Abstract: A method, a computer program product, and a system for binding post-quantum certificates to traditional certificates. The method includes selecting a traditional certificate in a certificate chain owned by an owner. The method also includes calculating a fingerprint of the traditional certificate. The method further includes generating a post-quantum certificate with identical information fields as the traditional certificate, and populating a serial number of the post-quantum certificate using the fingerprint. The post-quantum certificate acts as an extension of the first traditional certificate providing authentication and validation between a client and a server using post-quantum capable signing algorithms.

Abstract: Establishing secure communications by sending a server certificate message, the certificate message including a first certificate associated with a first encryption algorithm and a second certificate associated with a second encryption algorithm, the first certificate and second certificate bound to each other, signing a first message associated with client-server communications using a first private key, the first private key associated with the first certificate, signing a second message associated with the client-server communications using a second private key, the second private key associated with the second certificate, the second message including the signed first message, and sending a server certificate verify message, the server certificate verify message comprising the signed first message and the signed second message.

Abstract: A method, a computer program product, and a system for embedding a message in a random value. The method includes generating a random value and applying a hash function to the random value to produce a hash value. Starting with the hash value, the method further includes reapplying the hash function in an iterative or recursive manner, with a new hash value produced by the hash function acting as an initial value that is applied to the hash function for a next iteration, until a bit sequence representing a message is produced in a message hash value. The method further includes utilizing the message hash value as a new random value that can be used by an encryption algorithm.

Abstract: A computer-implemented method for identity authentication in a data processing system, including: receiving, by the processor, an authentication request from a user; receiving, by the processor, real-time data from one or more Internet of Things (IoT) devices associated with the user; generating, by the processor, one or more questions based on the real-time data; receiving, by the processor, one or more responses to the one or more questions from the user; comparing, by the processor, the one or more responses from the user with one or more correct answers identified by the processor. If the one or more responses match the one or more correct answers, providing, by the processor, the user with a successful identity authentication.

Abstract: In an approach for securing data, a processor publishes a traditional public key in a traditional certificate and a PQC public key in a PQC certificate. A processor encrypts data with a hybrid shared secret, the hybrid shared secret generated with a key derivation function by using a traditional shared secret based on the traditional public key and a PQC shared secret based on the PQC public key. A processor decrypts the data with the hybrid shared secret based on a traditional private key and a PQC private key. A processor signs the data with a traditional signature followed by a PQC signature.

Abstract: A method, a computer program product, and a system for removing padding oracles in encryption techniques. The method includes padding a plaintext message using a padding scheme producing a padded plaintext message. The method also includes encrypting the padded plaintext message using a block cipher generating an encrypted data block of fixed-size as well as a hash value. The method further includes randomly generating an ephemeral key and an initialization vector. The method also includes prepending the hash value, the ephemeral key, and the initialization vector to the encrypted data block. The method includes performing an encryption technique to the encrypted data block prepended with the hash value, the ephemeral key, and the initialization vector.

Abstract: Extending the useful life of finite lifetime asymmetric cryptographic keys by referencing the number of uses of the keys in conjunction with or instead of the elapsed time since generation of the finite lifetime keys. By integrating asymmetric cryptographic keys into a limited use security scheme, the lifetime of finite lifetime asymmetric cryptographic keys is based on the practical risk of security breach during use rather than an arbitrary duration in which the keys are valid.

Abstract: In an approach for securing data, a processor publishes a traditional public key in a traditional certificate and a PQC public key in a PQC certificate. A processor encrypts data with a hybrid shared secret, the hybrid shared secret generated with a key derivation function by using a traditional shared secret based on the traditional public key and a PQC shared secret based on the PQC public key. A processor decrypts the data with the hybrid shared secret based on a traditional private key and a PQC private key. A processor signs the data with a traditional signature followed by a PQC signature.

Abstract: A method and a system for integrating post quantum cryptographic algorithms into TLS. The method includes transmitting a client hello message to a server including a request for post quantum cryptographic (PQC) mode of operation and a PQC public client key, receiving a server hello message from the server in response to the client hello message including a PQC server key exchange generated from the PQC public client key. The method includes determining the server hello message includes an authorization to operate the PQC mode of operation. The method also includes transmitting a second client hello message to the server including a PQC encrypted client key share. The PQC encrypted client key share is encrypted using a client encryption key. The method includes receiving a second server hello message that includes a PQC encrypted server key share and decrypting the PQC encrypted server key share using a server encryption key.

Abstract: A method, a computer program product, and a system for binding post-quantum certificates to traditional certificates. The method includes selecting a traditional certificate in a certificate chain owned by an owner. The method also includes calculating a fingerprint of the traditional certificate. The method further includes generating a post-quantum certificate with identical information fields as the traditional certificate, and populating a serial number of the post-quantum certificate using the fingerprint. The post-quantum certificate acts as an extension of the first traditional certificate providing authentication and validation between a client and a server using post-quantum capable signing algorithms.

Abstract: Establishing secure communications by sending a server certificate message, the certificate message including a first certificate associated with a first encryption algorithm and a second certificate associated with a second encryption algorithm, the first certificate and second certificate bound to each other, signing a first message associated with client-server communications using a first private key, the first private key associated with the first certificate, signing a second message associated with the client-server communications using a second private key, the second private key associated with the second certificate, the second message including the signed first message, and sending a server certificate verify message, the server certificate verify message comprising the signed first message and the signed second message.

Abstract: Transport Layer Security (TLS) connection establishment between a client and a server for a new session is enabled using an ephemeral (temporary) key pair. In response to a request, the server generates a temporary certificate by signing an ephemeral public key using the server's private key. A certificate chain comprising at least the temporary certificate that includes the ephemeral public key, together with a server certificate, is output to the client by the server, which acts as a subordinate Certificate Authority. The client validates the certificates, generates a session key and outputs the session key wrapped by the ephemeral public key. To complete the connection establishment, the server applies the ephemeral private key to recover the session key derived at the client for the new session. The client and server thereafter use the session key to encrypt and decrypt data over the link. The ephemeral key pair is not reused.

Abstract: A method and a system for integrating post quantum cryptographic algorithms into TLS. The method includes transmitting a client hello message to a server including a request for post quantum cryptographic (PQC) mode of operation and a PQC public client key, receiving a server hello message from the server in response to the client hello message including a PQC server key exchange generated from the PQC public client key. The method includes determining the server hello message includes an authorization to operate the PQC mode of operation. The method also includes transmitting a second client hello message to the server including a PQC encrypted client key share. The PQC encrypted client key share is encrypted using a client encryption key. The method includes receiving a second server hello message that includes a PQC encrypted server key share and decrypting the PQC encrypted server key share using a server encryption key.

Abstract: Transport Layer Security (TLS) connection establishment between a client and a server for a new session is enabled using an ephemeral (temporary) key pair. In response to a request, the server generates a temporary certificate by signing an ephemeral public key using the server's private key. A certificate chain comprising at least the temporary certificate that includes the ephemeral public key, together with a server certificate, is output to the client by the server, which acts as a subordinate Certificate Authority. The client validates the certificates, generates a session key and outputs the session key wrapped by the ephemeral public key. To complete the connection establishment, the server applies the ephemeral private key to recover the session key derived at the client for the new session. The client and server thereafter use the session key to encrypt and decrypt data over the link. The ephemeral key pair is not reused.

Abstract: A method, a computer program product, and a system for removing padding oracles in encryption techniques. The method includes padding a plaintext message using a padding scheme producing a padded plaintext message. The method also includes encrypting the padded plaintext message using a block cipher generating an encrypted data block of fixed-size as well as a hash value. The method further includes randomly generating an ephemeral key and an initialization vector. The method also includes prepending the hash value, the ephemeral key, and the initialization vector to the encrypted data block. The method includes performing an encryption technique to the encrypted data block prepended with the hash value, the ephemeral key, and the initialization vector.

Abstract: A method, a computer program product, and a system for embedding a message in a random value. The method includes generating a random value and applying a hash function to the random value to produce a hash value. Starting with the hash value, the method further includes reapplying the hash function in an iterative or recursive manner, with a new hash value produced by the hash function acting as an initial value that is applied to the hash function for a next iteration, until a bit sequence representing a message is produced in a message hash value. The method further includes utilizing the message hash value as a new random value that can be used by an encryption algorithm.

Abstract: Extending the useful life of finite lifetime asymmetric cryptographic keys by referencing the number of uses of the keys in conjunction with or instead of the elapsed time since generation of the finite lifetime keys. By integrating asymmetric cryptographic keys into a limited use security scheme, the lifetime of finite lifetime asymmetric cryptographic keys is based on the practical risk of security breach during use rather than an arbitrary duration in which the keys are valid.

Abstract: A method, computer system, and a computer program product for secure transport of data is provided. The present invention may include defining a trust relationship based on a secret. The present invention may also include associating a trusted transport key identity (TTKI) based on the defined trust relationship. The present invention may then include receiving a trusted transport key (TTK), wherein the TTK is digitally signed and encrypted with the TTKI. The present invention may further include verifying the digitally signed TTK. The present invention may also include enveloping the secret with the TTK.

Abstract: A method, a computer program product, and a system for transport layer security protocol functions in separate instances. The method includes receiving, by a handshake processor instance, a TLS connection request from a client to a server. The method further includes establishing a TLS connection including connection secrets by the handshake processor instance. Once established, the method proceeds by transmitting the connection secrets to a connection processor instance. The method further includes deleting the connection secrets stored on the handshake processor instance and processing application data by the connection processor instance.

Abstract: A computer-implemented method for identity authentication in a data processing system, including: receiving, by the processor, an authentication request from a user; receiving, by the processor, real-time data from one or more Internet of Things (IoT) devices associated with the user; generating, by the processor, one or more questions based on the real-time data; receiving, by the processor, one or more responses to the one or more questions from the user; comparing, by the processor, the one or more responses from the user with one or more correct answers identified by the processor. If the one or more responses match the one or more correct answers, providing, by the processor, the user with a successful identity authentication.