Having Particular Address Related Cryptography Patents (Class 713/162)
-
Patent number: 9055428
Abstract: A communication apparatus of the present invention is a communication apparatus that communicates with a plurality of other communication apparatuses, and starts processing for setting an address for the communication apparatus using encrypted communication when encrypted communication with the plurality of communication apparatuses becomes possible by sharing encryption keys for encrypting communication with the other communication apparatuses.
Type: Grant
Filed: December 1, 2011
Date of Patent: June 9, 2015
Assignee: Canon Kabushiki Kaisha
Inventor: Toshifumi Hamachi
-
Patent number: 9043593
Abstract: Mechanisms are provided for handling a database client request. An encrypted database client request (DCR) is received, by an unsecure access local agent, from a client computing device as part of a session between the client computing device and a database data processing system. The unsecure access local agent retrieves a database session information (DSI) address corresponding to the session and generates a first unique identifiable key (UIK) based on a portion of the encrypted DCR. The unsecure access local agent generates a DSI mapping data structure that maps the first UIK to the DSI address. A secure access local agent of the database data processing system processes the encrypted DCR using the DSI mapping data structure.
Type: Grant
Filed: March 11, 2013
Date of Patent: May 26, 2015
Assignee: International Business Machines Corporation
Inventor: Leonid Rodniansky
-
Patent number: 9042549
Abstract: Disclosed is a method for address privacy protection for a first wireless device sharing a privacy key with a second wireless device. In the method, a first resolution tag is generated at the first wireless device using a pseudo-random function with the seed value and the privacy key as input arguments. The privacy key is only known to the first and second wireless devices. A privacy address is generated for the first wireless device based on the seed value and the first resolution tag. A packet is transmitted from the first wireless device to the second wireless device. The packet includes the privacy address and the first resolution tag.
Type: Grant
Filed: March 30, 2009
Date of Patent: May 26, 2015
Assignee: Qualcomm Incorporated
Inventors: Lu Xiao, Yong Jin Kim, Zhanfeng Jia, David Jonathan Julian
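The sender and receiver sides of the resolution-tag scheme in this abstract, written out as an added example (not code from the patent or its assignee). The PRF is assumed to be HMAC-SHA256, the seed and tag lengths are assumptions chosen for readability, and the privacy key is a constructed value; the address carries the seed together with the tag, so the receiving device needs nothing beyond the shared key to resolve it.

```python
import hmac
import hashlib
import secrets
from typing import Dict, Optional

# Constructed example values: a 128-bit privacy key shared out of band, a
# 3-byte random seed and a 3-byte resolution tag. Sizes are assumptions made
# for this illustration, not taken from the patent text.
PRIVACY_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
SEED_LEN = 3
TAG_LEN = 3


def resolution_tag(privacy_key: bytes, seed: bytes) -> bytes:
    """PRF(seed, privacy_key), here HMAC-SHA256 truncated to TAG_LEN bytes.
    Without the key a third party can neither compute nor predict the tag."""
    return hmac.new(privacy_key, seed, hashlib.sha256).digest()[:TAG_LEN]


def make_privacy_address(privacy_key: bytes, seed: Optional[bytes] = None) -> bytes:
    """Sender side: pick a fresh random seed and derive the tag from it. The
    address is seed || tag, so every packet can use a new, unlinkable address."""
    if seed is None:
        seed = secrets.token_bytes(SEED_LEN)
    return seed + resolution_tag(privacy_key, seed)


def resolve_address(address: bytes, peer_keys: Dict[str, bytes]) -> Optional[str]:
    """Receiver side: split the address into seed and tag, recompute the tag
    under each known peer's privacy key, and report which peer (if any) sent it.
    The comparison is constant-time so timing does not leak partial matches."""
    seed, tag = address[:SEED_LEN], address[SEED_LEN:]
    if len(tag) != TAG_LEN:
        return None
    for peer, key in peer_keys.items():
        if hmac.compare_digest(resolution_tag(key, seed), tag):
            return peer
    return None


if __name__ == "__main__":
    peers = {"device-B": PRIVACY_KEY}
    a1 = make_privacy_address(PRIVACY_KEY)
    a2 = make_privacy_address(PRIVACY_KEY)
    print(a1.hex(), "->", resolve_address(a1, peers))
    print(a2.hex(), "->", resolve_address(a2, peers))  # different address, same peer
```

The receiver loops over every peer key it holds, so resolution cost grows with the number of paired devices; with a short tag a receiver with many keys should expect occasional false matches and confirm the peer at a higher layer.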
-
Publication number: 20150143110
Abstract: Methods and systems for managing encrypted network traffic using spoofed addresses. One example method includes receiving a request to resolve a domain name; determining that the domain name is included in a predetermined set of domain names; associating a spoofed address with the domain name; sending a response to the request to resolve the domain name, the response including the spoofed address; receiving a secure request for a resource, the secure request directed to the spoofed address; determining that the secure request is directed to the domain name based on the association between the spoofed address and the domain name; and selectively decrypting the secure request based at least in part on determining that the secure request is directed to the domain name.
Type: Application
Filed: November 20, 2013
Publication date: May 21, 2015
Applicant: Phantom Technologies, Inc.
Inventor: Paul Michael Martini
-
Patent number: 9030946
Abstract: A method of providing security for network access radio systems and associated access radio security systems used with the systems. The method includes connecting an access radio having a radio link to a network; communicating between the access radio and a computer over the network using a ping application having ping commands and unique encrypted codes; and enabling operation of the access radio when the access radio is receiving ping commands. Typically, the access radio and the computer are nodes on the network and the network is a local area network (LAN). The ping application sends packets of information from the computer to the access radio and receives a response from the access radio. The ping application must be functioning (i.e., sending and receiving commands between the computer and the access radio) to enable the access radio to communicate via the radio link with a remote network.
Type: Grant
Filed: January 15, 2014
Date of Patent: May 12, 2015
Assignee: AT&T Intellectual Property II, L.P.
Inventor: Sanford Brown
-
Patent number: 9027136
Abstract: According to one embodiment, a web application layer attack detector (AD) is coupled between an HTTP client and a web application server. Responsive to receipt of a set of packets from the HTTP client carrying a web application layer message that violates a condition of a security rule, the AD transmits an alert package to an automatic attribute value generation and rule feedback module (AVGRFM). The AVGRFM uses the alert package, and optionally other alert packages from the same AD or other ADs, to automatically generate a new set of attribute values for each of a set of attribute identifiers for use, by the AD or other ADs, in a different security rule than the violated security rule. The new set of attribute values may be used in an attack specific rule to detect a previously unknown web application layer attack.
Type: Grant
Filed: July 22, 2013
Date of Patent: May 5, 2015
Assignee: Imperva, Inc.
Inventors: Tal Arieh Be'ery, Shelly Hershkovitz, Nitzan Niv, Amichai Shulman
-
Patent number: 9021272
Abstract: The present invention relates to key management in a secure microcontroller, and more particularly, to systems, devices and methods of automatically and transparently employing logic or physical address based keys that may also be transferred using dedicated buses. A cryptographic engine translates a logic address to at least one physical address, and processes a corresponding data word based on at least one target key. The target key is selected from a plurality of keys based on the logic or physical address. A universal memory controller stores each processed data word in the corresponding physical address within a memory. Each key is associated with a memory region within the memory, and therefore, the logic or physical address associated with a memory region may be used to automatically identify the corresponding target key. A dedicated secure link may be used to transport key request commands and the plurality of keys.
Type: Grant
Filed: August 28, 2012
Date of Patent: April 28, 2015
Assignee: Maxim Integrated Products, Inc.
Inventors: Vincent Debout, Frank Lhermet, Yann Yves René Loisel, Grégory Rome, Christophe Tremlet
-
Patent number: 9009467
Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for authenticating a communications source. In one aspect, a method includes decrypting a symbol that was received over a particular communications channel. The symbol is decrypted using a decryption key that is assigned to a particular endpoint that is assigned the particular communications channel. A measure of error is computed for the decrypted symbol. In turn, a determination is made whether the measure of error exceeds a threshold error measure. If the measure of error does not exceed the threshold error measure the decrypted symbol is identified as a valid symbol transmitted by the particular endpoint, and logged as such. If the measure of error exceeds the threshold error measure, the decrypted symbol is identified as a symbol from a different endpoint.
Type: Grant
Filed: September 19, 2013
Date of Patent: April 14, 2015
Assignee: Landis+Gyr Technologies, LLC
Inventor: Damian Bonicatto
-
Patent number: 9009474
Abstract: A method and apparatus for detecting data modification in a layered operating system is disclosed. Outbound content indicators at different layers are compared to detect potential outbound data modifications. Likewise, inbound content indicators at different layers are compared to detect potential inbound data modifications. Content indicators include checksum, cryptographic hash, signature, and fingerprint indicators. Embodiments of the present invention enable detection of data modifications across an operating system's kernel and user mode spaces, prevention of modified outbound data from reaching a network, prevention of modified input data from reaching a user application, and detection of malware and faults within an operating system.
Type: Grant
Filed: April 28, 2014
Date of Patent: April 14, 2015
Assignee: Trend Micro Incorporated
Inventor: Blake Stanton Sutherland
-
Patent number: 8983072
Abstract: Disclosed is a method for securely processing data in a portable data carrier. Said method is characterized by the following steps: a) the data to be processed is requested; b) the data to be processed is encoded; c) the encoded data is temporarily stored in a buffer storage zone of the data carrier; d) the temporarily stored, encoded data is decoded by means of a decoding key; and e) the decoded data is processed.
Type: Grant
Filed: May 11, 2006
Date of Patent: March 17, 2015
Assignee: Giesecke & Devrient GmbH
Inventor: Michael Baldischweiler
-
Patent number: 8983061
Abstract: A method and apparatus cryptographically process data including a plurality of data segments. The cryptographic process includes (a) receiving a plurality of data segments, (b) selecting, for each data segment, a set of encryption information based on data contained in a predetermined portion of the data segment to be encrypted, and (c) encrypting each data segment using the set of encryption information selected for the data segment. At least one of an encryption algorithm, an encryption key, and an encryption parameter may be changed for each data segment based on the data contained in the predetermined portion. The predetermined portion may include a first predetermined portion for selecting a first set of encryption information, and a second predetermined portion for selecting a second set of encryption information, the encryption information including an encryption algorithm, an encryption key, and optionally an encryption parameter.
Type: Grant
Filed: February 13, 2004
Date of Patent: March 17, 2015
Assignee: IVI Holdings Ltd.
Inventor: Masashi Watanabe
-
Publication number: 20150074391
Abstract: Disclosed are various embodiments for performing stateless verification of communication addresses. Encrypted verification data is generated for a user, including a communication address, an identifier of the user, a verification code, and a timestamp. The encrypted verification data is sent to the user, and the verification code is transmitted to the communication address. The encrypted verification data and the verification code are received from the user. The communication address is verified based at least in part on the verification code received from the user and the encrypted verification data received from the user.
Type: Application
Filed: November 14, 2014
Publication date: March 12, 2015
Inventors: Artur Barbalho de Oliveira Souza, Rajendra K. Vippagunta, Justin Tolmar White, Tal Elisha Shprecher, Brendan J. Farrington, Jon T. Rogers
-
Patent number: 8977847
Abstract: A distributed challenge-response protocol is carried out between a verifier and a prover. The verifier comprises servers storing respective shares of a set of challenge-response pairs. A particular challenge of one of the challenge-response pairs is sent to the prover, and a response to the challenge is received from the prover. The received response is authenticated as an appropriate response to the particular challenge based on indications from respective ones of at least a subset of the servers as to whether or not the received response matches respective reconstructed responses computed by those servers. A given one of the servers may be configured to reconstruct the particular challenge using information associated with the share stored in the given server and information associated with at least one other share stored in at least one other server, with the reconstructed challenge being to be sent to the prover as the particular challenge.
Type: Grant
Filed: March 13, 2013
Date of Patent: March 10, 2015
Assignee: EMC Corporation
Inventor: Ari Juels
-
Patent number: 8972737
Abstract: A data processing device for playing back a digital work reduces the processing load involved in verification by using only a predetermined number of encrypted units selected randomly from multiple encrypted units constituting encrypted contents recorded on a DVD. In addition, the data processing device improves the accuracy of detecting unauthorized contents by randomly selecting a predetermined number of encrypted units every time the verification is performed.
Type: Grant
Filed: January 15, 2014
Date of Patent: March 3, 2015
Assignee: Panasonic Intellectual Property Management Co., Ltd.
Inventors: Masao Nonaka, Yuichi Futa, Toshihisa Nakano, Kaoru Yokota, Motoji Ohmori, Masaya Miyazaki, Masaya Yamamoto, Kaoru Murase, Senichi Onoda
-
Patent number: 8959338
Abstract: A remote access manager in a virtual computing services environment negotiates a time limited NAT routing rule to establish a connection between a remote device and virtual desktop resource providing user computing services. A series of NAT connection rules are revised in a dynamic manner such that a pool of ports is available to connect a plurality of remote users to local virtual compute resources over one or more public IP addresses. Once a connection is established, an entry is made in a firewall state table such that the firewall state table allows uninterrupted use of the established connection. After an entry has been made in the state table, or the routing rule has timed out, the port associated with the original NAT routing rule is removed and the same port can be re-used to establish another connection without disrupting active connections.
Type: Grant
Filed: October 1, 2012
Date of Patent: February 17, 2015
Assignee: Desktone, Inc.
Inventors: James Snow, Andrew W. Hobgood, Clinton B. Battersby
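The port-recycling logic this abstract describes, as an added example rather than code from the patent or its assignee: a remote access manager hands out time-limited NAT rules from a shared port pool, moves an established connection into a firewall state table on its first packet, and then returns the port to the pool while the connection keeps flowing. The rule lifetime, the public IP and the port range are constructed values.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed example: a 30-second window for the remote device to connect.
RULE_TTL_SECONDS = 30


class NatRule:
    def __init__(self, port: int, client: str, desktop: str, expires: int):
        self.port, self.client, self.desktop, self.expires = port, client, desktop, expires


class RemoteAccessManager:
    """Hands out time-limited NAT rules from a port pool and moves established
    connections into a firewall state table so the port can be recycled
    without cutting the connection that is using it."""

    def __init__(self, public_ip: str, ports: List[int]):
        self.public_ip = public_ip
        self.free_ports: List[int] = sorted(ports)
        self.pending: Dict[int, NatRule] = {}        # port -> rule awaiting the first packet
        # established connections, keyed by (client, public_ip, port, desktop)
        self.state_table: Set[Tuple[str, str, int, str]] = set()

    def expire_rules(self, now: int) -> List[int]:
        """Drop rules whose window passed with no connection; return released ports."""
        released = [p for p, r in self.pending.items() if r.expires <= now]
        for p in released:
            del self.pending[p]
            self.free_ports.append(p)
        self.free_ports.sort()
        return released

    def negotiate(self, client: str, desktop: str, now: int) -> Optional[Tuple[str, int]]:
        """Create a NAT rule for one remote user; None if the pool is exhausted."""
        self.expire_rules(now)
        if not self.free_ports:
            return None
        port = self.free_ports.pop(0)
        self.pending[port] = NatRule(port, client, desktop, now + RULE_TTL_SECONDS)
        return self.public_ip, port

    def first_packet(self, client: str, port: int, now: int) -> bool:
        """The remote device's first packet arrives at public_ip:port. Only the
        client the rule was negotiated for, inside the window, is accepted; the
        5-tuple then enters the state table and the port goes back to the pool."""
        rule = self.pending.get(port)
        if rule is None or rule.client != client or rule.expires <= now:
            return False
        self.state_table.add((client, self.public_ip, port, rule.desktop))
        del self.pending[port]
        self.free_ports.append(port)
        self.free_ports.sort()
        return True

    def is_allowed(self, client: str, port: int, desktop: str) -> bool:
        """Firewall check for later packets: established flows pass on their state entry."""
        return (client, self.public_ip, port, desktop) in self.state_table
```

The same public port can be in the state table for one client and in a fresh pending rule for another at the same time; the two flows stay distinct because the state entry is keyed on the full tuple, which is what lets the pool stay small.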
-
Publication number: 20150046703
Abstract: A method of network joining. A first service node (SN) of SNs in a multi-Personal Area Network including data concentrators (DCs) that communicate with a server over a common communications medium configures a beacon request frame (BRF) including a Media Access Control (MAC) header including a header information element (HIE) or a payload IE (PIE), and a MAC CRC footer. The BRF includes a unique address of a first DC corresponding to the first SN or an encrypted data sequence with a key. The first SN transmits the BRF over the common communications medium. Responsive to receiving the BRF, the first DC processes the BRF to identify the unique address or has the key and applies the key to decipher the encrypted BRF. The first DC transmits a beacon frame over the common communications medium, wherein others of the plurality of DCs do not transmit respective beacon frames.
Type: Application
Filed: July 25, 2014
Publication date: February 12, 2015
Inventors: ROBERT LIANG, KUMARAN VIJAYASANKAR
-
Publication number: 20150046704
Abstract: A method of network joining. A first service node (SN) of SNs in a multi-Personal Area Network including data concentrators (DCs) that communicate with a server over a common communications medium configures a beacon request frame (BRF) including a Media Access Control (MAC) header including a header information element (HIE) or a payload IE (PIE), and a MAC CRC footer. The BRF includes a unique address of a first DC corresponding to the first SN or an encrypted data sequence with a key. The first SN transmits the BRF over the common communications medium. Responsive to receiving the BRF, the first DC processes the BRF to identify the unique address or has the key and applies the key to decipher the encrypted BRF. The first DC transmits a beacon frame over the common communications medium, wherein others of the plurality of DCs do not transmit respective beacon frames.
Type: Application
Filed: July 25, 2014
Publication date: February 12, 2015
Inventors: ROBERT LIANG, KUMARAN VIJAYASANKAR
-
Patent number: 8943313
Abstract: A data processing system, a server such as a federated server, a computer system, and like devices, and associated operating methods can be configured to support fine-grained security including resource allocation and resource scheduling. A data processing system can comprise a federated server operable to access data distributed among a plurality of remote data sources upon request from a plurality of client users and applications; and logic executable on the federated server. The logic can be operable to enforce fine-grained security operations on a plurality of federated shared data sets distributed among the plurality of remote data sources.
Type: Grant
Filed: July 29, 2011
Date of Patent: January 27, 2015
Assignee: Elwha LLC
Inventors: Andrew F. Glew, Daniel A. Gerrity, Clarence T. Tegreene
-
Patent number: 8938075
Abstract: Devices are provided with secret information to indicate which other devices are eligible to establish communication sessions. Information leaks about the eligibility of devices are prevented when no communication sessions are established. Each device makes a set of preference information items publicly available. Each preference information item selects an eligible device in cloaked way. Each protected information item contains protected information such as an encrypted random number that can be decrypted only by the eligible device. When a request to establish a communication is processed by a first and second device, the first and second device indicate which of their preference information items should be used. The devices then each attempt to decrypt the protected information from the other one's indicated preference information item and each combines the result with the protected information used to make the preference information item that it indicated to the other.
Type: Grant
Filed: February 24, 2010
Date of Patent: January 20, 2015
Assignee: Nederlandse Organisatie voor toegepast-natuurwetenschappelijk Onderzoek TNO
Inventor: Peter Joannes Mathias Veugen
-
Patent number: 8934626
Abstract: The present invention concerns the field of broadcast encryption method, i.e. a method to organize the distribution of keys into a group of users so that it is possible to manage the revocation of one member of the group in an efficient way. The proposed solution is a private encryption key ciphertext constant collusion-resistant broadcast encryption. The main idea behind the invention is to mix the notion of efficient tree-based key derivation (also called subset management) with individual and personalized key blinding thus achieving a full collusion-resistant broadcast encryption system. The key de-blinding is performed at the last moment thanks to a cryptographic technique called pairings (also known as bilinear maps) resulting in a global key commonly shared by all authorized (non-revoked) devices.
Type: Grant
Filed: March 1, 2011
Date of Patent: January 13, 2015
Assignee: Nagravision S.A.
Inventor: Alexandre Karlov
-
Patent number: 8930690
Abstract: The present invention extends to methods, systems, and computer program products for offloading packet processing for networking device virtualization. A host maintains rule set(s) for a virtual machine, and a physical network interface card (NIC) maintains flow table(s) for the virtual machine. The physical NIC receives and processes a network packet associated with the virtual machine. Processing the network packet includes the physical NIC comparing the network packet with the flow table(s) at the physical NIC. When the network packet matches with a flow in the flow table(s) at the physical NIC, the physical NIC performs an action on the network packet based on the matching flow. Alternatively, when the network packet does not match with a flow in the flow table(s) at the physical NIC, the physical NIC passes the network packet to the host partition for processing against the rule set(s).
Type: Grant
Filed: July 17, 2012
Date of Patent: January 6, 2015
Assignee: Microsoft Corporation
Inventors: Yue Zuo, Daniel M. Firestone, Albert Gordon Greenberg, HoYuen Chau, Yimin Deng, Bryan William Tuttle, Pankaj Garg
-
Patent number: 8931098
Abstract: A method includes: generating object information that indicates an object designated from among a header item, text, and attached information of a received email, or feature amount information based on the object information and a predetermined function, when a source is an address in an internal network, decrypting verification information added to the received email using secret key information shared in the internal network, when the source is an address over an external network, decrypting the verification information using public key information shared with the source, and verifying whether or not the received email is a spoofed mail based on the object information or the feature amount information, and the decrypted verification information.
Type: Grant
Filed: March 11, 2013
Date of Patent: January 6, 2015
Assignee: Fujitsu Limited
Inventors: Takashi Yoshioka, Hiroshi Tsuda
-
Patent number: 8930687
Abstract: In an encrypted storage system employing data deduplication, encrypted data units are stored with the respective keyed data digests. A secure equivalence process is performed to determine whether an encrypted data unit on one storage unit is a duplicate of an encrypted data unit on another storage unit. The process includes an exchange phase and a testing phase in which no sensitive information is exposed outside the storage units. If duplication is detected then the duplicate data unit is deleted from one of the storage units and replaced with a mapping to the encrypted data unit as stored on the other storage unit. The mapping is used at the one storage unit when the corresponding logical data unit is accessed there.
Type: Grant
Filed: March 15, 2013
Date of Patent: January 6, 2015
Assignee: EMC Corporation
Inventors: Peter Alan Robinson, Eric Young
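One way to realise the exchange phase and testing phase this abstract describes, as an added example rather than the patent's own process. The keyed digest is assumed to be an HMAC the client computes over the plaintext under a key the storage units never see; the ciphertexts are opaque constructed byte strings because how the client encrypts is outside the comparison. In the exchange phase each unit contributes a nonce; in the testing phase each unit publishes an HMAC keyed by its own digest over both nonces. The two tokens agree exactly when the digests agree, and a token reveals nothing about the digest to the other unit.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Constructed client-side digest key; the storage units do not hold it.
DIGEST_KEY = bytes.fromhex("603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4")


def keyed_digest(plaintext: bytes) -> bytes:
    """Client side: HMAC over the plaintext, stored beside the ciphertext."""
    return hmac.new(DIGEST_KEY, plaintext, hashlib.sha256).digest()


class StorageUnit:
    def __init__(self, name: str):
        self.name = name
        self.units: Dict[str, Tuple[bytes, bytes]] = {}   # logical id -> (ciphertext, digest)
        self.mappings: Dict[str, Tuple[str, str]] = {}    # logical id -> (other unit, other id)

    def store(self, logical_id: str, ciphertext: bytes, digest: bytes) -> None:
        self.units[logical_id] = (ciphertext, digest)

    # exchange phase: each side contributes a fresh nonce so tokens cannot be replayed
    def exchange_nonce(self) -> bytes:
        return secrets.token_bytes(16)

    # testing phase: a token derived from the digest, not the digest itself
    def equivalence_token(self, logical_id: str, nonce_a: bytes, nonce_b: bytes) -> bytes:
        _, digest = self.units[logical_id]
        return hmac.new(digest, nonce_a + nonce_b, hashlib.sha256).digest()

    def lookup(self, logical_id: str, fleet: Dict[str, "StorageUnit"]) -> bytes:
        """Access path: follow the mapping when this unit no longer holds the bytes."""
        if logical_id in self.mappings:
            other, other_id = self.mappings[logical_id]
            return fleet[other].lookup(other_id, fleet)
        return self.units[logical_id][0]


def secure_equivalence(a: StorageUnit, id_a: str, b: StorageUnit, id_b: str) -> bool:
    """Tokens match iff the keyed digests match; neither token exposes a digest."""
    na, nb = a.exchange_nonce(), b.exchange_nonce()
    return hmac.compare_digest(a.equivalence_token(id_a, na, nb),
                               b.equivalence_token(id_b, na, nb))


def deduplicate(a: StorageUnit, id_a: str, b: StorageUnit, id_b: str) -> bool:
    """If the units are equivalent, delete b's copy and leave a mapping to a's."""
    if not secure_equivalence(a, id_a, b, id_b):
        return False
    del b.units[id_b]
    b.mappings[id_b] = (a.name, id_a)
    return True
```

Note that the ciphertexts themselves are never compared: two units encrypting the same plaintext under different keys or IVs hold different bytes, which is exactly why the comparison has to run over the keyed digests.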
-
Patent number: 8924719
Abstract: Secure bulk messaging mechanism in which, roughly described, a sender first encrypts a message once. The message can be decrypted with a message decryption key. These can be symmetric or asymmetric keys. For each recipient, the sender then encrypts the message decryption key with the recipient's public key. The sender then sends the encrypted message and the encrypted message decryption keys to a store-and-forward server. Subsequently, one or more recipients connect to the server and retrieve the encrypted message and the message encryption key that has been encrypted with the recipient's public key. Alternatively, the server can forward these items to each individual recipient. The recipient then decrypts the encrypted message decryption key with the recipient's private key, resulting in an unencrypted message decryption key. The recipient then decrypts the message using the unencrypted message decryption key.
Type: Grant
Filed: December 17, 2012
Date of Patent: December 30, 2014
Assignee: Axway Inc.
Inventor: David Jevans
-
Publication number: 20140380041
Abstract: A mobile communication device registers for data communication through a mobile communication network with a packet-based network. The device may or may not have a mobile device number, and registers using a fully-qualified-domain-name (FQDN) uniquely identifying the device in a domain-name-system (DNS) of the packet-based network. A packet-data-network gateway assigns a packet-based address for the device, and generates a request for registering the address with the FQDN in a DNS server. Alternatively, the device generates the packet-based address based on a received portion of the address, retrieves the FQDN from an identity module, and sends a DNS-Update message to the DNS server including the address and FQDN. Again alternatively, a DNS server receives an encrypted DNS update message including a FQDN and a packet-based address, and decrypts the message prior to registering the address and FQDN in a DNS database.
Type: Application
Filed: September 8, 2014
Publication date: December 25, 2014
Inventor: Praveen Gupta
-
Patent number: 8909967
Abstract: A technique for secure computation obfuscates program execution such that observers cannot detect what instructions are being run at any given time. Rather, program execution and memory access patterns are made to appear uniform. A processor operates based on encrypted inputs and produces encrypted outputs. In various examples, obfuscation is achieved by exercising computational circuits in a similar way for a wide range of instructions, such that all such instructions, regardless of their operational differences, affect the processor's power dissipation and processing time substantially uniformly. Obfuscation is further achieved by limiting memory accesses to predetermined time intervals, with memory interface circuits exercised regardless of whether a running program requires a memory access or not. The resulting processor thus reduces leakage of any meaningful information relating to the program or its inputs, which could otherwise be detectable to observers.
Type: Grant
Filed: December 31, 2012
Date of Patent: December 9, 2014
Assignee: EMC Corporation
Inventor: Marten van Dijk
-
Patent number: 8910304
Abstract: A control API controls secret data to be stored in a secret data storage area which is accessible only to the control API. Moreover, the control API controls the file information storing part in the secret data storage area to store (i) storing location information of the stored secret data and (ii) administrative storage location information notified by the web application so that the storing location information and the administrative storage location information are associated with each other. This makes it possible to (i) prevent a leakage of confidential information and (ii) allow an authorized web application to easily use the confidential information.
Type: Grant
Filed: October 25, 2012
Date of Patent: December 9, 2014
Assignee: Sharp Kabushiki Kaisha
Inventor: Kunihiko Tsujimoto
-
Patent number: 8897445
Abstract: A combination-based broadcast encryption method includes: assigning by a server a base group of different combinations to each user; producing and sending secret information for each user by using as a base the base group allocated to each user; producing and sending an inverse-base parameter value through calculations with integers used to produce the base group and key value information of one or more privileged users; and deriving a group key by using the key value information of the privileged users, encrypting a session key by using the derived group key, and sending the encrypted session key to each user. Accordingly, each user is assigned a different base through a combination, thereby having security against collusion attacks.
Type: Grant
Filed: April 30, 2012
Date of Patent: November 25, 2014
Assignee: Samsung Electronics Co., Ltd.
Inventors: Weon-il Jin, Dae-youb Kim, Hwan-joon Kim, Sung-joon Park
-
Publication number: 20140344568
Abstract: A packet sending node is employed in a network segment. The packet sending node includes a packet storage module, a packet sending module and a packet accepting module. The packet storage module is configured to store an encryption packet including a network address of the packet sending node. The packet sending module is configured to send the encryption packet to a packet receiving node in the network segment based on the user datagram protocol. The packet accepting module is configured to receive a response packet sent by the packet receiving node according to the network address of the packet sending node in the encryption packet. A server node discovery mechanism and a packet receiving module are also provided.
Type: Application
Filed: May 16, 2014
Publication date: November 20, 2014
Applicant: HON HAI PRECISION INDUSTRY CO., LTD.
Inventor: JIA-RU YANG
-
Patent number: 8891764
Abstract: A method is disclosed for quarantining digital content data for a service in a terminal device. In an embodiment, the method includes creating a digital content data item, e.g.
Type: Grant
Filed: February 8, 2012
Date of Patent: November 18, 2014
Assignee: P2S Media Group Oy
Inventor: Timo Rinne
-
Patent number: 8892873
Abstract: Disclosed are various embodiments for performing stateless verification of communication addresses. Encrypted verification data is generated for a user, including a communication address, an identifier of the user, a verification code, and a timestamp. The encrypted verification data is sent to the user, and the verification code is transmitted to the communication address. The encrypted verification data and the verification code are received from the user. The communication address is verified based at least in part on the verification code received from the user and the encrypted verification data received from the user.
Type: Grant
Filed: June 7, 2012
Date of Patent: November 18, 2014
Assignee: Amazon Technologies, Inc.
Inventors: Artur Barbalho de Oliveira Souza, Rajendra K. Vippagunta, Justin Tolmar White, Tal Elisha Shprecher, Brendan J. Farrington, Jon T. Rogers
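The stateless verification flow described in this grant and in the related application 20150074391 above, written out as an added example (not code from the patent or its assignee). The server keeps only a long-term key; the address, user identifier, code and timestamp all travel inside the encrypted token the user holds, so no per-request record is stored. The authenticated encryption here is a standard-library stand-in built from HMAC-SHA256 (a real deployment would use an AEAD such as AES-GCM); the server key, the code format and the 15-minute lifetime are assumptions.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

# Constructed server-side key: the only state the server needs to keep.
SERVER_KEY = bytes.fromhex("9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08")
CODE_TTL_SECONDS = 15 * 60
NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Separate encryption and MAC keys derived from the server key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with HMAC-SHA256 (AEAD stand-in): nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_token(key: bytes, token: bytes) -> Optional[bytes]:
    """Check the tag before decrypting; any modification yields None."""
    if len(token) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = token[:NONCE_LEN], token[NONCE_LEN:-TAG_LEN], token[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def issue_verification(key: bytes, user_id: str, address: str, now: int) -> Tuple[bytes, str]:
    """Step 1: the encrypted verification data goes to the user, the code to the address."""
    code = f"{secrets.randbelow(10 ** 6):06d}"
    payload = json.dumps({"addr": address, "uid": user_id, "code": code, "ts": now}).encode()
    return seal(key, payload), code


def verify_address(key: bytes, token: bytes, submitted_code: str,
                   user_id: str, address: str, now: int) -> bool:
    """Step 2: the user returns token and code; the server rebuilds the context
    from the token alone and checks binding, freshness and the code."""
    raw = open_token(key, token)
    if raw is None:
        return False
    data = json.loads(raw)
    if data["uid"] != user_id or data["addr"] != address:
        return False
    if not 0 <= now - data["ts"] <= CODE_TTL_SECONDS:
        return False
    return hmac.compare_digest(data["code"], submitted_code)
```

Because the code is inside the token, the token must be encrypted and not merely signed; a signed-only token would hand the user the code without ever touching the address. The timestamp check is what bounds a brute-force on the six-digit code, and a server should also rate-limit attempts per token.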
-
Patent number: 8893256
Abstract: A system and method that provides for protection of a CPU of a router, by establishing a management port on a router. Hosts which are connected to a non-management ports of the router are denied access to management functions of a CPU of the router. The system and method can utilize an application specific integrated circuit, in conjunction with a CAM-ACL, which analyzes data packets received on the ports of router, and the ASIC operates to drop data packets which are directed to the CPU of the router. This system and method operates to filter data packets which may be generated in attempts to hack in to control functions of a network device, and the operation does not require that the CPU analyze all received data packets in connection with determining access to the control functions of the router.
Type: Grant
Filed: June 30, 2010
Date of Patent: November 18, 2014
Assignee: Brocade Communications Systems, Inc.
Inventors: Ronald W. Szeto, Philip Kwan, Raymond Wai-Kit Kwong
-
Patent number: 8886930
Abstract: Embodiments are directed towards providing protection to DNS servers against DNS flood attacks by causing a requesting device to perform multiple DNS lookup requests for resolving a resource record. A request from a network device for a resolution of a domain name may be received by a device interposed between the requesting network device and a DNS server. Upon receiving the request to resolve the domain name, the interposed device may respond with a CNAME that includes a cookie. The requesting device may then send another request that includes the cookie preceded CNAME. The interposed device may then validate the returned cookie returned in the CNAME and if valid, forward the domain name resolution request on to a DNS server. The response may then be forwarded to the requesting device.
Type: Grant
Filed: August 6, 2012
Date of Patent: November 11, 2014
Assignee: F5 Networks, Inc.
Inventors: Peter M. Thornewell, Lisa M. Golden
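The CNAME-cookie exchange this abstract describes, from both sides, as an added example (not code from the patent or its assignee). The interposed device answers the first query for a name with a CNAME whose leading label is a cookie bound to the requester's address, the name and a time window; only a follow-up query carrying a valid cookie is forwarded upstream. The cookie construction (HMAC-SHA256 truncated and base32-encoded), the 60-second window, the guard key and the upstream zone are all assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
from typing import Callable, Dict, List, Tuple

# Constructed values: the interposed device's secret and the cookie lifetime.
GUARD_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
COOKIE_WINDOW_SECONDS = 60


def make_cookie(key: bytes, client_ip: str, qname: str, now: int) -> str:
    """Cookie bound to requester, queried name and time window, rendered as a
    DNS label (lower-case base32 without padding, 20 characters)."""
    window = now // COOKIE_WINDOW_SECONDS
    msg = f"{client_ip}|{qname.lower().rstrip('.')}|{window}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()[:12]
    return base64.b32encode(mac).decode().rstrip("=").lower()


def cookie_valid(key: bytes, client_ip: str, qname: str, cookie: str, now: int) -> bool:
    """Accept the current and the previous window so a query that straddles a
    boundary is not bounced back to the client."""
    for shift in (0, COOKIE_WINDOW_SECONDS):
        if hmac.compare_digest(make_cookie(key, client_ip, qname, now - shift), cookie):
            return True
    return False


class DNSFloodGuard:
    """Sits between clients and the real DNS server. A query without a cookie
    gets a CNAME to <cookie>.<name>; a query whose first label is a valid cookie
    for the rest of the name is forwarded upstream and answered."""

    def __init__(self, key: bytes, upstream: Callable[[str], str]):
        self.key = key
        self.upstream = upstream
        self.forwarded: List[str] = []   # names that actually reached the DNS server

    def handle_query(self, client_ip: str, qname: str, now: int) -> Tuple[str, str, str]:
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) > 1:
            cookie, real_name = labels[0], ".".join(labels[1:])
            if cookie_valid(self.key, client_ip, real_name, cookie, now):
                self.forwarded.append(real_name)
                return ("A", qname, self.upstream(real_name))
        cookie = make_cookie(self.key, client_ip, qname, now)
        return ("CNAME", qname, f"{cookie}.{qname}")


def resolve_like_a_real_client(guard: DNSFloodGuard, client_ip: str, qname: str, now: int) -> str:
    """A legitimate resolver follows the CNAME: two round trips, one upstream lookup."""
    rtype, _, data = guard.handle_query(client_ip, qname, now)
    if rtype == "CNAME":
        rtype, _, data = guard.handle_query(client_ip, data, now)
    return data


# Constructed stand-in for the protected DNS server.
ZONE: Dict[str, str] = {"www.example.com": "203.0.113.10"}
guard = DNSFloodGuard(GUARD_KEY, lambda name: ZONE.get(name, "0.0.0.0"))
```

A flood from spoofed source addresses never follows the CNAME, so it costs the guard one HMAC per packet and costs the DNS server nothing; a cookie captured from one client is useless from another address because the client IP is part of the MAC input. Two round trips per fresh name is the price legitimate resolvers pay, which is why the window should be long enough for their caching to absorb it.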
-
Patent number: 8880901
Abstract: An embodiment generally pertains to a method of secure address handling in a processor. The method includes detecting an instruction that implicitly designates a target address and retrieving an encoded location associated with the target address. The method also includes decoding the encoded location to determine the target address. Another embodiment generally relates to detecting an instruction having an operand designating an encoded target address and determining a location of a target instruction associated with the target address. The method also includes determining a location of a subsequent instruction and encoding the location of the subsequent instruction. The method further includes storing the encoded location of the subsequent instruction.
Type: Grant
Filed: May 25, 2006
Date of Patent: November 4, 2014
Assignee: Red Hat, Inc.
Inventor: Ulrich Drepper
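A small simulation of the call/return handling this abstract describes, added here as an example and not taken from the patent: on a call, the location of the subsequent instruction is stored only in encoded form; on the implicit-target return, the stored value is decoded and the processor refuses to transfer control to anything that is not a known instruction boundary. The abstract does not fix an encoding function; XOR with a per-process secret, as used by pointer-encoding mitigations, is assumed here, and the addresses are constructed.

```python
import secrets
from typing import List, Optional

# Constructed example: 32-bit addresses and a random per-process secret.
ADDR_BITS = 32
ADDR_MASK = (1 << ADDR_BITS) - 1


class EncodedReturnStack:
    """Return addresses live in memory only in encoded form. Decoding happens
    at the moment of the return, and the decoded target is validated."""

    def __init__(self, valid_targets: List[int], secret: Optional[int] = None):
        # The secret never sits next to the encoded values it protects.
        self.secret = secret if secret is not None else secrets.randbits(ADDR_BITS)
        self.valid_targets = set(valid_targets)
        self.slots: List[int] = []           # what actually sits in memory

    def encode(self, address: int) -> int:
        return (address ^ self.secret) & ADDR_MASK

    def decode(self, encoded: int) -> int:
        return (encoded ^ self.secret) & ADDR_MASK

    def call(self, return_address: int) -> None:
        """Store the encoded location of the instruction after the call."""
        self.slots.append(self.encode(return_address))

    def ret(self) -> int:
        """Retrieve the encoded location, decode it, and only then transfer
        control; a decoded value off any instruction boundary is a fault."""
        target = self.decode(self.slots.pop())
        if target not in self.valid_targets:
            raise RuntimeError(f"control-flow violation: decoded target {target:#010x}")
        return target

    def overwrite_top_slot(self, raw_value: int) -> None:
        """Models an attacker writing a raw (unencoded) address into the slot,
        e.g. through a stack overflow, without knowing the secret."""
        self.slots[-1] = raw_value & ADDR_MASK

    def attacker_succeeds(self, wanted_target: int) -> bool:
        """What an overwrite would have to achieve: land exactly on wanted_target."""
        return self.decode(self.slots[-1]) == wanted_target
```

The mitigation depends entirely on the secret staying out of the attacker's reach: an attacker who can read one encoded slot and knows the true address it stands for recovers the XOR secret directly, which is the usual caveat for XOR-based pointer encoding.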
-
METHOD FOR UPDATING A TABLE OF CORRESPONDENCE BETWEEN A LOGICAL ADDRESS AND AN IDENTIFICATION NUMBER
Publication number: 20140325211
Abstract: A method for updating a table of correspondence between a logical address associated to a user unit in a communication network and a unique identification number associated to one of a group of user units managed by a management centre, a method where messages are exchanged between said management centre and a specific user unit of said group by using said communication network, these messages being forwarded to the logical address of the specific user in said network, the method including searching in said table for the logical address of the user unit in said communication network corresponding to the unique identification number of the specific user unit; sending of messages to the user unit having the concerned unique identification number, to the logical address corresponding to said communication network; and if the messages are received incorrectly, sending a request containing an identifier of said specific user unit.
Type: Application
Filed: July 14, 2014
Publication date: October 30, 2014
Inventor: Philippe STRANSKY
-
Publication number: 20140317404
Abstract: A system including a computer and a computer readable hardware storage device containing instructions which, upon being executed by the computer, implements a method for restricting access to information transmitted over a computing network. A resource request for a resource to be located is received. The resource request contains a universal resource locator (URL). The URL is evaluated to determine whether encryption of none, part, or all of the URL is required. It is determined that the requested resource is available and in response, the requested resource contained in the resource request is located. It is determined whether encryption is required for none, part, or all of a return URL of the requested resource that is to be returned to a location of the resource request.
Type: Application
Filed: July 2, 2014
Publication date: October 23, 2014
Inventors: Michael P. Carlson, Srinivas Chowdhury
-
Patent number: 8862692
Abstract: A method for providing data on the Internet, comprising calculating, using a microprocessor, a value of a predetermined function for said data, wherein the value depends on the data, determining, using said microprocessor, a uniform resource identifier including said value, and storing, at a resource on the Internet, said data, wherein the resource is accessible by using the uniform resource identifier. Further, a method for accessing data on the Internet is provided, comprising retrieving said data from a resource in the Internet by using a uniform resource identifier, determining, using a microprocessor, a part of the uniform resource identifier, the part corresponding to a value of a predetermined function, calculating, using the microprocessor, a further value for said data based on said predetermined function, wherein the value depends on the data, and determining, using the microprocessor, the integrity of said data by comparing said value and said further value.
Type: Grant
Filed: November 23, 2010
Date of Patent: October 14, 2014
Assignee: Sony Corporation
Inventors: Stephen Tiedemann, Frank Dawidowsky, Klaus Roehrle, Meik Buscemi, Dietmar Schill
-
Publication number: 20140304504
Abstract: Disclosed are a logical network separation method and apparatus. The logical network separation method includes generating a first hash key on the basis of address information included in a service request packet, generating hash information on the basis of a transmission property of the service request packet corresponding to the first hash key when the same hash key as the first hash key is not in the hash table, and generating the policy about the reception of the service response packet corresponding to the service request packet on the basis of a destination of the service request packet. Accordingly, it is possible to block a cyber attack such as hacking, a malicious program, etc.
Type: Application
Filed: October 9, 2013
Publication date: October 9, 2014
Applicant: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE
Inventors: Pyung Koo PARK, Ho Yong RYU
-
Patent number: 8856518
Abstract: Techniques for efficient and secure implementation of network policies in a network interface controller (NIC) in a host computing device operating a virtualized computing environment. In some embodiments, the NIC may process and forward packets directly to their destinations, bypassing a parent partition of the host computing device. In particular, in some embodiments, the NIC may store network policy information to process and forward packets directly to a virtual machine (VM). If the NIC is unable to process a packet, then the NIC may forward the packet to the parent partition. In some embodiments, the NIC may use an encapsulation protocol to transmit address information in packet headers. In some embodiments, this address information may be communicated by the NIC to the parent partition via a secure channel. The NIC may also obtain, and decrypt, encrypted addresses from the VMs for routing packets, bypassing the parent partition.
Type: Grant
Filed: August 2, 2012
Date of Patent: October 7, 2014
Assignee: Microsoft Corporation
Inventors: Murari Sridharan, Narasimhan Venkataramaiah, Yu-Shun Wang, Albert G. Greenberg, Alireza Dabagh, Pankaj Garg, Daniel M. Firestone
-
Publication number: 20140289516
Abstract: A portable digital vault and related methods are disclosed that can provide a digital equivalent to the physical act of lending copyrighted content (such as a book or CD) while also providing security to prevent copying of the content. The vault acts as a self-contained authority that contains permissions relating to actions that can be taken with respect to the vault and vault contents. Vault contents can be moved between vaults, vaults can be moved between computing devices, and a vault and its contents can be moved together as a single unit. A vault can store any type of content, such as digital books, audio and video. In some embodiments, the vault can be issued by a government authority and contain currency note information that allows the vault to be used as cash. A vault can also serve as a receipt of a digital legal contract.
Type: Application
Filed: February 19, 2014
Publication date: September 25, 2014
Applicant: INFOSYS LIMITED
Inventor: Pankaj Sahay
-
Publication number: 20140289515
Abstract: A digital rights management retrieval system is provided. In some embodiments, a digital rights management system includes receiving a first notification from a first client device of a first protected content transaction for a first user with a first content distributor, wherein the first notification includes a first network address for the first content distributor; receiving a second notification from the first client device of a second protected content transaction by the first user with a second content distributor, wherein the second notification includes a second network address for the second content distributor; and maintaining a first list of content distributors for the first user, wherein the first list includes a network address for each content distributor from which the first user has downloaded protected content.
Type: Application
Filed: May 15, 2009
Publication date: September 25, 2014
Inventors: Peter Sorotokin, James Lester
-
Patent number: 8843769
Abstract: A secure environment is established within a system on a chip (SoC) without the use of a memory management unit. A set of security parameters is produced by a configuration program executed by a processor within the SoC that is read from a first non-volatile memory within the SoC. A set of stored parameters is created in a committable non-volatile memory within the SoC by writing the set of security parameters into the committable non-volatile memory. The committable non-volatile memory is sealed so that it cannot be read or written by the processor after being sealed. The stored parameters can then be accessed only by control circuitry. Security circuitry within the SoC is configured using the stored parameters each time the SoC is initialized and thereby enforces the secure environment within the SoC.
Type: Grant
Filed: April 4, 2012
Date of Patent: September 23, 2014
Assignee: Texas Instruments Incorporated
Inventor: Paul Kimelman
-
Publication number: 20140281508
Abstract: In an embodiment, a method comprises obtaining a second network address at a computer node, which has been already associated with a first network address and provided first keying information; sending, to a key server computer, an update message that comprises both the first network address and the second network address; using the first keying information to encrypt messages that the computer node sends from the second network address to one or more other members of a group.
Type: Application
Filed: March 12, 2013
Publication date: September 18, 2014
Applicant: Cisco Technology, Inc.
Inventors: AAMER S. AKHTER, RAJIV ASATI, BRIAN WEIS, MOHAMED KHALID
-
Patent number: 8838963
Abstract: Disclosed herein is a system for enhancing the security of wireless networks. In one aspect, a wireless access point that functions as a bridge between two networks is provided. The wireless access point is configured to establish separate associations for itself and each device connected to it. This provides for enhanced security in that each device connected to the wireless access point may be separately authenticated and in that separate encryption tunnels are established for each device connected to the wireless access point.
Type: Grant
Filed: February 4, 2005
Date of Patent: September 16, 2014
Assignee: Apple Inc.
Inventors: Philip F. Kearney, III, Robert Dale Newberry, Jr., James Woodyatt, John A. Saxton
-
Publication number: 20140258715
Abstract: Mechanisms are provided for handling a database client request. An encrypted database client request (DCR) is received, by an unsecure access local agent, from a client computing device as part of a session between the client computing device and a database data processing system. The unsecure access local agent retrieves a database session information (DSI) address corresponding to the session and generates a first unique identifiable key (UIK) based on a portion of the encrypted DCR. The unsecure access local agent generates a DSI mapping data structure that maps the first UIK to the DSI address. A secure access local agent of the database data processing system processes the encrypted DCR using the DSI mapping data structure.
Type: Application
Filed: March 11, 2013
Publication date: September 11, 2014
Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventor: Leonid Rodniansky
-
Patent number: 8832433
Abstract: A mobile communication device registers for data communication through a mobile communication network with a packet-based network. The device may or may not have a mobile device number, and registers using a fully-qualified-domain-name (FQDN) uniquely identifying the device in a domain-name-system (DNS) of the packet-based network. A packet-data-network gateway assigns a packet-based address for the device, and generates a request for registering the address with the FQDN in a DNS server. Alternatively, the device generates the packet-based address based on a received portion of the address, retrieves the FQDN from an identity module, and sends a DNS-Update message to the DNS server including the address and FQDN. Again alternatively, a DNS server receives an encrypted DNS update message including a FQDN and a packet-based address, and decrypts the message prior to registering the address and FQDN in a DNS database.
Type: Grant
Filed: August 17, 2012
Date of Patent: September 9, 2014
Assignee: Cellco Partnership
Inventor: Praveen Gupta
-
Patent number: 8826012
Abstract: A communication apparatus transmits data to a plurality of destinations. The apparatus includes a first input unit that inputs an individual setting as to whether the data is encrypted for each of the plurality of destinations for an encryption transmission. The apparatus also includes a second input unit that inputs an individual setting as to whether the data is encrypted for each transmission job. Further, the apparatus includes a transmission control unit that, when the transmission job includes at least two sets of the destinations, if the transmission job is set to be encrypted, performs the encryption transmission for each of the destinations, and, if the transmission job is set to be not encrypted, performs the encryption transmission for each of the destinations to be encrypted and performs a transmission without an encryption for each of the destinations not to be encrypted.
Type: Grant
Filed: January 19, 2007
Date of Patent: September 2, 2014
Assignee: Ricoh Company, Ltd.
Inventors: Tomohiro Kuroyanagi, Motoyuki Katsumata
-
Patent number: 8826384
Abstract: A device that includes a first processor, a second processor, and an encryption module in communication with the first processor and the second processor may be used to accept conditions for access to the network. The first processor may receive condition data, and in response, may send an acceptance signal via the encryption module to the second processor. The second processor may receive the acceptance signal and, in response, may send acceptance data to a gatekeeper. The encryption module may block unencrypted data other than the acceptance signal from being communicated from the first processor to the second processor. The encryption module may support type 1 encryption.
Type: Grant
Filed: July 13, 2007
Date of Patent: September 2, 2014
Assignee: L-3 Communications Corporation
Inventor: Richard Norman Winslow
-
Patent number: 8826001
Abstract: Embodiments of the invention provide a solution for securing information within a Cloud computing environment. Specifically, an encryption service/gateway is provided to handle encryption/decryption of information for all users in the Cloud computing environment. Typically, the encryption service is implemented between Cloud portals and a storage Cloud. Through the use of a browser/portal plug-in (or the like), the configuration and processing of the security process is managed for the Cloud computing environment user by pointing all traffic for which security is desired to this encryption service so that it can perform encryption (or decryption in the case of document retrieval) as needed (e.g., on the fly) between the user and the Cloud.
Type: Grant
Filed: April 27, 2010
Date of Patent: September 2, 2014
Assignee: International Business Machines Corporation
Inventors: Linda N. Betz, Wesley J. Ho, Charles S. Lingafelt, David P. Merrill
-
Patent number: 8825996
Abstract: Described herein are technologies pertaining to preserving privacy of users of mobile computing devices. Two users of two mobile computing devices share a quantization scheme for quantizing location data using a predefined quantization interval. The two users additionally share a private key that is utilized to encrypt locations obtained by the two computing devices that have been quantized using the shared quantization scheme. Encrypted, quantized locations are compared in a cloud computing service in connection with answering location-based queries, where the comparison is undertaken without the cloud computing service decrypting the encrypted, quantized locations.
Type: Grant
Filed: June 17, 2011
Date of Patent: September 2, 2014
Assignee: Microsoft Corporation
Inventors: Jitendra D. Padhye, Ratul Mahajan