, for example the battery of a smart phone. Then, the system may be connected to the existing device's interface, for example via a “micro-USB” or other suitable connection, and subsequently provide cryptographic functionality to the existing device.

Abstract: A system includes programmable systolic cryptographic modules for security processing of packets from a data source. A first programmable input/output interface routes each incoming packet to one of the systolic cryptographic modules for encryption processing. A second programmable input/output interface routes the encrypted packets from the one systolic cryptographic module to a common data storage. In one embodiment, the first programmable input/output interface is coupled to an interchangeable physical interface that receives the incoming packets from the data source. In another embodiment, each cryptographic module includes a programmable systolic packet input engine, a programmable cryptographic engine, and a programmable systolic packet output engine, each configured as a systolic array (e.g., using FPGAs) for data processing.

Abstract: A secure end-to-end communication system is implemented via one or more security processing devices. In one embodiment, a method includes: loading, by a key manager, a first set of keys into a security device; encrypting first data with the first set of keys using the security device; and sending, over a network, the encrypted first data to an external site or a mobile device. The method may further include: requesting the encrypted data from the external site or mobile device; receiving, over the network, the encrypted first data; and decrypting the received encrypted first data with the first set of keys using the security device.

Abstract: Systems and methods to securely send or write data to a cloud storage or server. In one embodiment, a method includes: establishing a connection to a client using a client-side transport protocol; receiving, over the connection, data from the first client; decrypting, using a client session key, the received data to provide first decrypted data; encrypting the first decrypted data using a stored payload key (that is associated with the client) to provide first encrypted data; encrypting, using a cloud session key, the first encrypted data using a remote-side transport protocol to provide second encrypted data; and sending the second encrypted data to the cloud storage or server.