Using Master Key (e.g., Key-encrypting-key) Patents (Class 380/284)
  • Patent number: 11943338
    Abstract: A method, apparatus, system, or computer-readable medium for performing object-level encryption and key rotations is disclosed. A service platform may store data items organized into one or more asset clusters. A first content encryption key may be set as the active encryption key for an asset cluster. The active encryption key may be encrypted using the master encryption key. A first subset of data items may be encrypted using the active encryption key (e.g., the first content encryption key). After the number of data items encrypted using the active encryption key satisfies a threshold value, the first content encryption key may be set as an inactive encryption key and a second content encryption key may be set as the new active encryption key for the asset cluster. A second subset of the plurality of data items may be encrypted using the active encryption key (e.g., the second content encryption key).
    Type: Grant
    Filed: August 19, 2021
    Date of Patent: March 26, 2024
    Assignee: Capital One Services, LLC
    Inventors: Rocky Gray, Jeremy Green, Justin Bachorik, Irakli Nadareishvili
  • Patent number: 11923000
    Abstract: A data scrambling method for controlling a code density according to an exemplary embodiment of the present disclosure includes receiving a plain code which is a code to be stored in the non-volatile memory device and a storage address at which the plain code is recorded; determining a rank corresponding to the plain code, using an ET table including appearance frequency rank information corresponding to individual plain code; calculating an adjustment rank corresponding to the plain code, using the rank and a random number that is generated based on the storage address; determining a cipher code corresponding to the appearance frequency rank of the plain code, using the adjustment rank and an ECC table including rank information determined by an objective function for individual cipher code; and storing the cipher code in the storage address.
    Type: Grant
    Filed: November 24, 2021
    Date of Patent: March 5, 2024
    Assignee: UNIVERSITY OF SEOUL INDUSTRY COOPERATION FOUNDATION
    Inventors: Dong Hee Lee, Choul Seung Hyun, Gwan Il Jeong, Soo Won You
  • Patent number: 11922363
    Abstract: Embodiments are provided for verifying physical proximity of counterparties in digital asset transfers. A sender device receives a recipient hash and a recipient address, where the recipient hash is generated by the recipient device based on each of the associated recipient address and a first set of location parameters. The sender device obtains a second set of location parameters that corresponds to a detected physical location thereof. The sender device employs the obtained second set of location parameters to decipher the recipient hash, and generates a request to transfer a digital token from a sender address associated with the sender device to the recipient address based on a determination that the deciphered recipient hash corresponds to the received recipient address.
    Type: Grant
    Filed: September 7, 2018
    Date of Patent: March 5, 2024
    Assignee: United Parcel Service of America, Inc.
    Inventor: Robert J. Gillen
  • Patent number: 11910301
    Abstract: Method and system for detecting stations in wireless local area networks having at least one access point configured to: upon transmission of an association response to a station, send a radio measurement request to the station performing active scanning of a SSID having a unique identifier univocally associated with a persistent MAC address of the station, upon reception of a probe request, check if the SSID field has a unique identifier univocally associated with a persistent MAC address of a station, and associate the source address of the probe request with the persistent MAC address of the station on a database of known stations; detect stations within the coverage area of the access point based on the information stored on the database of known stations.
    Type: Grant
    Filed: July 29, 2019
    Date of Patent: February 20, 2024
    Assignee: AOIFE SOLUTIONS, S.L.
    Inventors: Enrique Giraldo-Suarez, Victor Berrocal-Plaza, Jose Ayub Gonzalez Garrido, Jose Antonio Delgado Alfonso
  • Patent number: 11870897
    Abstract: Various arrangements relate to a method performed by a processor of a computing system. An example method includes tokenizing a first value using a tokenization algorithm to generate a first token. The first value and first key are inputs of the tokenization algorithm. A message is generated. The message includes a first value identifier associated with the first value and a first key generation identifier associated with the generation of the first key. The message is associated with the first token. A second key is generated. A second value is tokenized using a tokenization algorithm to generate a second token. The second value and second key are inputs of the tokenization algorithm.
    Type: Grant
    Filed: November 11, 2021
    Date of Patent: January 9, 2024
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Phillip H. Griffin, Jeffrey J. Stapleton
  • Patent number: 11861597
    Abstract: A method can include generating a cryptogram by encrypting, by a hardware security module (HSM), a keyed-hash message authentication code (HMAC) key by a master key encryption key (MK); transmitting, to a database server, the cryptogram; destroying the cryptogram at the HSM, in response to the transmitting the cryptogram to the database server; receiving, from the database server, the cryptogram and an ID generated by the database server; generating a wallet password based on the ID and the cryptogram; generating a data encryption key (DK) retrievable via the wallet password; transmitting, to the database server, the DK without the wallet password; destroying the wallet password in response to the transmitting the DK to the database server; decrypting the cryptogram into a decrypted HMAC key; regenerating the wallet password using the ID and the decrypted HMAC key; encrypting the regenerated wallet password; transmitting, to the database server, the encrypted regenerated wallet password.
    Type: Grant
    Filed: June 24, 2022
    Date of Patent: January 2, 2024
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Phillip H. Griffin, Jeffrey J. Stapleton
  • Patent number: 11831654
    Abstract: In an example, there is disclosed a computing apparatus having: a network interface to communicate with a second device; a contextual data interface to receive and store contextual data; and one or more logic elements comprising a contextual security agent, operable to: receive a contextual data packet via the network interface; compare the contextual data packet to stored contextual data; and act on the comparing. The contextual data packet may optionally be provided out of band, and may be used to authenticate a substantive data packet, such as a patch or update.
    Type: Grant
    Filed: December 22, 2015
    Date of Patent: November 28, 2023
    Assignee: McAfee, LLC
    Inventors: Alexander J. Hinchliffe, Pablo R. Passera
  • Patent number: 11658735
    Abstract: A constellation of many satellites provides communication between devices such as user terminals and ground stations. A collaborative constellation management interface (CCMI) provides collaborative interaction capabilities to operators at different locations, facilitating management and operation of the constellation. A lightweight presentation client, such as a browser, handles receiving input data from an operator and presenting output data to the operator. An operator initiates a session that participates in a common session. Limited to the permissions associated with the operator's session, input data is processed by the systems referred to by the common session. Output data for presentation is sent to the participating operator sessions, limited to their respective permissions. As a result, each common session accepts input and presents consistent output, allowing for collaborative interaction by many operators at different locations.
    Type: Grant
    Filed: November 22, 2021
    Date of Patent: May 23, 2023
    Assignee: AMAZON TECHNOLOGIES, INC.
    Inventor: Jari Karppanen
  • Patent number: 11562309
    Abstract: An engineering assistant system 1 includes: an engineering server 10 that issues a work list including information related to work necessary for performing the engineering of a process control system 100; and at least one engineering client 20 that grants work authority for each worker based on the work list issued by the engineering server 10 and makes it possible to perform work on a constituent apparatus that constitutes the process control system 100 within a range of granted work authority.
    Type: Grant
    Filed: September 26, 2019
    Date of Patent: January 24, 2023
    Assignee: Yokogawa Electric Corporation
    Inventors: Hiroshi Mori, Nobuaki Ema
  • Patent number: 11563588
    Abstract: A path is secured from one node to another node of the computing environment. The one node obtains a first encryption key and a second encryption key. A shared key is obtained by the one node from a key server, and the shared key is used to encrypt a message. The encrypted message includes the first encryption key and the second encryption key. The encrypted message and an identifier of the shared key is sent from the one node to the other node, and a response message is received by the one node. The response message at least provides an indication that the other node received the encrypted message and obtained the shared key.
    Type: Grant
    Filed: May 10, 2021
    Date of Patent: January 24, 2023
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Patricia G. Driever, Roger G. Hathorn, Christopher Colonna, John Flanagan, George P. Kuch, Richard M. Sczepczenski, Glen Jaquette
  • Patent number: 11416473
    Abstract: Example embodiments facilitate creation of efficient tree structures (and strategic modification of and manipulation of existing tree structures), such that the resulting tree structures enable rapid computing operations, including, but not limited to, rapid relational set operations (e.g., joining trees, comparing tree structures, determining structural similarities of trees, adding tree nodes, removing or replacing tree nodes, accessing tree data, updating tree data, and so on). An example method relates to a method and/or system for creating and manipulating tree data structures (also simply called trees herein) as, for example, in relational databases. One embodiment uses compact bit-wise path encoding that stores structural data related to tree branches to which a current node belongs.
    Type: Grant
    Filed: March 3, 2020
    Date of Patent: August 16, 2022
    Assignee: Oracle International Corporation
    Inventor: Evgueni Perkov
  • Patent number: 11373172
    Abstract: Methods and systems are described for generating and accessing a digital wallet including a random data encryption key (DK) and locked with a wallet password. A method includes the following steps done by a hardware security module (HSM): generating a wallet password based on an identifier (ID) generated by a database server and a keyed-hash message authentication code (HMAC) key element generated by the HSM; generating the digital wallet including the DK; locking the digital wallet with the wallet password; transmitting the digital wallet to the database server without the wallet password; destroying the wallet password and the HMAC key; receiving a password request message including the ID and the encrypted HMAC key from the database server; regenerating the wallet password using the ID and the HMAC key; digitally signing and encrypting the regenerated wallet password; and transmitting the digitally signed and encrypted regenerated wallet password to the database server.
    Type: Grant
    Filed: January 3, 2019
    Date of Patent: June 28, 2022
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Phillip H. Griffin, Jeffrey J. Stapleton
  • Patent number: 11310036
    Abstract: Aspects of the invention include generation of a secure key exchange (SKE) authentication request by an initiator node of a computing environment. A non-limiting example computer-implemented method includes receiving an initialization response message at an initiator channel on an initiator node from a responder channel on a responder node to initiate a secure communication, the receiving at a local key manager (LKM) executing on the initiator node. A set of cryptographic keys is derived based on a security association payload of the initialization response message. A proposal list is built based on one or more security capabilities supported by the initiator channel. An authentication request message is built based at least in part on the set of cryptographic keys and the proposal list. The authentication request message is sent from the LKM to the initiator channel.
    Type: Grant
    Filed: February 26, 2020
    Date of Patent: April 19, 2022
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Richard Mark Sczepczenski, Mooheng Zee
  • Patent number: 11251944
    Abstract: According to an aspect, a first digital system splits a cryptography key into a first key part (S1) and a second key part (S2), stores S1 in a policy-controlled storage which permits storage according to access policies and stores S2 in a local storage of the first digital system. Upon identifying a requirement in a second digital system for the cryptography key, the first digital system configures for the policy-controlled storage a first policy permitting access of S1 to the second digital system and then sends S2 directly to the second digital system. The second digital system reconstructs the cryptography key by retrieving S1 from the policy-controlled storage based on the first policy and forming the cryptography key from the retrieved S1 and S2 received from the first digital system. Thus, a cryptography key is securely stored and used, without having any single point of attack.
    Type: Grant
    Filed: April 30, 2020
    Date of Patent: February 15, 2022
    Assignee: NUTANIX, INC.
    Inventors: Alex Bunch, Ashok Dwarakinath, Sunil Agrawal
  • Patent number: 11183282
    Abstract: An intelligent gateway device provided at a premise (home or business) for providing and managing application services associated with use and support of a plurality of digital endpoint devices associated with the premises. The device includes a communications and processing infrastructure integrated with a peer and presence messaging based communications protocol for enabling communications between the device and an external support network and between the device and connected digital endpoint devices. A services framework at the gateway device implements the communications and processing infrastructure for enabling service management, service configuration, and authentication of user of services at the intelligent gateway. The framework provides a storage and execution environment for supporting and executing received service logic modules relating to use, management, and support of the digital endpoint devices.
    Type: Grant
    Filed: June 1, 2020
    Date of Patent: November 23, 2021
    Assignee: KIP PROD PI LP
    Inventors: Amir Ansari, George A. Cowgill, Ramprakash Masina, Jude P. Ramayya, Alvin R. McQuarters, Atousa Raissyan, Leon E. Nicholls
  • Patent number: 11176160
    Abstract: An SQL interceptor inserted as a proxy between a database client and the corresponding database server intercepts a constrained application-generated SQL query and composes a new data request. Parameter values in the SQL query determine whether the new data request is sent to a database server or a web service provider. A reserved table name specified in the SQL query triggers a rewrite of the data request. Parameter values in the query are used to select among a plurality of executable modules to use for rewriting the data request. Special data encoding and formats need to be used based on the source of data that will receive and respond to the rewritten data request. For example, communication between a database client and server may use a vendor-specific, non-standard binary encoding, and XML and JSON response data must be reformatted as an SQL response for processing by the database client.
    Type: Grant
    Filed: July 29, 2019
    Date of Patent: November 16, 2021
    Assignee: SPIRENT COMMUNICATIONS, INC.
    Inventor: Marius Adamut
  • Patent number: 11166157
    Abstract: Generally described, the presently disclosed technology utilizes managed Wi-Fi networks pre-installed throughout an MDU property to provide user-specific passphrases that can be used to access the single-SSID wireless network at the property and to provide a cloud portal that can enable convenient access to the functionalities (both by the resident and the manager) provided by the Wi-Fi controller and the Wi-Fi access points. By doing so, the Wi-Fi network management solutions described herein allow the users to experience the benefits of a shared Wi-Fi infrastructure, such as not having to set up and maintain their own Wi-Fi routers, while also allowing them to easily change their Wi-Fi settings from their connected devices.
    Type: Grant
    Filed: June 12, 2020
    Date of Patent: November 2, 2021
    Assignee: Nomadix, Inc.
    Inventors: Vadim Olshansky, Gaurav Jain
  • Patent number: 11115334
    Abstract: An apparatus for reporting node congestion of a queue of an egress port and changing to a different queue is disclosed. The apparatus includes a network node that includes a controller. The controller is configured to determine a level of congestion of a designated queue of an egress port of the network node in a communication pathway between a sending host sending data packets to a receiving host in response to receiving a telemetry packet seeking telemetry data for packets being transmitted between the sending host and the receiving host. The designated queue is designated for queuing data packets for the egress port. The controller is configured to add the level of congestion to the telemetry packet in response to determining that the level of congestion indicates that the designated queue is congested and to transmit the telemetry packet to a next destination on the communication pathway.
    Type: Grant
    Filed: March 31, 2020
    Date of Patent: September 7, 2021
    Assignee: LENOVO Enterprise Solutions (Singapore) PTE. LTD.
    Inventors: Radu M. Iorga, Roberto H. Jacob Da Silva, Corneliu-Ilie Calciu
  • Patent number: 11075909
    Abstract: The authentication method of a block chain authentication module includes: receiving an authentication preparation request; configuring a channel and generating a channel key allocated to the channel; generating a block including an authentication comparison data, the block further including a block key allocated to the block; commonly transmitting the channel key and the block key, and dividing and transmitting the authentication comparison data; transmitting an authentication preparation completion message including the channel key and the block key; receiving an authentication request message including the channel key, the block key, and authentication target data; dividing and transmitting the authentication target data; receiving a result of comparing the divided and transmitted authentication comparison data with the divided and transmitted authentication target; and determining whether the authentication of the terminal succeeds.
    Type: Grant
    Filed: October 28, 2020
    Date of Patent: July 27, 2021
    Assignee: FNS Value Co., Ltd.
    Inventor: Seung Ju Jeon
  • Patent number: 11056173
    Abstract: A semiconductor memory device includes a memory core including a plurality of memory cells, an on-chip processor and a memory security controller. The on-chip processor performs on-chip data processing. The memory security controller decrypts encrypted data provided from the memory core or from a memory controller, provides the decrypted data to the on-chip processor, and encrypts result data from the on-chip processor to provide result-encrypted data to the memory core or the memory controller. Data processing efficiency may be enhanced without degradation of data security by decrypting the encrypted data in the semiconductor memory device to perform the on-chip data processing.
    Type: Grant
    Filed: September 21, 2018
    Date of Patent: July 6, 2021
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventor: Seong-Il O
  • Patent number: 10936559
    Abstract: A secondary index may be implemented for a distributed data set that is strongly consistent. Updates to a distributed data set that add or remove items from the distributed data set may be reflected in the secondary index as part of performing the update. Pointers to items to be added to a distributed data set may be included in the secondary index as part of processing an insertion request for the new items. Pointers to items removed from a distributed data set may be removed from the secondary index as part of processing a deletion request. Changes to the secondary index may be performed so that the secondary index does not fail to identify items that are present in the distributed data set.
    Type: Grant
    Filed: September 28, 2016
    Date of Patent: March 2, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Shawn Jones, Eric Samuel Stone, Benjamin Jeffery, Kunal Chopra, Mingzhe Zhu, Alexander Kulikov
  • Patent number: 10929832
    Abstract: A mobile payment system is described that facilitates efficient and secured payment transactions from an electronic wallet on a user portable electronic device with a merchant point of sale terminal over a communication link. In one aspect, a mobile device is configured for transaction operations from a plurality of mobile transaction accounts in an electronic wallet. The mobile device includes a plurality of transaction modules operable to process transaction operations with a respective mobile transaction account, each transaction module configured for transaction operations to be completed after an authentication process using a central authentication module coupled to the plurality of transaction modules, operable to verify a user input passcode and to respond to authentication requests from the plurality of transaction modules after the user input passcode is verified.
    Type: Grant
    Filed: September 6, 2011
    Date of Patent: February 23, 2021
    Assignee: Barclays Execution Services Limited
    Inventors: Loren Barton, Eric Crozier, Glenn Curtiss McMillen, David A. Crake, John Bauer, Garry R. Lloyd, Christine Ann Schuetz
  • Patent number: 10708058
    Abstract: An access point receives from a client a first nonce and a first cryptographic hash for the first nonce, the first cryptographic hash calculated using a first key derived from a second key, the second key input on the client or derived from a passphrase input on the client, derives first keys from each of a stored primary input and at least one stored secondary input valid at the deriving, the stored primary input and the at least one stored secondary input each being one of a second key and a passphrase, verifies the cryptographic hash using each derived first key to find a derived first key that checks the first cryptographic hash, generates a third key and a second cryptographic hash using the derived first key that checks the first cryptographic hash, and sends the third key and the second cryptographic hash to the client.
    Type: Grant
    Filed: October 31, 2017
    Date of Patent: July 7, 2020
    Assignee: INTERDIGITAL CE PATENT HOLDINGS, SAS
    Inventors: Nicolas Le Scouarnec, Christoph Neumann, Olivier Heen, Jean-Ronan Vigouroux
  • Patent number: 10623186
    Abstract: Multi-context authenticated encryption can be used to secure various data objects, where a data object may be transmitted and/or stored using various types of resources. One or more envelope keys can be used to encrypt the body data, and each envelope key can be encrypted with a master key. The envelope keys are also encrypted using at least a subset of context information available for the data object, as may correspond to one or more of the resource types. The encrypted data object can include at least one header, as well as the encrypted body data and the encrypted envelope key(s). In order to decrypt the data object, a data consumer would need the master key as well as at least a relevant subset of the context data.
    Type: Grant
    Filed: November 10, 2017
    Date of Patent: April 14, 2020
    Assignee: Amazon Technologies, Inc.
    Inventor: Nima Sharifi Mehr
  • Patent number: 10567347
    Abstract: A novel method of providing virtual private access to a software defined data center (SDDC) is provided. The SDDC uses distributed VPN tunneling to allow external access to application services hosted in the SDDC. The SDDC includes host machines for providing computing and networking resources and a VPN gateway for providing external access to those resources. The host machines that host the VMs running the applications that VPN clients are interested in connecting to perform the VPN encryption and decryption. The VPN gateway does not perform any encryption and decryption operations. The packet structure is such that the VPN gateway can read the IP address of the VM without decrypting the packet.
    Type: Grant
    Filed: April 27, 2016
    Date of Patent: February 18, 2020
    Assignee: NICIRA, INC.
    Inventors: Sandesh Sawant, Amit Chopra, Vinayak Shashikant Naik, Jayant Jain, Anirban Sengupta, Uday Masurekar
  • Patent number: 10540504
    Abstract: Techniques for performing data encryption on data to be stored within a storage system are provided. A client application executing on a host machine may generate a data storage write request to write data to a storage system. A host-side module, executing on the host machine receives the write request. The host-side module is configured to generate one or more fingerprints for the data corresponding to the write request, where the one or more fingerprints are unique identifiers used to identify data blocks that make up the data. The host-side module generates encrypted data by encrypting the data blocks using an encryption technique. The encrypted data is then sent to a storage node within the storage system. Deduplication may be performed on the encrypted data using the one or more generated fingerprints.
    Type: Grant
    Filed: February 27, 2017
    Date of Patent: January 21, 2020
    Assignee: Datrium, Inc.
    Inventors: Windsor Hsu, Surendar Chandra, R. Hugo Patterson
  • Patent number: 10419404
    Abstract: A new efficient framework based on a Constant-size Ciphertext Policy Comparative Attribute-Based Encryption (CCP-CABE) approach. CCP-CABE assists lightweight mobile devices and storing privacy-sensitive data into cloud-based storage by offloading major cryptography-computation overhead into the cloud without exposing data content to the cloud. CCP-CABE extends existing attribute-based data access control solutions by incorporating comparable attributes to incorporate more flexible security access control policies. CCP-CABE generates constant-size ciphertext regardless of the number of involved attributes, which is suitable for mobile devices considering their limited communication and storage capacities.
    Type: Grant
    Filed: June 8, 2017
    Date of Patent: September 17, 2019
    Assignee: Arizona Board of Regents on Behalf of Arizona State University
    Inventors: Dijiang Huang, Zhijie Wang
  • Patent number: 10397205
    Abstract: A method and system for recording data including content in a recording medium on a computer apparatus. First encrypted data, obtained by encrypting the data using a medium key created for each recording medium, is recorded in a recording medium. Second encrypted data, obtained by encrypting the medium key using a public key, is recorded in the recording medium. A private key corresponding to the public key is not recorded in the recording medium.
    Type: Grant
    Filed: September 12, 2017
    Date of Patent: August 27, 2019
    Assignee: International Business Machines Corporation
    Inventors: Norihisa Hoshino, Kohichi Kamijoh, Takahiro Kashiuchi, Naoko Miyamoto, Maho Takara, Naohiko Uramoto, Katsushi Yamashita
  • Patent number: 10397204
    Abstract: A method and system for recording data including content in a recording medium on a computer apparatus. First encrypted data, obtained by encrypting the data using a medium key created for each recording medium, is recorded in a recording medium. Second encrypted data, obtained by encrypting the medium key using a public key, is recorded in the recording medium. A private key corresponding to the public key is not recorded in the recording medium.
    Type: Grant
    Filed: September 12, 2017
    Date of Patent: August 27, 2019
    Assignee: International Business Machines Corporation
    Inventors: Norihisa Hoshino, Kohichi Kamijoh, Takahiro Kashiuchi, Naoko Miyamoto, Maho Takara, Naohiko Uramoto, Katsushi Yamashita
  • Patent number: 10262141
    Abstract: A computing device includes a secure storage hardware to store a secret value and processing hardware comprising at least one of a cache or a memory. During a secure boot process the processing hardware loads untrusted data into at least one of the cache or the memory of the processing hardware, the untrusted data comprising an encrypted data segment and a validator, retrieves the secret value from the secure storage hardware, derives an initial key based at least in part on an identifier associated with the encrypted data segment and the secret value, verifies, using the validator, whether the encrypted data segment has been modified, and decrypts the encrypted data segment using a first decryption key derived from the initial key to produce a decrypted data segment responsive to verifying that the encrypted data segment has not been modified.
    Type: Grant
    Filed: December 30, 2016
    Date of Patent: April 16, 2019
    Assignee: Cryptography Research, Inc.
    Inventors: Paul C. Kocher, Pankaj Rohatgi, Joshua M. Jaffe
  • Patent number: 10242177
    Abstract: A system for wireless memory device authentication is provided, wherein a communications device receives a certified public key from a wireless memory device. The communications device validates the public key and sends a challenge to the wireless memory device. The wireless memory device sends a signature to the communications device and the communications device validates the signature in order to authenticate the wireless memory device.
    Type: Grant
    Filed: September 18, 2017
    Date of Patent: March 26, 2019
    Assignee: NOKIA TECHNOLOGIES OY
    Inventors: Jan-Erik Ekberg, Harald Kaaja
  • Patent number: 10225089
    Abstract: Systems and techniques are provided for per-device authentication. A hardware serial number associated with a hardware component of a computing device may be received. The hardware serial number may be converted to a hardware key check. A hardware key associated with a certificate from the computing device may be received. The hardware key may be compared to the hardware key check to obtain a verification of the certificate. The certificate may be verified when the hardware key check matches the hardware key and the certificate may not be verified when the hardware key check does not match the hardware key. A signature associated with the certificate may be verified. Access to the data processing apparatus by the computing device may be permitted when the certificate is verified and the signature is determined to be authentic.
    Type: Grant
    Filed: March 16, 2018
    Date of Patent: March 5, 2019
    Assignee: Google LLC
    Inventors: Keun young Park, Rakesh Narayan Iyer, Nicholas Julian Pelly
  • Patent number: 10146703
    Abstract: Techniques for providing encryption of individual data objects in a data storage system include realizing data objects in the form of container files stored in a set of file systems, and encrypting individual ones of the data objects by encrypting the container files realizing the data objects using encryption keys associated with the individual data objects. By independently encrypting the container files that realize individual data objects, the disclosed system provides per-data object encryption. Each data object may be encrypted differently, e.g. using a different encryption key, even when multiple data objects are hosted over the same storage device or over a shared set of storage devices.
    Type: Grant
    Filed: December 30, 2015
    Date of Patent: December 4, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Jean-Pierre Bono, Frederic Corniquet, William Davenport, Philippe Armangau, Walter Forrester
  • Patent number: 10126972
    Abstract: Techniques for performing de-duplication for data blocks in a computer storage environment. At least one chunking/hashing unit receives input data from a source and processes it to output data blocks and content addresses for them. In one aspect, the chunking/hashing unit outputs all blocks without checking to see whether any is a duplicate of a block previously stored on the storage environment. In another aspect, each data block is processed by one of a plurality of distributed object addressable storage (OAS) devices that each is selected to process data blocks having content addresses with a particular range. The OAS devices determine whether each received data block is a duplicate of another previously stored on the computer storage environment, and when it is not, store the data block.
    Type: Grant
    Filed: May 23, 2013
    Date of Patent: November 13, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Michael W. Healey, J. Michael Dunbar, Avinash Kallat, Michael Craig Fishman
  • Patent number: 10068109
    Abstract: An apparatus for performing secure operations with a dedicated secure processor is described in one embodiment. The apparatus includes security firmware defining secure operations, a processor configured to execute the security firmware and perform a set of operations limited to the secure operations, and a plurality of secure hardware registers, accessible by the processor and configured to receive instructions to perform the secure operations. An apparatus for performing secure operations with a plurality of security assist hardware circuits is described in another embodiment. The apparatus comprises one or more secure hardware registers configured to receive a command to perform secure operations and one or more security assist hardware circuits configured to perform discrete secure operations using one or more secret data objects.
    Type: Grant
    Filed: December 1, 2017
    Date of Patent: September 4, 2018
    Assignee: Micron Technology, Inc.
    Inventors: Kenny T. Coker, David A. Pohm, Stephen P. Van Aken, Michael B. Danielson
  • Patent number: 10025921
    Abstract: Aspects of an embodiment of the present invention include an approach for changing a password, wherein a processor identifies a resource protected by a password. A processor discovers at least one information source containing information relevant to a process for changing the password of the resource. A processor constructs a set of procedures to change the password using the information relevant to the process for changing the password. A processor alters the password of the resource according to the constructed set of procedures.
    Type: Grant
    Filed: September 28, 2017
    Date of Patent: July 17, 2018
    Assignee: International Business Machines Corporation
    Inventors: Hisham E. Elshishiny, Mohamed S. Salem, Shady S. M. Samaan, Amr F. Yassin
  • Patent number: 10013364
    Abstract: One embodiment is directed to a technique which secures data on a set of storage drives of a data storage system. The technique involves encrypting data from a first tenant using a first tenant key to form first tenant encrypted data and storing the first tenant encrypted data on the set of storage drives. The technique further involves encrypting data from a second tenant using a second tenant key to form second tenant encrypted data and storing the second tenant encrypted data on the set of storage drives, the first tenant being different from the second tenant, and the first tenant key and the second tenant key being per tenant keys which are different from each other. The technique further involves destroying the first tenant key to prevent the first tenant encrypted data stored on the set of storage drives from being decrypted while maintaining the second tenant key to enable decryption of the second tenant encrypted data stored on the set of storage drives.
    Type: Grant
    Filed: June 26, 2015
    Date of Patent: July 3, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Walter O'Brien, Gregory W. Lazar, Thomas Dibb
  • Patent number: 10013558
    Abstract: A method for securely updating at least one software application on a target system includes providing a removable computer readable medium containing an installation package that is encrypted using at least one private encryption key, which is resident in an administrator access area of the target system. The removable medium is connected or inserted into the target system. An update mechanism is launched by an operator level user on the target machine. The update mechanism's privileges are elevated to an administrator level by a privilege configuration utility associated with the operating system of the target system. The update mechanism determines if the removable medium contains an expected file and if so, attempts to decrypt the encrypted file on the removable medium using the private encryption key from the target system. If the decryption is successful, the installation package on the removable medium is installed on the target system.
    Type: Grant
    Filed: December 17, 2015
    Date of Patent: July 3, 2018
    Assignee: Lockheed Martin Corporation
    Inventors: Mark R. Belfield, Joseph M. Calcagnino, Lawrence J. Derdzinski
  • Patent number: 10007809
    Abstract: One embodiment provides a document management system comprising a storage system to store one or more encrypted documents, at least a first portion of a first encrypted document encrypted using a first encryption key, and an encryption key manager to manage a set of encryption keys for the documents on the storage system, the encryption key manager further to discard the first encryption key to provide secure removal of the portion of the encrypted document.
    Type: Grant
    Filed: August 26, 2015
    Date of Patent: June 26, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Frederick Douglis, Radia Perlman, Philip Shilane, Grant Wallace
  • Patent number: 9973482
    Abstract: A method and system for recording data including content in a recording medium on a computer apparatus. First encrypted data, obtained by encrypting the data using a medium key created for each recording medium, is recorded in a recording medium. Second encrypted data, obtained by encrypting the medium key using a public key, is recorded in the recording medium. A private key corresponding to the public key is not recorded in the recording medium.
    Type: Grant
    Filed: October 23, 2015
    Date of Patent: May 15, 2018
    Assignee: International Business Machines Corporation
    Inventors: Norihisa Hoshino, Kohichi Kamijoh, Takahiro Kashiuchi, Naoko Miyamoto, Maho Takara, Naohiko Uramoto, Katsushi Yamashita
  • Patent number: 9961076
    Abstract: A system includes an orchestration server including a processor, the orchestration server to receive authentication factors. A rules engine connects with the orchestration server, the orchestration server to send the authentication factors to the rules engine and to request a decision on authentication from the rules engine. The rules engine is to send the decision on authentication to the orchestration server based on the received authentication factors and a rules set.
    Type: Grant
    Filed: May 11, 2015
    Date of Patent: May 1, 2018
    Assignee: GENESYS TELECOMMUNICATIONS LABORATORIES, INC.
    Inventors: Daniel Stoops, James Kraeulter, Cliff Bell
  • Patent number: 9940463
    Abstract: A method for device authentication comprises receiving, by processing hardware of a first device, a message from a second device to authenticate the first device. The processing hardware retrieves a secret value from secure storage hardware operatively coupled to the processing hardware. The processing hardware derives a validator from the secret value using a path through a key tree, wherein the path is based on the message, wherein deriving the validator using the path through the key tree comprises computing a plurality of successive intermediate keys starting with a value based on the secret value and leading to the validator, wherein each successive intermediate key is derived based on at least a portion of the message and a prior key. The first device then sends the validator to the second device.
    Type: Grant
    Filed: August 30, 2017
    Date of Patent: April 10, 2018
    Assignee: Cryptography Research, Inc.
    Inventors: Paul Kocher, Pankaj Rohatgi, Joshua M. Jaffe
  • Patent number: 9779268
    Abstract: Utilizing a non-repeating identifier to encrypt data, including: receiving a request to write data to a storage device; selecting a segment-offset pair where the data will be stored, where the selected segment-offset pair is unique to every other segment-offset pair utilized during the lifetime of the storage device; and encrypting the data in dependence upon an identifier of the segment-offset pair.
    Type: Grant
    Filed: June 3, 2015
    Date of Patent: October 3, 2017
    Assignee: Pure Storage, Inc.
    Inventors: John Colgrove, Mark L. McAuliffe, Ethan L. Miller, Naveen Neelakantam, Marco Sanvido, Neil A. Vachharajani, Taher Vohra
  • Patent number: 9735968
    Abstract: Techniques for a trust service for a client device are described. In various implementations, a trust service is implemented remotely from a client device and provides various trust-related functions to the client device. According to various implementations, communication between a client device and a remote trust service is authenticated by a client identifier (ID) that is maintained by both the client device and the remote trust service. In at least some implementations, the client ID is stored on a location of the client device that is protected from access by (e.g., is inaccessible to) device components such as an operating system, applications, and so forth. Thus, the client ID may be utilized to generate signatures to authenticate communications between the client device and the remote trust service.
    Type: Grant
    Filed: October 20, 2014
    Date of Patent: August 15, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Stefan Thom, Ronald Aigner, Dennis J. Mattoon, Stuart H. Schaefer, Merzin Kapadia, Robert Karl Spiger, David R. Wooten, Paul England
  • Patent number: 9602283
    Abstract: The present invention addresses encryption systems and methods in the de-duplication of data in a multi-tenant environment. The system provides isolation between tenants' stored data and the storage system. Tenant keys are assigned to tenants. The storage system stores raw data objects backed up for the tenants and fingerprints, corresponding to the data objects, in a single use key encrypted format. Fingerprints are wrapped with a storage system key held by the storage system. A request is received to retrieve data backed up for a tenant. The request includes fingerprints corresponding to the data objects to retrieve, and a tenant key, the fingerprints being in the single use key encrypted format and wrapped with the tenant key. The received fingerprints are unwrapped using the tenant key to retrieve data objects corresponding to the received fingerprints. The data objects are transmitted to the tenant and the tenant key is removed.
    Type: Grant
    Filed: June 20, 2016
    Date of Patent: March 21, 2017
    Assignee: EMC IP Holding Company LLC
    Inventors: Surendar Chandra, Darren Sawyer
  • Patent number: 9576133
    Abstract: A device includes storage hardware to store a secret value and processing hardware coupled to the storage hardware. The processing hardware is to receive an encrypted data segment with a validator and derive a decryption key using the secret value and a plurality of entropy distribution operations. The processing hardware is further to verify, using the received validator, that the encrypted data segment has not been modified. The processing hardware is further to decrypt the encrypted data segment using the decryption key to produce a decrypted data segment responsive to verifying that the encrypted data segment has not been modified.
    Type: Grant
    Filed: June 11, 2015
    Date of Patent: February 21, 2017
    Assignee: Cryptography Research, Inc.
    Inventors: Paul C. Kocher, Pankaj Rohatgi, Joshua M. Jaffe
  • Patent number: 9569623
    Abstract: A computing device includes a secure storage hardware to store a secret value and processing hardware comprising at least one of a cache or a memory. During a secure boot process the processing hardware loads untrusted data into at least one of the cache or the memory of the processing hardware, the untrusted data comprising an encrypted data segment and a validator, retrieves the secret value from the secure storage hardware, derives an initial key based at least in part on an identifier associated with the encrypted data segment and the secret value, verifies, using the validator, whether the encrypted data segment has been modified, and decrypts the encrypted data segment using a first decryption key derived from the initial key to produce a decrypted data segment responsive to verifying that the encrypted data segment has not been modified.
    Type: Grant
    Filed: February 9, 2015
    Date of Patent: February 14, 2017
    Assignee: Cryptography Research, Inc.
    Inventors: Paul C. Kocher, Pankaj Rohatgi, Joshua M. Jaffe
  • Patent number: 9544142
    Abstract: A method for transmitting digital data to a recipient via a communications network includes providing digital data and digitally signing the digital data using N cryptographic keys. Each of the N cryptographic keys is associated with a same sender of the digital data, and N>1. The recipient receives the digital data and verifies the digital signature using N cryptographic keys associated with the N cryptographic keys used to sign the digital data. In dependence upon verifying the digital signature, the recipient accepts the digital data as being authentic.
    Type: Grant
    Filed: March 23, 2015
    Date of Patent: January 10, 2017
    Assignee: Kingston Digital, Inc.
    Inventor: Scott Newman Ashdown
  • Patent number: 9465955
    Abstract: A system includes an application access manager driver and an operating system (OS) kernel module in a kernel-mode address space of an OS. The system also includes application modules, a public application whitelist, a public application whitelist manager, a user/group application whitelist, and a user/group application whitelist manager in a user-mode address space of the OS. A method includes receiving a request to launch an application, calling a “create process” function in the OS kernel module, calling a pre-registered “create process” callback function to the application access manager driver, and determining whether the application is allowed to execute based on whether the application access manager driver identifies the application as an allowable process in either the public application whitelist or the user/group application whitelist.
    Type: Grant
    Filed: July 16, 2014
    Date of Patent: October 11, 2016
    Assignee: HOPTO INC.
    Inventor: William Tidd
  • Patent number: 9450749
    Abstract: A one-time-pad encryption system where encrypted one-time-pad keys can be distributed to users on physical media or on a computer network from a central server. Each one-time-pad key has a key identification number that facilitates key management. Each encrypted data set includes a header specifying an offset within the one-time-pad key for commencement of decryption so that messages can be decrypted in any order. Before encryption begins, the length of remaining unused key is compared to the length of the data set to be encrypted. Encryption control buttons are added to a word processor and other programs as an addition to the user interface.
    Type: Grant
    Filed: June 15, 2013
    Date of Patent: September 20, 2016
    Inventor: Wolfgang S. Hammersmith