Multiple Computer Communication Using Cryptography Patents (Class 713/150)
  • Patent number: 11533346
    Abstract: Aspects of the disclosure include methods, apparatuses, and non-transitory computer-readable storage mediums for receiving media data. One apparatus includes processing circuitry that receives a media presentation description (MPD) file that includes an essential property descriptor for session-based dynamic adaptive streaming over hypertext transfer protocol (DASH). The essential property descriptor indicates a session-based description (SBD) file and includes a set of keys for a part of a uniform resource locator (URL) that is used for receiving the media data. The processing circuitry determines a respective value for each of the set of keys based on whether the respective value is included in the SBD file and modifies the URL based on the set of keys and the determined values.
    Type: Grant
    Filed: September 16, 2021
    Date of Patent: December 20, 2022
    Assignee: TENCENT AMERICA LLC
    Inventor: Iraj Sodagar
  • Patent number: 11531788
    Abstract: An approach for operating at least one touch-sensitive, flat input device of a complete device, the input device being connected via a message-based bus connection to a control device of the complete device, and messages containing touch datasets describing touch data events being transmitted to the control device, which evaluates the messages for input information for an application program implemented by the control device, wherein when a security function in the control device that queries sensitive input information is accessed, the touch datasets are transmitted from the input device to the control apparatus via the bus connection in encrypted form until the associated input process has ended.
    Type: Grant
    Filed: April 18, 2019
    Date of Patent: December 20, 2022
    Assignee: Audi AG
    Inventors: Markus Klein, Kamil Zawadzki, Changsup Ahn, Tim Krämer, Mathias Bösl
  • Patent number: 11501632
    Abstract: Methods and systems for contingency communication are disclosed. In one embodiment, a method for providing emergency services may be performed by a base station operating in a communication system. In an embodiment, the method for providing emergency services includes transmitting a beacon signal to indicate an emergency status to enable portable devices to operate in a stress mode. A distress signal may be transmitted by a mobile device in response to the beacon signal to the base station, wherein the distress signal carries information at least comprising user identity associated with the mobile device, geolocation of the mobile device, or biometrics of a user of the mobile device.
    Type: Grant
    Filed: May 20, 2021
    Date of Patent: November 15, 2022
    Assignee: Neo Wireless LLC
    Inventors: Titus Lo, Xiaodong Li
  • Patent number: 11494373
    Abstract: Techniques for modifying queries in a set of nested queries are disclosed. A graphical user interface displays a query detail region alongside a nested query display region. The graphical user interface includes functionality to provide for modification of queries in the nested set of queries. Based on a selection by a user, a query modification tool promotes a query attribute from a child query to one or more parent queries. Based on another selection by a user associated with one query in the set of nested queries, the system deletes an attribute from each query in the set of nested queries. Responsive to a selection to create multiple conditions for a query rule, the system modifies the functionality of the user interface to enable entry of multiple condition characteristics. Based on a further selection, the system creates the multiple conditions for the query rule.
    Type: Grant
    Filed: September 28, 2021
    Date of Patent: November 8, 2022
    Assignee: Oracle International Corporation
    Inventors: Prashant Singh, Rasika Vaidya Kaura, Henrik Michael Ammer
  • Patent number: 11496447
    Abstract: A system, method and computer-readable medium provide secure communication between a first and a second computer system based on supersingular isogeny elliptic curve cryptography. The first computer system and the second computer system each determine kernels KA and KB including computing mP+nQ by accessing a lookup table stored in a memory that contains a range of doubles of an end point of the respective kernels, where P and Q are points on the public elliptic curve and m and n are integers. The first computer system and the second computer system compute secret isogenies by determining a respective kernel KBA and KAB using mixed-base multiplicands with a single inversion, including computing the respective kernel KBA and KAB by converting the multiplicands to base 32, and computing scalar multiplications using the base 32 multiplicands.
    Type: Grant
    Filed: April 16, 2021
    Date of Patent: November 8, 2022
    Assignee: Umm Al-Qura University
    Inventor: Wesam Eid
  • Patent number: 11483295
    Abstract: Described embodiments provide systems and methods for establishing an end-to-end cryptographic context. A service node may be located intermediary between a client and server which provides a service to the client. At least one network device may be located intermediary between the service node and the server. The service node may obtain information for validating the service. The service node may establish an end-to-end cryptographic context between the service node and server through the network device(s). A first network device of the network device(s) may share a cryptographic context with the service node, which existed prior to establishment of the end-to-end cryptographic context. The service node may transmit a message to the network device encrypted using the first cryptographic context. The encrypted message may inform the first network device to pass through traffic that is encrypted using the end-to-end cryptographic context.
    Type: Grant
    Filed: December 5, 2018
    Date of Patent: October 25, 2022
    Assignee: Citrix Systems, Inc.
    Inventor: Viswanath Yarangatta Suresh
  • Patent number: 11477025
    Abstract: A method including determining an assigned key pair associated with a device, the assigned key pair including an assigned public key and an associated assigned private key; determining an access key pair associated with content to be encrypted, the access key pair including an access public key and an associated access private key; encrypting the access private key using a combination encryption key determined based at least in part on the access private key and the assigned public key; encrypting a randomly generated key by utilizing the access public key; and encrypting the content utilizing the randomly generated key. Various other aspects are contemplated.
    Type: Grant
    Filed: September 22, 2021
    Date of Patent: October 18, 2022
    Assignee: UAB 360 IT
    Inventor: Mindaugas Valkaitis
  • Patent number: 11455587
    Abstract: Techniques for risk evaluation include receiving, from a requesting entity, a request for monitoring target entities specifying a first identifier associated with each target entity and target entity information. The system generates a second identifier and a third identifier for each target entity and stores a mapping of the second identifiers to the first identifiers and the third identifiers, preventing the second identifiers from being provided to the requesting entity. The system monitors a periodically updated data set and determines risk metrics for the target entities, comparing each risk metric to a threshold value to identify target entities whose risk data indicates an insider threat. The system generates a third identifier for the identified target entities and provides the third identifiers to the requesting entity. Responsive to a request for a corresponding first identifier, the system identifies and provides the first and third identifiers to the requesting entity.
    Type: Grant
    Filed: April 20, 2020
    Date of Patent: September 27, 2022
    Assignee: EQUIFAX INC.
    Inventors: Michael McBurnett, Michael Reith, Terry Woodford, Patricia Bassetti, Abhinav Sinha
  • Patent number: 11444897
    Abstract: A system and method for controlling access to a message after communication. A sender sends an encrypted message to a recipient. The sender also sends an encryption key and the identity of the recipient to a services component. The recipient authenticates its access rights with the services component to obtain the encryption key. The key is held for a period of time for the recipient to access the encrypted message. The recipient may re-authenticate with the services component to again obtain the key to subsequently access the message. The sender may revoke or reinstate the receiver's access to the message by updating the service component.
    Type: Grant
    Filed: July 5, 2016
    Date of Patent: September 13, 2022
    Assignee: CRYPTOMILL INC.
    Inventors: Nandini Jolly, Chris Batty, Canute Serrao, Deepu Filji, David Dai
  • Patent number: 11438155
    Abstract: Techniques for implementing a key vault as an enclave are presented. The techniques include securely storing, in a key vault enclave, a key for an encryption system according to a key use policy; sending a vault attestation report of a key vault enclave to a vault client; and performing an operation in the key vault enclave with the key. Some embodiments further include receiving, at the key vault enclave, a client attestation report of the vault client wherein the vault client and key vault enclave are hosted on different native enclave platforms.
    Type: Grant
    Filed: January 24, 2017
    Date of Patent: September 6, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: Manuel Costa
  • Patent number: 11429624
    Abstract: An assigning device (100) for assigning fixed identifiers to fuzzy identifiers, the assigning device comprising a database storing multiple fuzzy identifiers, and a matching unit (130) arranged to determine if a matching fuzzy identifier exists in the database that matches a fuzzy input identifier according to a matching criterion and to determine if a matching fuzzy identifier does not exist in the database according to an absent criterion.
    Type: Grant
    Filed: November 4, 2016
    Date of Patent: August 30, 2022
    Assignee: INTRINSIC ID B.V.
    Inventors: Geert Jan Schrijen, Derk Jan Meuleman
  • Patent number: 11425103
    Abstract: Systems and methods for token secured routing are disclosed. An outbound routing table is maintained. A first token state is determined. A token value is determined based on the determined token state. First and second portions of the token value are identified. The first message is encrypted using the second portion of the first token value. A first packet is generated that includes the first portion as a token and includes the encrypted first message. The first packet is sent to the second node based on the second outbound routing entry in the outbound routing table.
    Type: Grant
    Filed: March 7, 2020
    Date of Patent: August 23, 2022
    Assignee: Medic, Inc.
    Inventors: David R. Hall, Jeff Campbell, Joshua Dutton, Monte Johnson, David Crismon
  • Patent number: 11424914
    Abstract: A system can control access to encrypted data shared by a group of users by the use of a vault key that is associated with a group of users. The encrypted data can include encrypted secret data generated from the secret data using a secret key, an encrypted secret key can be generated from the secret key by the use of a vault key, and an encrypted vault key generated from the vault key by the use of a public key associated with a user of the group of users. The system can allow users to store and access the encrypted data only if the user is a current member of the group. The system can verify the user's membership status from a group manager, such as a system managing a channel or chat session.
    Type: Grant
    Filed: December 3, 2019
    Date of Patent: August 23, 2022
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Alexander Weiss, Eric Scott Albright, Dustyn J. Tubbs, Paresh Lukka, Andrew V. Spiziri, Lawrence Fubini Waldman
  • Patent number: 11425565
    Abstract: A method for Multipath Quick User Datagram Protocol (UDP) Internet Connections (MPQUIC) over Quick SOCKS (QSOCKS) in a wireless network is provided. The method includes receiving, by a QSOCKS server, a Client Hello (CHLO) message from a QSOCKS client device using a QSOCKS method tag, wherein the CHLO message comprises a plurality of client-supported SOCKS Authentication (AUTH) procedures, selecting, by the QSOCKS server, a candidate client-supported SOCKS AUTH procedure from the plurality of client-supported SOCKS AUTH procedures, and transmitting, by the QSOCKS server, a reject packet using the QSKM tag to the QSOCKS client device, wherein the reject packet includes information indicating the selected candidate client-supported SOCKS AUTH procedure.
    Type: Grant
    Filed: March 5, 2020
    Date of Patent: August 23, 2022
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Madhan Raj Kanagarathinam, Sujith Rengan Jayaseelan, Gaurav Sinha, Bhagwan Dass Swami, Gunjan Kumar Choudhary, Karthikeyan Arunachalam
  • Patent number: 11418497
    Abstract: A system is provided for facilitating access to data stored in a cloud-based storage service. Data associated with a user account is stored at the cloud-based storage service. A portion of the data is associated with a heightened authentication protocol. A request for an application to receive data that is associated with the heightened authentication protocol is received at the cloud-based storage service. In response to the request, the request is authenticated based on the heightened authentication protocol. In response to authenticating the request, permission is granted for the application to receive the data that is associated with the heightened authentication protocol. In response to a locking of the data that is associated with the heightened authentication protocol, an indication that the data is unavailable is sent to the application.
    Type: Grant
    Filed: March 21, 2019
    Date of Patent: August 16, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Jyotsana Rathore, Jose A. Barreto, Kevin Andrew Chan, Deepak Sreenivas Pemmaraju, Robert C. Turner, Ronakkumar Desai, Patrick Moulhaud
  • Patent number: 11411726
    Abstract: A computer implemented method of generating cryptographic keys for a hardware security module (HSM), the method including generating a plurality of cryptographic keys and storing the cryptographic keys for use by the HSM in providing cryptography functions, wherein the cryptographic keys are generated based on numerical data generated by a hardware random number generator, such that a rate of generation of the cryptographic keys is unconstrained by the resources of the HSM, wherein the hardware random number generator operates based on a plurality of statistically random entropy data sources originating from natural phenomena so as to increase a degree of randomness of the numerical data.
    Type: Grant
    Filed: May 2, 2019
    Date of Patent: August 9, 2022
    Assignee: BRITISH TELECOMMUNICATIONS PUBLIC LIMITED COMPANY
    Inventors: Joshua Daniel, Ali Sajjad
  • Patent number: 11409870
    Abstract: In example embodiments, systems and methods extract a model of a computer application during load time and store the model in memory. Embodiments may insert instructions into the computer application at run time to collect runtime state of the application, and analyze the collected data against the stored model to perform detection of security events. Embodiments may also instrument an exception handler to detect the security events based on unhandled memory access violations. Embodiments may, based upon the detection of the security events, dynamically respond, such as by modifying a computer routine associated with an active process of the computer application. Modification may include installing or verifying an individual patch in memory associated with the computer application.
    Type: Grant
    Filed: June 16, 2017
    Date of Patent: August 9, 2022
    Assignee: Virsec Systems, Inc.
    Inventor: Satya Vrat Gupta
  • Patent number: 11405370
    Abstract: The present disclosure describes techniques for storing encrypted files in a secure file repository and transferring those encrypted files to one or more recipients. A user selects a file to upload to a secure file repository. A secure collaboration app on the user's device generates a first encryption key that is used to encrypt the file. The encrypted file is then uploaded to the secure file repository, which provides the secure collaboration app with a random file name and a location of the encrypted file. The secure collaboration app updates locally stored metadata of the first encrypted file. To securely transfer the file, the user generates a second encryption key, encrypts the metadata with the second encryption key, and transmits the encrypted metadata to one or more receivers. The one or more receivers decrypt the encrypted metadata and use the decrypted metadata to retrieve the file and decrypt it.
    Type: Grant
    Filed: February 2, 2017
    Date of Patent: August 2, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Ernest W. Grzybowski, Christopher A. Howell, Thomas Michael Leavy, David A. Sugar, Dipakkumar R. Kasabwala
  • Patent number: 11392401
    Abstract: A device-management system performs processing, such as audio processing, in an instance of a virtual machine corresponding to a functionally limited (local) device. To register the user device, the device-management system receives a registration request that includes device information, encryption data, and an indication of an associated user account. The device-management system then sends this registration data to a service-provider system, which returns a shared encryption key. The device-management system and the user device may use this shared encryption key to securely communicate. The device-management system may de-allocate the instance upon detecting a period of inactivity of the user device and may re-allocate the instance when new activity is detected. The device-management system may further determine when and if audio data to be sent to the user device is encoded using a codec not implemented by the user device.
    Type: Grant
    Filed: July 23, 2019
    Date of Patent: July 19, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Sebastian Pierce-Durance, Kenneth Edward Cecka, Adam Stevens, Sanjay Devireddy, Po-Chen Paul Yang, Naveen Kumar Devaraj, Federico Dan Rozenberg, Pete Baldridge, Rajiv Jain, Pranov Rai, Todd Greenwalt, Yusuf Goren
  • Patent number: 11392564
    Abstract: In general, embodiments of the present invention provide systems and computer readable media for implementing a single data integration platform that supports multiple data access interfaces to a single corpus of stored dynamic data collected from multiple data sources. In embodiments, the data integration platform includes a record tables layer that stores a group of data records and supports a CRUD interface for accessing the data records; a resolution mapping layer that stores a set of entities generated by a many-to-one mapping of data records to entities using entity resolution; and an entities layer that stores resolved entities which may be accessed via either a search interface based on search criteria or a hybrid search interface that supports “get via record id” queries.
    Type: Grant
    Filed: June 26, 2020
    Date of Patent: July 19, 2022
    Assignee: GROUPON, INC.
    Inventors: David Alan Johnston, Andrew James, Pradhee Tandon, Sivaramakrishnan Natarajan
  • Patent number: 11387997
    Abstract: The technology disclosed herein provides an enhanced cryptographic access control mechanism that uses cryptographic keys that are based on location data. An example method may include: determining location data of a computing device; transforming the location data in view of conversion data associated with the computing device, wherein the conversion data causes a set of alternate location data values to transform to a specific cryptographic value; creating, by a processing device, a cryptographic key in view of the transformed location data; and using the cryptographic key to enable access to a protected resource.
    Type: Grant
    Filed: February 7, 2019
    Date of Patent: July 12, 2022
    Assignee: Red Hat, Inc.
    Inventors: Nathaniel P. McCallum, Peter M. Jones
  • Patent number: 11387982
    Abstract: The invention relates to an authentication method. The method comprises: collecting, based on a predetermined authentication policy, at least one context data element; constituting, based on the at least one collected context data element, a data packet; generating, by using a predetermined hash type algorithm and the data packet, as input to the predetermined hash type algorithm, a hash; sending the generated hash; generating, as a hash distance generation step, a hash distance between the generated hash and a predetermined reference hash; and authenticating successfully or not based on the generated hash distance, as an authentication step. The invention also relates to a corresponding device and system.
    Type: Grant
    Filed: November 19, 2018
    Date of Patent: July 12, 2022
    Assignee: THALES DIS FRANCE SAS
    Inventors: Fabrice Delhoste, Frédéric Paillart, Sébastien Petit
  • Patent number: 11381389
    Abstract: A method and devices for securely and privately generating a threshold vault address and distributed individual key shares reliant upon individually selected polynomial functions, without revealing the key shares and without ever reconstructing the private key. A digital asset stored at the threshold vault address may be used as an input to a transaction through generating a digital signature corresponding to the threshold vault address. Methods and devices are described for collaboratively generating the digital signature without reconstructing the private key or revealing individual key shares. Methods and devices are described for refreshing the distributed private key shares.
    Type: Grant
    Filed: August 13, 2018
    Date of Patent: July 5, 2022
    Assignee: nChain Holdings Ltd.
    Inventor: Craig Steven Wright
  • Patent number: 11381394
    Abstract: An encryption key generating engine includes a random number pool, an entangling string generator, and a control circuit. The random number pool stores a plurality of random bits, and values of the plurality of random bits are generated randomly. The entangling string generator provides an entangling string according to an input key. The control circuit is coupled to the random number pool and the entangling string generator. The control circuit retrieves a sequence of random bits from the plurality of random bits stored in the random number pool according to the input key, receives the entangling string from the entangling string generator, and entangles the entangling string with the sequence of random bits to generate a secret key.
    Type: Grant
    Filed: July 16, 2020
    Date of Patent: July 5, 2022
    Assignee: PUFsecurity Corporation
    Inventors: Meng-Yi Wu, Ching-Sung Yang
  • Patent number: 11366869
    Abstract: Systems and methods for cache optimization are disclosed. A request for a user interface is received from a first user device. The request includes a user key. An interface key corresponding to an interface template of the requested user interface is generated from the user key. The interface template of the requested user interface is loaded. The interface template includes one or more edge side include (ESI) identifiers in the interface template. An element key corresponding to a first ESI element associated with a first of the one or more ESI identifiers is generated from the user key. The first ESI element is loaded and positioned at a location within the interface template identified by the first of the one or more ESI identifiers. A complete user interface is provided to the first user device. The complete user interface includes the interface template having the first ESI element positioned therein.
    Type: Grant
    Filed: December 7, 2018
    Date of Patent: June 21, 2022
    Assignee: Walmart Apollo, LLC
    Inventors: Stephen A. Bitondo, Anthony Tang, Shriram Sharma, Girish Subramanian, Duy Le
  • Patent number: 11363006
    Abstract: Systems and methods of matching identifiers between multiple datasets are described herein. A system can transmit a first identifier vector to a third party server. The first identifier vector can include a first identifier, first parameters, and second parameters. The system can receive, from the third party server, the first identifier vector encrypted based on a third-party encryption. The system can receive, from the third party server, a second identifier vector encrypted based on the third-party encryption associated with the third party server. The second identifier vector can include a second identifier, third parameters, and fourth parameters. The system can determine a correlation count between the first identifier vector and the second identifier vector. The system can determine that the first identifier corresponds to the second identifier based on the correlation count. The system can generate one identifier key for both the first identifier and the second identifier.
    Type: Grant
    Filed: April 8, 2020
    Date of Patent: June 14, 2022
    Assignee: GOOGLE LLC
    Inventors: Mahyar Salek, Philip McDonnell, Vinod Kumar Ramachandran, Shobhit Saxena, David Owen Shanahan
  • Patent number: 11354419
    Abstract: Techniques are provided for identifying and encrypting fields of an application object at an application layer in a multi-tenant cloud architecture, using an object metadata structure of the application object. Accordingly, transparent, per-tenant encryption capabilities are provided, while enabling transfer of encrypted object data between the application layer and a storage layer.
    Type: Grant
    Filed: July 29, 2016
    Date of Patent: June 7, 2022
    Assignee: SAP SE
    Inventor: Vipul Gupta
  • Patent number: 11357061
    Abstract: A system and a method of connecting devices via a Wireless-Fidelity (Wi-Fi) network are provided. The method of communication-connecting an external device to an Access Point (AP) via a Wi-Fi network is performed by a device and includes operations of receiving device information of the external device from the external device that operates in an AP mode, accessing the external device that operates in the AP mode, by using the device information, and providing connection information relating to the AP to the external device, and wherein, when the connection information is provided to the external device, the external device terminates operating in the AP mode, and the external device then accesses the AP based on the connection information.
    Type: Grant
    Filed: September 24, 2018
    Date of Patent: June 7, 2022
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Hee-chul Jeon, Jung-ho Kim, Yong-gook Park, Woo-hyoung Lee, Sang-ok Cha
  • Patent number: 11354450
    Abstract: A non-transitory computer readable storage medium has instructions executed by a processor to define a parent application executing on a secure runtime hardware resource. A state snapshot of the secure runtime hardware resource is maintained. A fork request for a child application to be derived from the parent application is received. An updated state snapshot of the state snapshot is formed. The child application is instantiated. Encrypted state is transferred from the parent application to the child application. The encrypted state is used to derive an encryption key shared by the parent application and the child application. The encrypted state in the child application is decrypted using the encryption key to spawn an independent child application operative as an additional secure runtime instance. The parent application on the secure runtime hardware resource and the child application operative as the additional secure runtime instance are executed independently.
    Type: Grant
    Filed: March 2, 2021
    Date of Patent: June 7, 2022
    Assignee: Anjuna Security, Inc.
    Inventors: Yan Michalevsky, Boris Mittelberg, Thomas Aprelev
  • Patent number: 11347877
    Abstract: Embodiments provide a method for facilitating sharing of digital documents between a sharing party and a relying party. The method includes receiving, by a processing system, an access request for accessing at least one attribute of a digital document. The access request is initiated at a relying party interface in a document sharing application. The method further includes sending, by the processing system, the access request to a sharing party interface in the document sharing application for approval of providing access to the at least one attribute of the digital document by the sharing party to the relying party. The method further includes, upon receiving the approval from the sharing party interface, generating a machine-readable encrypted code for the at least one attribute of the digital document. The method further includes sending the machine-readable encrypted code to the relying party interface.
    Type: Grant
    Filed: April 22, 2019
    Date of Patent: May 31, 2022
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventor: Rajesh Pralhadrao Mahalle
  • Patent number: 11341572
    Abstract: The invention relates to systems and methods for distributing market data. In one implementation, the system may generate a new encryption key at each market data update, and use that key to encrypt each market participant's data in that update before it is sent. Among other factors, characteristics of modern computer networks may cause participants to be sent (and to receive) their encrypted data in that update at different times. After the participants have all been sent their data in that update the system may then simultaneously transmit to those participants the key that will enable them to decipher their data. In an implementation, the key may be transmitted via a multicast transport protocol which can be used to ensure all recipients receive it at the same time. In this manner the invention may ensure that although participants receive their data in a given update at different times, they are unable to decipher that data until substantially the same time.
    Type: Grant
    Filed: November 7, 2014
    Date of Patent: May 24, 2022
    Assignee: Refinitiv US Organization LLC
    Inventor: Hayden Paul Melton
  • Patent number: 11341230
    Abstract: Described is a system for maintaining dual-party authentication requirements for data retention compliance in systems with remote access components. When administering a data retention policy, an operating system component may require a dual-party authentication mechanism to prevent data deletion, while a different authentication mechanism may control access to the remote access controller. Access to the remote access controller by a single privileged user, however, may enable overriding or compromising the retention lock compliance implemented by the operating system. Accordingly, the system may tie the dual-party authentication requirement to the remote access controller authentication mechanism.
    Type: Grant
    Filed: December 12, 2019
    Date of Patent: May 24, 2022
    Assignee: EMC IP Holding Company LLC
    Inventors: Senthil Ponnuswamy, Marcelo Vinante, Anjali Anjali, Anurag Sharma, Rekha Sampath
  • Patent number: 11334264
    Abstract: In some aspects, an apparatus for encoding data for delivery to or for decoding data retrieved from a storage medium comprises a memory device and at least one hardware processor. The memory device is configured to store at least one parameter associated with at least one cryptographic protocol, the at least one parameter comprising one or more of a first cryptographic scheme, a first cryptographic key operation, a first cryptographic key length, and first cipher directives. The hardware processor is configured to generate a first frame comprising a first field for one parameter selected from the first cryptographic scheme, the first cryptographic key operation, the first cryptographic key length, and the first cipher directives and excluding fields for non-selected parameters, wherein the first frame is associated with the data delivered to or retrieved from the storage medium.
    Type: Grant
    Filed: September 12, 2019
    Date of Patent: May 17, 2022
    Assignee: SEAPORT, INC.
    Inventors: William F. Van Duyne, William Spazante, Gwain Bayley
  • Patent number: 11336625
    Abstract: Technologies for accelerated QUIC packet processing include a computing device having a network controller. The computing device programs the network controller with an encryption key associated with a QUIC protocol connection. The computing device may pass a QUIC packet to the network controller, which encrypts a payload of the QUIC packet using the encryption key. The network controller may segment the QUIC packet into multiple segmented QUIC packets before encryption. The network controller transmits encrypted QUIC packets to a remote host. The network controller may receive encrypted QUIC packets from a remote host. The network controller decrypts the encrypted payload of received QUIC packets and may evaluate an assignment function with an entropy source in the received QUIC packets and forward the received QUIC packets to a receive queue based on the assignment function. Each receive queue may be associated with a processor core. Other embodiments are described and claimed.
    Type: Grant
    Filed: June 29, 2018
    Date of Patent: May 17, 2022
    Assignee: Intel Corporation
    Inventors: Manasi Deval, Gregory Bowers
  • Patent number: 11328082
    Abstract: Methods, systems, and devices for data processing are described. Some database systems may support differential privacy for encrypted data. For example, a database may store user data as ciphertext. A system may receive a statistical query for the user data and may identify a relevant differential privacy mechanism. The system may transform the query to operate on encrypted data while including a noisification function based on the mechanism. The system may execute the transformed query at the database, involving adding noise to the query result according to the noisification function without decrypting the data. For example, the system may leverage homomorphic encryption techniques to inject the noise while the data remains encrypted. The database may return the noisified, encrypted query results, which the system may decrypt for statistical analysis. By applying differential privacy on the encrypted data, the system may avoid exposing any private user information throughout the process.
    Type: Grant
    Filed: April 13, 2020
    Date of Patent: May 10, 2022
    Assignee: Ketch Kloud, Inc.
    Inventors: Yacov Salomon, Seth Yates, Maxwell Anderson, Vivek Vaidya, Anton Winter, Samuel Alexander, Tom Chavez
  • Patent number: 11323481
    Abstract: A network device may receive network traffic for an application. The network device may determine a first classification for the network traffic according to a first classification technique. The first classification may identify the network traffic as relating to a particular application or an unknown application. The network device may determine a second classification for the network traffic according to a second classification technique. The second classification may identify the network traffic as relating to an unknown application of a particular type and identity. The network device may process, based on whether the first classification identifies the network traffic as relating to the particular application or the unknown application, the network traffic according to a first security policy associated with the particular application or a second security policy associated with the unknown application of the particular type and identity.
    Type: Grant
    Filed: May 17, 2019
    Date of Patent: May 3, 2022
    Assignee: Juniper Networks, Inc.
    Inventor: Rajeev Chaubey
  • Patent number: 11321431
    Abstract: A method including obtaining a data query request sent by a client terminal; obtaining first query request data based on the data query request; duplicating the first query request data to obtain second query request data; embedding identifier information of the client terminal as watermark information into the second query request data to obtain watermarked query request data; and feeding the watermarked query request data back to the client terminal. The techniques of the present disclosure solve the problem of failure to track leakage during data breach.
    Type: Grant
    Filed: October 22, 2019
    Date of Patent: May 3, 2022
    Assignee: Alibaba Group Holding Limited
    Inventors: Yongliang Liu, Li Li
  • Patent number: 11308078
    Abstract: Systems, methods, and devices for executing a task on database data in response to a trigger event are disclosed. A method includes executing a transaction on a table comprising database data, wherein executing the transaction comprises generating a new table version. The method includes, in response to the transaction being fully executed, generating a change tracking entry comprising an indication of one or more modifications made to the table by the transaction and storing the change tracking entry in a change tracking stream. The method includes executing a task on the new table version in response to a trigger event.
    Type: Grant
    Filed: July 29, 2021
    Date of Patent: April 19, 2022
    Assignee: Snowflake Inc.
    Inventors: Istvan Cseri, Torsten Grabs, Benoit Dageville
  • Patent number: 11296867
    Abstract: A method for hash chain migration includes detecting a version update of an object that includes a hash chain that stores fields of the object. Sub chains are identified from the hash chain. Migration sub chains are generated from the plurality of sub chains using a plurality of processes. Container blocks are generated from the plurality of migration sub chains. A migration chain is generated from the plurality of container blocks. The object is accessed using the migration chain.
    Type: Grant
    Filed: May 1, 2019
    Date of Patent: April 5, 2022
    Assignee: Intuit Inc.
    Inventors: Glenn Scott, Michael Richard Gabriel
  • Patent number: 11295024
    Abstract: Providing smart contracts including secrets encrypted with oracle-provided encryption keys using thresholding cryptosystems is disclosed. In one example, a contract creator encrypts sensitive data necessary for executing a smart contract into ciphertext with multiple symmetric cryptographic keys using a threshold cryptosystem, such that a subset of at least size R of the symmetric cryptographic keys are required to decrypt the ciphertext. The symmetric cryptographic keys are encrypted into wrappers using a public cryptographic key of a contract executor. Envelopes are generated using public cryptographic keys of corresponding contract oracles, where the envelopes include the wrappers encrypted using the public cryptographic keys, and policies that specify condition(s) precedent and are authenticated using the public cryptographic keys. The smart contract, including the envelopes, the ciphertext, and R, is then deployed to the contract executor.
    Type: Grant
    Filed: January 18, 2019
    Date of Patent: April 5, 2022
    Assignee: Red Hat, Inc.
    Inventors: Michael H. M. Bursell, Axel Simon, Nathaniel McCallum
  • Patent number: 11294706
    Abstract: A processing system includes a first processing circuit including a first PLC configured to receive a red signal, a plurality of first processors operated by the first PLC to process the red signal, and a first hypervisor configured to control operation of the first processors. The processing system includes a second processing circuit physically separated from the first processing circuit that includes a second PLC configured to receive a black signal, a plurality of second processors operated by the second PLC to process the black signal, and a second hypervisor configured to control operation of the second processors. The processing system includes a configuration controller configured to identify an operation to be performed by at least one of the first or second processing circuit and cause at least one of the corresponding first hypervisor or second hypervisor to allocate respective first processors or second processors to perform the operation.
    Type: Grant
    Filed: November 27, 2019
    Date of Patent: April 5, 2022
    Assignee: Rockwell Collins, Inc.
    Inventors: Jodee Mae Ross, Angelo Joseph Ruggeri, Adriane R. Van Auken
  • Patent number: 11290262
    Abstract: For communicating securely between electronic devices using symmetric key encryption, a first electronic device transfers to a second electronic device metadata with positional information which indicates the position of a first cryptographic key in a cryptographic key hierarchy. The second electronic device derives the first cryptographic key by way of a one-way function from a second cryptographic key stored in the second electronic device, using the positional information received from the first electronic device. Subsequently, the first electronic device and the second electronic device communicate data securely with symmetric key encryption using the first cryptographic key.
    Type: Grant
    Filed: July 17, 2018
    Date of Patent: March 29, 2022
    Assignee: LEGIC Identsystems AG
    Inventor: Martin Buck
  • Patent number: 11283720
    Abstract: A network appliance can maintain an active set indicating active backends for a load balanced network service. To monitor the health of the backends, the network appliance can transmit a network packet to a backend that is one of the active backends in the active set and can receive a response packet responsive to the network packet. An invariant hash can be calculated from the response packet using fields that are the same when the response is a normal response (e.g. not an error response) from a healthy backend. If the packet indicates an error or is otherwise indicative of a problem, the network appliance can determine, using the invariant hash, that the response packet does not match an expected result associated with the backend. Based on the error, the number of network packets resulting in errors, etc., the backend can be removed from the active set.
    Type: Grant
    Filed: December 30, 2020
    Date of Patent: March 22, 2022
    Assignee: Pensando Systems, Inc.
    Inventors: William R. Long, Vipin Jain
  • Patent number: 11283789
    Abstract: An access management system (AMS) is disclosed that includes SSO capabilities for providing users secure access to protected resources within an enterprise using encryption keys generated by a client application. The AMS receives a request from a client application for a user to access a protected resource. In certain examples, the request comprises a client application identifier, a session identifier and a client public encryption key. The AMS determines if the session identifier points to a valid session and upon determining that the session identifier corresponds to a valid session, transmits information associated with the valid session to the client application. In certain examples, the information associated with the valid session is encrypted using the client public encryption key. Based on information associated with the valid session received from the client application, the AMS determines whether to grant or deny a user access to a protected resource within the enterprise.
    Type: Grant
    Filed: February 13, 2020
    Date of Patent: March 22, 2022
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Nagaraj Pattar, Pruthvithej Ramesh Kumar
  • Patent number: 11277410
    Abstract: Described herein is a computer implemented method for configuring a receiving system to receive data from a sending system. The method comprises receiving an integration creation request from a client application. In response, a specific integration user account is created with credentials which provide access to the receiving system. The credentials are communicated to the client application. In addition, an integration record comprising details in respect of the integration is created, stored, and associated with the specific integration user account.
    Type: Grant
    Filed: March 31, 2020
    Date of Patent: March 15, 2022
    Assignees: ATLASSIAN PTY LTD., ATLASSIAN INC.
    Inventors: Carl Christian Rolf, Oliver Burn, James Navin, Rafal Krzysztof Myslek
  • Patent number: 11271759
    Abstract: Systems and methods for securing blockchain and other cryptographically signed ledgers are disclosed. Client devices with arrays of physical-unclonable-function devices respond to challenges from a server. Characteristics of the arrays are stored by the server during a secure enrollment process. Subsequently, the server issues challenges to the clients and receives responses generated by the clients from characteristics of portions of the arrays specified by the challenges. The challenge responses are used to authenticate the clients and are also used as cryptographic private keys for signing transaction blocks. Public keys corresponding to the private keys are generated allowing signed transaction blocks to be validated as well as allowing clients originating the transactions to be authenticated by other clients. Ternary PUF characterization schemes are used to achieve acceptable authentication error rates.
    Type: Grant
    Filed: September 4, 2019
    Date of Patent: March 8, 2022
    Assignee: ARIZONA BOARD OF REGENTS ON BEHALF OF NORTHERN ARIZONA UNIVERSITY
    Inventor: Bertrand F Cambou
  • Patent number: 11271912
    Abstract: The present disclosure relates to a system for providing an anonymous and obfuscated communication over a virtual, modular and distributed satellite communication network.
    Type: Grant
    Filed: October 11, 2019
    Date of Patent: March 8, 2022
    Assignee: ENVISTACOM, LLC
    Inventors: Kasra Toyserkani, Michael Beeler, Cris Mamaril, Michael Geist
  • Patent number: 11265707
    Abstract: Methods, systems, and devices for wireless communications are described that improve privacy in wireless communications, such as communications by a user equipment (UE), which may in some cases be a vehicle UE. For example, various vehicle-to-everything (V2X) transmissions may be unencrypted, and a vehicle may be expected to periodically change one or more identifiers it uses for various communication services. Privacy may be enhanced, for example, via encryption key roll-over, as well as roll-over of one or more other identifiers associated with a UE that may potentially be used by an observer to track the UE. The UE may transmit a message that includes an updated lower layer identifier (e.g., a layer-2 (L2) identifier) to another UE in a V2X unicast communications link, which may trigger a change in identifiers of a set of identifiers and an updated security context. All or a portion of the message may be encrypted.
    Type: Grant
    Filed: December 17, 2020
    Date of Patent: March 1, 2022
    Assignee: QUALCOMM Incorporated
    Inventors: Michaela Vanderveen, Hong Cheng, Junyi Li, Shailesh Patil
  • Patent number: 11265175
    Abstract: A non-transitory computer readable storage medium has instructions executed by a processor to receive an original collection of symbols. A single use coding function is applied to the original collection of symbols to form a new collection of symbols. Encryption keys associated with a user are formed. The new collection of symbols is encrypted to form a recoded encrypted symbol file stored at a network accessible memory location. A distributed ledger entry with a data control signature is formed using the single use coding function encrypted with a private key. The distributed ledger entry is written to a distributed ledger. The distributed ledger entry is accessed. The recoded encrypted symbol file is read from the network accessible memory location. The data control signature and a symmetric key are used to convert the recoded encrypted symbol file to the original collection of symbols.
    Type: Grant
    Filed: July 1, 2019
    Date of Patent: March 1, 2022
    Inventors: Roelof Louis Barry, Andrew Charles Kessler
  • Patent number: 11258774
    Abstract: A network device may decrypt a record received from a source device and associated with an encrypted session. The network device may process the decrypted record. The network device may encrypt the record to generate an encrypted payload. The network device may store an entry in a retransmission mapping that includes a decryption key used to decrypt the record and an encryption key used to encrypt the record. The network device may transmit the encrypted payload in a first TCP packet toward the destination device. The network device may receive retransmitted data and may determine, based on the record entry, that the retransmitted data is associated with the record. The network device may decrypt, using the decryption key, the retransmitted data and may re-encrypt, using the encryption key, the decrypted record. The network device may transmit, toward the destination device, the encrypted payload in a second TCP packet.
    Type: Grant
    Filed: August 24, 2020
    Date of Patent: February 22, 2022
    Assignee: Juniper Networks, Inc.
    Inventor: Rajeev Chaubey