Public Key Patents (Class 380/30)
  • Patent number: 11558381
    Abstract: Provided is a process that affords out-of-band authentication based on a secure channel to a trusted execution environment on a client device. The authentication process includes one or more authentication steps in addition to verifying any credentials provided by a client device. A notification may be transmitted by a server to a device other than the client device attempting to access the asset. That device may be a mobile device with a trusted execution environment storing user credential information, and the server may store representations of those credentials. The mobile device collects user input credentials and transmits representations for matching the previously stored representations and signed data for verification by the server that received data originated from the mobile device. The access attempt by the client is granted based in part on the result of authenticating the data received from the mobile device in a response to the notification.
    Type: Grant
    Filed: June 10, 2021
    Date of Patent: January 17, 2023
    Assignee: HYPR Corp.
    Inventors: George Avetisov, Bojan Simic, Roman Kadinsky
  • Patent number: 11558172
    Abstract: An encryption method and apparatus based on homomorphic encryption using a composition of functions. The encryption method includes generating a ciphertext by encrypting data, and bootstrapping the ciphertext by performing a modular reduction based on a composition of a function for a modulus corresponding to the ciphertext.
    Type: Grant
    Filed: April 21, 2021
    Date of Patent: January 17, 2023
    Assignees: SAMSUNG ELECTRONICS CO., LTD., SNU R&DB FOUNDATION, Industry-Academic Cooperation Foundation Chosun University
    Inventors: Jong Seon No, Yong Woo Lee, Eunsang Lee, Joon Woo Lee, Young Sik Kim
  • Patent number: 11552795
    Abstract: Generating a private key recovery seed based on random words extracted from an input memory of a user and using the recovery seed to recover the private key. An input that is related to a specific memory of a user is received. The specific memory was previously entered and used to generate random words that are related to each other by being included in the specific memory. The random words are extracted from the received input. The random words are associated with a first private key recovery mechanism for recovering a private key. The random words are input into the first private key recovery mechanism to generate a recovery seed. The recovery seed is input into a second private key recovery mechanism. The second private key recovery mechanism generates a recovered private key upon performing a recovery operation on the private key recovery seed.
    Type: Grant
    Filed: May 31, 2018
    Date of Patent: January 10, 2023
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Ankur Patel, Daniel James Buchner
  • Patent number: 11552797
    Abstract: Systems and methods for threshold authenticated encryption are provided. A collection of cryptographic devices may encrypt or decrypt a message, provided that a threshold number of those devices participate in the encryption process. One cryptographic device may generate a commitment message and transmit it to the other selected devices. Those devices may each perform a partial computation using the commitment message, and transmit the partial computations back to the encrypting or decrypting device. The encrypting or decrypting device may use those partial computations to produce a cryptographic key, which may then be used to encrypt or decrypt the message.
    Type: Grant
    Filed: October 30, 2017
    Date of Patent: January 10, 2023
    Assignee: VISA INTERNATIONAL SERVICE ASSOCIATION
    Inventors: Payman Mohassel, Pratyay Mukherjee, Shashank Agrawal, Eric Le Saint
  • Patent number: 11546161
    Abstract: A hardware accelerator for accelerating the zero knowledge succinct non-interactive argument of knowledge (zk-SNARK) protocol by reducing the computation time of the cryptographic verification is disclosed. The accelerator includes a zk-SNARK engine having one or more processing units running in parallel. The processing unit can include one or more multiply-accumulate operation (MAC) units, one or more fast Fourier transform (FFT) units; and one or more elliptic curve processor (ECP) units. The one or more ECP units are configured to reduce a bit-length of a scalar d_i in an ECP algorithm used for generating a proof, thereby the cryptographic verification requires less computation power.
    Type: Grant
    Filed: February 21, 2020
    Date of Patent: January 3, 2023
    Assignee: Hong Kong Applied Science and Technology Research Institute Company Limited
    Inventors: Chi Wai Ng, Wei Lun Alan Cheung
  • Patent number: 11539504
    Abstract: A homomorphic operation accelerator includes a plurality of circuits and a homomorphic operation managing circuit. The plurality of circuits may perform homomorphic operations. The homomorphic operation managing circuit may receive cipher text data, homomorphic encryption information and homomorphic operation information from an external device. The homomorphic operation managing circuit may activate or deactivate each of a plurality of enable signals applied to the plurality of circuits based on the homomorphic encryption information and the homomorphic operation information. The homomorphic operation managing circuit may activate or deactivate each of the plurality of circuits based on the plurality of enable signals. The homomorphic encryption information may be associated with a homomorphic encryption algorithm used to generate the cipher text data. The homomorphic operation information may be associated with the homomorphic operations to be performed on the cipher text data.
    Type: Grant
    Filed: June 2, 2021
    Date of Patent: December 27, 2022
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Hanbyeul Na, Sumin Kim, Hongrak Son, Junho Shin
  • Patent number: 11538036
    Abstract: Transaction ID information corresponding to proof certificate-verifying transaction information is transmitted to a block chain retention server if a request for proof certificate information is sensed, when the proof certificate-verifying transaction information generated by using the proof certificate information, to be provided to a customer, is recorded in a block chain retention server and the transaction ID information is managed. The proof certificate-verifying transaction information corresponding to the transaction ID information is acquired from the block chain retention server. A proof certificate index hash value used for comparison, acquired from the proof certificate information to be provided to a customer and corresponding to a request, is compared with a proof certificate-verifying index hash value acquired from the proof certificate verifying-transaction information.
    Type: Grant
    Filed: December 18, 2017
    Date of Patent: December 27, 2022
    Assignee: COINPLUG, INC.
    Inventors: Joon Sun Uhr, Jay Wu Hong, Joo Han Song
  • Patent number: 11526906
    Abstract: An automated system configured for streamed contents, to be self-aware in preventing fraudulent tactics, during real-time and offline usages, while communicating with its owner for accurate decision making, comprising: a content player module, and a content streaming service module; configured using a codec module to embed logic, encryptions, heuristics data, associated meta data, and management data into the content format; configured to use symmetric encryption keys, public keys, biometrics, and payload data; configured to authenticate the user and content owner; configured to request, receive, send, stream content, and analytics through a secure communication; configured to provide secure virtual communications between users and content owners; configured to use a call-home data, to enable the content and content owner to communicate and update one another securely; configured to provide real-time, and offline, fraud prevention heuristics using artificial intelligence.
    Type: Grant
    Filed: April 12, 2021
    Date of Patent: December 13, 2022
    Inventor: Razmun Gouneili
  • Patent number: 11526631
    Abstract: This application claims the benefit of Belgian Application No. BE2016/5964 filed 22 Dec. 2016, Belgian Application No. BE2016/5965 filed 22 Dec. 2016, Belgian Application No. BE2016/5966 filed 22 Dec. 2016, PCT/IB2017/056624 filed 25 Oct. 2017 and PCT/EP2017/082803 filed Dec. 14, 2017, International Publication No. WO 2018/114587 A1, which are hereby incorporated by reference in their entirety as if fully set forth herein.
    Type: Grant
    Filed: December 14, 2017
    Date of Patent: December 13, 2022
    Assignee: ITEXT GROUP NV
    Inventor: Bruno Lowagie
  • Patent number: 11509478
    Abstract: Embodiments disclosed herein are directed to methods and systems of password-based threshold authentication, which distributes the role of an authentication server among multiple servers. Any t servers can collectively verify passwords and generate authentication tokens, while no t-1 servers can forge a valid token or mount offline dictionary attacks.
    Type: Grant
    Filed: October 15, 2018
    Date of Patent: November 22, 2022
    Assignee: Visa International Service Association
    Inventors: Payman Mohassel, Shashank Agrawal, Pratyay Mukherjee, Peihan Miao
  • Patent number: 11509471
    Abstract: Techniques for determining whether a public encryption key is vulnerable as the result of deficiencies in pseudorandom number generation algorithms are provided. In some embodiments, a system may compile a database of cryptographic information received from a plurality of sources, including databases, and network traffic monitoring tools. RSA public keys extracted from the cryptographic information may be stored in an organized database in association with corresponding metadata. The system may construct a product tree from all unique collected RSA keys, and may then construct a remainder tree from the product tree, wherein each output remainder may be determined to be a greatest common divisor of one of the RSA keys against all other unique RSA keys in the database. The system may then use the greatest common divisors to factor one or more of the RSA keys and to determine that the factored keys are vulnerable to being compromised.
    Type: Grant
    Filed: November 25, 2020
    Date of Patent: November 22, 2022
    Assignee: NOBLIS, INC.
    Inventor: Samuel S. Gross
  • Patent number: 11503076
    Abstract: Systems and methods are described for orchestrating a security object, including, for example, defining and storing a plurality of policies in a database coupled to a policy engine and receiving, by the policy engine, the security object and at least one object attribute associated with the security object. In addition, the policy engine determines the acceptability of the security object based, at least in part, on the at least one object attribute and at least one of the plurality of policies corresponding to the at least one object attribute. The security object is distributed to at least one communication device associated with the policy engine when the security object is determined to be acceptable. The at least one communication device establishes communication based, at least in part, on the security object.
    Type: Grant
    Filed: July 20, 2020
    Date of Patent: November 15, 2022
    Assignee: Fornetix LLC
    Inventors: Charles White, Joseph Brand, Stephen Edwards
  • Patent number: 11494574
    Abstract: A device implementing a system for authenticating an identity document includes at least one processor configured to receive, from a service provider, a request associated with verifying an integrity of an identity document, and capture, responsive to receiving the request, image data of the identity document. The at least one processor is further configured to generate a representation based on the image data, the representation comprising form factor data of the identity document, and compare the representation with a prior representation of the identity document, the prior representation comprising prior form factor data of the identity document. The at least one processor is further configured to provide, to the service provider, a response to the request based on comparing the representation with the prior representation.
    Type: Grant
    Filed: February 28, 2020
    Date of Patent: November 8, 2022
    Assignee: Apple Inc.
    Inventors: Mathieu Ciet, Bruno Benteo, Michael Mouchous, Augustin J. Farrugia
  • Patent number: 11496295
    Abstract: Provided is a non-transitory computer readable medium. The non-transitory computer readable medium stores program code that, when executed by a processor, causes the processor to calculate a message, based on a first cipher text, a second cipher text, and a private key, to compare a coefficient of the message with a reference value based on a prime number, to decide a coefficient of a modified message, based on a comparison result between the coefficient of the message and the reference value, and to decrypt the modified message.
    Type: Grant
    Filed: August 11, 2020
    Date of Patent: November 8, 2022
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Jeehyoung Lee
  • Patent number: 11481766
    Abstract: A method for payment authorization (10) on mobile devices (DM) such as smartphones, tablets or any others available, which may be offline; the method for payment authorization (10) comprises the compilation of sequential steps of method (M1) of the payer (20) with method (M2) of the operational system (50) or application that constitutes a logical structure for alignment with the method (M3) of the payee (30), resulting in authenticated payment (PG) of financial transactions (TF) with assurance of “non-repudiation” through generation of a private key (51) and public key (52), as well as association of positive identification (21a) and personal identification (21b) of the payer (PG) with the mobile device (DM); said methods (M1), (M2) and (M3) are executed on mobile devices (DM) with enough processing capacity for execution of encryption algorithms and which may be used for issuing payment orders (PG), on-site or otherwise, carried out with financial resources (RF) or credit limits (LC) such as bonuses, point
    Type: Grant
    Filed: October 3, 2016
    Date of Patent: October 25, 2022
    Assignee: MATERA SYSTEMS, INC.
    Inventors: Carlos Augusto Leite Netto, Carlos André Branco Guimarães
  • Patent number: 11461551
    Abstract: A method may include generating word string vectors for word strings in a document, obtaining encrypted word string vectors by encrypting the word string vectors, generating a search vector for a search query, obtaining an encrypted search vector by encrypting the search vector, calculating encrypted distances between the encrypted word string vectors and the encrypted search vector, obtaining a decrypted distance by decrypting an encrypted distance, and using the decrypted distance, determining a semantic match between the search query and the document.
    Type: Grant
    Filed: October 23, 2019
    Date of Patent: October 4, 2022
    Assignee: Private AI Inc.
    Inventors: Patricia Araujo Thaine, Gerald B. Penn
  • Patent number: 11444788
    Abstract: A method or system for authentication and access control for network device management is disclosed. The method or system may include establishing a communication channel between a user device and a network device and receiving, by the network device, a public-key certificate including a specified identity of the user device. The method or system may include determining whether the public-key certificate is valid against a root certificate stored in the network device, and determining an actual identity of the user device. The method or system may include indicating that the user device is authentic and authorized when the received public-key is valid against the root certificate and when the actual identity of the user device matches the specified identity in the public-key certificate.
    Type: Grant
    Filed: April 13, 2020
    Date of Patent: September 13, 2022
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Warren Hojilla Uy, Young R. Choi, Manuel Enrique Caceres, Emilia C. Quijano
  • Patent number: 11436593
    Abstract: A method of recordation request of a compound transaction to a blockchain distributed network, comprising steps of: the first node constituting the distribution network signing a compound transaction in which a plurality of sources of assets exist by a secret key of the node, when there is a remaining source by which the compound transaction needs to be signed, the first node transmitting the compound transaction to a second node constituting the distributed network, and when there is no remaining source by which the compound transaction needs to be signed, the first node transmitting the compound transaction to a third node constituting the distributed network to request recordation to the distributed network.
    Type: Grant
    Filed: March 30, 2017
    Date of Patent: September 6, 2022
    Assignee: BITFLYER BLOCKCHAIN, INC.
    Inventors: Yuzo Kano, Takafumi Komiyama
  • Patent number: 11424907
    Abstract: Embodiments are directed to countermeasures for side-channel attacks on protected sign and key exchange operations. An embodiment of storage mediums includes instructions for commencing a process including an elliptic curve scalar multiplication (ESM) operation including application of a secret scalar value; splitting the secret scalar value into two random scalar values; counting a number of leading ‘0’ bits in the scalar value and skipping the number of leading ‘0’ bits in processing; performing an ESM iteration for each bit of the secret scalar value beginning with a most significant ‘1’ bit of the scalar value including a Point Addition operation and a Point Double operation for each bit on randomized points; performing ESM operation dummy iterations equal to the number of leading ‘0’ bits; and returning an output result for the ESM operation.
    Type: Grant
    Filed: June 24, 2020
    Date of Patent: August 23, 2022
    Assignee: Intel Corporation
    Inventors: Santosh Ghosh, Andrew H. Reinders, Joseph Friel, Avinash Laxmisha Varna, Manoj Sastry
  • Patent number: 11423400
    Abstract: A virtual payment system for paying for goods, services and content ordered over an internetwork is disclosed. The virtual payment system includes a commerce gateway. Buyers and sellers become registered participants by applying for virtual payment buyer and seller accounts. Once an account is established with the commerce gateway, a digital certificate is stored on the registered participant's computer. A buyer can then order a product, i.e., goods, services or content from a seller and charge it to the virtual payment account. When the product is shipped, the seller notifies the commerce gateway, which applies the charges to the buyer's virtual payment account. The buyer can settle the charges using a prepaid account, a credit account, or by using reward points earned through use of the virtual payment account. A buyer may create sub-accounts.
    Type: Grant
    Filed: January 8, 2018
    Date of Patent: August 23, 2022
    Assignee: STRIPE, INC.
    Inventors: Robin B. Hutchison, Robert J. Llewellyn, Andre F. Viljoen, David Griffiths, Jr., David Birch, Iain M. Begg
  • Patent number: 11418315
    Abstract: Embodiments of a method and/or system of transmitting and/or receiving data is disclosed.
    Type: Grant
    Filed: May 30, 2019
    Date of Patent: August 16, 2022
    Assignee: Robert T. and Virginia T. Jenkins
    Inventor: Jack J. LeTourneau
  • Patent number: 11410752
    Abstract: A system, software application and method that allows a customer to protect their proprietary database of compounds and substances while utilizing a retrosynthesis software application is disclosed. The customer's proprietary database is encrypted prior to being provided to the retrosynthesis system. This encryption is performed using a hash and optionally a salt. The retrosynthesis algorithm then creates synthons as is traditionally done. However, after their creation, the synthons are hashed so that they may be compared to the entries in the customer's proprietary database. In this way, the actual contents of the customer's database are never made available to the retrosynthesis system or software application.
    Type: Grant
    Filed: July 30, 2019
    Date of Patent: August 9, 2022
    Assignees: EMD Millipore Corporation, Sigma-Aldrich Co., LLC
    Inventors: Sarah Trice, Tim Knehans, Maciej Wojcikowski
  • Patent number: 11411746
    Abstract: Systems, methods, and storage media, for enforcing transaction permissions delegation in a computing environment are disclosed. Exemplary implementations may: receive a permissions request, from a requesting computing system for a permissions certificate; transmit a login request to a user computing system associated with a user; receive an acceptance from the user in response to the login request; generate a permissions certificate data structure in response to the acceptance; and return the permissions certificate to the requesting computing system whereby the requesting computing system will be permitted to accomplish the transaction with a transacting party in place of the issuer computing system based on possession of the permissions certificate paired with a cryptographic signature based on a private cryptographic key associated with the requesting computing system.
    Type: Grant
    Filed: May 24, 2019
    Date of Patent: August 9, 2022
    Assignee: Centrality Investments Limited
    Inventor: Wilfred James Alexander Godfrey
  • Patent number: 11405375
    Abstract: A computer implemented method, device and computer program device are provided including one or more processors and an input to collect credential related content including a first network resource identifier related to a first one of multiple network resources, the credential related content further including a master password that is associated with the first network resource identifier and that is associated with network resource identifiers for a remainder of the multiple network resources. Responsive to execution of the program instructions, the processor converts the master password and the first network resource identifier into a first hash code to receive a temporary credential token from the authentication service in connection with the first hash code.
    Type: Grant
    Filed: September 27, 2018
    Date of Patent: August 2, 2022
    Assignee: LENOVO (SINGAPORE) PTE. LTD.
    Inventors: Russell Speight VanBlon, Nathan J. Peterson, John Carl Mese, Mark Patrick Delaney
  • Patent number: 11381382
    Abstract: An operating method of a memory controller includes generating a random value using a seed, generating encrypted intermediate data by encrypting plaintext data using the random value, and storing the seed and the intermediate data in a memory device. Ciphertext data is generated using the seed and the intermediate data based on Ring Learning with Error (RLWE).
    Type: Grant
    Filed: January 11, 2021
    Date of Patent: July 5, 2022
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Kwang Hoon Kim, Pil Sang Yoon
  • Patent number: 11374770
    Abstract: Systems and methods for developing a novel public/private key pair having unique properties are disclosed, whereby standard data security operations in existing data security infrastructures return a data integrity validation result—but do not provide the intended data security of such infrastructures. These novel keys are referred to as degenerate keys and may be used to replace the public and private keys in existing public/private key cryptosystems. Because degenerate key data integrity validation may leverage existing data security infrastructures that are already widely-implemented, such examples may be applied immediately and configured to seamlessly transition from integrity only modes back to secure modes. In some instances, the degenerate key examples described herein may be employed during a software testing and/or factory validation stage of product development to allow for data integrity validation before burning in a developer's active (i.e.
    Type: Grant
    Filed: November 25, 2019
    Date of Patent: June 28, 2022
    Assignee: TEXAS INSTRUMENTS INCORPORATED
    Inventor: Michael John Line
  • Patent number: 11368445
    Abstract: The present disclosure describes techniques that allow for a client-side application, located on a first client device, to generate a random encryption key and encrypt locally-stored application data with the random encryption key. The random encryption key is used in lieu of a password-derived encryption key. In order to ensure that the client-device application is unable to decrypt the locally-stored encrypted application data prior to authenticating with an external authentication source (i.e., SSO, IdP), the random encryption key is encrypted with a key-encrypting key derived using a pseudorandom function (PRF). By using a PRF, the first device is able to authenticate to the first server and derive a secure key as part of the authentication process. Accordingly, the present disclosure describes techniques for securing data on a client device when credentials are managed by an external authentication system.
    Type: Grant
    Filed: August 21, 2018
    Date of Patent: June 21, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Joël Alwen, Thomas Michael Leavy, Christopher Howell
  • Patent number: 11362843
    Abstract: Techniques are disclosed to automate TLS certificate rotation. For example, a certificate rotation event may be detected from a certificate management tool. The certificate rotation event may be associated with a first certificate and may indicate that the first certificate is to be updated with a second certificate. An application server that is running on a host and to which the first certificate is bound may be identified. A certificate identifier for the second certificate may be provided to one or more agents running on the host. A distribution service may obtain certificate information, e.g., a public key, a private key, or a certificate identifier for the second certificate, from the certificate rotation tool. Some or all of the certificate information for the second certificate may be obtained by the one or more agents running on the host. The one or more agents may instruct the application server to bind the second certificate.
    Type: Grant
    Filed: November 19, 2019
    Date of Patent: June 14, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Zhe Jiang, Eugene S. Lam, Emil Velichkov
  • Patent number: 11361174
    Abstract: An authentication method includes RFID tags authenticating RFID readers. A tag sends a tag identifier and a reader challenge to a reader in response to one or more commands from the reader. The reader then either derives a response to the reader challenge itself or has a verification authority derive the response. The response may be derived from parameter(s) in the reader challenge, and may be derived using a cryptographic key. The reader then sends the response to the tag along with one or more commands. The tag verifies the response before executing action(s) associated with the command(s).
    Type: Grant
    Filed: May 11, 2020
    Date of Patent: June 14, 2022
    Assignee: Impinj, Inc.
    Inventors: Matthew Robshaw, Christopher J. Diorio
  • Patent number: 11361109
    Abstract: The present invention relates to a computer-implemented method for the collective signing of a file, preferably a PDF-based document, by a plurality of users, said method comprising the sequential realization of the following set of steps for each of said plurality of users: (a) providing the user with said file, and optionally with one or more existing identification strings belonging to said file; (b) determining an identification string belonging to said file based on at least said file and optionally based on said one or more existing identification strings; (c) establishing a document signature based on at least both said identification string belonging to said PDF-based document and a private key belonging to the user; (d) registering said document signature in a blockchain.
    Type: Grant
    Filed: December 14, 2017
    Date of Patent: June 14, 2022
    Assignee: ITEXT GROUP NV
    Inventor: Bruno Lowagie
  • Patent number: 11361341
    Abstract: Systems and methods are disclosed for traffic filtration by content providers. One method includes receiving a content request from a device of a user; determining whether one or more container tags are associated with requested content; determining, prior to responding to the content request, whether the content request is by a user based on the content request and the one or more container tags; generating, prior to responding to the content request, an ad request based on the content request and the one or more container tags; determining, prior to responding to the content request, an ad request recipient based on the generated ad request and the one or more container tags; transmitting the ad request to the determined ad request recipient; and transmitting, over the electronic network to the device, a response to the content request when the content request is determined to be by a user.
    Type: Grant
    Filed: April 15, 2019
    Date of Patent: June 14, 2022
    Assignee: Yahoo Ad Tech LLC
    Inventor: Seth Mitchell Demsey
  • Patent number: 11341247
    Abstract: Use of a trusted execution environment (TEE) as a safe build environment. A build task is initiated in a TEE of a compute instance. The build task generates a first software component.
    Type: Grant
    Filed: August 27, 2019
    Date of Patent: May 24, 2022
    Assignee: Red Hat, Inc.
    Inventor: Michael H. M. Bursell
  • Patent number: 11341464
    Abstract: Online ordering systems allow a user to submit sensitive information such as payment card information to a merchant in encrypted form. A payment card processor server may be used to provide the user's web browser with code for an encryption function, a cryptographic key, and a key identifier. The web browser may encrypt the payment card information by executing the encryption function and using the key. The encrypted payment card information may be supplied to the merchant over the internet. A key identifier that identifies which cryptographic key was used in encrypting the payment card information may be provided to the merchant without providing the merchant with access to the key. The merchant can forward the encrypted payment card information to the credit card processor server with the key identifier. The processor server can use the key identifier to obtain the key and decrypt the payment card information for authorization.
    Type: Grant
    Filed: July 30, 2014
    Date of Patent: May 24, 2022
    Assignee: Micro Focus LLC
    Inventors: Matthew J. Pauker, Terence Spies
  • Patent number: 11334884
    Abstract: Functional data for use in one or more digital transactions are secured by using an encapsulated security token (EST). In certain embodiments, the EST is created by encapsulating digital data including the functional data using at least two cryptographic systems of two parties. The encapsulation and subsequent de-encapsulation can utilize cryptographic systems of the parties that involve a private key for signing and decryption and a public key for encryption and signature verification. If constructed carefully over a series of rigorous events, the resulting EST can be practically impossible to counterfeit. In addition, a propagation of rights can be tracked for auditing and rights can be easily terminated or modified.
    Type: Grant
    Filed: August 22, 2019
    Date of Patent: May 17, 2022
    Assignee: INSTITUTIONAL CASH DISTRIBUTORS TECHNOLOGY, LLC
    Inventor: Mark A. Heyner
  • Patent number: 11329831
    Abstract: Methods and apparatuses for providing cryptographic authentication within a voice channel are disclosed. The methods and apparatuses can provide cryptographic authentication solely within a voice channel or can use a combination of a voice channel and another data channel. A method for providing cryptographic authentication within a voice channel can operate between telephonic systems and be suitable for operating over G.711/PCMu, AMR and SPEEX™ codecs, and suitable for operating over mobile, PSTN, and VOIP networks. The method can include providing a modem that is codec agnostic and suitable for executing a TLS-based authentication protocol. The method can include using frequency-shift modulation within a frequency range of 300-3400 Hz.
    Type: Grant
    Filed: June 8, 2017
    Date of Patent: May 10, 2022
    Assignee: University of Florida Research Foundation, Incorporated
    Inventors: Patrick G. Traynor, Bradley G. Reaves, Logan E. Blue
  • Patent number: 11310039
    Abstract: The techniques described herein may provide an efficient and secure two-party distributed signing protocol, for example, for the IEEE P1363 standard. For example, in an embodiment, a method may comprise generating, at a key generation center, a first partial private cryptographic key for a user ID and a second partial private cryptographic key for the user ID, transmitting the first partial private cryptographic key to a first other device, transmitting the second partial private cryptographic key to a second other device, and generating a distributed cryptographic signature for a message using the first partial private cryptographic key and the second partial private cryptographic key.
    Type: Grant
    Filed: November 19, 2019
    Date of Patent: April 19, 2022
    Assignee: Board of Regents, The University of Texas System
    Inventors: Kim Kwang Choo, Debiao He
  • Patent number: 11301465
    Abstract: Example configurations herein include a media player that initiates playback of content (e.g., play back of a movie in a web browser). Based on input from a respective user, the media player receives selections of playback commands (e.g., play, pause, stop, rewind, fast forward, etc.) applied to the content being played back by the media player. Based on the selections, the media player creates a log report. The log report records the selections of the playback commands applied to the content and indicates, for example, a corresponding time when the playback commands were applied. According to one configuration, the media player initiates distribution of the log report to notify a publisher associated with the content which playback commands were selected during playback of the content on the media player.
    Type: Grant
    Filed: April 2, 2013
    Date of Patent: April 12, 2022
    Assignee: Adobe Inc.
    Inventors: Brian Riggs, Vijay S. Ghaskadvi, Joel Huff
  • Patent number: 11301554
    Abstract: Systems, devices, and methods for secure data management and transfer for secure data transactions are provided. For example, disclosed herein are secure & tamper resistant smart cards configured to immutably store data and securely exchange at least a portion of the data via, for example, wireless networks and/or peer-to-peer networks. The smart cards comprise a plurality of dedicated hardware circuit blocks electrically coupled via a bus interconnection, the plurality of dedicated hardware circuit blocks configured to authenticate users, verify trust amongst the smart card and external devices, and encrypt sensitive data for secure transmission.
    Type: Grant
    Filed: March 13, 2019
    Date of Patent: April 12, 2022
    Assignee: ETHERNOM, INC.
    Inventors: Hock Thye Law, Orang Dialameh, Ulrich Franz Buddemeier, Lyn Phuong Nguyen, Lun Feng Tan, Alexandre Charapov, Tim Dorcey, Imraan Ahmed
  • Patent number: 11303438
    Abstract: Instructions and logic provide for a Single Instruction Multiple Data (SIMD) SM4 round slice operation. Embodiments of an instruction specify a first and a second source data operand set, and substitution function indicators, e.g. in an immediate operand. Embodiments of a processor may include encryption units, responsive to the first instruction, to: perform a slice of SM4-round exchanges on a portion of the first source data operand set with corresponding keys from the second source data operand set in response to a substitution function indicator that indicates a first substitution function, perform a slice of SM4 key generations using another portion of the first source data operand set with corresponding constants from the second source data operand set in response to a substitution function indicator that indicates a second substitution function, and store a set of result elements of the first instruction in a SIMD destination register.
    Type: Grant
    Filed: July 14, 2020
    Date of Patent: April 12, 2022
    Assignee: Intel Corporation
    Inventors: Sean M. Gulley, Gilbert M. Wolrich, Vinodh Gopal, Kirk S. Yap, Wajdi K. Feghali
  • Patent number: 11294846
    Abstract: In one embodiment, an apparatus includes: a processing circuit to execute instructions; and a host controller coupled to the processing circuit to perform a key exchange with a second device to couple to the apparatus via a bus to which a plurality of devices may be coupled, and in response to a successful completion of the key exchange, enable secure communication with the second device. Other embodiments are described and claimed.
    Type: Grant
    Filed: September 18, 2017
    Date of Patent: April 5, 2022
    Assignee: Intel Corporation
    Inventors: Amit Kumar Srivastava, Kenneth P. Foust
  • Patent number: 11294888
    Abstract: The present application relates to a blockchain system based on Ethereum, including a master node configured to receive a transaction request transmitted by a client terminal, perform transaction processing by calling a smart contract deployed in a consortium blockchain according to the transaction request to obtain transaction data; and use the transaction data to generate a block, and broadcast the block to the plurality of backup nodes; a backup node configured to receive the block and verify the transaction data of the block; the master node is further configured to generate a first-stage certificate using complete block information, and transmit the first-stage certificate to the plurality of backup nodes; the backup node is further configured to respectively generate a second-stage certificate and a third-stage certificate according to a block hash value in the first-stage certificate, and the second-stage certificate and the third-stage certificate are respectively used to negotiate on the block to ob
    Type: Grant
    Filed: November 23, 2017
    Date of Patent: April 5, 2022
    Assignee: PING AN TECHNOLOGY (SHENZHEN) CO., LTD.
    Inventors: Yiming Wu, Qingshan Gu
  • Patent number: 11297500
    Abstract: A digital media authentication system comprises a media processing application executed by a mobile electronic device that computes a robust image hash for media data acquired by the mobile electronic device; a location attestation system that validates a location context of the media data, the location context determined in response to an object scene in a field of view of the mobile electronic device captured for conversion to the media data; and a blockchain network that maintains a ledger entry that includes the robust image hash, an immutable timestamp, and a location certificate validating the location context of the media data.
    Type: Grant
    Filed: April 15, 2020
    Date of Patent: April 5, 2022
    Assignee: Research Foundation of the City University of New York
    Inventor: Shweta Jain
  • Patent number: 11288985
    Abstract: An encryption device includes hardware processors to: acquire a public key including an identification polynomial f(t) and a multivariable indeterminate equation X having elements of a ring Fp[t]/g(t) as coefficients; disperse and embed a message m as coefficients of plaintext polynomial factors mi having, as coefficients, polynomials with a limited degree among the elements of the ring; generate a plaintext polynomial M by multiplying the plaintext polynomial factors mi; randomly generate a random polynomial r having as a coefficient an element of the ring; randomly generate a noise polynomial e having as coefficients polynomials with a limited degree among the elements of the ring; and generate a ciphertext by encryption processing of performing an operation including adding, subtracting, or multiplying the identification polynomial f(t), the random polynomial r, the noise polynomial e, and the multivariable indeterminate equation X to, from, or by the plaintext polynomial M.
    Type: Grant
    Filed: August 27, 2020
    Date of Patent: March 29, 2022
    Assignee: KABUSHIKI KAISHA TOSHIBA
    Inventor: Koichiro Akiyama
  • Patent number: 11283591
    Abstract: Multiple systems may determine neural-network output data and neural-network parameter data and may transmit the data therebetween to train and run the neural-network model to predict an event given input data. A data-provider system may perform a dot-product operation using encrypted data, and a secure-processing component may decrypt and process that data using an activation function to predict an event. Multiple secure-processing components may be used to perform a multiplication operation using homomorphic encrypted data.
    Type: Grant
    Filed: May 25, 2021
    Date of Patent: March 22, 2022
    Assignee: Via Science, Inc.
    Inventors: Kai Chung Cheung, Mathew Rogers, Jeremy Taylor
  • Patent number: 11283606
    Abstract: The present disclosure provides a trusted execution environment-based key burning system. After a terminal device is enabled, a normal operating system is started, the normal operating system acquires key data to be burned and outputs a switching signal and the key data to be burned, a microprocessor receives the switching signal in a monitor mode and the microprocessor is switched to the secure operating system from the normal operating system, the secure operating system receives the key data to be burned and decrypts the data to be burned according to preset key data, to acquire and write the corresponding original key data into a secure storage area of the secure operating system. Due to the use of the trusted execution environment-based key burning, the key is burned, stored and used safely. In addition, the cryptography protects the key from unexpected damage in transmission and keeps the key integral.
    Type: Grant
    Filed: October 31, 2018
    Date of Patent: March 22, 2022
    Assignee: AMLOGIC (SHANGHAI) CO., LTD.
    Inventors: Pengguang Zhu, Peifu Jiang
  • Patent number: 11283628
    Abstract: An information processing device includes: a non-volatile storage; a communication interface; a processor; and a memory. The non-volatile storage is configured to store a private key. The memory stores computer-readable instructions therein. The computer-readable instructions, when executed by the processor, cause the information processing device to perform: acquiring the private key from the non-volatile storage; acquiring a certificate from a specific external device via the communication interface, the certificate including a public key corresponding to the private key, and the specific external device being different from the information processing device; converting specific data using the private key to generate converted specific data, the converting including one of encrypting the specific data and decrypting the specific data encrypted using the public key; and outputting the certificate.
    Type: Grant
    Filed: March 27, 2018
    Date of Patent: March 22, 2022
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventor: Ken Saito
  • Patent number: 11281805
    Abstract: The present invention relates to a computer-implemented method for recording a location of a file by a user in a blockchain; said location comprising one or more location alternatives; said method comprising the following steps: (a) receiving, from said user, at least said file and said location; (b) calculating a file hash based on said file by means of a cryptographic function; (c) optionally, evaluating a uniqueness of said file hash and/or said location and/or a further characteristic with respect to the blockchain, in which a non-uniqueness leads to a corresponding action; (d) composing a location reference comprising said location and said file hash; (e) registering said location reference in said blockchain.
    Type: Grant
    Filed: October 25, 2017
    Date of Patent: March 22, 2022
    Assignee: ITEXT GROUP NV
    Inventor: Bruno Lowagie
  • Patent number: 11277257
    Abstract: A method for performing an operation according to one embodiment includes performing a homomorphic operation using one or more ciphertexts that are homomorphically encrypted based on an encryption key, determining a count value for a ciphertext generated through the homomorphic operation based on count values for each of the one or more ciphertexts, requesting a key management apparatus, which holds the encryption key and a decryption key corresponding to the encryption key, to re-encrypt the generated ciphertext based on the determined count value, acquiring, from the key management apparatus, a ciphertext generated by re-encrypting the generated ciphertext through decryption based on the decryption key and encryption based on the encryption key; and determining a count value for the acquired ciphertext to be a preset initial value.
    Type: Grant
    Filed: May 27, 2020
    Date of Patent: March 15, 2022
    Assignee: SAMSUNG SDS CO., LTD.
    Inventors: Eun Kyung Kim, Duk Jae Moon, Hyo Jin Yoon, Jung Hoon Sohn, Jang Hyuk Ahn, Jin Hyuck Jeong, Ji Hoon Kwon, Young Hyun Kim
  • Patent number: 11275836
    Abstract: Disclosed herein are systems and methods for determining trust levels of files on a computing device. In one aspect, an exemplary method comprises, selecting file names which are stable, generating at least one group of files from at least two files of the selected file names, the at least two files being components of a same application, searching for a presence of a dominant developer such that at least one private key of the dominant developer has been used to sign at least one file of the group of files that is generated, when a dominant developer is found, determining a trust level for all files of the group in accordance with verdicts associated with the dominant developer, and when the dominant developer is not found, determining the trust level for all the files of the group based on verdicts of outside services that have been assigned to the files of the group.
    Type: Grant
    Filed: October 31, 2019
    Date of Patent: March 15, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Sergey G. Zagorsky, Dmitry V. Shvetsov
  • Patent number: 11270006
    Abstract: A storage device can include processing and cryptographic capability enabling the device to function as a hardware security module (HSM). This includes the ability to encrypt and decrypt data using a cryptographic key, as well as to perform processing using such a key, independent of whether that processing involves data stored on the device. An internal key can be provided to the drive, whether provided before customer software access or received wrapped in another key, etc. That key enables the device to perform secure processing on behalf of a user or entity, where that key is not exposed to other components in the network or environment. A key may have specified tasks that can be performed using that key, and can be discarded after use. In some embodiments, firmware is provided that can cause a storage device to function as an HSM and/or processing device with cryptographic capability.
    Type: Grant
    Filed: December 30, 2019
    Date of Patent: March 8, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory Branchek Roth, Eric Jason Brandwine