Patents by Inventor Thomas Michael Leavy

Thomas Michael Leavy has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10715504
    Abstract: A method, system, and non-transitory computer readable medium are described for providing a sender a plurality of ephemeral keys such that a sender and receiver can exchange encrypted communications. Accordingly, a sender may retrieve information, such as a public key and a key identifier, for the first receiver from a local storage. The retrieved information may be used to generate a key-encrypting key that is used to generate a random communication encryption key. The random communication encryption key is used to encrypt a communication, while the key-encrypting key encrypts the random communication key. The encrypted communication and the encrypted random communication key are transmitted to the first receiver.
    Type: Grant
    Filed: July 12, 2017
    Date of Patent: July 14, 2020
    Assignee: Wickr Inc.
    Inventors: Thomas Michael Leavy, Christopher Howell, Joël Alwen
  • Publication number: 20200213111
    Abstract: The present application describes a method, system, and non-transitory computer-readable medium for end-to-end encryption during a secure communication session. According to the present disclosure, a first device initializes a secure communication session with at least one second device. Initializing the secure communication session includes transmitting an invitation to a secure communication session to the at least one second device. The at least one second device may generate a transmission root key, which may be used to derive a first key for encrypting data transmitted to the first device and a second key for decrypting received data from the first device. The at least one second device may transmit the transmission root key to the first device, which may use the transmission root key to derive a first key to encrypt data transmitted to the at least one second device and a second key to decrypt data received from the at least one second device.
    Type: Application
    Filed: February 25, 2020
    Publication date: July 2, 2020
    Inventors: Thomas Michael Leavy, Joël Alwen, Christopher Howell
  • Patent number: 10635289
    Abstract: Screen capture mitigation is disclosed. It is conveyed to a user that a received content item can be displayed in response to the user placing at least one finger on a display. A first finger in a first screen area of the display is detected. A second finger in a second screen area of the display is detected. The received content item is displayed in response to detecting the first finger in the first screen area and the second finger in the second screen area. A change in location of at least one of the first finger and the second finger is detected. In response to detecting the change, it is determined whether the change in the at least one of the first finger and the second finger is greater than a threshold. When the change is greater than the threshold, displaying the received content item is ceased.
    Type: Grant
    Filed: January 6, 2016
    Date of Patent: April 28, 2020
    Assignee: Wickr Inc.
    Inventors: Thomas Michael Leavy, Robert Statica
  • Patent number: 10630663
    Abstract: The present disclosure describes techniques for configuring and participating in encrypted audio calls, audio conferences, video calls, and video conferences. In particular, a call initiator generates a meeting identifier and a first meeting key, which are encrypted using a first encryption key and distributed to one or more participants of the call. The one or more participants decrypt the meeting identifier and the first meeting key, and use that information to participate in the encrypted call. Further, participants respond to the encrypted communication data by encrypting their reply data with the first meeting key. The call initiator decrypts the reply data using the first meeting key.
    Type: Grant
    Filed: September 26, 2018
    Date of Patent: April 21, 2020
    Assignee: Wickr Inc.
    Inventors: Dipakkumar R. Kasabwala, Thomas Michael Leavy
  • Publication number: 20200053145
    Abstract: A solution for circumventing censorship is disclosed. A first device connects to a first server hosted in a content delivery network (CDN). The CDN routes the first device's connection request to the first server. The first server responds by providing the first device with a configuration file that contains a plurality of secondary servers for the first device to access. Accordingly, the first device disconnects from the first server and hops between one or more of the plurality of secondary servers contained in the configuration file. By distributing the configuration file from a first server hosted in a CDN, the first device is able to obfuscate the true endpoint of the connection. Thus, the first device is able to obtain the configuration file without drawing the ire of censors. By hopping from server to server, the first device is able to stay one step ahead of censors. Accordingly, the present disclosure describes a multi-prong approach to staying a step ahead of eavesdroppers, sniffers, and censors.
    Type: Application
    Filed: August 13, 2018
    Publication date: February 13, 2020
    Applicant: Wickr Inc.
    Inventors: Christopher Dowd, Christopher Lalonde, Thomas Michael Leavy, Arjun Bhatnagar, Dipakkumar R. Kasabwala, David Lautz, Matthew Downs
  • Patent number: 10541814
    Abstract: The present application describes a method, system, and non-transitory computer-readable medium for end-to-end encryption during a secure communication session. According to the present disclosure, a first device receives an invitation to a secure communication session. The invitation includes a token, which the first device transmits to the call initiating device. Next, the first device performs a three-way handshake with the call initiating device to negotiate a first encryption key and a second encryption key for the secure communication session. The first device encrypts first communication data using the first encryption key and transmits the encrypted first communication data to the call initiating device.
    Type: Grant
    Filed: November 8, 2017
    Date of Patent: January 21, 2020
    Assignee: Wickr Inc.
    Inventors: Thomas Michael Leavy, Joël Alwen
  • Publication number: 20190356649
    Abstract: The present disclosure describes techniques that allow for a client-side application, located on a first client device, to generate a random encryption key and encrypt locally-stored application data with the random encryption key. The random encryption key is used in lieu of a password-derived encryption key. In order to ensure that the client-device application is unable to decrypt the locally-stored encrypted application data prior to authenticating with an external authentication source (i.e., SSO, IdP), the random encryption key is encrypted with a key-encrypting key derived using a pseudorandom function (PRF). By using a PRF, the first device is able to authenticate to the first server and derive a secure key as part of the authentication process. Accordingly, the present disclosure describes techniques for securing data on a client device when credentials are managed by an external authentication system.
    Type: Application
    Filed: August 21, 2018
    Publication date: November 21, 2019
    Applicant: Wickr Inc.
    Inventors: Joël Alwen, Thomas Michael Leavy, Christopher Howell
  • Publication number: 20190356650
    Abstract: The present disclosure describes techniques that allow for a client-side application, located on a first client device, to generate a random encryption key and encrypt locally-stored application data with the random encryption key. In order to ensure that the client-device application is unable to decrypt the locally-stored encrypted application data prior to authenticating with an external authentication source (i.e., SSO, IdP), the client-side application divides the random encryption key into at least a first share and a second share according to a secret sharing algorithm. The first share is transmitted to a trusted third party, while the second share is encrypted locally and stored in a secure location on the client device. Upon successful authentication, the trusted third party returns the second share to the first client device. The client-side application derives the random encryption key and decrypts the locally-stored encrypted application data to be used by the client-side application.
    Type: Application
    Filed: August 21, 2018
    Publication date: November 21, 2019
    Applicant: Wickr Inc.
    Inventors: Thomas Michael Leavy, Joël Alwen, Christopher Howell
  • Patent number: 10396987
    Abstract: The present disclosure describes a system, method, and non-transitory computer readable medium for provisioning multiple instances of a secure communication application on multiple devices. A secure communication application on a first device generates a first set of private keys that are associated with the user and a second set of keys that are associated with the secure communication application executing on the first device. The first set of private keys establishes a set of root identifying keys for the user that are identical for all installations of the secure communication application, while the second set of keys will vary from device to device. In this regard, the first set of root identifying keys must be securely transferred from the first device to any subsequent installations of the secure communication application on one or more second devices.
    Type: Grant
    Filed: March 2, 2017
    Date of Patent: August 27, 2019
    Assignee: Wickr Inc.
    Inventors: Thomas Michael Leavy, Christopher Howell
  • Publication number: 20190140832
    Abstract: The present application describes a method, system, and non-transitory computer-readable medium for end-to-end encryption during a secure communication session. According to the present disclosure, a first device receives an invitation to a secure communication session. The invitation includes a token, which the first device transmits to the call initiating device. Next, the first device performs a three-way handshake with the call initiating device to negotiate a first encryption key and a second encryption key for the secure communication session. The first device encrypts first communication data using the first encryption key and transmits the encrypted first communication data to the call initiating device.
    Type: Application
    Filed: November 8, 2017
    Publication date: May 9, 2019
    Applicant: Wickr Inc.
    Inventors: Thomas Michael Leavy, Joël Alwen
  • Patent number: 10248799
    Abstract: Screen capture mitigation is disclosed. A first finger of a user is detected in a first designated region of a display. Content is displayed when the first finger is detected in the first designated region of the display. Periodically, a determination is made whether the first finger is detected in the first designated region of the display. The content is ceased to be displayed in response to a determination that the first finger is outside the first designated region of the display.
    Type: Grant
    Filed: August 28, 2015
    Date of Patent: April 2, 2019
    Assignee: Wickr Inc.
    Inventors: Thomas Michael Leavy, Robert Statica
  • Patent number: 10242217
    Abstract: The present disclosure describes techniques for storing encrypted files in a secure file repository and transferring those encrypted files to one or more recipients. A user selects a file to upload to a secure file repository. A secure collaboration app on the user's device generates a first encryption key that is used to encrypt the file. The encrypted file is then uploaded to the secure file repository, which provides the secure collaboration app with a random file name and a location of the encrypted file. The secure collaboration app updates locally stored metadata of the first encrypted file. To securely transfer the file, the user generates a second encryption key, encrypts the metadata with the second encryption key, and transmits the encrypted metadata to one or more receivers. The one or more receivers decrypt the encrypted metadata and use the decrypted metadata to retrieve the file and decrypt it.
    Type: Grant
    Filed: September 26, 2017
    Date of Patent: March 26, 2019
    Assignee: Wickr Inc.
    Inventors: Thomas Michael Leavy, Christopher Howell, David A. Sugar, Dipakkumar R. Kasabwala, Ernest W. Grzybowski
  • Patent number: 10230524
    Abstract: The present disclosure describes a system, method, and non-transitory computer readable medium for provisioning multiple instances of a secure communication application on multiple devices. A secure communication application on a first device generates a first set of private keys that are associated with the user and a second set of keys that are associated with the secure communication application executing on the first device. The first set of private keys establishes a set of root identifying keys for the user that are identical for all installations of the secure communication application, while the second set of keys will vary from device to device. In this regard, the first set of root identifying keys must be securely transferred from the first device to any subsequent installations of the secure communication application on one or more second devices.
    Type: Grant
    Filed: March 2, 2017
    Date of Patent: March 12, 2019
    Assignee: Wickr Inc.
    Inventors: Christopher Howell, Thomas Michael Leavy
  • Publication number: 20190020631
    Abstract: A method, system, and non-transitory computer readable medium are described for providing a sender a plurality of ephemeral keys such that a sender and receiver can exchange encrypted communications. Accordingly, a sender may retrieve information, such as a public key and a key identifier, for the first receiver from a local storage. The retrieved information may be used to generate a key-encrypting key that is used to generate a random communication encryption key. The random communication encryption key is used to encrypt a communication, while the key-encrypting key encrypts the random communication key. The encrypted communication and the encrypted random communication key are transmitted to the first receiver.
    Type: Application
    Filed: July 12, 2017
    Publication date: January 17, 2019
    Applicant: Wickr Inc.
    Inventors: Thomas Michael Leavy, Christopher Howell, Joël Alwen
  • Publication number: 20190020633
    Abstract: A method, system, and non-transitory computer readable medium are described for providing a sender a plurality of ephemeral keys such that a sender and receiver can exchange encrypted communications. Accordingly, a sender may retrieve information, such as a public key and a key identifier, for the first receiver from a local storage. The retrieved information may be used to generate a key-encrypting key that is used to generate a random communication encryption key. The random communication encryption key is used to encrypt a communication, while the key-encrypting key encrypts the random communication key. The encrypted communication and the encrypted random communication key are transmitted to the first receiver.
    Type: Application
    Filed: July 12, 2017
    Publication date: January 17, 2019
    Applicant: Wickr Inc.
    Inventors: Thomas Michael Leavy, Christopher Howell, Joël Alwen
  • Publication number: 20190020632
    Abstract: A method, system, and non-transitory computer readable medium are described for providing a sender a plurality of ephemeral keys such that a sender and receiver can exchange encrypted communications. Accordingly, a sender may retrieve information, such as a public key and a key identifier, for the first receiver from a local storage. The retrieved information may be used to generate a key-encrypting key that is used to generate a random communication encryption key. The random communication encryption key is used to encrypt a communication, while the key-encrypting key encrypts the random communication key. The encrypted communication and the encrypted random communication key are transmitted to the first receiver.
    Type: Application
    Filed: July 12, 2017
    Publication date: January 17, 2019
    Applicant: Wickr Inc.
    Inventors: Thomas Michael Leavy, Joël Alwen, Christopher Howell
  • Patent number: 10142300
    Abstract: A secure chat client is described that allows users to exchange encrypted communications via secure chat rooms, as well as one-to-one communications. In particular, the secure chat client allows users to create, configure, and manage secure chat rooms. Furthermore, the secure chat client provides users with the ability to recover secure messages when they obtain a new device or otherwise lose communications.
    Type: Grant
    Filed: June 27, 2018
    Date of Patent: November 27, 2018
    Assignee: Wickr Inc.
    Inventors: Thomas Michael Leavy, Gerard Ryan
  • Patent number: 10140043
    Abstract: Digital data sanitization is disclosed. An indication that a data sanitization process should be performed is received. The data sanitization process is performed. Performing the data sanitization process includes determining an amount of free space on a storage device. Performing the data sanitization process further includes performing a set of one or more write operations, where performing the write operations decreases the amount of free space on the storage of the device.
    Type: Grant
    Filed: October 26, 2017
    Date of Patent: November 27, 2018
    Assignee: Wickr Inc.
    Inventors: Thomas Michael Leavy, Christopher Howell, Robert Statica, Kara Lynn Coppa
  • Patent number: 10135612
    Abstract: The present disclosure describes techniques for configuring and participating in encrypted audio calls, audio conferences, video calls, and video conferences. In particular, a call initiator generates a meeting identifier and a first meeting key, which are encrypted using a first encryption key and distributed to one or more participants of the call. The one or more participants decrypt the meeting identifier and the first meeting key, and use that information to participate in the encrypted call. Further, participants respond to the encrypted communication data by encrypting their reply data with the first meeting key. The call initiator decrypts the reply data using the first meeting key.
    Type: Grant
    Filed: December 15, 2016
    Date of Patent: November 20, 2018
    Assignee: Wickr Inc.
    Inventors: Thomas Michael Leavy, Dipakkumar R. Kasabwala
  • Patent number: 10129229
    Abstract: The present disclosure describes systems and methods for authenticating a called party during the initialization stage of establishing a secure telecommunication channel to provide assurances to the initiator that they are communicating with whom they intended. A first user issues a challenge that includes a nonce to one or more second user devices. The second user's secure collaboration application receives the challenge, signs the nonce included in the challenge, and sends the response with the signed nonce to the first user. The first user receives the response and determines whether the signature of the first nonce is valid. If the signature is not valid, the first user's secure collaboration application terminates the secure telecommunication. However, if the signature received in the response is valid, the first user's secure collaboration application begins exchanging encrypted telecommunication data with the second user over a secure telecommunication channel.
    Type: Grant
    Filed: October 21, 2016
    Date of Patent: November 13, 2018
    Assignee: Wickr Inc.
    Inventors: Thomas Michael Leavy, Dipakkumar R. Kasabwala