Abstract: An electronic device, server and method are disclosed. The electronic device includes a communication module, memory, and a processor. The processor implements one method, including executing authentication and registering of an external electronic device as a sharing target, receiving a selection of at least one service to be shared with the external electronic device, encrypting data including an user identification (ID) and a password associated with the at least one service in response to the selection, transmitting a request for sharing the encrypted data to a server through the communication module to allow the external electronic device to use the at least one service without exposure of the ID and the password, receiving a response to the transmitted request from the server through the communication module, and generating a notification indicating whether the ID and the password are successfully shared for the selected at least one service, based on the received response.

Abstract: Systems and methods are disclosed for online authentication of online attributes. One method includes receiving an authentication request from a rely party, the authentication request including identity information to be authenticated and credential information to be authenticated; determining whether a user account is associated with the received identity information by accessing an internal database; accessing user data of the user account determined to be associated with received identity information; determining authentication data to obtained from a user associated with the user account based on the user data of the user account and the credential information to be authenticated; transmitting a request for authentication data; receiving authentication data associated with the user; transmitting authentication data associated with the user; and receiving an authentication result from the verification data source server for the user associated with authentication data.

Abstract: Implementations provide a computer-implemented method that includes: accessing, by a node of a blockchain network, a first set of data encoding a set of transaction records, wherein the blockchain network comprises a plurality of consensus nodes; at least based on the first set of data, generating, by the node, a transaction hash for the set of transaction; accessing a second set of data encoding a compliance status of the node of the blockchain network; at least based on the second set of data; generating, by the node, a compliance hash for the node of blockchain network; generating, by the node, a root hash that combines the transaction hash and the compliance hash; and submitting, by the node and to the plurality of consensus nodes of the blockchain network, a block that includes the root hash for entry into the blockchain.

Abstract: A secure enclave is hosted by an untrusted host. To securely persist data on the untrusted host, the secure enclave generates or updates a persistent file system, wherein the persistent file system is a collection of logical files. The secure enclave segments the persistent file system into a plurality of sectors. The secure enclave provides a key specification to a key derivation enclave. The secure enclave obtains an encryption key dynamically generated based on the key specification. The secure enclave cryptographically protects each of the plurality of sectors using the key and causes the host to write a plurality of encrypted sectors to a disk as a single physical file.

Abstract: A cache service provides applications in a containerized, multi-tenant cloud-computing system low-latency access to secrets. The cache service may operate as a cluster-level service or a sidecar service. The cache service may store copies of secrets (which are located in one or more absolute stores) in a cache storage. The cache service and the cache storage may be closer to the applications than the one or more absolute stores are to the applications. The cache service may aggregate secrets associated with multiple entities in a single cache storage. The cache service may support isolation between secrets such that secrets of a first entity are isolated from secrets of a second entity. The cache service may enforce granulated access controls such that it can apply different access controls to secrets of a first entity than to secrets of a second entity.

Abstract: Methods and systems are presented for providing a framework for facilitating offline cryptocurrency transactions. A first application executed in a first secure enclave of a first device can register itself with a cryptocurrency computer network for initiating offline cryptocurrency transactions and reserve a denomination of cryptocurrency for the offline cryptocurrency transactions based on a token. The first application initiates an offline cryptocurrency transaction with a second application executed in a second enclave of a second device by transmitting a request comprising the token via a peer-to-peer connection. The second application verifies the request based on the token and attributes associated with the first application and the first secure enclave. Upon accepting the request, the second application stores the token in the second secure enclave.

Abstract: Multi-factor authentication systems and methods are provided that include receiving a request to authenticate a user of a mobile device. The request for authentication may include credential information associated with the user and vehicle data. A determination may be made regarding whether the vehicle data was obtained from a vehicle via the mobile device. The received vehicle data and received credential information may be compared to stored data. When there is a match between the received vehicle data and received credential information and corresponding stored data, a notification may be provided to the user device indicating that the user has been authenticated.

Abstract: A system may be configured to identify VPN traffic. Some embodiments may: obtain a plurality of default port numbers and/or protocol types; obtain information continually updated to indicate at least one of a predetermined host or DNS; and detect VPN traffic based on a used port number and/or used protocol type, the VPN traffic being generated based on user-interaction at a client device. The detection may be performed by comparing the port number or protocol type against the obtained port numbers or protocol types, the VPN traffic being detected from among a larger set of network traffic. Some embodiments may further: determine that the detected port number or protocol type indicates a higher level of security; filter the larger set of traffic by identifying the detected VPN traffic routed to the predetermined host or DNS; and block or otherwise disrupt the VPN traffic.

Abstract: When personally identifiable information (PII) is to be stored or updated, a system first seeks consent from the user for the PII store or update. If the user grants consent, then the system stores the PII in the user's personal device or updates the PII stored in the user's personal device. The system then retrieves that PII and generates a token representing that PII. Even if the token were taken by a malicious user, it would not be possible for the malicious user to determine the user's actual PII from the token. In this manner, the security of the PII is improved over conventional systems.

Abstract: A method for the digital signing of a message by a sender of the message. A check value based on a symmetrical key pair is ascertained using a secret key as part of a symmetrical key pair and the message. A digital signature is ascertained using a private key as part of an asymmetrical key pair and the check value. The digital signature is provided for transmission, to a method for checking a received, digitally signed message by a receiver.

Abstract: Automated techniques for converting network devices from a Layer 2 (L2) network into a Layer 3 (L3) network in a hierarchical manner are described herein. The network devices may be configured to boot such that their ports are in an initialization mode in which the ports are unable to transmit locally generated DHCP packets. When a network device detects that a neighbor (or “peer”) device has acquired an IP address or has been configured by a network controller, then the port on which the neighbor device is detected can then be transitioned from the initialization mode into a forwarding mode. In the forwarding mode, the port can be used to transmit packets to obtain an IP address. Thus, the network devices are converted from an L2 device to an L3 device in a hierarchical order such that upstream devices are discovered and converted into L3 devices before downstream devices.

Abstract: Examples described herein relate to a Transport Layer Security (TLS) offload engine to: based on detection of encrypted data unassociated with a previously detected data header: search for one or more data headers; identify at least two candidate data headers for validation; and based on receipt of an indication that the at least two candidate data headers are valid, perform decryption of received data in one or more packets. In some examples, the TLS offload engine is to: based on receipt of an indication that one or more of the at least two candidate data headers is not a valid header, search for two or more other candidate data headers.

Abstract: Techniques for time-based network authentication challenges are disclosed. In some embodiments, a system, process, and/or computer program product for time-based network authentication challenges includes monitoring a session at a firewall to identify a user associated with the session, generating a timestamp for an authentication factor associated with the user after the user successfully authenticates for access to a resource based on an authentication profile, intercepting another request from the user for access to the resource at the firewall, and determining whether the timestamp for the authentication factor is expired based on the authentication profile.

Abstract: An attestation service is configured to receive a request to enable attestation for a compute instance according to an attestation policy indicating one or more baseline health measurement values for validating compute instances. The attestation service provides a network endpoint for the compute instance to request attestation. The attestation service receives, via the network endpoint from a compute instance, one or more health measurement values of the compute instance. The attestation service validates the compute instance based at least on a comparison of the one or more current health measurement values and the one or more baseline health measurement values. The attestation service, in response to validating the compute instance, generates an attestation token indicating that the compute instance is authorized to access a secured resource of the provider network.

Abstract: Various aspects of the subject technology relate to systems, methods, and machine-readable media for providing encryption of data with data separation. Various aspects may include performing determining a request payload for a communication from a client device. Aspects may also include creating a first reference data object for a first subset of data fields of the request payload. Aspects may also include creating a second reference data object for a second subset of data fields. Aspects may also include replacing a first value of the first subset with a first reference value. Aspects may include replacing a second value of the second subset with a second reference value. Aspects may include encrypting a response payload with the first reference data object and the second reference data object in an encrypted text-based structured data file format with a cryptographic key.

Abstract: The present invention discloses methods and systems for providing UICC/eUICC related response information to information requests at a cellular router. The method includes receiving an information request from a wireless communication module, and determining whether a response to the information request is cached. When the response information is not cached, forwarding the information request to a massive SIM apparatus (MSA). MSA will then respond to the information request. A response based on the MSA's response will then be sent to the wireless communication module for the information request. When the response information is cached, retrieve the response information and send it to the wireless communication module.

Abstract: Methods and systems are described herein for facilitating blockchain operations in decentralized applications by offering enhanced efficient when conducting blockchain operations using cryptography-based, digital ledgers through the use of specialized indexing. For example, as opposed to relying on raw blockchain data to power decentralized applications, the methods and systems use a blockchain indexer. The blockchain indexer provides a queryable record of a subset of blockchain operations.

Abstract: Various embodiments described herein disclose an endpoint modeling and grouping management system that can collect data from endpoint computer devices in a network. In some embodiments, agents installed on the endpoints can collect real-time information at the kernel level providing the system with deep visibility. In some embodiments, the endpoint modeling and grouping management system can identify similarities in behavior in response to assessing the data collected by the agents. In some embodiments, the endpoint modeling and grouping management system can dynamically model groups such as logical groups, and cluster endpoints based on the similarities and/or differences in behavior of the endpoints. In some embodiments, the endpoint modeling and grouping management system transmits the behavioral models to the agents to allow the agents to identify anomalies and/or security threats autonomously.

Abstract: A computer implemented method includes receiving a request for device validation, reading a genesis record from a device, the genesis record containing a device identification (ID), an original owner ID, a current owner ID, and a first hash of the device ID, an original owner ID, a current owner ID, and validating, by multiple processing entities having replicated copies of a chain that includes the genesis record and a succeeding transfer block, ownership of the device.

Abstract: A method of generating a shared augmented reality payment authentication entry interface includes detecting a first consumer device and a second consumer device; prompting a display of a first augmented reality payment authentication interface at the first consumer device; and prompting a display of a second augmented reality payment authentication interface at the second consumer device.

Abstract: Methods and systems disclosed herein extend an entity's private cloud security model to the entity's public cloud. Public cloud access permissions are defined, in accordance with a security model implemented in the entity's private cloud, for one or more of the entity's public cloud resources. The public cloud permissions are pushed or otherwise provided to an access module within the private cloud. Upon receiving a request to access a public cloud resource, the private cloud access module is invoked to grant or deny the access request in accordance with the public cloud access permissions. Similarly, upon receiving a request to access a private cloud resource, the private cloud access module is invoked to process the access request in accordance with private cloud access permissions, thereby beneficially enabling users to interact with a single access interface regardless of whether the resource reside within the entity's cloud platform.

Abstract: An optical arrangement includes at least one pair of displays, each pair having a first display and a second display configured to generate light in a visible spectral range. For each pair of displays, the optical arrangement includes a first polarizer configured to polarize the light incident from the first display, a second polarizer configured to polarize the light incident from the second display. The optical arrangement also includes first and second polarizing beam splitters for each pair of displays. Each polarizing beam splitter is configured to receive the polarized light from the first and second polarizers. Each polarizing beam splitter is also configured to reflect one of an s-polarized component and a p-polarized component of the received polarized light into at least one field of view (FOV) and transmit the other of the s-polarized component and the p-polarized component of the received polarized light into the subject FOV(s).

Abstract: Methods, systems, and devices for intruder detection are described. A security and automation system may include a camera configured to monitor a zone of a premises. The security and automation system may detect a person in the zone, for example using the camera, a motion sensor, or another sensor. The security and automation system may determine that the person has remained in the zone for a threshold duration. The security and automation system may generate a notification (e.g. an audiovisual notification) based on determining that the person has remained in the zone for the duration. In some examples, the notification may include a verbal message, a flashing light, etc., to indicate to the person that video recording was initiated. The techniques described herein may inform an intruder that video is being recorded, which may discourage an intruder from an intended action (e.g., theft, property damage, etc.), among other benefits.

Abstract: A lightweight attribute-based signcryption (ABSC) method for cloud-fog-assisted Internet-of-things: performing, by a central authority, system initialization to generate a system key pair, and disclosing a public key, the public key including a symmetric encryption algorithm (SEA) and a key derivation function (KDF); generating, by the central authority, a decryption key and an outsourcing decryption key based on a decryption attribute set of a data user, and generating a signature key and an outsourcing signature key based on a signature access structure; calling, by a data owner, a fog node for outsourcing signature, performing symmetric encryption on a plaintext based on a symmetric key, and performing ABSC on the symmetric key based on a defined encryption access structure; and calling, by the data user, a fog node for outsourcing signature verification, calling a fog node for outsourcing decryption, and performing symmetric decryption on a ciphertext based on an outsourcing decryption result.

Abstract: Systems and methods for provisioning secure programmable logic devices (PLDs) are disclosed. An example secure PLD provisioning system includes an external system comprising a processor and a memory and configured to be coupled to a secure PLD through a configuration input/output (I/O) of the secure PLD. The external system is configured to generate a locked PLD comprising the secure PLD based, at least in part, on a request from a secure PLD customer, wherein the request from the secure PLD customer comprises a customer public key; and to provide a secured unlock package for the locked secure PLD. The external system may also be configured to provide an authenticatable key manifest comprising a customer programming key token and a corresponding programming public key associated with the locked secure PLD, wherein the authenticatable key manifest is signed using a programming private key generated by the locked secure PLD.

Abstract: A data transmission method to transmit data contained in k independent data streams to k receivers with a data transmission device, wherein specific data stream identifiers are attached to the independent data streams and then multiplexed into I multiplexed data streams. The multiplexed data streams are then transmitted via I UARTs to k microcontrollers which demultiplex the multiplexed data streams and select one of the contained independent data streams via an allocation protocol. The allocation protocol is identical on all microcontrollers and utilizes the specific data stream identifiers to allocate the k independent data streams to exactly one of the k receivers. The microcontrollers then send their selected independent data stream to an allocated receiver.

Abstract: A technology is disclosed for the browser side capturing of user interaction session data and replay of the session data for a high-fidelity reconstruction of the experience the user perceived. In addition to capturing central structuring and markup documents and browser side updates thereof, additional resource documents that are loaded and used by the browser to render the central documents are captured and added to the session recording data. Identification information is created for resource documents, based on the content of those documents, which allows the capturing system to distinguish different versions of those content documents that share the same name but have different content. The captured session data contains data to identify the correct versions of resource documents during replay. Various measures to reduce the amount of transferred resource content data are applied, that consider already captured resource document versions or the usage frequency of a monitored application.

Abstract: The present disclosure relates to a privacy preserving data storing method, in particular for analyzing a travel behavior of one or more users of mobility-as-a-service (MaaS) transportation services. The method comprises storing at least one user identification, user ID, identifying the one or more users on a trip together with a trip identification, trip ID, identifying the trip in a database entry of a first database and storing trip information on the trip with the trip ID in a database entry of a separate second database. The method further provides for associating the database entries of the first and second databases associated with the same trip ID for an analysis of the travel behavior of the users based on the associated database entries of the first and the second database.

Abstract: The present disclosure is directed to systems and methods for dynamic firewall discovery on a service plane. The method includes the steps of identifying a source data packet for transmission from a source machine at a source site to a destination machine at a destination site, wherein the source data packet corresponds to a request for connection between the source machine and the destination machine over a WAN, inspecting the source data packet at a first firewall associated with the source site, marking the source data packet with a marker to indicate inspection by the first firewall, transmitting the marked source data packet to the destination site, determining at the destination site that the source data packet has been inspected based on the marker, and forwarding the source data packet to the destination machine at the destination site, without inspection of the source data packet by a second firewall associated with the destination site.

Abstract: A method for data exchange on a communication network, operating according to a protocol, and including a transmission bus, a first node and a second node. The first node carries out the steps of: constructing a first and a second data frame which transport first and second information data; calculating a first message authentication code as a function of the first and the second information data; constructing a third data frame which transports the first message authentication code; transmitting all of the data frames thus constructed. The second node carries out the steps of: receiving the first, the second and the third data frames; extracting the first and the second information data and the first message authentication code; calculating a second message authentication code as a function of the first and the second information data extracted; comparing the message authentication code extracted with the message authentication code calculated in order to verify the identity thereof.

Abstract: A computer-implemented method and a computer system are provided for selecting active or passive decryption mode when observing network traffic between a downstream client and an upstream server. The method includes selecting a decryption mode in an initial stage of setting up a secure session based on a determination of a most probable decryption mode based on decryption modes used for similar and/or past secure sessions, wherein the initial stage is when the client initiates a transport layer connection before the transport layer connection or the secure session is established. The method further includes validating the selected decryption mode at least once during the secure session based on whether the selected decryption mode is actually and/or is probably supported based on security algorithms supported by the client and/or server, and switching the decryption mode based on a result of validating the selected decryption mode.

Abstract: A system receives an operation by a trusted node on a blockchain, simulates an execution of the operation, and captures endorsement policy information related to the execution of the operation.

Abstract: Described herein are complete lifecycle management processes for IoT/M2M devices. In an example, devices are commissioned and de-commissioned in a given system without requiring a user/human administrator. A delegated life-cycle management process is described, wherein devices rely upon a delegatee, which may have more computing and battery resources than the devices, to perform complete or partial lifecycle management operations on behalf of the devices. The delegatee may be a trusted entity that may belong to the same domain as the devices. Further, a Trust Enabling Infrastructure (TEI) is described herein, which may belong to a different trusted domain than the given device and its delegatee.

Abstract: Embodiments include performing a host-initiated link reset in a storage area network (SAN). Aspects include identifying, by a host in communication with the SAN, each link in the SAN, wherein each link is defined by a pair of ports. Aspects also include obtaining, by the host, a buffer credit balance for each port in the SAN and obtaining, by the host, a buffer credit for each port in the SAN and causing a reset of a link associated with the port by transmitting a link reset record from the host to a control device of the link based on a determination that the buffer credit of a port in the SAN is below a threshold value.

Abstract: The present disclosure relates to authenticating a first device to a second device, including at least two successive verification operations comprising the following successive steps. The second device generates a first data, and sends the first data to the first device. The first device generates a third data and a fourth data used by the following verification operation and sends the third data to the second device. The second device checks the third data indicating whether the check was successful or not.

Abstract: Systems and methods are described for generating and storing immutable blockchain records with respect to authorized derivative works based on content associated with a non-fungible token (NFT). For example, a first NFT stored on a blockchain may be owned by a first blockchain address, and that owner may cryptographically sign a message indicating or representing that the individual approves of a created or to-be-created second NFT that is based at least in part on content of or associated with the first NFT. The cryptographic signature may be authenticated, and then a system may generate new data for storage in a new blockchain record. The new blockchain record may identify both the first NFT and the second NFT, and also include data proving that the owner of the first NFT approved of the second NFT.

Abstract: Provided is an image display apparatus that projects an image with high contrast by use of a phase modulation technology. An image display apparatus includes a trained neural network model that estimates a phase modulation distribution corresponding to an output target image, a phase modulation section that performs phase modulation on incident light in reference to the phase modulation distribution estimated by the trained neural network model, a luminance modulation section that performs luminance modulation on phase modulated light output from the phase modulation section, and a control section that outputs, to a predetermined position, the incident light subjected to the phase modulation and the luminance modulation.

Abstract: Cryptographic systems, methods and communication network comprising thereof are disclosed, including numerous industry applications. Embodiments of the present invention can generate and regenerate the same symmetric key. The cryptographic systems and methods include a key generator configured to use two or more inputs to reproducibly generate the symmetric key and a cryptographic engine configured to use the symmetric key for encrypting and decrypting data.

Abstract: An automatic teller machine includes a controller and a cash dispenser unit. The controller is in electronic communication with dispense authorization parties. The controller is configured to generate a requested transaction in response to a manual entry of a requested cash value, and send a withdrawal request to a given dispense authorization party. The withdrawal request includes a unique nonce. The controller is configured to receive a withdrawal authorization from the given dispense authorization party. The withdrawal authorization includes a secure dispense token and a dispense nonce. The cash dispenser unit is configured to generate the unique nonce in response to the requested transaction, verify that the secure dispense token and the dispense nonce are valid, and dispense a currency matching the requested cash value in response to the secure dispense token and the dispense nonce being valid.

Abstract: Devices and methods for accessing and for controlling access of a node, called “challenged node”, that has already been authenticated and is provisionally connected to a network of nodes, the network including at least one node, called “challenging node”. The method for controlling access, implemented by a challenging node, includes: defining a personalized test that must be executed by the challenged node; sending the test to the challenged node; receiving, from the challenged node, at least one result of the execution of the test; and authorizing or refusing the access of the challenged node to the network, at least on the basis of the result.

Abstract: A method in a VPN environment, including determining, by a VPN infrastructure device, first and second VPN protocols that are available for providing VPN services to a user device, the first VPN protocol being different from the second VPN protocol; transmitting, by the VPN infrastructure device to the user device, a list indicating first VPN servers that utilize the first VPN protocol and second VPN servers that utilize the second VPN protocol; and establishing, by the user device at substantially the same time, a first parallel VPN connection with a first VPN server from among the first plurality of VPN servers, the first VPN connection configured to utilize the first VPN protocol, and a second parallel VPN connection with a second VPN server from among the second plurality of VPN servers, the second VPN connection configured to utilize the second VPN protocol is disclosed. Various other aspects are contemplated.

Abstract: Provided are a method and device employing a smart contract to realize identity-based key management. The method comprises: running a smart contract, and executing a key management process, wherein the key management process comprises: when a key of a target user requires an update and the target user is not a supervised user, generating a master public key and a master private key pertaining to the target user; acquiring, from a blockchain, identity information of the target user; generating a first target private key according to the master public key and the master private key pertaining to the target user and the identity information of the target user; and replacing a current private key of the target user with the first target private key.

Abstract: Provided is a computer implemented method for performing mutual authentication between an online service server and a service user, including: (a) generating, by an authentication server, a server inspection OTP; (b) generating, by an OTP generator, a verification OTP having the same condition as the server inspection OTP and using the same generation key as an OTP generation key and a calculation condition different from a calculation condition is applied or a generation key different from the OTP generation key is used and the same calculation condition as the calculation condition used for generating the server inspection OTP is applied to generate a user OTP; and (c) generating, by the authentication server, a corresponding OTP having the same condition as the user OTP and comparing whether the generated corresponding OTP and the user OTP match each other to authenticate the service user.

Abstract: A center device includes: a consent request unit that is configured to make a consent request to a plurality of devices for data distribution to a vehicle; a consent determination unit that is configured to judge a consent response from each of the plurality of devices; a distribution control unit that is configured to control the data distribution to the vehicle according to a determination result by the consent determination unit; and a necessity determination unit that is configured to determine whether the consent request to the plurality of devices is needed before the consent request are made to the plurality of devices. The consent request unit is further configured to determine whether to make the consent request to the plurality of devices according to a determination result by the necessity determination unit.

Abstract: Various embodiments described herein disclose an endpoint modeling and grouping management system that can collect data from endpoint computer devices in a network. In some embodiments, agents installed on the endpoints can collect real-time information at the kernel level providing the system with deep visibility. In some embodiments, the endpoint modeling and grouping management system can identify similarities in behavior in response to assessing the data collected by the agents. In some embodiments, the endpoint modeling and grouping management system can dynamically model groups such as logical groups, and cluster endpoints based on the similarities and/or differences in behavior of the endpoints. In some embodiments, the endpoint modeling and grouping management system transmits the behavioral models to the agents to allow the agents to identify anomalies and/or security threats autonomously.

Abstract: Disclosed are various embodiments for managing security credentials for an authentication management client on a client device. In one non-limiting example, a computing device is configured to receive an authentication request from an authentication management client of a client and determine an affinity of the authentication management client based at least in part on the authentication request. The computing device is configured to determine that the authentication management client is supported based at least in part on the affinity. The computing device is configured to generate a session for the authentication management client based at least in part on a security credential being received from the authentication management client.

Abstract: The service layer may leverage the access network infrastructure so that applications on a device may bootstrap with a machine-to-machine server without requiring provisioning beyond what is already required by the access network.

Abstract: A method, device, and non-transitory computer-readable medium are provided. Responsive to the device determining that a first user is not registered in a node registry upon startup, a public key of the first user and private key of the first user are generated, and the public key is registered in the node registry. Responsive to receiving a lookup request from a securely connected computing device, a public key lookup request for a public key of a second user is sent to the node registry by the device. The device receives the public key of the second user responsive to the sending of the public key lookup request. Responsive to receiving a message for the second user and an encryption request from the computing device, the device encrypts the message using the public key of the second user to produce an encrypted message that is transmitted to the computing device.

Abstract: To enhance tampering detection performance by rendering decipherment of a secret key for electronic signature difficult. A cipher key generation apparatus according to the present technology includes a key generation section adapted to generate a secret key for electronic signature on the basis of a photoelectric random number which is a random number acquired on the basis of photoelectric conversion in an array sensor in which multiple pixels each having a visible or invisible light reception element are arranged one-dimensionally or two-dimensionally.

Abstract: Provided are a method and an apparatus for data processing in an equity incentive system, which are applied in an equity incentive system, such as an Employee Stock Ownership Plan (ESOP) system. A first device obtains a mapping relation that includes a correspondence between at least one data type and at least one encryption scheme, determines a first encryption scheme corresponding to a data type of first data based on the mapping relation, generates a first data packet based on the first encryption scheme, and transmits the first data packet to a second device. In this way, the first device uses different encryption schemes based on different data types, and the second device obtains the first data by decryption based on an encryption identifier That is, according to the present disclosure, different encryption schemes are used for different data types, thereby improving data security without affecting normal use.