Abstract: A database stores a document as a plurality of encrypted records, where each record is indicative of an incremental change to the state of the document, and encrypted using a document key. The document key is stored with encryption decryptable using a group key, and the group key is stored with encryption decryptable using a first access key. In response to a request to rotate from the first access key to a second access key, the database decrypts the group key using the first access key, a stores a group key re-encrypted with the second access key.

Abstract: A system and method for inspecting encrypted disks for a cybersecurity object using a custom key are disclosed. The method includes detecting an encrypted disk in a cloud computing environment, the cloud computing environment including a security policy service; authorizing a key policy on the security policy service for a custom key of an inspector account, wherein the key policy is a policy authorized to decrypt the encrypted disk; generating a second encrypted disk based on the encrypted disk; inspecting the second encrypted disk for a cybersecurity object with the custom key; and releasing a resource allocated to the second encrypted disk in response to completing the inspection.

Abstract: A camera is provided that stores an encryption key locally and transmits the encryption key using near field communication (NFC) when the encryption key is requested by the user. In one embodiment, the camera includes a lens for recording video and an encryption engine for encrypting the video. The camera further includes a security chip for storing an encryption key locally in the camera. Additionally, the camera includes a near field communication (NFC) module that provides a bridge between the security chip of the camera and the device at which the user is viewing the images recorded by the lens. The NFC module includes memory for temporarily storing the encryption key and an NFC transceiver for sending the encryption key from the memory of the NFC module to the device at which the user is viewing the images recorded by the lens of the camera.

Abstract: Disclosed is a system and a method for information distribution. The system comprises: a server for generating a group key and its corresponding key deriving parameter, wherein the server encrypts sensitive contents by using the group key to obtain encrypted information; and terminals configured to receive the encrypted information through an open channel, extract the group key, then decrypt the encrypted information by using the group key to obtain the original content. In the group forming process, each terminal encrypts its private identifier using the public key and submits the ciphertext to the server. In information distribution process, the server transmits the ciphertext of sensitive contents and the key deriving parameter to the terminals via open channel Because private information available only to respective group members is required for calculating the group key, this mechanism ensures that the sensitive content can be transmitted securely on the open channel.

Abstract: Methods, apparatuses, and computer-readable medium for directional security are provided. An example method may include receiving, from a wireless device, a configuration for a set of shared keys. The example method may further include receiving, from a second UE, at least one message or signal including a location of the second UE, the received at least one message or signal being associated with an angle of arrival. The example method may further include configuring a key from the set of shared keys based on at least one of the received configuration, the location of the second UE, the AoA of the received at least one message or signal, or a location of the first UE. The example method may further include generating one or more ranging signals based on the configured key, the one or more ranging signals being directionally secure based on the location of the second UE.

Abstract: A method for improving data transmission security at a user equipment comprises receiving, from a source network node, a connection release message including instructions for computing a hash value for data to be included in a connection request message; computing the hash value based on the instructions included in the connection release message; calculating a token based on the hash value, and sending, to a target network node, the connection request message including the token. The method may further forward the data from the target network node directly to a gateway after the token has been verified. The method may reduce a signaling overhead by having a fixed-size hash value for data. Furthermore, the method may improve a transmission security by including the token in an RRC message, in which the token is calculated based on the hash value representing the data.

Abstract: A system includes processor(s) and memory(s). When encryption key(s) need to be generated to encrypt a key, processor(s): generate encryption key(s); encrypt key using encryption key(s) to generate encrypted key; split encrypted key and encryption key(s) into set(s) of key components, wherein subset of key components can be used to reconstruct encrypted key and encryption key(s); and erase key from memory(s). When encryption key(s) need to be used, processor(s): receive set(s) of key components from subset(s) of users that can be used to reconstruct encrypted key and encryption key(s) used to decrypt key from encrypted key; when set(s) of key components is received from subset(s) of users that can be used to reconstruct encrypted key and encrypted key(s), reconstruct encrypted key and encryption key(s); and when the encrypted key and the encryption key(s) have both been reconstructed, decrypt encrypted key into key using encryption key(s).

Abstract: A computer-implemented method for improving the security of a data record distribution process using a blockchain having a group of input nodes and a group of output nodes, each group having a private-public key pair, but wherein the nodes only have a key share of their respective private key and no node has a full private key. Using threshold signature scheme, secret share joining, and stealth addresses, data records from the input nodes are pooled at a stealth address determined through collaborative action of the input nodes, requiring cooperative determination of their public key, a shared secret, and the stealth address. The public key is copied into the transaction. The output nodes locate the transaction and extract the public key, collaboratively verify its authenticity, and collaboratively determine the shared secret. Having done so, the output nodes may, collectively, sign a second transaction for distributing data records from the stealth address to the output addresses.

Abstract: A device may determine that a first link of the device is active. The device may determine whether a Media Access Control Security (MACsec) session is established on the first link. The device may selectively enable or disable a second link of the device based on determining whether the MACsec session is established on the first link.

Abstract: A method including determining, by a first device for a folder, a folder access key pair including a folder access public key and a folder access private key; determining, by the first device, a sharing encryption key based on the folder access private key and an assigned public key associated with a second device; and encrypting, by the first device, the folder access private key based on utilizing the sharing encryption key; determining, by a second device, a sharing decryption key based on the folder access public key and an assigned private key associated with the second device; decrypting, by the second device, the folder access private key based on utilizing the sharing decryption key; and accessing, by the second device, the folder based on utilizing the folder access private key. Various other aspects are contemplated.

Abstract: Systems and methods for providing a rewards payment form linked directly to a rewards account are described. The system can determine, based on a comparison of a location of a mobile device with a merchant location of a merchant, that the mobile device is at the merchant location. The system can determine that the merchant participates in a rewards promotion and can receive a transaction request associated with a rewards account and a cryptogram. The system can authenticate the transaction request by decrypting the cryptogram and can activate the rewards promotion based on the determination that the mobile device is at the merchant location and the determination that the merchant participates in the rewards promotion.

Abstract: A device, method, and computer readable storage medium generate a biometric public key for an individual based on both the individual's biometric data and a secret, in a manner that verifiably characterizes both while tending to prevent recovery of either by anyone other than the individual. The biometric public key may be later used to authenticate a subject purporting to be the individual, using a computing facility that need not rely on a hardware root of trust. Such biometric public keys may be distributed without compromising the individual's biometric data, and may be used to provide authentication in addition to, or in lieu of, passwords or cryptographic tokens. Various use cases are disclosed, including: enrollment, authentication, establishing and using a secure communications channel, and cryptographically signing a message.

Abstract: An embedded processing system includes processing circuitry, a memory system, and a reprogramming control. The reprogramming control is configured to receive a transaction indicator and user credentials from a reprogramming system, the transaction indicator identifying a type of configuration item to program in the memory system. The reprogramming control is further configured to access user authentication data to authenticate authority of a user to program the memory system based on the transaction indicator and user credentials and receive an encrypted configuration item. The reprogramming control is further configured to decrypt and authenticate the encrypted configuration item as a decrypted and authenticated configuration item responsive to authenticating the authority of the user, and store the decrypted and authenticated configuration item in the memory system.

Abstract: A security accelerator device stores a first credential that is uniquely associated with the individual security accelerator device and represents a root of trust to a trusted entity. The device establishes a cryptographic trust relationship with a client entity that is based on the root of trust, the cryptographic trust relationship being represented by a second credential. The device receives and store a secret credential of the client entity, which is received via communication secured by the second credential. Further, the device executes a cryptographic computation using the secret client credential on behalf of the client entity to produce a computation result.

Abstract: In a method for decrypting persistent user cryptographic keys in a distributed cryptographically secured peer-to-peer filesystem, a primary input value is received from a first user on a first peer device. A symmetric user encryption key UK1 is generated for the first user from the primary input value on the first peer device. An encrypted private key ePrK1 is requested and received from a non-volatile memory of a data persistence server using the first peer device. The encrypted private key ePrK1 is decrypted using the symmetric user encryption key UK1 using a symmetric decryption algorithm on the first peer device, producing a private key PrK1=ESUK1?1(ePrK1). The private key PrK1 is used to reconstruct a distributed file.

Abstract: Embodiments are provided for centralized control of execution of a quantum program. In some embodiments, a system can include a processor that executes computer-executable components stored in memory. The computer-executable components include a synchronization component that causes multiple controller devices remotely located relative to the system to be synchronized with one another and the system. The computer-executable components also include an ingestion component that accesses measurement data resulting from one or more measurements at respective qubit devices. The computer-executable components further include a composition component that generates, using the measurement data, one or more control messages for respective second controller devices of the multiple controller devices.

Abstract: A method for causing sending and receiving of an encrypted file between a sending user terminal and a receiving user terminal connected via a network to be performed in a secret state via a management server is provided. The sending user terminal encrypts an original file and then fragments the original file into a plurality of divided files, creates a plurality of combined files formed by combining a plurality of the divided files, and distributes and saves the combined files to which restoration information for opening the combines files has been added in a plurality of online storages. The receiving user terminal can open the combined files obtained from the online storages by using the restoration information received from the management server to extract the divided files included in the combined files, and can restore the original file from the divided files.

Abstract: A method including transmitting, by an infrastructure device to a distributor device, an invitation link to enable the distributor device to distribute network services; activating, by the distributor device, the invitation link; transmitting, by the infrastructure device to the distributor device, seed information based on verifying that the invitation link was activated by the distributor device; determining, by the distributor device, a distributor key pair including a distributor public key and a distributor private key based on utilizing the seed information; transmitting, by the distributor device to the infrastructure device, an action request related to an action to be performed regarding the network services, a portion of the action request being signed based on utilizing the distributor private key; and validating, by the infrastructure device, the action request based on utilizing the distributor public key to enable performance of the action regarding the network services is disclosed.

Abstract: An intelligent electronic device (IED) includes memory and a processor operatively coupled to the memory. The processor is configured to establish, over a communication network of a power system, a connection association (CA) with a receiving device using a MACsec Key Agreement (MKA). The processor is configured to automatically send device management information via the MKA process.

Abstract: Systems and methods for end to end encryption are provided. In example embodiments, a computer accesses an image including a geometric shape. The computer determines that the accessed image includes a candidate shape inside the geometric shape. The computer determines, using the candidate shape, an orientation of the geometric shape. The computer determines a public key of a communication partner device by decoding, based on the determined orientation, data encoded within the geometric shape. The computer receives a message. The computer verifies, based on the public key of the communication partner device, whether the message is from the communication partner device. The computer provides an output including the message and an indication of the communication partner device if the message is verified to be from the communication partner device. The computer provides an output indicating an error if the message is not verified to be from the communication partner device.

Abstract: The present disclosure provides a method for encryption programming, including: selecting an encrypted programming file that matches the programmer from a target folder; loading the selected encrypted programming file; if a current number of times for programming of the programmer is greater than or equal to a maximum number of times for programming, destroying the selected encrypted programming file and ending programming; otherwise, decrypting the selected encrypted programming file; if the current number of times for programming of the programmer is less than an initial number of times for programming, replacing the current number of times for programming of the programmer with the initial number of times for programming, otherwise, re-encrypting the decrypted encrypted programming file and programing the re-encrypted programming file into a target chip. A programmer is further provided.

Abstract: An asymmetric cryptographic method for securing access to a private key generated and stored in a device is provided. The method includes generating an application password relating to a predetermined level of entropy; generating, within a trusted execution environment relating to a key manager, a user private key secured by using the application password; receiving, from a user via an input device, user entropy relating to a unique identifier for the user; deriving, using a password derivation function, a symmetric key based on the user entropy; encrypting, using an encryption system, the application password by using the symmetric key; and storing, in a memory, a device payload component relating to the application password and the symmetric key in a password management system.

Abstract: A computer-implemented method includes: identifying, by a computing device, private portions and non-private portions of content displayed on a user device; generating, by the computing device, instructions to modify the display of the content on the user device to mask the private portions of the content, group the private portions of the content together, and group and the non-private portions of the content together; and outputting, by the computing device, the instructions to cause the user device to modify the display of the content on the user device such that the masked private portions of the content are grouped together and the non-private portions of the content are grouped together, wherein the non-private portions are exposed and visible.

Abstract: Disclosed herein is a method performed by an apparatus. In the method, a payload information item is obtained that is to be communicated to at least one recipient. An encrypted payload information item is obtained by encrypting said payload information item such that it is decryptable by use of a first decryption key and a second decryption key. Further, a message containing said encrypted payload information item is sent or triggered to be sent to said recipient.

Abstract: Systems and methods are for content security may comprise transmitting a request for authorization to access secured content. A content key for the secured content may be received and stored to a restricted region of a memory. A device security module may have access to the restricted region and may decrypt, based on satisfaction of a use condition and using the content key, the secured content. An encryption key associated with a secure media system authorized to access the secured content may be received. The device security module may encrypt, using the encryption key, the secured content and route the secured content to the secure media system.

Abstract: In overview, methods, computer programs products and devices for securing software are provided. In accordance with the disclosure, a method may comprise attaching a debugger process to a software process. During execution of the software process, operations relevant to the functionality of the code process are carried out within the debugger process. As a result, the debugger process cannot be replaced or subverted without impinging on the functionality of the software process. The software process can therefore be protected from inspection by modified or malicious debugging techniques.

Abstract: A method for distributing multiple cryptographic keys used to access data includes: receiving a data signal superimposed with an access key request, wherein the access key request includes at least a number, n, greater than 1, of requested keys; generating n key pairs using a key pair generation algorithm, wherein each key pair includes a private key and a public key; deriving an access private key by applying the private key included in each of the n key pairs to a key derivation algorithm; generating an access public key corresponding to the derived access private key using the key pair generation algorithm; and electronically transmitting a data signal superimposed with a private key included in one of the n key pairs for each of the n key pairs.

Abstract: A network device includes a transmitter and a receiver to establish a secure connection with one or more network nodes as part of a Autonomic Control Plane (ACP) network. The network device also includes a processor coupled to the transmitter and receiver. The processor receives a request from an application to initiate a connection with a destination network node. The processor also receives packets from the application for transmission toward the destination network node. When the packets from the application are unencrypted, the processor end-to-end encrypts the unencrypted packets without notifying the application. The transmitter then transmits the encrypted packets towards the destination network node across the ACP network.

Abstract: A system and process for performing a touchless key provisioning operation for a communication device. In operation, a key management facility (KMF) imports a public key and a public key identifier uniquely identifying the public key of the communication device. The public key is associated with an asymmetric key pair generated at the communication device during its factory provisioning and configuration. The KMF registers the communication device and assigns a key encryption key (KEK) for the communication device. The KMF then provisions the communication device by deriving a symmetric touchless key provisioning (TKP) key based at least in part on the public key of the communication device, encrypting the KEK with the symmetric TKP key to generate a key wrapped KEK, and transmitting the key wrapped KEK to the communication device for decryption by the communication device.

Abstract: A multi-hop mesh network includes a root network device and a first network device. The first network device is configured to establish a first direct wireless connection with the root network device and negotiate a first shared secret key with the root network device. The multi-hop network further includes a second network device configured to establish a second direct wireless connection with the first network device and negotiate a second shared secret key with the first network device.

Abstract: A system and method for facilitating distributed peer to peer storage of data is disclosed. The method includes receiving a request from a user to securely store one or more files, encrypting the one or more files by using one or more primary encryption keys and splitting each of the encrypted one or more files into an encrypted set of data chunks. The method further includes transmitting the encrypted set of data chunks to one or more trustee devices, encrypting a metadata by using a secondary encryption key and receiving a request to securely access the one or more files. Further, the method includes obtaining the encrypted set of data chunks and the secondary encryption key from the one or more trustee devices and creating the one or more files, such that the user is provided access of the one or more files.

Abstract: A method of sharing a first common secret among a plurality of nodes for enabling secure communication for blockchain transactions. The method comprises determining, for at least one first node a plurality of second common secrets, wherein each second common secret is common to the first node and a respective second node, is determined at the first node based on a first private key of the first node and a first public key of the second node and is determined at the second node based on the first private key of the second node and the first public key of the first node. The method further comprises exchanging encrypted shares of the first common secret among the plurality of nodes to enable each of the plurality of nodes to reach a threshold number of shares of the first common secret to access the first common secret.

Abstract: A P25 radio can be configured to implement a key management facility to thereby manage keysets for and provision the keysets on other P25 radios in a communications system. The P25 radio, as a radio, can directly communicate with the other P25 radios to provision keysets in accordance with the OTAR protocol. The P25 radio may also be configured to function as a key fill device to thereby provision keysets manually on any of the other P25 radios to which it may be physically or wirelessly connected. The P25 radio may also be configured to use the keysets to communicate securely with any of the other P25 radios.

Abstract: Methods, systems, and devices for quantum key distribution (QKD) in passive optical networks (PONs) are described. A PON may be a point-to-multipoint system and may include a central node in communication with multiple remote nodes. In some cases, each remote node may include a QKD transmitter configured to generate a quantum pulse indicating a quantum key, a synchronization pulse generator configured to generate a timing indication of the quantum pulse, and filter configured to output the quantum pulse and the timing indication to the central node via an optical component (e.g., an optical splitter, a cyclic arrayed waveguide grating (AWG) router). The central node may receive the timing indications and quantum pulses from multiple remote nodes. Thus, the central node and remote nodes may be configured to communicate data encrypted using quantum keys.

Abstract: Distributed storage nodes having specialized hardware can be pooled for servicing data requests. For example, a distributed storage system can include a group of storage nodes. The distributed storage system can determine a subset of storage nodes that include the specialized hardware based on status information received from the group of storage nodes. The specialized hardware can be preconfigured with specialized functionality. The distributed storage system can then generate a node pool that includes the subset of storage nodes with the specialized hardware. The node pool can be configured to perform the specialized functionality in relation to a data request.

Abstract: Embodiments of the disclosure relates to signing of an artificial intelligence (AI) model with a watermark for a data processing (DP) accelerator. In one embodiment, in response to a request received by the data processing accelerator, the request sent by an application to embed digital rights protection to an AI model, a system generates a watermark for the AI model based on a watermark algorithm. The system embeds the watermark onto the AI model. The system signs the AI model having the embedded watermark to generate a signature. The system returns the signature and the AI model having the embedded watermark back to the application, where the signature is used to authenticate the watermark and/or the AI model.

Abstract: Example embodiments provide systems and methods for securing a deployed camera. A security apparatus is coupled to the deployed camera and accesses video content from the coupled camera. The security apparatus accesses video content from the coupled camera, splits the video content within a plurality of RTP packets, encrypts payloads of the RTP packets, embeds in a header of the encrypted RTP packets, at least two key identifications for decryption of the encrypted RTP packets, and transmits the plurality of RTP packets over a network to a video management system.

Abstract: A method for implementing zero-knowledge private key management for decentralized applications including receiving an encrypted private key and user identification information, storing the encrypted private key, receiving a session request from a decentralized application, establishing a session, transmitting a response to the session request to the decentralized application, receiving a session approval from the client application, updating the session with the information comprised by the session approval, and transmitting the public key and the blockchain network selection to the decentralized application.

Abstract: An object interface for quick access to object(s) of a communication platform is described. Server(s) of the communication platform can receive, in association with a user interface of the communication platform, a request to associate an object with an object interface associated with a virtual space of the communication platform. The server(s) can cause one or more objects to be presented via the user interface and can receive a selection of a particular object from the one or more objects. The server(s) can cause, in response to the selection, a user interface element representative of the particular object to be associated with the object interface, wherein the user interface element is associated with an actuation mechanism that, when actuated, causes the particular object to be presented via the user interface. Notifications associated with the particular object can be indicated by annotation(s) to the user interface.

Abstract: The technology disclosed herein provides a proof-of-work key wrapping system for verifying device capabilities. An example method may include: accessing a wrapped key and a cryptographic attribute for the wrapped key from an encrypted memory region, wherein the wrapped key encodes a cryptographic key; deriving, by a processing device, the cryptographic key in view of the wrapped key and the cryptographic attribute, wherein the deriving consumes computing resources for a duration of time; using the cryptographic key to access program data; and executing, by the processing device, the program data, wherein the executed program data evaluates a condition related to the duration of time.

Abstract: An information handling system includes a basic input/output system (BIOS), a memory, and a processor. The processor scans a current state of each BIOS attribute in the BIOS, and stores one or more changed attributes in a secure event log in the memory. The processor converts each changed attribute into a different threat event including a first changed attribute into a first threat event. The processor provides a list of threat events to multiple threat chains, each of which determine whether the threat events match threat criteria in a threat chain policy. In response to the threat event matching a threat criterion in the threat chain policy, the threat chain provides a threat state change to the processor, which in turn provides new threat state changes to a threat state change consumer.

Abstract: Techniques for exporting remote cryptographic keys are provided. In one technique, a proxy server receives, from a secure enclave of a client device, a request for a cryptographic key. The request includes a key name for the cryptographic key. In response to receiving the request, the proxy server sends the request to a cryptographic device that stores the cryptographic key. The cryptographic device encrypts the cryptographic key based on an encryption key to generate a wrapped key. The proxy server receives the wrapped key from the cryptographic device and sends the wrapped key to the secure enclave of the client device.

Abstract: A method for securing communications for a given network topology is provided. The method comprises generating by a node N(i) of the network, security parameters for the node N(i); transmitting by the node N(i), said security parameters to a controller for the network; maintaining by the controller said security parameters for the node N(i); receiving by the controller a request from a node N(j) for the security parameters for the node N(i); retrieving by the controller the security parameters for the node N(i); and transmitting by the controller said security parameters to the node N(j).

Abstract: Online retailers may operate a network of computing systems in order to provide an electronic marketplace to customers. The network of computing systems may be responsible for maintaining and providing different data to the customers of the online retailer. When a customer transmits a request to the online retailer the request may be divided into a set of tasks that may be executed in parallel by the computing systems. The data generated by executing the various tasks may be cached for various periods of time. Furthermore, log information may be generated based at least in part on execution of the various tasks. The logs may record data on initial access along with an identifier associated with the cached data. For subsequent tasks requiring cached data the log may include only the identifier associated with the cached data.

Abstract: In various embodiments, there is provide a method for organizing devices in a policy hierarchy. The method includes creating a first node. The method further includes assigning a first policy to the first node. The method further includes creating a second node, the second node referencing the first node as a parent node such that the second node inherits the first policy of the first node.

Abstract: An embedded processing system includes processing circuitry, a memory system, and a reprogramming control. The reprogramming control is configured to authenticate a user associated with a reprogramming operation of the embedded processing system and receive an encrypted configuration item. The reprogramming control is further configured to decrypt and authenticate the encrypted configuration item either for storage of the configuration item in the embedded processing system or for transmission externally as an encrypted and signed entity. These operations are performed only after the user requesting such an operation has been authenticated to have the permission to perform the requested operation.

Abstract: The method comprises: a user terminal initiating an authentication request to a target server and providing device information of the user terminal, and the target server receiving the authentication request and generating a temporary session, and sending a temporary session ID and the device information to a quantum key allocation network; the quantum key allocation network searching for a wearable device bound to the user terminal, and sending the temporary session ID to the wearable device; the wearable device collecting biological recognition information of a user, and sending the biological recognition information to the quantum key allocation network; and the quantum key allocation network matching the biological recognition information with pre-stored biological recognition information, wherein if matching is successful, an authentication result is sent to the target server, and then the target server sends the authentication result to the user terminal.

Abstract: Protecting an encryption key for data stored in a storage system that includes a plurality of storage devices, including: reading, from at least a majority of the storage devices, a portion of an apartment key; reconstructing the apartment key using the portions of the apartment key read by the majority of the storage devices; unlocking the main portion of each of the storage devices utilizing the apartment key; reading, from the main portion of one of the storage devices, a portion of a third-party resource access key; requesting, from the third-party resource utilizing the third-party resource access key, an encryption key; receiving, from the third-party resource, the encryption key; and decrypting the data stored on the storage devices utilizing the encryption key.

Abstract: Techniques for provisioning a key server to facilitate secure communications between a web server and a client by providing the client with a first data structure including information on how the web server may obtain a target symmetric key are presented. The techniques can include: provisioning the key server with a second data structure including information on how the key server may generate the first data structure; receiving a request on behalf of a web server for a third data structure comprising information on how the client may obtain the first data structure from the key server; and obtaining the third data structure, such that the third data structure is published in association with an identification of the web server, and such that the client uses the third data structure to obtain the first data structure and uses the first data structure to communicate with the web server.

Abstract: In one embodiment, a computer-implemented method of a data processing (DP) accelerator obtaining a watermark of an artificial intelligence (AI) model includes receiving, from a host device, the AI model to execute on the DP accelerator, and receiving input data that triggers output from the AI model on the DP accelerator. The DP accelerator calculates AI model output, in response to the received input and provides the output to the host device. The output can be a watermark extracted from the AI model. DP accelerator can call a security unit of the DP accelerator to digitally sign the output. In an embodiment, the security unit digitally signs the output from the AI model using a key that is retrieved from, or is derived from, a key stored in a secure storage on the security unit.