Having Key Exchange Patents (Class 713/171)
-
Patent number: 11394697
Abstract: Embodiments of the invention relate to efficient methods for authenticated communication. In one embodiment, a first computing device can generate a key pair comprising a public key and a private key. The first computing device can generate a first shared secret using the private key and a static second device public key. The first computing device can encrypt request data using the first shared secret to obtain encrypted request data. The first computing device can send a request message including the encrypted request data and the public key to a server computer. Upon receiving a response message from the server computer, the first computing device can determine a second shared secret using the private key and the blinded static second device public key. The first computing device can then decrypt the encrypted response data from the response message to obtain response data.
Type: Grant
Filed: November 25, 2019
Date of Patent: July 19, 2022
Assignee: VISA INTERNATIONAL SERVICE ASSOCIATION
Inventors: Eric Le Saint, Upendra Mardikar, Dominique Fedronic
-
Patent number: 11388153
Abstract: A secure communication network includes interconnected switches including a source switch, a destination switch, and an intermediate switch. Packets are transferred over the secure communication network from a start node to an end node. The source switch replaces an original payload of each packet with an encrypted payload that combines the original payload and a respective random pad for the packet. The source switch then discards the respective random pad. The source and intermediate switches forward each packet toward the destination switch. The destination switch replaces the encrypted payload of each packet with a decrypted payload, which combines the encrypted payload and the respective random pad so as to match the original payload, discards the respective random pad, and transmits the packet with the decrypted payload to the end node. A controller sends the respective random pad for each packet to the source and destination switches via secure management links.
Type: Grant
Filed: August 25, 2020
Date of Patent: July 12, 2022
Assignee: United States of America as represented by the Secretary of the Navy
Inventors: William Albert Sellers, Jr., James M Mengert
-
Patent number: 11388010
Abstract: Techniques and systems described below relate to systems and methods to migrate a blockchain account. A blockchain migrate transaction can migrate an existing account from an old address to a new address. A blockchain account migration can be performed in response to a determination that a secret key associated with an address has or has potentially been exposed. Existing digital assets associated with a potentially compromised account may be carried over to a new account as part of a blockchain account migrate transaction.
Type: Grant
Filed: October 18, 2019
Date of Patent: July 12, 2022
Assignee: ArcBlock, Inc.
Inventors: Tian Chen, Zhihong Mao
-
Patent number: 11387981
Abstract: Implementations include actions of providing a first transaction hash including a digital representation of a digital record between a first peer and a second peer within a digital records platform, the platform provided by the first peer as a host peer, and the transaction hash being generated based on one or more documents underlying the digital record, receiving one or more edits to at least one document from the second peer, updating the first transaction hash to provide: a second transaction hash, and a transaction hash history including the first transaction hash and the second transaction hash, receiving approval of the digital record from each of the first peer and the second peer, and executing a consensus protocol by a notary service of a third node to update transaction objects across the first node and the second node, the updating indicating that the transaction objects are consistent.
Type: Grant
Filed: February 13, 2019
Date of Patent: July 12, 2022
Assignee: Accenture Global Solutions Limited
Inventors: David Treat, Shane R. Marshall
-
Patent number: 11379567
Abstract: A method includes receiving an indication of a request from a client device. The request is for establishing an access session to perform one or more actions on data of a data processing platform. The method includes receiving data indicative of a context of the access session request and establishing a challenge session associated with the request that indicates one or more challenges required of a user associated with a client device to successfully respond to in order to establish the requested access session, a number or a type of the one or more challenges being determined based on the context, and establishing an access session to enable the user to perform the one or more actions on the data of the data processing platform if responses to all challenges in the challenge session are successful.
Type: Grant
Filed: May 11, 2020
Date of Patent: July 5, 2022
Assignee: Palantir Technologies Inc.
Inventors: Felix de Souza, Jonathan Lafleche
-
Patent number: 11375371
Abstract: Methods, systems, and media for protected near-field communications are provided. In some embodiments, the method comprises: receiving, from an NFC tag device, a request for an NFC reader device identifier (ID); transmitting the NFC reader device ID to the NFC tag device; receiving an NFC tag device ID; determining whether the NFC tag device ID matches an NFC tag device ID stored in memory of the NFC reader device; in response to determining that the NFC tag device ID matches the NFC tag device ID, transmitting a password to the NFC tag device; receiving, from the NFC tag device, a shared secret; determining whether the received shared secret matches a shared secret stored in the memory of the NFC reader device; and in response to determining that the received shared secret matches the shared secret, causing an action to be performed by a device associated with the NFC reader device.
Type: Grant
Filed: January 16, 2020
Date of Patent: June 28, 2022
Assignee: McAfee, LLC
Inventor: Eoin Carroll
-
Patent number: 11366897
Abstract: Systems, methods and computer program products are provided for layered quantum computing (QC) detection. An example system includes QC detection data generation circuitry that generates QC detection data via a first post-quantum cryptographic (PQC) technique. The system also includes cryptographic circuitry configured to generate a pair of asymmetric cryptographic keys including a public cryptographic key and a private cryptographic key via a second PQC technique, generate encrypted QC detection data based on the pair of asymmetric cryptographic keys, and destroy the private cryptographic key. The system further includes data monitoring circuitry configured to monitor a set of data environments for electronic information related to the encrypted QC detection data. In response to detection of the electronic information related to the encrypted QC detection data, the system may monitor a set of data environments for electronic information related to the QC detection data.
Type: Grant
Filed: January 17, 2020
Date of Patent: June 21, 2022
Assignee: Wells Fargo Bank, N.A.
Inventors: Ramanathan Ramanathan, Andrew J. Garner, IV, Abhijit Rao, Pierre Arbadjian, Michael Erik Meinholz, Omar B. Khan, Ramesh Yarlagadda
-
Patent number: 11362813
Abstract: A first copy of a True Random Number (TRN) pool comprising key data of truly random numbers in a pool of files may be stored on a sender and a second copy of the TRN pool is stored on a receiver. An apparent size of the TRN pool on each device is expanded using a randomizing process for selecting and re-using the key data from the files to produce transmit key data from the first copy and receive key data from the second copy.
Type: Grant
Filed: August 24, 2018
Date of Patent: June 14, 2022
Assignee: 7Tunnels Inc.
Inventors: Michael L. Hammon, Wesley A. Hildebrandt, Kevin R. McCarthy
-
Patent number: 11354441
Abstract: Embodiments herein relate to new and useful systems and methods for tokenization across code trust boundaries. An embodiment includes a method for securing data across execution contexts in a computing device. The method includes determining that first data is to be passed from a first code in a first execution context to a second code in a second execution context. The method further includes, based on determining that the first data is to be passed, tokenizing the first data to generate tokenized first data, wherein tokenizing the first data comprises substituting the first data with second data that is based on the first data to secure the first data from the second code, the second data being the tokenized first data. The method further includes passing the tokenized first data from the first code to the second code.
Type: Grant
Filed: February 19, 2020
Date of Patent: June 7, 2022
Assignee: VMware, Inc.
Inventors: Deian Stefan, Devon Rifkin, Christian Almenar
-
Patent number: 11354430
Abstract: Systems and methods for dynamically establishing and managing tenancy using templates are disclosed herein. An example method includes receiving a collaboration room template, the collaboration room template including parameters that are used to establish and configure a collaboration room for an entity, establishing the collaboration room for the entity, configuring the collaboration room according to the parameters of the collaboration room template, generating a token for a user, the token specifying permissions for the user for the collaboration room, transmitting an invitation to a user related to the collaboration room, and providing data in the collaboration room for the user according to the permissions specified in the token.
Type: Grant
Filed: September 16, 2021
Date of Patent: June 7, 2022
Assignee: Cygnvs Inc.
Inventors: Nithin Santhosh Tharakan, Darragh Buffini, Kevin Gaffney
-
Patent number: 11354402
Abstract: Environment type validation can provide a tamper-resistant validation of the computing environment within which the environment type validation is being performed. Such information can then be utilized to perform policy management, which can include omitting verifications in order to facilitate the sharing of policy, such as application licenses, from a host computing environment into a container virtual computing environment. The environment type validation can perform multiple checks, including verification of the encryption infrastructure of the computing environment, verification of code integrity mechanisms of that computing environment, checks for the presence of functionality evidencing a hypervisor, checks for the presence or absence of predetermined system drivers, or other like operating system components or functionality, checks for the activation or deactivation of resource management stacks, and checks for the presence or absence of predetermined values in firmware.
Type: Grant
Filed: November 1, 2019
Date of Patent: June 7, 2022
Assignee: Microsoft Technology Licensing, LLC
Inventors: Tushar Suresh Sugandhi, Amber Tianqi Guo, Balaji Balasubramanyan, Abhijat Singh, Ahmed Saruhan Karademir, Benjamin M. Schultz, Hari R. Pulapaka, Gupta Shubham, Chase Thomas, Carlos Ernesto Peza Ramirez
-
Patent number: 11356264
Abstract: An authentication system includes an authentication unit that performs an authentication process between a first communication device and a second communication device when the first communication device and the second communication device communicate. The authentication unit performs the authentication process by transmitting authentication information from one of the first communication device and the second communication device to the other one, calculating the authentication information with an encryption code in each of the first communication device and the second communication device, and evaluating a calculation result. During a processing series in the authentication process, the authentication unit performs a first authentication based on part of the calculation result transmitted between the first and second communication device, and a second authentication based on another part of the calculation result transmitted between the first and second communication device.
Type: Grant
Filed: February 28, 2019
Date of Patent: June 7, 2022
Assignee: KABUSHIKI KAISHA TOKAI RIKA DENKI SEISAKUSHO
Inventors: Kazuki Naiki, Hiroaki Iwashita, Kenichi Koga, Yoshiyuki Oya, Yoshiki Oishi
-
Patent number: 11356243
Abstract: Object to be solved is to achieve novel information management. In order to solve the above circumstances, the present invention provides an information management system including: a blockchain stored in first and second nodes, in which the first or second node includes an authenticating means that executes an authentication process on a basis of feature data, the first node includes a first signing means that generates a first transaction signature and adds the first transaction signature to an unfinalized block in the blockchain, the second node includes a second signing means that generates a second transaction signature and adds the second transaction signature to the unfinalized block on a basis of a result of the authentication process and the first transaction signature, and the first node includes a chain updating means that hashes the unfinalized block and generates a block on a basis of the second transaction signature.
Type: Grant
Filed: July 5, 2019
Date of Patent: June 7, 2022
Assignee: Mallservice Inc.
Inventor: Yasuhiro Umemoto
-
Patent number: 11349660
Abstract: A system, method, and computer program product for self-identification of a device. The disclosure utilizes generation of a public/private key pair, within the device itself, and completes at least a portion of an authentication process within the device itself using a securely stored private key that never leaves the device. By not transferring the private key away from the device, potential vulnerabilities of known systems due to transfer of identification information during or after manufacturing is effectively eliminated.
Type: Grant
Filed: September 19, 2019
Date of Patent: May 31, 2022
Assignee: Bose Corporation
Inventors: David Joshua Asher, Matthew J. Coles, James Lambert, C. Scott Lamb, Christopher Daly Vincent
-
Patent number: 11347830
Abstract: Systems and methods for managing group encryption are described. In certain methods, a content asset may be encrypted with an asset key. An account key may be determined. Using the account key, an encrypted content asset package may be generated. The asset key may make up at least a portion of the encrypted content asset package. The encrypted content asset package is decryptable with the account key. The encrypted content asset package and an identifier associated with the account key may be transmitted, for example to a playback device.
Type: Grant
Filed: December 31, 2018
Date of Patent: May 31, 2022
Assignee: Comcast Cable Communications, LLC
Inventor: Kyong Park
-
Patent number: 11343069
Abstract: Systems and methods that may implement an Oracle-aided protocol for producing and using FHE encrypted data. The systems and methods may initially encrypt and store input data in one encrypted form that is not performed using FHE, which does not substantially increase the size of the data and storage resources required to store the encrypted data. In accordance with the Oracle-aided protocol, the encrypted data is re-encrypted as FHE encrypted data when FHE encrypted data is required.
Type: Grant
Filed: February 6, 2020
Date of Patent: May 24, 2022
Assignee: Intuit Inc.
Inventors: Margarita Vald, Laetitia Kahn, Boaz Sapir, Yaron Sheffer, Yehezkel Shraga Resheff
-
Patent number: 11341281
Abstract: A computer-implemented method according to one embodiment includes obtaining, at an untrusted environment, encrypted data from a storage location, initiating, within the untrusted environment, a performance of one or more secure computations on the encrypted data, and providing, within the untrusted environment, results of performing the one or more secure computations on the encrypted data.
Type: Grant
Filed: September 14, 2018
Date of Patent: May 24, 2022
Assignee: International Business Machines Corporation
Inventors: Dimitrios Skourtis, Deepavali M. Bhagwat
-
Patent number: 11343076
Abstract: A method and apparatus for determining a propagation delay and/or a distance between a plurality of transceivers, in particular between transceivers outside and/or as part of a motor vehicle, wherein the transceivers are each designed: to generate identical codes in a plurality of these transceivers, using a calculation method known to them, from at least one starting value transmitted, in particular, from one of the transceivers to the further transceivers, to transmit one or more messages from at least one of the transceivers to one or more further ones of the transceivers, which messages each contain at least one of the codes, to determine at least one propagation delay and/or at least one distance between at least two of the transceivers, in particular from the propagation delay and/or transmission times of the one or more messages.
Type: Grant
Filed: August 1, 2017
Date of Patent: May 24, 2022
Assignee: CONTINENTAL AUTOMOTIVE GMBH
Inventors: Thomas Reisinger, Ulrich Emmerling, Maximilian Treindl, Ewald Altmann, Stefan Haller, Franz Plattner
-
Patent number: 11341217
Abstract: Technologies related to enhancing security of digital content are described. Linear error correction codes (LECCs) are employed for dual purposes: 1) to obfuscate digital content; and 2) to verify integrity of the digital content. A transmitter computing system obfuscates digital content based upon an obfuscation protocol, wherein the obfuscated digital content includes an LECC. A receiver computing system deobfuscates the digital content by performing the inverse of the obfuscation protocol.
Type: Grant
Filed: November 5, 2020
Date of Patent: May 24, 2022
Assignee: National Technology & Engineering Solutions of Sandia, LLC
Inventor: Celestino A. Corral
-
Patent number: 11341498
Abstract: The present invention provides methods and apparatuses for verifying that a transaction is legitimate. The methods and apparatuses use protected memory space, such as kernel space of an operating system, or a separate memory space, such as is available on a SIM card of a cellular phone. The method of the invention proceeds by creating a transaction identification string (TID) and associating the TID with a transaction. The TID contains data relevant to or associated with the transaction and is typically readable by an end-user. The transaction is then interrupted until a user responds in the affirmative to allow completion of the transaction. Methods and devices used in the invention are particularly well suited to M-commerce, where transactions originating from a device are typically recognized by a merchant as coming from the owner of the device without further authentication.
Type: Grant
Filed: January 29, 2019
Date of Patent: May 24, 2022
Assignee: AT&T Intellectual Property I, L.P.
Inventors: Lusheng Ji, Donald John Bowen, Thomas Killian, David Kormann, Robert R. Miller, II, Norman L. Schryer
-
Patent number: 11343109
Abstract: Systems and methods for secure enrollment of physical unclonable function devices include providing a device with an enrollment controller. The enrollment controller receives an enrollment request from an enrollment system and authenticates the request. If the request is authentic, the enrollment controller generates challenges in a pseudorandom order determined by a random seed that is shared with the enrollment system. The enrollment controller issues the challenges to interrogation circuitry coupled to a PUF array and records the responses. The responses are transmitted in encrypted form, and in the pseudorandom order, to the enrollment system. The responses are encrypted using a random number shared with the enrollment system. The enrollment system and the enrollment controller can independently generate the encryption key using the shared random number and/or other securely shared information.
Type: Grant
Filed: June 12, 2020
Date of Patent: May 24, 2022
Assignee: ARIZONA BOARD OF REGENTS ON BEHALF OF NORTHERN ARIZONA UNIVERSITY
Inventors: Bertrand F Cambou, David Hely
-
Patent number: 11343675
Abstract: Disclosed is a method in an operator authentication server for authentication of a communication device associated with a communication device manager. The communication device manager being associated with a plurality of communication devices, wherein the operator authentication server has transmitted group subscriber identity module (SIM) information to the communication device manager, wherein the group SIM information is associated with an international mobile subscriber identity (IMSI) number and a shared secret K. The method comprises receiving from the communication device a request for authentication comprising a sub identifier associated with the communication device; determining whether the sub identifier is known.
Type: Grant
Filed: November 21, 2017
Date of Patent: May 24, 2022
Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
Inventor: Jari Arkko
-
Patent number: 11336437
Abstract: A method for determining a terminal ID from a message received from a terminal in a communication system avoids sending the terminal ID in the clear. In this system each terminal ID has an associated encryption key. A transmitted message comprises at least a Message Authentication Code (MAC), a n-bit hash, and encrypted message text. At least the terminal key and a nonce is used to generate the MAC, and neither the terminal ID or the terminal key are included in the transmitted message. An authentication broker stores the set of all (terminal ID, terminal key) pairs for the plurality of terminals in the communication system. The set of all terminal keys is grouped into at least two partitions, and on receipt of a message the authentication broker identifies the partition that includes the terminal key of the terminal that transmitted the received message using the n-bit hash (the search partition).
Type: Grant
Filed: August 28, 2018
Date of Patent: May 17, 2022
Assignee: MYRIOTA PTY LTD
Inventors: Andrew Beck, Robert George McKilliam
-
Patent number: 11334656
Abstract: The provided invention is a unique method and system for generating and using a digital memorized secret, password or other form of digital user authentication by navigating a realistic virtual 3D environment with a keyboard, controller, mouse, virtual reality device or other form of virtual navigation device and selecting an ordered sequence of objects within the virtual 3D environment. The selected sequence of objects have associated character strings or other associated data which are cumulatively stored and used as the users method of user authentication in place of a traditional password, memorized secret or other form of digital user authentication. Encryption and decryption of any data within this system may be performed on both the client and server sides. Hashing and salting of the memorized secret, password or other form of digital user authentication may be performed on both the client and server sides.
Type: Grant
Filed: May 17, 2018
Date of Patent: May 17, 2022
Assignee: MINDPASS, INC.
Inventor: Jacob Lynn Brantley
-
Patent number: 11328093
Abstract: Various examples described herein are directed to systems and methods for securing data. A security system may receive a first record comprising a plurality of record fields, where the plurality of record fields includes a first record field and the first record field includes a first record field data. The security system may access a source setup record corresponding to the first record from a source setup table and determine that the source setup record comprises data referencing the first record field. The security system may access first token data corresponding to the first record field data and replace the first record field data at the first record field with the first token data. The security system may store the first token data at a token table and writing the first token data to the first record field to replace the first record field data.
Type: Grant
Filed: February 6, 2020
Date of Patent: May 10, 2022
Assignee: Wells Fargo Bank, N.A.
Inventors: Thomas Francis Galvin, Jr., James Moffat McGill Hinkle, Victor Manuel Ortiz Del Valle, Udayakumar Ramakrishnan, Christina M. Hamilton, Stuart Edward Lockhart, Gregory Scott Woods
-
Patent number: 11323250
Abstract: A method for key agreement between a first party and a second party over a public communications channel, the method including selecting, by the first party, from a semigroup, a first value “a”; multiplying the first value “a” by a second value “b” to create a third value “d”, the second value “b” being selected from the semigroup; sending the third value “d” to the second party; receiving, from the second party, a fourth value “e”, the fourth value comprising the second value “b” multiplied by a fifth value “c” selected by the second party from the semigroup; and creating a shared secret by multiplying the first value “a” with the fourth value “e”, wherein the shared secret matches the third value “d” multiplied by the fifth value “c”.
Type: Grant
Filed: March 31, 2020
Date of Patent: May 3, 2022
Assignee: BlackBerry Limited
Inventor: Daniel Richard L. Brown
-
Patent number: 11323241
Abstract: An encryption processing system includes: an encryption data generation device, an encryption processing device, and a processing result utilization device. A first processor of the encryption data generation device is configured to perform preprocessing by generating encrypted data of homomorphic encryption corresponding to data obtained by multiplying plaintext data as a target by a power of a predetermined number of two or more. A second processor of the encryption processing device is configured to perform acquiring the encrypted data, and executing a processing on the encrypted data in an encrypted state to obtain a processing result in the encrypted state. A third processor of the processing result utilization device is configured to perform acquiring the processing result, and postprocessing by decrypting data of the processing result in the encrypted state and by dividing the decrypted data by the power of the predetermined number of two or more.
Type: Grant
Filed: March 27, 2020
Date of Patent: May 3, 2022
Assignee: AXELL CORPORATION
Inventor: Yusuke Hoshizuki
-
Patent number: 11316660
Abstract: Encrypted multi-stage smart contracts are disclosed. A smart contract that is to be performed by a contract executor in a plurality of successive stages is generated. For each respective stage of at least some stages, a package of data is encrypted with at least one key to generate an encrypted package that corresponds to the respective stage, and an envelope that corresponds to the respective stage is generated. The envelope includes a condition precedent confirmable by an oracle, and an encrypted package-decryption key that is encrypted with a key of the contract executor. The encrypted package-decryption key, when decrypted, is configured to facilitate the decryption of the encrypted package that corresponds to the respective stage. For at least some of the stages, the encrypted package comprises an envelope and an encrypted package that corresponds to a next successive stage.
Type: Grant
Filed: February 21, 2019
Date of Patent: April 26, 2022
Assignee: Red Hat, Inc.
Inventors: Axel Simon, Michael H. M. Bursell
-
Patent number: 11316668
Abstract: Cryptographic key management systems configured to provide key management services for the secure and decentralized control and storage of private cryptographic keys and other information. Asset private keys, seeds, passphrases, and other digitized information may be split into a plurality of subkeys and distributed to a group of people to allow the group to gain control of the asset private key if and when a specified condition has occurred. In some examples, the group of people receive less than a threshold number of the subkeys required to restore the asset private key and one or more of the subkeys required to restore the asset private key are defined as validator subkeys, the validator subkeys separately and securely stored. In some examples, the validator subkeys are encrypted and the encrypted validator subkeys stored on a blockchain platform.
Type: Grant
Filed: November 15, 2019
Date of Patent: April 26, 2022
Assignee: SafeTech BV
Inventor: Jurgen Schouppe
-
Patent number: 11316682
Abstract: The disclosure proposes a novel method for generating public polynomials. The method simplifies key exchange processes, reduces the time required for key exchange and reduces the bandwidth required for data transmission from a server to a client. Secondly, the method keeps the calculation processes at both sides synchronized through a novel data exchange solution, particularly through handshaking signals, to ensure that the server and the client are always in the same key exchange process. In addition, the method further reduces a transmission bandwidth by sending information of the client twice. A state synchronization mechanism of the client and the server is proposed in the disclosure to ensure that Trivium modules at both sides are in the same state at the beginning of each key exchange, thereby avoiding reinitializing the modules and improving the operation efficiency of the whole system.
Type: Grant
Filed: June 18, 2020
Date of Patent: April 26, 2022
Assignee: HUAZHONG UNIVERSITY OF SCIENCE AND TECHNOLOGY
Inventors: Dongsheng Liu, Xingjie Liu, Cong Zhang, Zilong Liu, Ang Hu, Wending Zhao, Zirui Jin, Jiahao Lu
-
Patent number: 11317279
Abstract: The present invention is generally related to client and computing platforms that may be used for conducting secure transactions.
Type: Grant
Filed: June 2, 2014
Date of Patent: April 26, 2022
Assignee: Certus Technology Systems, Inc.
Inventor: Jack Wolosewicz
-
Patent number: 11310034
Abstract: Described embodiments provide systems and methods for securing offline data for shared accounts of a shared computing device. Cache files can be generated for a plurality of users of an application executable on the device to store user data corresponding to individual users of the application. An encryption key can be generated for one or more of the cache files and the encryption key can be associated with at least one user of the application. The encryption key can be associated with a user identifier so that the encryption key is not accessible by other users of the computing device. The user data can be encrypted in one of the cache files with the encryption key. The encrypted user data can be presented to a user via the shared computing device based on receipt of a user identifier that enables access to the encryption key.
Type: Grant
Filed: May 8, 2019
Date of Patent: April 19, 2022
Assignee: Citrix Systems, Inc.
Inventors: Feng Huang, Andy Cooper
-
Patent number: 11310041
Abstract: A method for a data owner to enforce attribute-based and discretionary access control over a cloud-based data store by specifying an access policy, creating a plurality of users with attributes that satisfy the access policy, and revoking one or more of the plurality of users by embedding their respective identities as revoked into a ciphertext, whereby only those of the plurality of users whose attributes satisfy the access policy and that are not revoked can decrypt the ciphertext.
Type: Grant
Filed: December 27, 2019
Date of Patent: April 19, 2022
Assignee: Arizona Board of Regents on Behalf of Arizona State University
Inventors: Dijiang Huang, Jim Luo, Myong Hoon Kang, Qiuxiang Dong
-
Patent number: 11310078
Abstract: Techniques for sending encrypted data includes establishing a plurality of different links between a first node and a different second node. The different links are different physical layer links or different virtual private network (VPN) links or some combination. The method also includes encrypting plaintext using a first value for an encryption parameter to produce ciphertext. Further, the method includes sending a first plurality of messages that indicate the ciphertext using at least one link of the plurality of different links. Still further, the method includes sending a different second plurality of messages that indicate the first value for the encryption parameter using at least one different link of the plurality of different links without introducing a random bit error.
Type: Grant
Filed: January 10, 2019
Date of Patent: April 19, 2022
Inventors: Randall Paul Joseph Ethier, Anatoly Y. Rodionov, Jordan Steven Feldman
-
Patent number: 11301429
Abstract: A blockchain of transactions may be referenced for various purposes and may be later accessed by interested parties for ledger verification. One example operation may comprise one or more of identifying determining a shared file is being edited by one or more entities, identifying one or more changes to the shared file while the shared file is being edited, signing the one or more changes with one or more public keys, and adding the one or more changes to a blockchain.
Type: Grant
Filed: January 2, 2020
Date of Patent: April 12, 2022
Assignee: International Business Machines Corporation
Inventors: Paul R. Bastide, Jonathan Dunne, Liam Harpur, Robert E. Loredo
-
Patent number: 11303432
Abstract: Double key encryption encrypts sensitive data using a content key, obtains a user public key from a key management service, encrypts the content key using the user public key, and encrypts the result using a cloud service provider key. Data confidentiality is protected efficiently through multilevel encryption and also by utilizing keys that are managed by different entities. Sensitivity labeling allows analytics to track sensitive data without compromising confidentiality. Compliance mechanisms may use attribute-based access control to support storage of sensitive data in a cloud, but only inside a permitted region, and without giving the cloud service provider access to the sensitive data.
Type: Grant
Filed: May 1, 2020
Date of Patent: April 12, 2022
Assignee: Microsoft Technology Licensing, LLC
Inventors: Benjamin Sean Levin, Kartik Tirunelveli Kanakasabesan, Laurie Lee Litwack, Kurt Matthew Brendon, Ajay Kumar Karanam, Kiran Doreswamy, Ryan Jay Best
-
Patent number: 11297682
Abstract: Disclosed is a method for indirectly activating at least one connected object intended to be joined to a network of connected objects, the network of connected objects including at least one network organizing agent and a commissioning agent, each including a communication module, the communication module including a first radiofrequency interface suitable for communicating according to a first communication protocol, the method including a step of collecting information that is useful for connecting at least one connected object to the network of connected objects by a mobile terminal, a step of transmitting, by the mobile terminal, the collected information to the commissioning agent and a step of inputting at least one connected object into the network of connected objects using information useful for connecting the connected object.
Type: Grant
Filed: November 19, 2018
Date of Patent: April 5, 2022
Assignee: SOMFY ACTIVITES SA
Inventors: Hubert Cosserat, Thibaut Desbrugeres, Emmanuel Pauchard
-
Patent number: 11290349
Abstract: Systems and techniques are described for a centralized management system operating within a virtual machine which configures, monitors, analyzes, and manages an adaptive private network (APN) to provide a discovery process that learns about changes to the APN through a network control node (NCN) that is a single point of control of the APN. The discovery process automatically learns a new topology of the network without relying on configuration information of nodes in the APN. Network statistics are based on a timeline of network operations that a user selected to review. Such discovery and timeline review is separate from stored configuration information. If there was a network change, the changes either show up or not show up in the discovery process based on the selected time line. Configuration changes can be made from the APN VM system by loading the latest configuration on the APN under control of the NCN.
Type: Grant
Filed: July 31, 2019
Date of Patent: March 29, 2022
Assignee: TALARI NETWORKS INCORPORATED
Inventors: Todd Martin, Sonia Kiang Rovner, Justin Allen Patterson
-
Patent number: 11290874
Abstract: A communication terminal (10) includes control means for generating a subscription concealed identifier (SUCI) including a subscription permanent identifier (SUPI) concealed using a predetermined protection scheme, and a protection scheme identifier identifying the protection scheme, and transmission means for sending the SUCI to a first network apparatus during a registration procedure, the SUCI being sent for a second network apparatus to de-conceal the SUPI from the SUCI based on the protection scheme used to generate the SUCI.
Type: Grant
Filed: January 9, 2019
Date of Patent: March 29, 2022
Assignee: NEC CORPORATION
Inventors: Sheeba Backia Mary Baskaran, Sivakamy Lakshminarayanan, Anand Raghawa Prasad, Sivabalan Arumugam, Hironori Ito, Takahito Yoshizawa
-
Patent number: 11290281
Abstract: This specification describes techniques for managing assets in a blockchain. One example method includes receiving, from a target user recorded in a distributed database of a blockchain network, a user input including a request to update a status of a target object, determining, based on a contract object, whether the target user is a member user with an update permission for the target object, the contract object being published in the blockchain network and corresponding to an asset type of the target object, wherein the target object was created using the contract object, and in response to determining that the target user has the update permission for the target object, performing a status update on the target object by using the contract object.
Type: Grant
Filed: February 14, 2019
Date of Patent: March 29, 2022
Assignee: Advanced New Technologies Co., Ltd.
Inventor: Xuebing Yan
-
Patent number: 11288167
Abstract: The present disclosure provides generally for a system and method for visualizing and measuring software assets and identifying security risk and vulnerabilities associated with products and personnel. An analytics engine may be configured to analyze a software asset and provide a plurality of analytics and a plurality of insights related to the software asset. A correlation engine may be configured to translate the plurality of insights into a set of universal data and correlate the plurality of insights to predefined risks associated with the software asset.
Type: Grant
Filed: June 29, 2021
Date of Patent: March 29, 2022
Inventor: Jeremy J. Vaughan
-
Patent number: 11283603
Abstract: A set of servers can support secure and efficient “Machine to Machine” communications using an application interface and a module controller. The set of servers can record data for a plurality of modules in a shared module database. The set of servers can (i) access the Internet to communicate with a module using a module identity, (ii) receive server instructions, and (iii) send module instructions. Data can be encrypted and decrypted using a set of cryptographic algorithms and a set of cryptographic parameters. The set of servers can (i) receive a module public key with a module identity, (ii) authenticate the module public key, and (iii) receive a subsequent series of module public keys derived by the module with a module identity. The application interface can use a first server private key and the module controller can use a second server private key.
Type: Grant
Filed: April 8, 2020
Date of Patent: March 22, 2022
Assignee: Network-1 Technologies, Inc.
Inventor: John A. Nix
-
Patent number: 11283703
Abstract: A uniform protocol can facilitate secure, authenticated communication between a controller device and an accessory device that is controlled by the controller. An accessory and a controller can establish a pairing, the existence of which can be verified at a later time and used to create a secure communication session. The accessory can provide an accessory definition record that defines the accessory as a collection of services, each service having one or more characteristics. Within a secure communication session, the controller can interrogate the characteristics to determine accessory state and/or modify the characteristics to instruct the accessory to change its state.
Type: Grant
Filed: May 7, 2019
Date of Patent: March 22, 2022
Assignee: Apple Inc.
Inventors: Joe S. Abuan, Bob Bradley, Craig P. Dooley, Gregg J. Golembeski, Jr., Andrew W. Burks, Srinivas Rama, Arun G. Mathias, Anush G. Nadathur, Kevin P. McLaughlin
-
Patent number: 11283811
Abstract: An information processing apparatus that, when authentication is successfully performed by using first authentication information, permits access to first content. When authentication is successfully performed by using second authentication information which is different from the first authentication information, the information processing apparatus permits access to second content having a confidentiality level higher than a confidentiality level of the first content. The third authentication information is issued to a user in a period in which authentication using the second authentication information is valid. The third authentication information is different from the first authentication information and the second authentication information. When authentication is successfully performed by using both the first authentication information and the third authentication information, the information processing apparatus permits access to the second content.
Type: Grant
Filed: August 22, 2019
Date of Patent: March 22, 2022
Assignee: FUJIFILM Business Innovation Corp.
Inventor: Yosuke Shinnaka
-
Patent number: 11277444
Abstract: Provided is a system-on-chip that may perform a message encryption operation based on a transport layer security (TLS) scheme. The system-on-chip may include an authentication unit configured for exchanging a key used for the message encryption operation and performing authentication for a subject to perform communication, an advanced encryption standard (AES) engine core configured for performing a function of encrypting a message using a key or decrypting the encrypted message and a function of encrypting the key or decrypting the encrypted key, and a controller configured for controlling the AES engine core and the authentication unit based on a real time operating system (RTOS) and firmware for performing the message encryption operation.
Type: Grant
Filed: September 11, 2019
Date of Patent: March 15, 2022
Assignee: SECURITY PLATFORM INC.
Inventors: Kyung-mo Kim, Ho Gwan Kang
-
Patent number: 11277415
Abstract: Disclosed herein are methods, systems, and processes for continuously renewing credentials in application development and testing environments that include application products from third-party vendors. A notification indicating that an existing credential associated with a developer account of a third-party application will expire is received via a webhook. A credential renewal request for a new set of credentials for the developer account is sent using a request method specified for the third-party application and the new set of credentials for the developer account are received within the expiration period via the webhook.
Type: Grant
Filed: May 14, 2019
Date of Patent: March 15, 2022
Assignee: Rapid7, Inc.
Inventor: Michael Robert Rinehart
-
Patent number: 11277381
Abstract: A method for controlling the transfer of data through a firewall. The method includes one or more computer processors establishing a first communication channel between a first server and a second server. The method further includes transmitting, via the first communication channel, information related to a pending transmission of data from the first server to the second server. The method further includes receiving from the second server, via the first communication channel, a set of security information associated with accessing the second server via a second communication channel. The method further includes establishing the second communication channel between the first server and the second server based on the set of security information received from the second server. The method further includes transmitting the data from the first server to the second server utilizing the established second communication channel.
Type: Grant
Filed: April 30, 2020
Date of Patent: March 15, 2022
Assignee: KYNDRYL, INC.
Inventors: Pramod Vadayadiyil Raveendran, Seema Nagar, Sougata Mukherjea, Kuntal Dey
-
Patent number: 11277258
Abstract: Disclosed herein are methods, systems, and media for privacy-protected user recognition. One of the methods comprising obtaining a biometric feature of a first user; performing homomorphic encryption on the biometric feature of the first user to obtain a first ciphertext feature; determining a candidate ciphertext feature from a predetermined ciphertext feature set based on the first ciphertext feature and a predetermined graph structure index, wherein the predetermined ciphertext feature set comprises a plurality of second ciphertext features obtained by performing the homomorphic encryption of a plurality of second biometric features of multiple second users, and wherein the predetermined graph structure index is generated based on similarity among at least some of the plurality of second ciphertext features in the predetermined ciphertext feature set; and determining a recognition result for the first user based on the candidate ciphertext feature.
Type: Grant
Filed: June 25, 2021
Date of Patent: March 15, 2022
Assignee: Alipay (Hangzhou) Information Technology Co., Ltd.
Inventors: Juntao Zhang, Qixian Zhou
-
Patent number: 11275819
Abstract: Embodiments of the present invention provide a system for generative adversarial network training and feature extraction for biometric authentication. The system collects electronic biometric data of a user from one or more data sources, and stores the collected electronic biometric data as a biometric user account for the user in a personal NoSQL database library associated with the user. A generative adversarial neural network system then determines improved biometric feature selection and improved model refinements for existing biometric authentication models based on the biometric account for the user in the personal library associated with the user. The system can then determine user exposure levels for different authentication channels, including certain biometric authentication channels. A custom adversarial strategy for general adversarial network attacks is then established based on the user exposure levels to generate a biometric authentication process that is more accurate and secure.
Type: Grant
Filed: December 5, 2018
Date of Patent: March 15, 2022
Assignee: BANK OF AMERICA CORPORATION
Inventor: Eren Kursun
-
Patent number: 11277412
Abstract: A computer implemented system for controlling access to data associated with an entity includes a data storage device having a protected memory region, and one or more processors, at least one of which is operable in the protected memory region. The one or more processors are configured for: storing a secret key associated with the entity in a portion of the protected memory region associated with the entity; upon receiving entity data, storing the entity data in the portion of the protected memory region associated with the entity; and upon receiving an access grant signal, generating a smart contract, the smart contract defining the entity data to be accessed and a recipient of the entity data to be accessed.
Type: Grant
Filed: July 24, 2019
Date of Patent: March 15, 2022
Assignee: ROYAL BANK OF CANADA
Inventors: Edison U. Ortiz, Arya Pourtabatabaie, Ambica Pawan Khandavilli, Margaret Inez Salter, Jordan Alexander Richards, Iustina-Miruna Vintila, Sarah Rachel Waigh Yean Wilkinson