Public Key Patents (Class 380/30)
  • Patent number: 10211975
    Abstract: The subject disclosure is directed towards secure computations of encrypted data over a network. In response to user desired security settings with respect to the encrypted data, software/hardware library components automatically select parameter data for configuring a fully homomorphic encryption scheme to secure the encrypted data items while executing a set of computational operations. A client initiates the set of computational operations via the library components and if requested, receives secure computation results in return.
    Type: Grant
    Filed: March 7, 2016
    Date of Patent: February 19, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Jacob J Loftus, Michael Naehrig, Joppe Willem Bos, Kristin Estella Lauter
  • Patent number: 10204657
    Abstract: The present invention comprises an input part for inputting image data, a receiving part for receiving production information relating to production transmitted from another apparatus, a recording part for recording the production information received by the receiving part and image data input by the input part, a detection part for detecting a recording position on a recording medium at an editing point of image data recorded by the recording part, and a transmission part for transmitting information of the recording position detected by the detection part, whereby identification information for identifying image data and voice data is recorded in a recording medium or a recording device, this relieving a burden on a photographer and an editor and facilitating extraction of image data and voice data.
    Type: Grant
    Filed: May 3, 2018
    Date of Patent: February 12, 2019
    Assignee: SONY CORPORATION
    Inventor: Noboru Yanagita
  • Patent number: 10200356
    Abstract: An information processing system performing highly secure broadcast authentication while reducing a delay until authentication, a communication amount, and a computation amount is provided. A server (100) generates authentication information for transmission data by combining a tag relating to the transmission data and a chain value associated in a chain with transmission order of the transmission data. The tag relating to the transmission data is generated by using a common key. The chain is generated by using a one-way function. A node (200) verifies whether a chain value associated with transmission order of data received in the past is generated or not by applying the one-way function to a chain value extracted by using a tag relating to the received data and authentication information for the received data. The tag relating to the received data is generated by using the common key.
    Type: Grant
    Filed: October 20, 2015
    Date of Patent: February 5, 2019
    Assignee: NEC CORPORATION
    Inventor: Toshihiko Okamura
  • Patent number: 10198199
    Abstract: Methods and apparatus for efficiently storing and accessing secure data are disclosed. The method of storing includes encrypting data utilizing an encryption key to produce encrypted data, performing deterministic functions on the encrypted data to produce deterministic function values, masking the encryption key utilizing the deterministic function values to produce masked keys and combining the encrypted data and the masked keys to produce a secure package. The method of accessing includes de-combining a secure package to reproduce encrypted data and masked keys, selecting a deterministic function, performing the selected deterministic function on the reproduced encrypted data to reproduce a deterministic function value, de-masking a corresponding masked key utilizing the reproduced deterministic function value to reproduce an encryption key, and decrypting the reproduced encrypted data utilizing the reproduced encryption key to reproduce data.
    Type: Grant
    Filed: November 16, 2016
    Date of Patent: February 5, 2019
    Assignee: International Business Machines Corporation
    Inventor: Jason K. Resch
  • Patent number: 10193953
    Abstract: Systems and methods are provided for self-describing configurations of cloud-based applications for data security providers monitoring communications between a client device and the applications. An application programming interface (API) can be provided that allows the data security provider to inspect entity objects used by the cloud-based application. Data entities can be marked to have protected fields. A token identifier can be generated by the data security provider and sent to the cloud-based application. The cloud-based application can insert the token identifier in communications between the application and a client device allowing the data security provider to protect sensitive data associated with the protected fields.
    Type: Grant
    Filed: October 21, 2016
    Date of Patent: January 29, 2019
    Assignee: Oracle International Corporation
    Inventors: Jing Wu, Blake Sullivan, Michael William McGrath, Min Lu
  • Patent number: 10181955
    Abstract: Method for converting an original paper document into an original information object, and for subsequent electronic transmission, storage, and retrieval of verifiable copies of the stored original information object without the Trusted Repository relinquishing control of the original information object. The user first converts the blue-ink-signed paper document into an electronic information object. On deposit of this information object into the Trusted Repository, the user is required to destroy or permanently designate the blue-ink-signed paper document and locally-retained files as copies. The Trusted Repository then requires the user to establish the authenticity of the electronic information object by verifying that it is now the only authoritative and original copy. The Trusted Repository then creates the original authenticated information object by appending a date-time stamp and its digital signature and certificate (signature block).
    Type: Grant
    Filed: May 31, 2016
    Date of Patent: January 15, 2019
    Assignee: eOriginal, Inc.
    Inventors: Stephen F Bisbee, Bryan K Caporlette, Adam J Attinello, Daniel S Bender, Valerie F Daly
  • Patent number: 10176418
    Abstract: A secure smart card is described. The smart card can include a processor, a memory and a transceiver. The smart card can communicate with various terminals and store a digital signature and other information on the card. Another terminal can validate the information stored on the smart card using the digital signature. In certain embodiments, the terminal can also validate the information by using a blockchain. The advanced design of the smart card obviates the need for a network connection.
    Type: Grant
    Filed: July 23, 2018
    Date of Patent: January 8, 2019
    Assignee: CAPITAL ONE SERVICES, LLC
    Inventors: Kevin Osborn, James Zarakas, Saleem Sangi, Jeffrey Rule
  • Patent number: 10178105
    Abstract: Embodiments enable a system to determine, authorize, and adjust access, writing, retrieval, and validation rights of users and entities associated with one or more distributed block chain networks. The system is capable of receiving an authorization request from a user to conduct an action associated with the block chain distributed network, determine a security level associated with the user, and either authorize or screen the user from conducting the action based on the determined security level. The system may adjust the security level of the user by requesting and receiving additional authorization credentials from the user. Furthermore, the system may adjust the security level of one or more users based on security or functionality needs of the block chain distributed network.
    Type: Grant
    Filed: February 22, 2016
    Date of Patent: January 8, 2019
    Assignee: Bank of America Corporation
    Inventors: Manu Jacob Kurian, Joseph Benjamin Castinado
  • Patent number: 10177905
    Abstract: In one exemplary embodiment of the invention, a method for computing a resultant and a free term of a scaled inverse of a first polynomial $v(x)$ modulo a second polynomial $f_n(x)$, including: receiving the first polynomial $v(x)$ modulo the second polynomial $f_n(x)$, where the second polynomial is of a form $f_n(x) = x^n \pm 1$, where $n = 2^k$ and $k$ is an integer greater than 0; computing lowest two coefficients of a third polynomial $g(z)$ that is a function of the first polynomial and the second polynomial, where $g(z) \stackrel{\text{def}}{=} \prod_{i=0}^{n-1} \left( v(\rho_i) - z \right)$, where $\rho_0, \rho_1, \ldots, \rho_{n-1}$ are roots of the second polynomial $f_n(x)$ over a field; outputting the lowest coefficient of $g(z)$ as the resultant; and outputting the second lowest coefficient of $g(z)$ divided by $n$ as the free term of the scaled inverse of the first polynomial $v(x)$ modulo the second polynomial $f_n(x)$.
    Type: Grant
    Filed: January 2, 2015
    Date of Patent: January 8, 2019
    Assignee: International Business Machines Corporation
    Inventors: Craig B. Gentry, Shai Halevi
  • Patent number: 10176341
    Abstract: Computerized embodiments are disclosed for keeping personally identifying information within a protected domain environment when interacting with a computerized service environment. In one embodiment, user interface commands are received from a remote computerized system of the protected domain environment at the computerized service environment via computerized network communications. A data residency protection component is generated within the computerized service environment in response to the user interface commands. The data residency protection component is configured to act as a proxy for the computerized service environment, when executed in the protected domain environment by the remote computerized system, to isolate personally identifying information from visibility or storage outside of the protected domain environment.
    Type: Grant
    Filed: March 18, 2016
    Date of Patent: January 8, 2019
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Kent Arthur Spaulding, Kenneth Joseph Meltsner, Reza B′Far
  • Patent number: 10165088
    Abstract: A method is provided for providing unit of work continuity between a client device and a server when the client device initially fails to complete an ongoing unit of work. The method includes temporarily storing, in a temporary storage location in the server, in-doubt messages sent to the server for the ongoing unit of work, when the client device disconnects from the server without committing the ongoing unit of work so that the client device does not have to resend the in-doubt messages to the server. The method further includes utilizing unique hash-codes to identify the in-doubt messages the client device had earlier sent so that the server can retrieve the in-doubt messages from the temporary storage location and include the in-doubt messages as part of the ongoing unit of work to be committed by the client device. The ongoing unit of work is only part of an entire transaction.
    Type: Grant
    Filed: August 2, 2016
    Date of Patent: December 25, 2018
    Assignee: International Business Machines Corporation
    Inventors: Chethan Bhat, Rajesh Lalgowdar, Lohitashwa Thyagaraj
  • Patent number: 10157339
    Abstract: Disclosed are various embodiments for providing access control to the underlying data of a single machine-readable identifier when read by various reader devices. A client device may receive a first cryptographic key associated with a first device profile and a second cryptographic key associated with a second device profile. Data provided through an ingestion process is formatted into at least a first portion of data and a second portion of data, where the first portion of data is intended for a first reader device and the second portion of data is intended for a second reader device. The first portion of data may be encrypted using the first cryptographic key while the second portion of data is encrypted using the second cryptographic key. A machine-readable identifier may be generated using the first portion of data as encrypted and the second portion of data as encrypted.
    Type: Grant
    Filed: March 2, 2016
    Date of Patent: December 18, 2018
    Assignee: Wonderhealth, LLC
    Inventors: Kenneth Hill, Katherine S. Hill
  • Patent number: 10158607
    Abstract: A processor-implemented method for a secure processing environment for protecting sensitive information is provided. The processor-implemented method may include receiving encrypted data and routing the encrypted data to the secure processing environment. Then the encrypted data may be decrypted and fields containing sensitive information may be found. The method may also include obfuscating the sensitive information and returning, by the secure processing environment, the decrypted data and obfuscated data.
    Type: Grant
    Filed: September 15, 2015
    Date of Patent: December 18, 2018
    Assignee: International Business Machines Corporation
    Inventors: Richard H. Boivie, Alyson Comer, John C. Dayka, Donna N. Dillenberger, Kenneth A. Goldman, Mohit Kapur, Dimitrios Pendarakis, James A. Ruddy, Peter G. Sutton, Enriquilo Valdez
  • Patent number: 10158490
    Abstract: Disclosed is a double authentication system (“DAS”) for electronically signing a first data from a user having a smart card, where the smart card has a personal identification number (“PIN”). As an example, the DAS may include a client module, high assurance signing service (“HASS”) module, and hardware security module (“HSM”).
    Type: Grant
    Filed: August 17, 2015
    Date of Patent: December 18, 2018
    Assignee: The Boeing Company
    Inventor: Martin Schleiff
  • Patent number: 10152712
    Abstract: A user inspects at least one indicator of an event. The user enables a token corresponding to an account of an aggregating entity to be received by a transaction entity and identifies at least one type of event of interest to be reported by the transaction entity to the aggregating entity. The user obtains and inspects at least one indicator from the account of the aggregating entity, where each obtained indicator is adapted to be created by the aggregating entity based upon an event message received from the transaction entity. The event message comprises the token, which is adapted to be used by the aggregating entity to identify the account and the event message corresponds to an occurrence of an event of at least one type of event of interest to be reported by the transaction entity to the aggregating entity.
    Type: Grant
    Filed: May 10, 2006
    Date of Patent: December 11, 2018
    Assignee: PAYPAL, INC.
    Inventors: Brian C. Schimpf, Edith H. Stern, Robert C. Weir, Barry E. Willner
  • Patent number: 10148978
    Abstract: Systems and methods for reducing latency through motion estimation and compensation techniques are disclosed. The systems and methods include a client device that uses transmitted lookup tables from a remote server to match user input to motion vectors, and tag and sum those motion vectors. When a remote server transmits encoded video frames to the client, the client decodes those video frames and applies the summed motion vectors to the decoded frames to estimate motion in those frames. In certain embodiments, the systems and methods generate motion vectors at a server based on predetermined criteria and transmit the generated motion vectors and one or more invalidators to a client, which caches those motion vectors and invalidators. The server instructs the client to receive input from a user, and use that input to match to cached motion vectors or invalidators. Based on that comparison, the client then applies the matched motion vectors or invalidators to effect motion compensation in a graphic interface.
    Type: Grant
    Filed: April 20, 2018
    Date of Patent: December 4, 2018
    Assignee: ZeniMax Media Inc.
    Inventor: Michael Kopietz
  • Patent number: 10148441
    Abstract: Embodiments relate to systems, devices, and computer-implemented methods for detecting double signing in one-time use signature schemes by receiving a first message, where the first message includes a signature generated using a one-time use private key of a one-time use public/private key pair, determining a one-time use public key of the public/private key pair based on the first message, adding the one-time use public key to a list of public keys, receiving a second message, where the second message includes a signature generated using the one-time use private key of the one-time use public/private key pair, determining the one-time use public key of the public/private key pair based on the second message, determining that the one-time use public/private key pair was used more than once based on the list of public keys; and generating an alert based on determining that the one-time use public/private key pair was used more than once.
    Type: Grant
    Filed: September 11, 2015
    Date of Patent: December 4, 2018
    Assignee: VERISIGN, INC.
    Inventor: Burton S. Kaliski, Jr.
  • Patent number: 10148423
    Abstract: A data security method including creating a token-including plaintext by including a predefined token into a plaintext, generating a cyphertext by encrypting the token-including plaintext using format-preserving encryption, generating a decrypted cyphertext by decrypting an input text, determining whether the decrypted cyphertext includes a first predefined token, if the decrypted cyphertext includes the first predefined token, recreating the plaintext by removing the first predefined token from the decrypted cyphertext, and if the decrypted cyphertext does not include the first predefined token, using the input text as the plaintext.
    Type: Grant
    Filed: July 20, 2015
    Date of Patent: December 4, 2018
    Assignee: International Business Machines Corporation
    Inventors: Ariel Farkash, Abigail Goldsteen, Micha Moffie
  • Patent number: 10142105
    Abstract: A hypersphere-based multivariable public key encryption/decryption system may include an encryption module and a decryption module. The encryption module may include a processor and a public key transformation component for transforming plaintext into ciphertext. The decryption module may include a processor, a first affine transformation inversion component, a trapdoor component and a second affine transformation inversion component. The trapdoor component may include a linear equation system construction component and a linear equation system solving component. All components may execute corresponding operations, so that a set of data may be obtained finally, and the set of data may be stored and output as decrypted plaintext. If the decryption module does not produce data, the processor may output warning information about a decryption failure to a user.
    Type: Grant
    Filed: January 7, 2015
    Date of Patent: November 27, 2018
    Assignee: South China University of Technology
    Inventors: Shaohua Tang, Jiahui Chen
  • Patent number: 10140606
    Abstract: Ensuring security of electronic transactions between a personal mobile device user and a service provider involves establishing trust between a user and a transaction service provider, authenticating the personal mobile device of the user, establishing a secure communication channel between the user and the service provider, and registering the user with the service provider over the secure communications channel.
    Type: Grant
    Filed: December 30, 2015
    Date of Patent: November 27, 2018
    Assignee: MASTERCARD MOBILE TRANSACTIONS SOLUTIONS, INC.
    Inventors: Satyan G. Pitroda, Mehul Desai
  • Patent number: 10136322
    Abstract: A system and method anonymously authenticate utilizing multiple pre-shared identification keys with external visual identifier. Two keys are pre-shared with a server and are integrated into memory on a controller, and external visual identifiers are affixed to the outside of the controller. The server authenticates the mobile device by checking that the external visual identifiers are appropriately linked to the pre-shared keys within a control memory structure, and a second control memory structure is initiated utilizing the shared key and no user-identifying information.
    Type: Grant
    Filed: April 20, 2018
    Date of Patent: November 20, 2018
    Assignee: Kirio Inc.
    Inventor: Franck D. Rougier
  • Patent number: 10129229
    Abstract: The present disclosure describes systems and methods for authenticating a called party during the initialization stage of establishing a secure telecommunication channel to provide assurances to the initiator that they are communicating with whom they intended. A first user issues a challenge that includes a nonce to one or more second user devices. The second user's secure collaboration application receives the challenge, signs the nonce included in the challenge, and sends the response with the signed nonce to the first user. The first user receives the response and determines whether the signature of the first nonce is valid. If the signature is not valid, the first user's secure collaboration application terminates the secure telecommunication. However, if the signature received in the response is valid, the first user's secure collaboration application begins exchanging encrypted telecommunication data with the second user over a secure telecommunication channel.
    Type: Grant
    Filed: October 21, 2016
    Date of Patent: November 13, 2018
    Assignee: Wickr Inc.
    Inventors: Thomas Michael Leavy, Dipakkumar R. Kasabwala
  • Patent number: 10121139
    Abstract: Ensuring security of electronic transactions between a user and a ticketing service provider involves establishing trust between a user and a transaction service provider, authenticating an electronic transaction facility of the user, establishing a secure communication channel between the user and the ticketing service provider, and registering the user with the ticketing service provider over the secure communications channel.
    Type: Grant
    Filed: December 30, 2015
    Date of Patent: November 6, 2018
    Assignee: MASTERCARD MOBILE TRANSACTIONS SOLUTIONS, INC.
    Inventors: Satyan G. Pitroda, Mehul Desai
  • Patent number: 10122531
    Abstract: Provided is an information processing apparatus including a message generating unit that generates messages of N times (where $N \ge 2$) based on a multi-order multivariate polynomial set $F = (f_1, \ldots, f_m)$ defined on a ring $K$ and a vector $s$ that is an element of a set $K^n$, and calculates a first hash value based on the messages of N times, a message providing unit that provides a verifier with the first hash value, an interim information generating unit that generates third information of N times using first information randomly selected by the verifier and second information of N times, and generates a second hash value based on the third information of N times, an interim information providing unit that provides the verifier with the second hash value, and a response providing unit that provides the verifier with response information of N times.
    Type: Grant
    Filed: July 31, 2012
    Date of Patent: November 6, 2018
    Assignee: Sony Corporation
    Inventor: Koichi Sakumoto
  • Patent number: 10114956
    Abstract: In an embodiment, a system is provided in which the private key is managed in hardware and is not visible to software. The system may provide hardware support for public key generation, digital signature generation, encryption/decryption, and large random prime number generation without revealing the private key to software. The private key may thus be more secure than software-based versions. In an embodiment, the private key and the hardware that has access to the private key may be integrated onto the same semiconductor substrate as an integrated circuit (e.g. a system on a chip (SOC)). The private key may not be available outside of the integrated circuit, and thus a nefarious third party faces high hurdles in attempting to obtain the private key.
    Type: Grant
    Filed: January 2, 2018
    Date of Patent: October 30, 2018
    Assignee: Apple Inc.
    Inventors: Timothy R. Paaske, Mitchell D. Adler, Conrad Sauerwald, Fabrice L. Gautier, Shu-Yi Yu
  • Patent number: 10114939
    Abstract: The disclosed computer-implemented method for secure communications between devices may include (1) receiving, from a control device that is capable of providing instructions to one or more smart devices, a security certificate that identifies the control device and also contains privilege information that indicates how the control device is allowed to interact with the smart devices, (2) receiving, from the control device, a request to interact with a smart device, (3) analyzing the privilege information in the security certificate to determine whether the requested interaction is allowed by the privilege, and (4) controlling the requested interaction based on whether the privilege information indicates that the requested interaction is allowed. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: September 22, 2014
    Date of Patent: October 30, 2018
    Assignee: Symantec Corporation
    Inventor: Kokil Bhalerao
  • Patent number: 10116439
    Abstract: According to one embodiment, an encryption device encrypts each of numerical values based on an encryption key, and generates encrypted data. On the basis of each of the encrypted data, a computation device generates a primary computation result corresponding to data in which a computation result of an expression that has added and subtracted each of the numerical values is encrypted. On the basis of the primary computation result, a secondary computation key and random numbers, a computation assist device generates a secondary computation result. The computation device generates a tertiary computation result based on the secondary computation result and a tertiary computation key, and decides the magnitude relation between a minuend and a subtrahend in the expression based on the tertiary computation result.
    Type: Grant
    Filed: September 11, 2015
    Date of Patent: October 30, 2018
    Assignees: KABUSHIKI KAISHA TOSHIBA, TOSHIBA SOLUTIONS CORPORATION
    Inventors: Masanobu Koike, Ryotaro Hayashi, Tatsuyuki Matsushita
  • Patent number: 10116450
    Abstract: In a general aspect, a Merkle signature scheme (MSS) uses subtree data. In some aspects, subtree data is loaded from a non-volatile memory into a volatile memory. The subtree data represents one or more nodes of a subtree of a cryptographic hash tree and a first authentication path portion that includes nodes outside the subtree. The subtree includes a subtree root node at a level below a root node of the cryptographic hash tree and lowest-level nodes of the cryptographic hash tree, which are based on respective verification keys for a one-time signature (OTS) scheme. An OTS is generated using a first signing key associated with a first verification key, which is associated with a lowest-level node in the subtree. The OTS, the first verification key, the first authentication path portion, and a second authentication path portion comprising one or more nodes of the subtree are sent to a recipient.
    Type: Grant
    Filed: November 2, 2016
    Date of Patent: October 30, 2018
    Assignee: ISARA Corporation
    Inventors: Michael Kenneth Brown, Anthony Chun Li Hu, Marek Paruzel, Atsushi Yamada
  • Patent number: 10110369
    Abstract: The present disclosure is directed to a system and method of distributing time information to enable synchronization in an authenticated manner via a quantum channel. A source device may transmit a timing signal T on a communication channel from the source device to a receiver device. The timing signal T may include a time or times stored in memory or calculated using a previously agreed upon formula. The method may include transmitting a quantum system Q from the source device to the receiver device. The quantum system may be prepared in a randomly chosen state and may be measured by the receiver device in a randomly chosen measurement basis.
    Type: Grant
    Filed: May 1, 2017
    Date of Patent: October 23, 2018
    Assignee: UT-Battelle, LLC
    Inventors: Warren P. Grice, Raphael C. Pooser, Phani Teja Kuruganti, Philip G. Evans, Miljko Bobrek
  • Patent number: 10108811
    Abstract: Disclosed herein is a system for enabling secure data storage into a third party managed electronic vault that provides users with a secure location to store important documents, information, and data including but not limited to various forms of personal identifiable information. The system features an interface that dynamically secures, encrypts, and protects data related to transmission, storage, and retrieval, as well as management components that regulate and authenticate access to the contents of the electronic safe deposit boxes (and subdivisions thereof) in the electronic vault. In addition, the system features comprehensive logic for completing and/or auto-filling forms, tracking and/or facilitating renewals of expiring credentials, providing reminders of important dates and events, managing multi-step processes, automatically adjusting security and authentication requirement based on one or more factors, and guiding and suggesting complimentary activities and considerations for detected user events.
    Type: Grant
    Filed: September 11, 2017
    Date of Patent: October 23, 2018
    Assignee: InteracVAULT Inc.
    Inventor: Laura Sibley Walker
  • Patent number: 10110569
    Abstract: Computerized systems and methods for storing data on a cloud-based personal virtual server are disclosed herein. Systems and methods may include a mobile device of a user comprising a processor configured to: receive a user's personal information; receive the first user's password, generate a secret key, a personal public key, and a personal private key for the user; launch a new server instance on a cloud-service provider to create a cloud-based personal virtual server for the first user on the cloud-service provider, the personal virtual server being segregated from other servers on the cloud-service provider; and transmit the personal information, the personal public key, and the password of the first user to the cloud-based personal virtual server for storage.
    Type: Grant
    Filed: April 8, 2016
    Date of Patent: October 23, 2018
    Assignee: CSuite Technologies, Inc.
    Inventor: Rodrigo Coelho
  • Patent number: 10110754
    Abstract: A request to provision a trial service to a user device is received, and the trial service relates to offering a service to the user device during a trial time period. The request is confirmed as originating from the user device by forwarding a confirmation code to the user device, and receiving the confirmation code from the user device. Data regarding the user device is obtained and used to determine whether the user device is eligible to receive the trial service. For example, eligibility of the user device to receive the trial service may be determined based on a service provided to the user device before the request is received, and based on whether the user device has previously received the trial service during a particular time period. When the user device is eligible to receive the trial service, the trial service is provisioned to the user device.
    Type: Grant
    Filed: September 25, 2014
    Date of Patent: October 23, 2018
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Paul Lemchak, Bindu Balan, Thuha T. Cung, Dale M. Gibson, Chaoying Zhu, Kobie Thakar
  • Patent number: 10097544
    Abstract: Authenticating a user is provided. A decryption key corresponding to an authentication account of the user of a client device and authentication credential data obtained from the user of the client device are received during authentication. Encrypted authentication credential data corresponding to the user is decrypted using the received decryption key corresponding to the authentication account of the user. The decrypted authentication credential data is compared with the received authentication credential data to authenticate the user of the client device.
    Type: Grant
    Filed: June 1, 2016
    Date of Patent: October 9, 2018
    Assignee: International Business Machines Corporation
    Inventors: Lawrence Koved, Ian M. Molloy, Gelareh Taban
  • Patent number: 10091000
    Abstract: Various embodiments are generally directed to an apparatus, method and other techniques generating one or more polynomial elements for a polynomial function using a node value of a pseudo random number generator tree as a seed value, the polynomial function comprising a secret value and the polynomial elements, and the pseudo random number generator tree at least partially matching at least one other pseudo random number generator tree on another device, generating a plurality of share values based on the one or more polynomial elements and the polynomial function and distributing a share value of the plurality of share values to a device.
    Type: Grant
    Filed: September 24, 2014
    Date of Patent: October 2, 2018
    Assignee: INTEL CORPORATION
    Inventors: Ned Smith, William Deleeuw
  • Patent number: 10091240
    Abstract: An infrastructure delivery platform provides an RSA proxy service as an enhancement to the TLS/SSL protocol to off-load, from an edge server to an external cryptographic server, the decryption of an encrypted pre-master secret. The technique provides forward secrecy in the event that the edge server is compromised, preferably through the use of a cryptographically strong hash function that is implemented separately at both the edge server and the cryptographic server. To provide the forward secrecy for this particular leg, the edge server selects an ephemeral value, and applies a cryptographic hash to the value to compute a server random value, which is then transmitted back to the requesting client. That server random value is later re-generated at the cryptographic server to enable the cryptographic server to compute a master secret. The forward secrecy is enabled by ensuring that the ephemeral value does not travel on the wire.
    Type: Grant
    Filed: January 22, 2018
    Date of Patent: October 2, 2018
    Assignee: Akamai Technologies, Inc.
    Inventors: Charles E. Gero, Philip A. Lisiecki
  • Patent number: 10083308
    Abstract: Techniques are disclosed for efficient computation of consecutive values of one-way chains and other one-way graphs in cryptographic applications. The one-way chain or graph may be a chain of length s having positions i = 1, 2, ..., s each having a corresponding value v_i associated therewith, wherein the value v_i is given by v_i = h(v_{i+1}), for a given hash function or other one-way function h. An initial distribution of helper values may be stored for the one-way chain of length s, e.g., at positions given by i = 2^j for 0 ≤ j ≤ log_2 s. A given one of the output values v_i at a current position in the one-way chain may be computed utilizing a first helper value previously stored for another position in the one-way chain between the current position and an endpoint of the chain. After computation of the given output value, the positions of the helper values are adjusted so as to facilitate computation of subsequent output values.
    Type: Grant
    Filed: July 21, 2017
    Date of Patent: September 25, 2018
    Assignee: Crypto Research, LLC
    Inventor: Bjorn Markus Jakobsson
  • Patent number: 10084797
    Abstract: A first login request of a user is received from a first login window. The first login request comprises a login name, a user identifier, and a challenge. The challenge is generated and received from a second login request to a product in a second login window. The user copies and pastes the challenge into the first login window. A central control system determines if the login name and the user identifier are valid. If the login name and user identifier are valid, a response to the challenge is generated based on a private key and is displayed in the first login window. The response to the challenge is copied from the first login window and pasted as part of a second step of the second login process. The second login process verifies the response to the challenge using a public key to allow the user access to the product.
    Type: Grant
    Filed: October 3, 2016
    Date of Patent: September 25, 2018
    Assignee: Extreme Networks, Inc.
    Inventors: Rifaat Shekh-Yusef, William T. Walker
  • Patent number: 10079675
    Abstract: Methods, systems, and computer programs for generating cryptographic function parameters are described. In some examples, a solution to a puzzle is obtained. A pseudorandom generator is seeded based on the solution. After seeding the pseudorandom generator, an output from the pseudorandom generator is obtained. A parameter for a cryptographic function is generated. The parameter is generated from the output from the pseudorandom generator.
    Type: Grant
    Filed: April 20, 2015
    Date of Patent: September 18, 2018
    Assignee: Certicom Corp.
    Inventor: Daniel Richard L. Brown
  • Patent number: 10079838
    Abstract: Technologies for securing communication may include monitoring a secured network connection between a client and a server. The secured network connection may be secured using a symmetric cryptographic key. The technologies may also include detecting a transmission of secured information between the client and the server, copying the transmission, forwarding the transmission to an intended recipient, decrypting the transmission using the symmetric cryptographic key, and determining whether the transmission is indicative of malware.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: September 18, 2018
    Assignee: McAfee, LLC
    Inventor: Shivakumar Buruganahalli
  • Patent number: 10075523
    Abstract: A method begins by a dispersed storage (DS) processing module receiving data for storage and generating a dispersed storage network (DSN) source name for the data. The method continues with the DS processing module determining whether substantially identical data to the data has been previously stored in memory of the DSN. When the substantially identical data has been previously stored in the memory of the DSN, the method continues with the DS processing module generating an object linking file that links the data to the substantially identical data, dispersed storage error encoding the object linking file to produce a set of encoded link file slices, and outputting the set of encoded link file slices for storage in the memory of the DSN.
    Type: Grant
    Filed: February 4, 2014
    Date of Patent: September 11, 2018
    Assignee: International Business Machines Corporation
    Inventors: Ilya Volvovski, S. Christopher Gladwin, Gary W. Grube, Timothy W. Markison, Jason K. Resch, Thomas Franklin Shirley, Jr., Greg Dhuse, Manish Motwani, Andrew Baptist, Wesley Leggette
  • Patent number: 10075355
    Abstract: The present disclosure provides a verifying method and device for consistency of forwarding behaviors of router data based on action codes. The verifying method includes the following steps: determining related functions for a number of functional modules of a router; configuring action codes for the functional modules of the router, each functional module sending the configured action code to the control layer after executing the related function; configuring condition codes for the functional modules of the router; combining some or all of the functional modules according to a preset combination; constructing a Trie tree, nodes of the Trie tree storing the action codes of the functional modules; and detecting whether there is abnormal forwarding behavior in the forwarding process of a received data packet according to the Trie tree and the received data packet.
    Type: Grant
    Filed: April 8, 2016
    Date of Patent: September 11, 2018
    Assignee: Tsinghua University
    Inventors: Ke Xu, Yanyu Chen, Meng Shen, Yong Jiang, Dongchao Ma
  • Patent number: 10075299
    Abstract: An information processing apparatus including a message generating unit that generates N sets of messages based on a multi-order multivariate polynomial set F = (f_1, ..., f_m) defined on a ring K and a vector s that is an element of a set K^n, a first information selecting unit that inputs a document M and the N sets of messages to a one-way function that selects one piece of first information from among k (where k ≥ 3) pieces of first information in response to a set of input information, and selects N pieces of first information, a second information generating unit that generates N pieces of second information, and a signature providing unit that provides a verifier with the N pieces of first information and the N pieces of second information as a digital signature.
    Type: Grant
    Filed: July 31, 2012
    Date of Patent: September 11, 2018
    Assignee: SONY CORPORATION
    Inventor: Koichi Sakumoto
  • Patent number: 10068282
    Abstract: A method for preventing redundant purchases of limited items includes steps for providing a commerce client to a user, receiving (a) financial information of the user and (b) a device identifier from a device the user is using to run the commerce client, the device identifier being based on one or more of user-configurable and non-user-configurable parameters of the user device, determining whether a previous transaction has been made with the device associated with the received device identifier, and disallowing the device from executing further transactions for a predetermined period of time. The method may be executed by an apparatus such as a computer server or stored as a series of instructions on a computer readable medium.
    Type: Grant
    Filed: June 2, 2010
    Date of Patent: September 4, 2018
    Assignee: Uniloc 2017 LLC
    Inventor: Craig Stephen Etchegoyen
  • Patent number: 10069864
    Abstract: Embodiments of the invention provide systems and methods for using an anti-phishing image. More specifically, embodiments of the present invention provide for using a non-static, location-based anti-phishing image that can, in some cases, include authentication information. According to one embodiment, a user with a trusted mobile device can go to a particular location during enrollment with an online service or application. This location can be detected by the mobile device, e.g., through a Global Positioning System (GPS) receiver and/or other location detection techniques. Once detected, this location can be provided by the mobile device to the service or application with which the user is registering and saved by the service or application as a “secret location.” Also during enrollment, the user can select an anti-phishing image. Once saved, the location information can be used for anti-phishing as well as authentication purposes.
    Type: Grant
    Filed: March 20, 2015
    Date of Patent: September 4, 2018
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventor: Girish Anantharaju
  • Patent number: 10069737
    Abstract: A first server device may receive, from a second server device, a unique identifier (ID) that relates to content stored by the second server device; determine a policy based on the unique ID; generate a policy tag identifying the determined policy; and output the policy tag to the second server device. Outputting the policy tag may cause the second server device to apply the policy tag to a packet associated with the content, and output the packet towards a requesting user device that requests the content.
    Type: Grant
    Filed: December 29, 2014
    Date of Patent: September 4, 2018
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Guanqun Bao, Manish Sharma, Devin Blong, Kevin Flores, Tushar Chaudhary, Gaurav Gupta
  • Patent number: 10057061
    Abstract: Disclosed in some examples are methods, systems, and machine readable mediums for secure end-to-end digital communications involving mobile wallets. The result is direct, secure, in-band messaging using mobile wallets that may be used to send messages such as payments, requests for money, financial information, or messages to authorize a debit or credit.
    Type: Grant
    Filed: September 13, 2016
    Date of Patent: August 21, 2018
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Joon Maeng, Ramanathan Ramanathan, Thomas Hayes
  • Patent number: 10057054
    Abstract: A method for encrypting a message by a host device includes requesting, by the host device, a message key from a secure device and generating, by the secure device, the message key using a secret key stored in the secure device and which is not communicated to the host device. The method further includes the prior steps of requesting, by the host device, a token from the secure device and generating the token by the secure device, and transmitting the token to the host device. The requesting, by the host device, of the message key includes transmitting the token. The generating, by the secure device, of the message key is preceded by checking the legitimacy of the token.
    Type: Grant
    Filed: March 9, 2015
    Date of Patent: August 21, 2018
    Assignee: Commissariat à l'énergie atomique et aux énergies alternatives
    Inventor: Florian Pebay-Peyroula
  • Patent number: 10050946
    Abstract: A system is provided for secure data transmission. The system stores a public master key, private decryption key and secure messaging module for securely transmitting and receiving a digital model data file for transmission via a work order message. For transmitting and receiving the work order message, the system generates public encryption keys using a key generation algorithm in which each of the public encryption keys is unique to a designated message recipient and generated using an input including the public master key, a validity period, and an identifier of the designated message recipient. The system may also store a revocation list that includes identifiers of message recipients that have revoked access to the public master key or private decryption key, and based thereon determine whether or not to encrypt and transmit the work order message, or receive and decrypt the work order message.
    Type: Grant
    Filed: June 17, 2016
    Date of Patent: August 14, 2018
    Assignee: The Boeing Company
    Inventors: Fred L. Templin, Kapaleeswaran Viswanathan
  • Patent number: 10051009
    Abstract: A client-side user agent operates in conjunction with an identity selector to institute and exercise privacy control management over user identities managed by the identity selector. The user agent includes the combination of a privacy enforcement engine, a storage of rulesets expressing user privacy preferences, and a preference editor. The editor enables the user to direct the composition of privacy preferences relative to user identities. The preferences can be applied to individual cards and to categorized groups of attributes. The engine evaluates the proper rulesets against the privacy policy of a service provider. The privacy preferences used by the engine are determined on the basis of specifications in a security policy indicating the attribute requirements for claims that purport to satisfy the security policy.
    Type: Grant
    Filed: October 23, 2017
    Date of Patent: August 14, 2018
    Assignee: Open Invention Network LLC
    Inventor: Gail-Joon Ahn
  • Patent number: 10044502
    Abstract: For a network that includes host machines for providing computing and networking resources and a VPN gateway for providing external access to those resources, a novel method that distributes encryption keys to the hosts to encrypt/decrypt the complete payload originating/terminating at those hosts is described. These encryption keys are created or obtained by the VPN gateway based on network security negotiations with the external networks/devices. These negotiated keys are then distributed to the hosts via the control plane of the network. In some embodiments, this creates a complete distributed mesh framework for processing crypto payloads.
    Type: Grant
    Filed: July 31, 2015
    Date of Patent: August 7, 2018
    Assignee: NICIRA, INC.
    Inventors: Jayant Jain, Anirban Sengupta, Uday Masurekar