Key Distribution Center Patents (Class 380/279)
  • Patent number: 8897449
    Abstract: Quantum computing methods and systems are described. A computing device receives an encrypted state from another device. The encrypted state is stored on a quantum register, and a sequence of operations is applied to the encrypted state in the quantum register. The sequence of operations includes an operation parameterized by a control message from the other device. Applying the sequence of operations manipulates the state of the quantum register and an auxiliary quantum system. The auxiliary quantum system can be, for example, a qubit selected from four specified quantum states. Applying the sequence of operations produces encryption-key-update information. The computing device may send an encrypted output state and the encryption-key-update message to the other device.
    Type: Grant
    Filed: September 11, 2012
    Date of Patent: November 25, 2014
    Assignee: Quantum Valley Investment Fund LP
    Inventor: Anne Broadbent
  • Patent number: 8897442
    Abstract: In encryption, a random number r is generated to generate a ciphertext C2=M(+)R(r), function values HS(r, C2), a common key K, a ciphertext C(?+1) of the random number r using the common key K, and ciphertexts C(0) and C(?) of the common key K that correspond to function values HS(r, C2). In decryption, a common key K? is decrypted from input ciphertexts C?(0) and C?(?), an input ciphertext C?(?+1) is decrypted by using the common key K? to generate a decrypted value r?, and function values HS(r?, C2?) is generated. If the input ciphertexts C?(0) and C?(?) do not match ciphertexts C?(0) and C?(?) of the common key K? that correspond to the function values HS(r?, C2?), decryption is rejected; if they match, the input ciphertext C2? is decrypted.
    Type: Grant
    Filed: July 22, 2011
    Date of Patent: November 25, 2014
    Assignee: Nippon Telegraph and Telephone Corporation
    Inventor: Eiichiro Fujisaki
  • Patent number: 8897445
    Abstract: A combination-based broadcast encryption method includes: assigning by a server a base group of different combinations to each user; producing and sending secret information for each user by using as a base the base group allocated to each user; producing and sending an inverse-base parameter value through calculations with integers used to produce the base group and key value information of one or more privileged users; and deriving a group key by using the key value information of the privileged users, encrypting a session key by using the derived group key, and sending the encrypted session key to each user. Accordingly, each user is assigned a different base through a combination, thereby having security against collusion attacks.
    Type: Grant
    Filed: April 30, 2012
    Date of Patent: November 25, 2014
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Weon-il Jin, Dae-youb Kim, Hwan-joon Kim, Sung-joon Park
  • Publication number: 20140334624
    Abstract: A method for key management is disclosed, wherein in adding a new device to a device group, the device group including a plurality of devices, wherein each device in the device group possesses device keys of all other devices in the device group for encryption of messages, except its own device key and wherein the device group includes a group manager device that possesses all device keys of the devices in the device group, the method includes, establishing a secure connection between the new device and the group manager device in the device group; sending, by the group manager device in the device group, the device keys of all devices in the device group to the new device; generating and distributing, a device key of the new device to all other devices in the device group. This approach is also generalized to k-resilient schemes.
    Type: Application
    Filed: November 30, 2012
    Publication date: November 13, 2014
    Inventor: Johannes Arnoldus Cornelis Bernsen
  • Patent number: 8879739
    Abstract: A method for securely transferring digital content between two electronic devices, comprising an activation phase performed by a management center for generating a common network key, calculating for each device an encrypted network key with a unique device key and transmitting to each device the encrypted network key and a unique device value involving said device key and a unique device secret value, a keys recovering performed by each device for obtaining the device key from both the device value and the secret value of said device and obtaining the network key from both the encrypted network key and the previously obtained device key, and an operating phase performed by each device for generating or obtaining a random value, generating a final key by encrypting the random value with the network key and using said final key for encrypting/decrypting said content.
    Type: Grant
    Filed: January 9, 2013
    Date of Patent: November 4, 2014
    Assignee: Nagravision S.A.
    Inventor: Yann Bieber
  • Patent number: 8880881
    Abstract: A method of establishing secure communication between a first mobile computing device and a second mobile computing device includes generating a first self-signed key at the first mobile computing device, pairing the first device with a second device, the pairing including receiving user input of a passcode and after receiving the user input sending the first public key to the second mobile computing device and receiving a second public key from the second mobile computing device, storing the second public key in a database of trusted devices, the database of trusted devices being stored in the first mobile computing device, receiving in the first mobile computing device a list of mobile computing devices connected to a mobile network, matching the list of mobile computing devices against the database of trusted devices, and establishing secure communication between the first mobile computing device and the second mobile computing device.
    Type: Grant
    Filed: January 18, 2012
    Date of Patent: November 4, 2014
    Assignee: Square, Inc.
    Inventors: Shawn Morel, Diogo Monica, Eric Monti, Sam Wen, Nathan McCauley
  • Patent number: 8873760
    Abstract: A Service Key Delivery (SKD) system for delivering service keys to client devices in a communications network. The delivered service keys are operable to be used to decrypt an encrypted key operable to be used to decrypt an encrypted digital content. The SKD system includes a data input interface for receiving a distribution time frame for the keys and a listing of client device identifications. The SKD system also includes a scheduling module to partition at least part of the distribution time frame into a number of time slots in which the number may be based on a variety of factors. The scheduling module assigns the time slots in the partitioned part of the distribution time frame to the client devices based on the identifications in the listing. The SKD system also includes a message generator configured to send key delivery messages to the client devices.
    Type: Grant
    Filed: December 21, 2010
    Date of Patent: October 28, 2014
    Assignee: Motorola Mobility LLC
    Inventors: Petr Peterka, Kuang M. Chen, Ambikacharan P. Makam, Jiang Zhang
  • Patent number: 8875236
    Abstract: Disclosed is a method including allowing an application server to request setup of a session on behalf of a user terminal, and using mechanisms of a generic peer authentication procedure for enabling authentication of the application server to an interrogating server, the interrogating server being a network element that is configured to process said request to set up a session on behalf of a user terminal. Also disclosed are related devices, systems and computer programs.
    Type: Grant
    Filed: June 11, 2007
    Date of Patent: October 28, 2014
    Assignee: Nokia Corporation
    Inventors: Silke Holtmanns, Tiina S. Koskinen
  • Patent number: 8862867
    Abstract: The disclosure discloses a method for protecting security of layer-3 mobility user plane data in a Next Generation Network (NGN), including: performing authentication by a terminal with an authentication server; after the authentication is passed, obtaining a shared key material by both the terminal and the authentication server; generating, by the terminal and the authentication server, a mobility data security key according to the shared key material; transmitting, by the authentication server, the generated mobility data security key to a mobility data transmission module; protecting security of the layer-3 mobility user plane data, by the terminal and the mobility data transmission module, by using the mobility data security key. The disclosure also discloses a system for protecting security of layer-3 mobility user plane data in NGN.
    Type: Grant
    Filed: March 22, 2010
    Date of Patent: October 14, 2014
    Assignee: ZTE Corporation
    Inventors: Hongyan Wang, Yinxing Wei
  • Patent number: 8855318
    Abstract: Mechanisms are provided for generating a master key used to secure key objects associated with data blocks in a data center. A cryptographic node creation request is received. It is determined that a master key can not be obtained from another cryptographic node in the data center. A master key is generated. The master key is included in a key hierarchy used to encrypt a data center key object, the data center key object corresponding to a data block maintained in a storage area network (SAN), where the data center key object includes a unique identifier, an encrypted key, and a wrapper unique identifier. The master key is split into N shares, with M shares required to recreate the master key, wherein M is less than N. The N shares are distributed to different entities.
    Type: Grant
    Filed: April 2, 2008
    Date of Patent: October 7, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: Praveen Patnala, Anand Parthasarathy, Makarand Deshmukh, Jason Mellblom
  • Patent number: 8856512
    Abstract: A manageability engine (ME) receives an authentication response from a user during pre-boot authentication and registers the user with a key distribution center (KDC), indicating that the user has successfully authenticated to the PC. The KDC supplies the ME with single-sign-on credentials in the form of a Key Encryption Key (KEK). The KEK may later be used by the PC to obtain a credential used to establish secure access to Enterprise servers.
    Type: Grant
    Filed: December 30, 2008
    Date of Patent: October 7, 2014
    Assignee: Intel Corporation
    Inventors: Ned Smith, Purushottam Goel
  • Patent number: 8855317
    Abstract: This invention relates to a system for securing an information unit and applications thereof. The system comprises at least one encrypting means for applying a first encryption key to the information unit, thus providing an encrypted information unit, wherein said at least one encrypting means is adapted to apply at least two second information encryption keys to the encrypted information unit, said at least two second encryption keys being calculated so as to decrypt the encrypted information unit when all of said first and second encryption keys have been applied to the information unit, the encryption keys being distributed to chosen users of the system.
    Type: Grant
    Filed: October 28, 2010
    Date of Patent: October 7, 2014
    Assignee: Universitetet i Stavanger
    Inventors: Chunming Rong, Gansen Zhao
  • Patent number: 8856879
    Abstract: A backup account recovery authentication of last resort using social authentication is described. The account holder requests trustees who have been previously identified to obtain an account recovery code. The account recovery system sends a communication to the trustee for information to verify the trustee as one of the previously identified trustees. The account recovery system then may transmit a link and code with instructions for the trustee to return the link. The account recovery system then transmits a situational query to the trustee to provide additional security. Finally, if all the communications have been completed for the required level of security, the account recovery code is transmitted to the trustee. The trustee sends the account recovery code to the account holder for access to an account.
    Type: Grant
    Filed: May 14, 2009
    Date of Patent: October 7, 2014
    Assignee: Microsoft Corporation
    Inventors: Stuart Schechter, Robert Wilson Reeder
  • Patent number: 8848921
    Abstract: A group key management approach based on linear geometry is disclosed.
    Type: Grant
    Filed: December 24, 2009
    Date of Patent: September 30, 2014
    Assignee: South China University of Technology
    Inventors: Shaohua Tang, Jintai Ding, Guangdong Yang, Yujun Liang
  • Patent number: 8848923
    Abstract: A method for controlling information object (102) usage in a network of information (100) wherein information objects (102) are identified by information object identities and locations of the information objects (102) are indicated by location pointing information, the method comprising receiving (5b) an encrypted information object (102), sending (7) to a resolution node (D200) a request for location pointing information of a key issuing node (D300), the request comprising an identity of the received information object (102), receiving (8) the location pointing information of the key issuing node (D300), sending (9) to the key issuing node (D300) a request for an access key (104) for decrypting the encrypted information object (102), the request comprising the identity of the received information object (102), receiving (11) the access key (104), and decrypting (12) the received encrypted information object (102) with the received access key (104).
    Type: Grant
    Filed: June 5, 2009
    Date of Patent: September 30, 2014
    Assignee: Telefonaktiebolaget L M Ericsson (Publ)
    Inventors: Rene Rembarz, Daniel Catrein, Frank Hartung
  • Patent number: 8837736
    Abstract: The present invention relates to a method for operating a trust center for distributing key material to at least one radio station, comprising the steps of at the trust center, dividing an identifier of the radio station, said identifier being a code word consisting of a first number of bits, into a plurality of subidentifiers, and generating for each subidentifier, a keying material function selected out of a set of keying material functions on the basis of the considered subidentifier at the trust center, transmitting to the radio station the identifier and the key material comprising the generated encryption functions.
    Type: Grant
    Filed: April 10, 2009
    Date of Patent: September 16, 2014
    Assignee: Koninklijke Philips N.V.
    Inventors: Oscar Garcia Morchon, Mark Patrick Sillner, Bozena Erdmann
  • Patent number: 8831228
    Abstract: Various embodiments of a system and method for decentralized management of keys and policies are described. Various embodiments may include a computer system configured to receive a request from a remote computer system associated with a recipient of content. Such request may include an encrypted content encryption key that is encrypted with a packaging key utilized by a packaging entity. The request may also include an identifier identifying the packaging entity. In some embodiments, the request may also include policy information specifying one or more usage rights of the content. The computer system may be configured to, in response to determining the recipient is authorized to access the content, generate the packaging key based on the identifier and a secret root seed, utilize the generated packaging key to decrypt the encrypted content encryption key, and provide the decrypted content encryption key to the remote computer system.
    Type: Grant
    Filed: August 28, 2009
    Date of Patent: September 9, 2014
    Assignee: Adobe Systems Incorporated
    Inventors: Sunil C. Agrawal, Katherine K. Nadell
  • Patent number: 8832429
    Abstract: Method for operating a smart grid including a plurality of smart meters configured to monitor at least one physical measured quantity and to provide measurement results of the at least one physical measured quantity to a central entity, includes the following steps: partitioning the smart grid into groups of smart meters, such that each of the smart meters belongs to exactly one group, all smart meters of one of the groups encrypt their measured value by applying a bihomomorphic encryption scheme and send it to the central entity, one smart meter per group is designated as key aggregator to which all smart meters of that group send their key employed for the encryption, the key aggregator computes the aggregation of all received keys and sends the aggregated key to the central entity, the central entity aggregates all received encrypted measured values and decrypts the aggregation by employing the aggregated key.
    Type: Grant
    Filed: January 31, 2011
    Date of Patent: September 9, 2014
    Assignees: NEC Europe Ltd., Universidad de Murcia
    Inventors: Felix Gomez Marmol, Christoph Sorge, Osman Ugus, Gregorio Martinez Perez, Alban Hessler
  • Patent number: 8826014
    Abstract: A method, system and apparatus for authenticating a communication request sent from a client computing device. The communication request is initially blocked by a firewall preventing delivery to a server. A first logging event corresponding to the communication request is created. The communication request and the logging event are stored in a firewall. The server is notified of the first logging event. The communication request corresponding to the first logging event is authenticated. A port in the firewall is enabled if the communication request is authenticated.
    Type: Grant
    Filed: January 21, 2005
    Date of Patent: September 2, 2014
    Assignee: International Business Machines Corporation
    Inventors: Jeffery Bart Jennings, Kofi Kekessie
  • Patent number: 8824686
    Abstract: Apparatus and method for synchronizing encryption keys among a cluster of security appliances and stand alone lifetime key management, LKM, appliances. The cluster includes security appliances where new encryption keys are generated and assigned to an SNS ID with an SNS CTR (counter). The security appliances inside a cluster have local sequence counters and share their keys. One security appliance is a coordinator with which the LKMs will synchronize. Each LKM also has a SNS ID and local sequence counter from which increasing sequence numbers are generated. In each security appliance in a cluster, the up-to-date stored sets of keys are organized with respect to SNS IDs and SNS CTRs associated with the other cluster members. The object keys are stored in the SNS space and a peer map associates a given peer with a given SNS ID, and version numbers are assigned and incremented when a key is modified.
    Type: Grant
    Filed: April 27, 2007
    Date of Patent: September 2, 2014
    Assignee: NetApp, Inc.
    Inventors: Hiroshi Ishii, Hristo Bojinov, Ananthan Subramanian
  • Patent number: 8824687
    Abstract: A method of facilitating substantially simultaneous receipt of electronic content by a plurality of intended recipients is disclosed. The electronic content is encrypted. The encrypted electronic content is transmitted to the plurality of intended recipients. An acknowledgement packet is received from each of the plurality of intended recipients within a predetermined timeout period. A handicap time is calculated for transmitting a decryption key to each of the intended recipients based on a time associated with the acknowledgement packet last received. Decryption keys are transmitted to the plurality of intended recipients using a delay based on the handicap time, where a decryption key having a smaller handicap time is transmitted prior to a decryption key having a larger handicap time.
    Type: Grant
    Filed: May 4, 2012
    Date of Patent: September 2, 2014
    Assignee: Acquire Media Ventures, Inc.
    Inventors: Lawrence C. Rafsky, Robert E. Ungar, Thomas B. Donchez
  • Patent number: 8826013
    Abstract: A cloud computing environment includes a key management server and a cloud computer system running several virtual machines. A virtual machine hosted by the cloud computer system includes an integrity check module for checking the integrity of the virtual machine and getting identity information of the virtual machine. The integrity check module sends a key request to a key management server, which provides key service to different cloud computer systems. The key management server validates the request and, if the request is valid, provides the key to the virtual machine. The key is used to unlock an encrypted file system in the virtual machine.
    Type: Grant
    Filed: September 23, 2009
    Date of Patent: September 2, 2014
    Assignee: Trend Micro Incorporated
    Inventors: Narasimham Kodukula, Andrew John Dancer, Bharath Kumar Chandrasekhar
  • Patent number: 8817986
    Abstract: A system enables intermediary communication components to carry out cross enterprise communication. At a first sending enterprise the system comprises: a processor executing code to: receive a signed encrypted message from a sender within a first enterprise; validate the sender; decrypt the message; encrypt the message for receipt by a second enterprise; sign the encrypted message by the first enterprise; and send the re-signed re-encrypted message to a second enterprise. At the second receiving enterprise, the system comprises a processor executing code to: receive a signed encrypted message from a first enterprise; validate that the first enterprise is the sender; decrypt the message; encrypt the message for receipt by recipients at the second enterprise; sign the encrypted message by the second enterprise indicating that the message is from the first enterprise; and send the re-signed re-encrypted message to the recipients of the second enterprise.
    Type: Grant
    Filed: February 29, 2012
    Date of Patent: August 26, 2014
    Assignee: International Business Machines Corporation
    Inventors: Alan James Chatt, Christopher Colin Paice, Cyril Peter Stewart
  • Patent number: 8817990
    Abstract: A media-independent handover key management architecture is disclosed that uses Kerberos for secure key distribution among a server, an authenticator, and a mobile node. In the preferred embodiments, signaling for key distribution is based on re-keying and is decoupled from re-authentication that requires EAP (Extensible Authentication Protocol) and AAA (Authentication, Authorization and Accounting) signaling similar to initial network access authentication. In this framework, the mobile node is able to obtain master session keys required for dynamically establishing the security associations with a set of authenticators without communicating with them before handover. By separating re-key operation from re-authentication, the proposed architecture is more optimized for a proactive mode of operation. It can also be optimized for reactive mode of operation by reversing the key distribution roles between the mobile node and the target access node.
    Type: Grant
    Filed: January 10, 2008
    Date of Patent: August 26, 2014
    Assignees: Toshiba America Research, Inc., Telecordia Technologies, Inc.
    Inventor: Yoshihiro Oba
  • Patent number: 8819720
    Abstract: Tools are provided for distributing access-restricted content in an internet protocol television (“IPTV”) environment based on portable entitlement keys. Such tools can include a decoder, an encoder, and a network entitlement handler. The decoder may be configured to receive a key associated with entitlement information, and transmit the entitlement information over a network. The encoder may be configured to receive content from content providers, and to encode the content to create IP-compatible content, with access restrictions based on entitlement. The network entitlement handler may be configured to receive a request for requested content from the decoder; receive the access-restricted content (including the requested content) from the encoder; and transmit the requested content over the network to the decoder using IP, when the decoder is entitled to receive the requested content.
    Type: Grant
    Filed: July 2, 2012
    Date of Patent: August 26, 2014
    Assignee: Qwest Communications International Inc.
    Inventors: Steven M. Casey, Gnanasegeran Selvadurai, Felipe Castro, Waqar Khan
  • Publication number: 20140233740
    Abstract: Methods and systems are described for secure delivery of a content item from at least a first content distribution network (CDN1) to at least one content receiving entity using a split-key cryptosystem comprising encryption and decryption algorithms E and D, a cipher algorithm for generating encryption and decryption keys e, d on the basis of secret information S and a split-key algorithm using secret information S for splitting e into i different split-encryption keys $e_1, e_2, \ldots, e_i$ and/or for splitting d into k different split-decryption keys $d_1, d_2, \ldots, d_k$ respectively, such that $D_{d_k}(D_{d_{k-1}}(\ldots D_{d_2}(D_{d_1}(E_{e_i}(E_{e_{i-1}}(\ldots E_{e_2}(E_{e_1}(X)) \ldots )))) \ldots )) = D_{d_k}(D_{d_{k-1}}(\ldots D_{d_2}(D_{d_1}(X_{e_1, e_2, \ldots, e_i})) \ldots )) = X$, wherein $i, k \geq 1$ and $i + k > 2$.
    Type: Application
    Filed: September 7, 2012
    Publication date: August 21, 2014
    Applicants: Nederlandse Organisatie voor Toegepast-Natuurwetenschappelijk Onderzoek TNO, Koninklijke KPN N.V.
    Inventors: Omar Aziz Niamut, Mattijs Oskar Van Deventer, Peter Veugen
  • Patent number: 8811620
    Abstract: Implementations of the present disclosure are directed to sharing data in a supply chain, the data corresponding to an item having a tag associated therewith. Methods include determining a random number from the tag, the random number being unique to the item, selecting a first integer and a second integer, generating a first public key based on the first integer and a semi-public key based on the second integer, generating an identifier based on the first public key and the random number, generating a key based on the semi-public key and the random number, encrypting the data using the key to provide encrypted data, defining a tuple comprising the identifier and the encrypted data, and transmitting the tuple over a network for storage in a persistent storage device.
    Type: Grant
    Filed: February 14, 2011
    Date of Patent: August 19, 2014
    Assignee: SAP AG
    Inventors: Leonardo Weiss F. Chaves, Florian Kerschbaum
  • Patent number: 8811619
    Abstract: During execution of BIOS at an information handling system, a processor communicates with the storage controller via a command line protocol (CLP) communications channel. Via the channel, the processor obtains identification information for storage devices associated with the storage controller. The processor communicates the identification information to a key management client, which obtains encryption keys based on the identification information from a key management server. The processor receives the encryption keys, and communicates them to the storage controller via the CLP communications channel. The CLP communications channel thus provides a convenient and flexible interface for communication of security information prior to execution of an operating system.
    Type: Grant
    Filed: October 31, 2008
    Date of Patent: August 19, 2014
    Assignee: Dell Products, LP
    Inventors: Mukund P. Khatri, Kevin T. Marks, Don H. Walker
  • Patent number: 8804966
    Abstract: A system and method for controlling message attachment handling functions on a mobile device is described herein. An attachment handling control can be set to identify one of a number of selected attachment handling control modes. Depending on the attachment handling control mode identified, a request for the attachment structure that includes a decrypted session key for an encrypted message received at the mobile device may or may not be automatically sent to a remote server. This may provide the user with increased control over the content of an encrypted message that the remote server may access when determining the attachment structure for a message.
    Type: Grant
    Filed: July 26, 2012
    Date of Patent: August 12, 2014
    Assignee: BlackBerry Limited
    Inventors: Michael Stephen Brown, Michael Kenneth Brown, Michael Grant Kirkup
  • Patent number: 8800049
    Abstract: In one embodiment, the present invention is directed to the use of separate communication pathways over different types of networks to handle bearer and control signaling in connection with a license transaction.
    Type: Grant
    Filed: August 26, 2009
    Date of Patent: August 5, 2014
    Assignee: Avaya Inc.
    Inventors: Paul Roller Michaelis, David S. Mohler, Douglas W. Swartz, Roger L. Toennis
  • Patent number: 8798273
    Abstract: A key management protocol (such as KMIP) is extended to provide an extended credential type to pass information from clients to the server to enable the server to deduce pre-provisioned cryptographic materials for the individual clients. Preferably, KMIP client code communicates device information to a key management server in a value in the headers of KMIP requests that flow to the server. In this manner, KMIP requests are associated with pre-provisioned cryptographic materials for particular devices or device groups.
    Type: Grant
    Filed: August 19, 2011
    Date of Patent: August 5, 2014
    Assignee: International Business Machines Corporation
    Inventors: Bruce Arland Rich, John Thomas Peck, Gordon Kent Arnold
  • Patent number: 8787573
    Abstract: A cipher communication method for an encryption apparatus includes: receiving a second encryption key while performing a cipher communication using a first encryption key; storing encryption key input information on the first and second encryption keys in a static region; copying the stored encryption key input information into a dynamic region; selecting any one of the first and second encryption keys based on the copied encryption key input information and current time information; generating encryption key position information and encryption key selection information on the selected encryption key; and transmitting a cipher text and the encryption key selection information to another encryption apparatus connected to the encryption apparatus through a network such that the another encryption apparatus acquires an encryption key to decrypt the cipher text.
    Type: Grant
    Filed: August 10, 2012
    Date of Patent: July 22, 2014
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Taek-Jun Nam, Byeong-Ho Ahn
  • Patent number: 8788824
    Abstract: An exemplary method includes transmitting, by a software application subsystem, a request to an encryption services subsystem to route a message generated by an originating software application to a recipient software application through a message broker subsystem, acquiring, by the software application subsystem, data representative of a current encryption configuration of the message broker subsystem from the encryption services subsystem in response to the request, and determining, by the software application subsystem, during a run time of the originating software application whether to encrypt the message before the message is transmitted to the message broker subsystem for routing to the recipient software application, the determination based at least in part on the current encryption configuration of the message broker subsystem. Corresponding methods and systems are also disclosed.
    Type: Grant
    Filed: August 13, 2009
    Date of Patent: July 22, 2014
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Suresh Jonnagadla, Robert Daugherty, Shailender Gola, Ha Tam Nham, Lawrence Taylor
  • Patent number: 8788807
    Abstract: Methods and apparatus for protecting user privacy in a shared key system. According to one aspect, a user generates a derived identity based on a key and a session variable, and sends the derived identity to an application. In one embodiment, a key server may be used to receive the derived identity from the application, and return a sub-key to the application to use for encrypting communications with the user.
    Type: Grant
    Filed: January 10, 2007
    Date of Patent: July 22, 2014
    Assignee: QUALCOMM Incorporated
    Inventors: Adrian Escott, James Semple
  • Patent number: 8789197
    Abstract: A system and method facilitate the use of a multi-function computer for an examination. An application implementing the method receives a hash input from a user and, upon successful completion of the examination, displays a hash output. The hash output may be displayed as a visual hash. During the examination, the application or system monitors the multi-function computer to determine whether the user has activated, viewed, or launched any prohibited functions or applications on the multi-function computer. If the user views a prohibited function or application, the examination application does not display the hash output. The system and application implement various security measures to prevent spoofing or duplication of the hash output or tampering with the application.
    Type: Grant
    Filed: September 17, 2010
    Date of Patent: July 22, 2014
    Assignee: Wolfram Alpha LLC
    Inventors: Stephen Wolfram, Taliesin Sebastian Beynon, Robert Kerr Lockhart
  • Patent number: 8788828
    Abstract: A system and method for verifying ownership of an electronic receipt in a communication system providing a public key infrastructure, the verification arising out of a series of messages being sent and received between a first party and a verifying party, the method comprising the steps of receiving a proof message from the first party, the proof message being derived from at least a first public key based on a secret owned by the first party and wherein the secret is associated with at least the secret of a further public key of the first party and an electronic receipt that has been issued by electronically signing a request message with a second public key, determining whether or not the proof message was derived from the second public key.
    Type: Grant
    Filed: September 12, 2012
    Date of Patent: July 22, 2014
    Assignee: International Business Machines Corporation
    Inventors: Elsie van Herrewegen, Jan Camenisch
  • Patent number: 8788811
    Abstract: A method and system for server-side key generation for non-token clients is described.
    Type: Grant
    Filed: May 28, 2010
    Date of Patent: July 22, 2014
    Assignee: Red Hat, Inc.
    Inventors: Christina Fu, Andrew Wnuk
  • Patent number: 8781131
    Abstract: The present invention discloses a key distribution method and system, and the method includes: a card issuer management platform generating initial keys of a supplementary security domain corresponding to an application provider, importing the initial keys and a Trust Point's public key for external authentication to the supplementary security domain, and sending the information of the supplementary security domain and the initial keys to the application provider management platform (202); the application provider management platform receiving the information of the supplementary security domain and the initial keys, and selecting the supplementary security domain of the smart card by a service terminal according to the information of the supplementary security domain and the initial keys (204); the application provider management platform generating a public key and a private key of the supplementary security domain as well as a certificate of the supplementary security domain, and encrypting the public key
    Type: Grant
    Filed: August 12, 2009
    Date of Patent: July 15, 2014
    Assignee: ZTE Corporation
    Inventors: Jingwang Ma, Qian Jia, Wantao Yu
  • Patent number: 8774410
    Abstract: A first cryptographic device generates plaintext information characterizing at least one key or other secret value associated with that device. The first cryptographic device releases portions of the plaintext information to a second cryptographic device over respective time intervals. The portions of the plaintext information are configured by the first cryptographic device such that the second cryptographic device must receive at least a designated minimum number of the portions in order to determine the secret value from those received portions. By way of example, the portions of the plaintext information may be wirelessly transmitted by the first cryptographic device, such that the second cryptographic device must be in wireless contact with the first cryptographic device for at least a designated minimum amount of time in order to receive the designated minimum number of portions required to determine the secret value.
    Type: Grant
    Filed: December 23, 2011
    Date of Patent: July 8, 2014
    Assignee: EMC Corporation
    Inventor: Ari Juels
  • Patent number: 8774415
    Abstract: In an embodiment, a key sharing device connects to external devices with paths, and includes a key storage unit, a determining unit, a first generating unit, an encrypting unit, and a first transmitting unit. The key storage unit stores cryptographic keys to be shared. The determining unit determines a path for reaching a first device via a second device when a number of the cryptographic keys out of the cryptographic keys stored in the key storage unit is a predetermined threshold or smaller. The first generating unit generates an initial key that is a new cryptographic key to be shared with the first device. The encrypting unit encrypts the initial key by using the cryptographic key. The first transmitting unit transmits the encrypted initial key to the second device with addressing the first device as destination.
    Type: Grant
    Filed: July 10, 2012
    Date of Patent: July 8, 2014
    Assignee: Kabushiki Kaisha Toshiba
    Inventor: Shinichi Baba
  • Patent number: 8774403
    Abstract: Embodiments are directed towards enabling cryptographic key rotation without disrupting cryptographic operations. If key rotation is initiated, a transitional key may be generated by encrypting the current key with a built-in system key. A new key may be generated based on at least one determined key parameter. Next, the new key may be activated by the one or more key holders. If the new key is activated, it may be designated as the new current key. The new current key may be employed to encrypt the transitional key and store it in a key array. Each additional rotated key may be stored in the key array after it is encrypted by the current cryptographic key. Further, in response to a submission of an unencrypted query value, one or more encrypted values that correspond to a determined number of rotated cryptographic keys are generated.
    Type: Grant
    Filed: December 7, 2012
    Date of Patent: July 8, 2014
    Assignee: Dark Matter Labs, Inc.
    Inventors: Jeffrey Earl MacMillan, Jason Arthur Offrey
  • Patent number: 8767966
    Abstract: Techniques are presented for secure broadcasting and multicasting. Communications for multicasting and broadcasting are encrypted and decrypted using a secure communication key. The secure communication key is represented in a broadcast value that is sent to selected parties. The broadcast value represents the product of unique prime numbers and an additional number plus the secure communication key. Each party is represented by one of the unique prime numbers. Each party can acquire the secure communication key by dividing the broadcast value by its particular prime number to obtain a remainder, which is the secure communication key.
    Type: Grant
    Filed: February 22, 2013
    Date of Patent: July 1, 2014
    Assignee: Oracle International Corporation
    Inventors: Gosukonda Naga Venkata Satya Sudhakar, Ashwin Anand Shenvi
  • Patent number: 8762728
    Abstract: A method of authentication between first (QNodeX) and second (QNodeY) network nodes within a network suitable for implementing quantum cryptography comprises steps in which the first and second nodes each generate a cryptographic hash ([MXY]AI, [MYX]AJ) of a message ([MXY], [MYX]) using respective authentication keys (AI, AJ) shared with a third network node (QNodeW). The messages may be those exchanged between the first and second nodes during agreement of a quantum key to be used between the nodes. An authentication key to be shared by the first and second nodes may be established using the quantum key. The invention therefore allows an authentication key to be established and shared between the first and second network nodes without direct physical intervention. Networks having large numbers of network nodes may be re-keyed following replacement or maintenance of a network node much more quickly and easily than is the case where re-keying is achieved by physically supplying shared authentication keys.
    Type: Grant
    Filed: December 2, 2009
    Date of Patent: June 24, 2014
    Assignee: Qinetiq Limited
    Inventor: Simon Robert Wiseman
  • Patent number: 8761401
    Abstract: A system and method for securely distributing PKI data, such as one or more private keys or other confidential digital information, from a PKI data generation facility to a product in a product personalization facility that is not connected to the PKI data generation facility and is assumed to be a non-secure product personalization facility. The system includes a PKI data loader for securely transmitting the encrypted PKI data transferred from the PKI data generator to a PKI server at the product personalization facility. The PKI server then transfers the PKI data to the product of interest, typically via a PKI station acting as a proxy between the PKI server and the product. In each communication step, PKI data being transferred is encrypted multiple times and the system is designed such that if any intermediate node is compromised with all of its keys, the overall system has not yet been compromised.
    Type: Grant
    Filed: August 28, 2007
    Date of Patent: June 24, 2014
    Assignee: Motorola Mobility LLC
    Inventors: Eric J. Sprunk, Alexander Medvinsky, Xin Qiu, Stuart Moskovics, Liqiang Chen
  • Patent number: 8761402
    Abstract: Method and system for transferring encrypted content from a server to a storage device are provided. The method includes encrypting the content using a first key, wherein the server encrypts the content; establishing a secure communication channel between the server and the storage device using a random session key; sending the first key to the storage device via the secure communication channel; replacing the random session key with the first key; sending the encrypted content to the storage device after the random session key is replaced with the first key; decrypting the encrypted content using the first key, wherein the storage device decrypts the encrypted content; re-encrypting the decrypted content using a second key generated by the storage device; and storing the re-encrypted content at the storage device.
    Type: Grant
    Filed: September 28, 2007
    Date of Patent: June 24, 2014
    Assignee: SanDisk Technologies Inc.
    Inventors: Paul McAvoy, Po Yuan, Alson Kemp
  • Publication number: 20140169567
    Abstract: Method for granting a plurality of electronic communication devices access to a local area network (LAN) via an access point using a single cryptographic key to secure communications exchanged through the LAN. The method comprising an activation phase performed once at initialization of the LAN and an operating phase wherein the electronic communication devices access the LAN. The activation phase comprising: providing the cryptographic key in a digital form by the access point; transferring the cryptographic key to a master device, switching the access point into a secure mode in which any further communication with the access point is secured with the cryptographic key. The operating phase comprising: transferring the cryptographic key from the master device to the electronic communication devices. The cryptographic key is converted from its digital form into a graphic form and then transferred in the graphic form to the electronic communication devices during the operating phase.
    Type: Application
    Filed: December 17, 2013
    Publication date: June 19, 2014
    Applicant: NAGRAVISION S.A.
    Inventor: Bertrand WENDLING
  • Patent number: 8755525
    Abstract: A method of key distribution from a first entity to a second entity including the first entity communicating with a moveable key device so as to share a secret data with said moveable key device, relocating said moveable key device to a location having a quantum link with said second entity, transmitting a quantum signal from said moveable key device to said second entity on said quantum link, the quantum signal being based on said secret data; and said first entity and said second entity undertaking key agreement based on the quantum signal received by the second entity. Such a method allows the principles of quantum key distribution to be applied even in the absence of a suitable quantum communications link between the first and second entities.
    Type: Grant
    Filed: May 15, 2009
    Date of Patent: June 17, 2014
    Assignee: Qinetiq Limited
    Inventor: Simon Robert Wiseman
  • Patent number: 8755526
    Abstract: There is provided a system and method for a universal file packager for use with an interoperable key chest. There is provided a method for distributing media contents to distributors, comprising obtaining a first key, a second key and a content, encrypting the second key using the first key to generate an encrypted second key, encrypting the content using the second key to generate an encrypted content, generating a key information file including the encrypted second key, generating a universal file including the encrypted content and a first network address for a central key repository (CKR), providing the key information file for storage in the CKR, and providing the universal file to the distributors. The universal file can then be provided to users for digital e-commerce and transferred across different distributors with the CKR negotiating key access for granting new interoperable DRM licenses.
    Type: Grant
    Filed: July 10, 2009
    Date of Patent: June 17, 2014
    Assignee: Disney Enterprises, Inc.
    Inventors: Arnaud Robert, Scott F. Watson
  • Patent number: 8755520
    Abstract: An apparatus and method for generating a key for a broadcast encryption. The apparatus includes a node secret generator for managing a user that receives broadcast data in a tree structure and for generating a unique node secret for each node in the tree structure. The apparatus also includes an instant key generator for temporarily generating an instant key used at all nodes in common in the tree structure, and a node key generator for generating a node key for each node by operating the node secret generated at the node secret generator and the instant key generated at the instant key generator. Thus, key update can be efficiently achieved.
    Type: Grant
    Filed: March 22, 2012
    Date of Patent: June 17, 2014
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Hwan-joon Kim, Dae-youb Kim, Weon-il Jin, Sung-joon Park
  • Patent number: 8756439
    Abstract: A non-transient computer usable medium has computer usable instructions embodied thereon, the computer usable instructions configured to cause a computer device to perform the steps of receiving an intermediate program code prior to execution of the intermediate program code; recognizing data storage commands within the intermediate program code; modifying the intermediate program code such that, during execution of the intermediate program code, the data is encrypted before it is stored; recognizing data retrieval commands within the intermediate program code; modifying the intermediate program code such that, during execution of the intermediate program code, the data is decrypted after it is retrieved; and providing the modified intermediate program code for execution.
    Type: Grant
    Filed: August 30, 2010
    Date of Patent: June 17, 2014
    Assignee: Physical Optics Corporation
    Inventors: Tomasz Jannson, Thomas Forrester, Kevin Duane Degrood, Kathy Mai Nguyen, Andrew Kostrzewski, Kang Lee, Eric Gans, Kevin Carl Walter