Abstract: Features described herein generally relate to systems and methods for generating and managing tokens for authenticated assets. In some aspects, generating a token is performed according to one or more rules and includes generating metadata that links the token to a representation of an asset. In some other aspects, tracking token access includes monitoring a blockchain for token access events and generating a token based on a modified historian and received feedback. In other aspects, validating a token for an authenticated asset includes matching representations of the authenticated asset.

Abstract: A system and method for digitally signing data. A method includes generating, by a first device, at least one first secret share based on a secret key chosen by the first device, wherein the first device is offline with respect to a second device; partially signing data by the first device using the at least one secret share, wherein the data is received from the second device without establishing direct communications between the first device and the second device; and sending the partially signed data from the first device to the second device, wherein the second device generates signed data using the partially signed data, wherein the signed data corresponds to a public key generated based on the at least one first secret share and at least one second secret share generated by the second device.

Abstract: A computing system and method enables a business to manage negative and positive reviews of a purchased good or service. An example computing system may be configured to retrieve ratings and reviews relating to the business from a plurality of computing devices deployed within a communication network; extract data from the ratings and reviews; determine a parameter for the business based at least upon the data extracted from the ratings; process the data extracted from the reviews to identify inappropriate content; generate signals to obscure the inappropriate content in the reviews; generate a graphical user interface comprising a display of a listing of the ratings and reviews including the signals obscuring the inappropriate content in the reviews; detect cursor movements on the graphical user interface; and modify the display of the graphical user interface based at least on the cursor movements in relation to the inappropriate content.

Abstract: A computing device includes a direct memory access (DMA) engine coupled to a memory, a network interface, and processing circuitry. The processing circuitry is to perform a secure exchange with a second computing device to negotiate a shared encryption key, based on a request for data received via the network interface from the second computing device. The DMA engine is to retrieve the data from a storage location based on an encryption command. The encryption command indicates the storage location. The DMA engine is to encrypt the data based on the shared encryption key to generate encrypted data, and store the encrypted data in the memory.

Abstract: A method includes providing one or more signals to an electronic device for performing a test procedure that involves programming a One-Time Programmable (OTP) memory in the electronic device. A verification is made as to whether connection of the one or more signals to the electronic device is stable, by performing a sequence of one or more iterations, each iteration including (i) determining, from among a set of scratchpad addresses in the OTP memory, an address that is available for programming, (ii) writing a test value to the address, and then (iii) reading the test value from the address. If the read test value differs from the written test value, re-tuning of the connection of the one or more signals is initiated. Only when the connection is verified as stable by the sequence of iterations, the OTP memory is programmed in accordance with the test procedure.

Abstract: A system and method for securely dispensing medication are described herein. The system includes a telemedicine center that communicates with medical assistant station and a medication distribution station located at a correctional facility and a physician center remote to the correctional facility. The medical assistant station transmits a request for medication to the telemedicine center. The telemedicine center verifies an identity of the medical assistant requesting the medication and transmits the request to the physician center. When the telemedicine center receives a confirmation to dispense medicine from the physician center, an identity of the physician transmitting the confirmation is verified. The telemedicine center then verifies an identity of an inmate to receive the medication, by way of the medication distribution station, and allows the medication distribution station to dispense the medication.

Abstract: Methods and systems for managing and/or processing a blockchain to maintain data security for confidential and/or personal data are provided. According to certain aspects, the disclosed data security techniques may enable access sharing functionality utilizing the blockchain. For example, access sharing may be utilized to share policy information. The policy information may be associated with a smart contract. Accordingly, the policy information may be encrypted using a public key for the smart contract and compiled into a block of the blockchain. In response to a request to provide access to the information to a particular node, the private key for the smart contract may be encrypted using the public key for the particular node and compiled into a block of the blockchain.

Abstract: Secure hashing of large files to verify file identity. In some implementations, a method includes determining a size of a particular file received by an endpoint device, and searching for a record indexed in a data structure based on the size. In response to finding the record, a sequence of multiple records is accessed in the data structure. For each record of the sequence, a particular data portion is hashed that has a location in the particular file that corresponds to a location in the record to obtain a particular hash result. In response to the particular hash result matching a corresponding previous hash result stored in the record based on an associated data portion in an associated file, the particular file is determined to be the same as the associated file, and characteristics of the particular file are determined using file information for the associated file.

Abstract: Training a neural network and embedding a watermark in the network to prove ownership. The network includes a plurality of trainable parameters associated with network nodes in which the plurality of trainable parameters is split into a first set of trainable parameters and a second set of trainable parameters. A first set of training samples is input to the network and the network is trained by iterating the first set of samples through the network to update the first set of parameters and hindering the second set of parameters to be updated during iteration of the first set of samples. A second set of samples is input and the watermark is embedded by iterating the second set of samples through the network to update the second set of parameters and hindering the first set of parameters to be updated during iteration of the second set of samples.

Abstract: Systems and methods include processing communication segments. A method may include obtaining at least one audio segment of an audio communication and distributing the at least one audio segment to a rules engine, analyzing, with the rules engine, the at least one audio segment for at least one acoustic trigger, determining at least one event that is triggered based on comparing the at least one acoustic trigger to one or more trigger rules, and communicating the at least one event to at least one end user through a web server.

Abstract: Aspects of a storage device are provided for managing a key version used for encryption and decryption and processing host commands associated with sanitized and non-sanitized logical pages using cryptographic erase. A controller of the storage device updates, in response to a sanitize command, a current address offset associated with the KV from a first address offset to a second address offset without changing the KV. In response to a subsequent read command, the controller determines whether the KV mismatches an expected KV obtained from the metadata beginning at the second address offset but matches or mismatches an expected KV obtained from the metadata beginning at the first address offset. The controller transmits garbage data decrypted using a different KV than the KV if a match, or an error message indicating a KV mismatch error if a mismatch. Thus, the controller may avoid returning garbage data for non-sanitized logical pages.

Abstract: An electronic device and a method for protecting seed data packet thereof, which relate to the field of information security. The electronic device includes a receiving module, a first obtaining module, a first determining module, a first confirming module, a sending module, a first verifying module, a second determining module, a checking module, a first setting module, a second setting module, a second verifying module, a generating and storing module, a third setting module, a fourth setting module, a data storing module, a key generating module, a third verifying module, a second confirming module, a second obtaining module and an organizing module.

Abstract: Techniques are described for controlling data and resource access. For example, methods and systems can facilitate controlled token distribution across systems and token processing in a manner so as to limit access to and to protect data that includes access codes.

Abstract: Methods, systems, and devices for verification of a volatile memory, such as a dynamic random-access memory (DRAM), using a unique identifier (ID) are described. A memory device may store a unique ID for a DRAM component of the memory device in non-volatile memory (e.g., in the DRAM, external to the DRAM). A host device coupled with the memory device may store, to non-volatile memory at the host device, information for verifying the identity of the DRAM component, for example, based on the unique ID. The memory device and host device may perform a procedure for verification of the identity of the DRAM component using the unique ID of the DRAM and the verification information stored at the host device. If the host device detects that the DRAM has been replaced or modified based on the verification procedure, the host device may disable one or more features of the memory device.

Abstract: A data transfer method, a data transfer device and a computer readable storage medium. The data transfer device comprises at least one first-stage memory, at least one second-stage memory and at least one third-stage memory which are connected in sequence. The data transfer method comprises: receiving a first input comprising a number of input lanes and/or a number of output lanes; selecting a corresponding second-stage memory and controlling a first read signal and a second read signal, according to the number of input lanes and/or the number of output lanes; storing data of the input lanes through the at least one first-stage memory; reading data of the first-stage memory and writing the data into the corresponding second-stage memory when the first read signal is enabled; and reading data of the corresponding second-stage memory and writing the data into the third-stage memory when the second read signal is enabled.

Abstract: A data storage management system is enhanced to accommodate, and moreover to optimize, the storing and retention of deduplicated secondary copies at write-once read-many (WORM) enabled storage platforms. Enhancements include without limitation: user interface (UI) options to enable WORM functionality for secondary storage, whether used for deduplicated or non-deduplicated secondary copies; enhancements to secondary copy (e.g., deduplication copy, backup) operations; and pruning changes. The storage manager is generally responsible for managing the creation, tracking, and deletion of secondary copies, with and without deduplication. Media agents that store secondary copies to and prune them from the WORM-enabled storage platforms also are enhanced for communicating and interoperating with both bucket-level and object-level WORM-enabled storage platforms to implement the features disclosed herein.

Abstract: Techniques for secure cryptographic secret bootstrapping balance the need to quickly and conveniently restore cryptographic secrets to server computers in the event of an outage with the need for security. Before the outage, a server computer uses a trusted platform module of the server computer to seal an encryption key used to encrypt a secret stored at the server computer. In response to the outage, the server computer restores the secret by using the trusted platform module to unseal the encryption key and then using the unsealed encryption key to decrypt the encrypted secret. The techniques can be used to restore cryptographic secrets rapidly and securely to a cluster of server computers used for cryptographic operations in a provider network without the overhead of safe room procedures.

Abstract: In one embodiment, a service receives administration traffic data in a network associated with a remote administration session in which a control device remotely administers a client device. The service analyzes the administration traffic data to determine whether any portion of the administration traffic data is resulting from an administration session involving a trusted administrator. The service flags a first portion of the administration traffic data as authorized when the first portion of the administration traffic data is determined to result from an administration session involving a trusted administrator, and a second portion of the administration traffic data is non-flagged. The service assesses the second portion of the administration traffic data using a machine learning-based traffic classifier to determine whether the second portion of the administration traffic data is malicious.

Abstract: The present disclosure relates to an antenna apparatus for a base station and an adapter thereof and particularly comprises: an antenna module vertically installed to be spaced forward from a support pole by a predetermined distance so as to have a distancing space therebetween; an RRH installed on the antenna module to be positioned in the distancing space, wherein one of the upper end and the lower end thereof is hinge-coupled to the antenna module and the other of the upper end and the lower end thereof is attached to or detached from a part of the antenna module to enable electrical signal connection or disconnection while being rotated around the hinge; and an adapter for mediating the electrical signal connection and disconnection between the antenna module and the RRH. Therefore, the present disclosure provides advantages of reducing installation time and installation costs.

Abstract: Systems, computer program products, and methods are described herein for generating data strings and for managing encrypted data in data containers in an electronic network. The present invention is configured to identify at least one data container, wherein the at least one data container comprises encrypted data; interrogate the at least one data container; determine at least one encryption associated with the encrypted data of the data container; receive at least one encryption key associated with the encrypted data; receive at least one tag associated with the encrypted data, wherein the at least one tag comprises at least one location identifier associated with the encrypted data; generate a string for the data of the data container, wherein the string comprises the at least one tag; and decrypt the encrypted data of the data container based on the at least one encryption key.

Abstract: A method and apparatus for hard deletion of user data are described. The method may include receiving a request from a user computer system to delete user data. The method may also include determining a unique user identifier associated by a system with a user making the request. The method may also include determining whether a data partition, in which data generated by a job or subsystem of the computer system is stored, is predicted to contain a record having the unique user identifier. Then, the method may include searching, when the data partition is predicted to contain a record having the unique user identifier, data records stored in the data partition for a user data record based on the unique identifier, and performing a hard deletion of the user data record from the partition when found during the searching.

Abstract: Methods, systems, and apparatuses embodied herein control and track access to secured data independent of the asset storing the secured data. In this regard, some embodiments organize volumes including one or more datasets and attach one or more assets to each volume. Some embodiments further receive data permissions of use information, for example from a data steward device, for the volume and datasets, which are registered with the volume and the datasets. Some embodiments further receive a set of restrictions, retrieve the dataset permissions of use information for one or more dataset identifiers, and determine the restrictions do not conflict with the dataset permissions of use information. Some embodiments further generate, and subsequently store, an indication the set of restrictions is valid when the dataset permissions of use information does not conflict. Permissions of use information may be organized into persona data objects assigned to various user profiles.

Abstract: A cloud infrastructure is configured and deployed for managing services executed on a cloud platform. The cloud infrastructure includes a control datacenter configured to communicate with one or more service datacenters. The service datacenter deploys one or more application programming interfaces (API's) associated with a service. The service datacenter also deploys an administration agent. The control datacenter hosts an engine that receives requests from users to perform administration operations by invoking the administration API's. In this manner, the control datacenter functions as a centralized control mechanism that effectively distributes administration operation requests as they are received from users to service datacenters that can service the requests. The cloud infrastructure provides an auditable, compliant and secure management system for administering services for distributed systems running in the cloud.

Abstract: Disclosed is a system for protecting electronic devices from counterfeiting and misuse. The system includes a hub unit and a smart switch. The hub unit includes a generator, a modulator and a first conductive surface. The smart switch is connected to sub-circuits and capacitively coupled to the hub unit. The smart switch includes a transmission gate, a second conductive surface, a rectifier, a buffer, a demodulator, and a latch. The smart switch receives switching instructions over an alternating electric field from the hub unit to operate the electronic device.

Abstract: A system and method for securely obtaining access to a program operating on a remote device via a local smart pass program transmitting a local cryptographic key specific to a local user device.

Abstract: A network system to allow global usage of data while allowing regional jurisdictions control over sensitive data. Different jurisdictions may declare different types of data as sensitive data that is not to be discoverable by another party. The system may receive data that includes encoded data at a first device from a second device (e.g., associated with a remote datacenter). The system may store the data at the first device. In response to receiving a request from a third entity, the system may request a cryptographic key for decoding one or more data fields of the encoded data. Based on decoding the associated field data, the system may transmit a response to the data request that includes the decoded data.

Abstract: The arrangements disclosed herein relate to systems, apparatus, methods, and non-transitory computer readable media for determining to erase a plurality of ciphertext blocks stored in a memory device, in response to determining to erase the plurality of ciphertext blocks, performing a cryptographic erasure of the plurality of ciphertext blocks. The cryptographic erasure includes encrypting each of the plurality of ciphertext blocks with a random key and destroying the random key in response to encrypting each of the plurality of ciphertext blocks.

Abstract: Systems and methods for text processing are described. Embodiments of the present disclosure receive a query comprising a natural language expression; extract a plurality of mentions from the query; generate a relation vector between a pair of the plurality of mentions using a relation encoder network, wherein the relation encoder network is trained using a contrastive learning process where mention pairs from a same document are labeled as positive samples and mention pairs from different documents are labeled as negative samples; combine the plurality of mentions with the relation vector to obtain a virtual knowledge graph of the query; identify a document corresponding to the query by comparing the virtual knowledge graph of the query to a virtual knowledge graph of the document; and transmit a response to the query, wherein the response includes a reference to the document.

Abstract: An encryption key generating device includes a shared key separator separating a shared key into a first key and a second key and storing the first key in a non-volatile memory and storing the second key in a volatile memory; a key extender extending the second key to the same key length as that of the first key and storing the second key extended as a third key in the volatile memory; a key calculator calculating an encryption key by an exclusive-OR of the first key and the third key and storing it in the volatile memory.

Abstract: In one embodiment, a parallel computing system includes a key manager to assign symmetric memory keys to parallel computing jobs including a first symmetric memory key to a first parallel computing job, and a plurality of server nodes to execute parallel computing processes of the first parallel computing job, and cause registration of host memory regions of the server nodes with the assigned first symmetric memory key in corresponding network interface controllers of the server nodes so that different ones of the host memory regions are accessible with the first symmetric memory key by remote ones of the server nodes using remote direct memory access.

Abstract: A method for the simultaneous or contemporaneous generation of at least one encrypted compression key; the deletion of the original database; the transfer of the encrypted compression key; the reversing and decompressing of the encrypted compression key; and the recreation of the original database. The method is usable with any database. Further, the method, includes the generation of at least one encrypted compressed organization key which can be joined with the encrypted compression key to, in essence, add a layer of encryption to compression and a layer of compression to encryption. A double encrypted compressed key may be generated from the use of a trap door or one-way functionality in combination with the compression and encryption portions provided by the encrypted compression key and the encrypted compressed organization key. The encrypted compression key and the double encrypted compressed key include functional parts that accelerate and improve the accuracy of the compression.

Abstract: Provided are a computer program product, system, and method for determining an encryption technique for a modified data object to backup. Deep data inspection is performed on an object using a natural language processing module to determine facets for the object. The facets provide facet values for instances of sensitive information in the object. The facet values for the object are processed to determine a cumulative facet value. A determination is made of an encryption technique comprising one of a plurality of different encryption techniques to use on the object based on the cumulative facet value. The determined encryption technique is used to encrypt the object to transfer to a backup storage.

Abstract: Techniques for training data protection in an artificial intelligence model execution environment are disclosed. For example, a method comprises executing a first partition of an artificial intelligence model within a secure execution area of an information processing system and a second partition of the artificial intelligence model within a non-secure execution area of the information processing system, wherein data at least one of obtained and processed in the first partition of the artificial intelligence model is inaccessible to the second partition of the artificial intelligence model. Communication between the first partition and the second partition may be enabled via a model parallelism-based procedure. Data obtained in the secure execution area may comprise one or more data samples in an encrypted form usable to train the artificial intelligence model.

Abstract: A method and a system for maintaining immutability of evidence that relates to software development life cycle data and that is protected from tampering in order to guarantee data integrity and consistency are provided. The method includes: receiving an evidence item that relates to a software development; encrypting the evidence item; storing the encrypted evidence item in a memory; computing a hash value based on the evidence item; and combining the hash value with a hash tree that relates to the software development. The hash tree includes a set of hash values for which there is a one-to-one correspondence with a set of evidence items that are represented in the hash tree. When tampering, such as content alteration or deletion, occurs with respect to an evidence item, the hash values in the hash tree may be used to determine the evidence item for which the tampering has occurred.

Abstract: A micro-controller chip is coupled to an external memory and includes a central processing unit (CPU), an address reorder circuit, and an address bus. The CPU is configured to provide a first internal address. The address reorder circuit calculates a unique identifier and a seed code to generate a base parameter and performs a reorder operation for the first internal address according to the base parameter to generate a first encryption address. The address bus is coupled between the address reorder circuit and the external memory to provide the first encryption address to the external memory. The external memory stores specific data according to the first encryption address.

Abstract: This application discloses a remote attestation method and an apparatus. The method specifically includes: A first network device receives encrypted information and first measurement information of a second network device through the second network device, where the encrypted information is information obtained by encrypting second measurement information of a third network device; the first network device determines, based on the first measurement information, that the second network device is system-trusted; and the first network device decrypts the encrypted information to obtain the second measurement information.

Abstract: An electronic device is provided. The electronic device includes a memory and a processor, the processor allocates first and second address spaces (AS) to the memory in rich execution environment (REE) when detecting a request to write data, writes the data to the first AS and detect access to the second address space in the REE, configures access permission of a first user virtual memory AS (VMAS), mapped to the first address space, in the REE so that write access is deactivated by a trusted environment manager when detecting access to the second AS, configures access permission of a second user VMAS, mapped to the second AS, in the REE so that read access is activated and write access is deactivated, and configures access permission of a first kernel VMAS, mapped to the first AS, in the REE so that write access is deactivated by the trusted environment manager.

Abstract: A method for sharing encrypted data including encrypting first data with at least one first attribute. The first attribute satisfies a first access policy of a first cryptographic key to enable one or more first users holding the first cryptographic key to decrypt the encrypted first data using the first cryptographic key. The method includes encrypting second data with at least one second attribute of the second data. The method includes generating a second cryptographic key based on a second access policy including at least one logical connective of the first attribute and the second attribute for decrypting the encrypted first data and the encrypted second data using the second cryptographic key and providing the second cryptographic key to one or more second users to enable the second users to decrypt the encrypted first data and the encrypted second data.

Abstract: A system for secure sharing of documents via a content management repository is provided. The system includes a content management unit, a filtering unit, a graphical user interface, and a memory communicatively coupled to the content management unit. The content management unit is configured to receive content restriction rules for content stored in the content management repository. The content management unit is further configured to inject the content restriction rules into policy rules. The content management unit is configured to intercept an Application Programming Interface call for the content from a user. The filtering unit is configured to dynamically filter the content based on the content restriction rules. The graphical user interface is configured to render the filtered content to display the filtered content to the user.

Abstract: Authorization for a user may be dynamically tailored per application or per application function, rather than globally managed by an administrator. For example, in some embodiments, an identity access management system may generate a suitable authorization token (or authorization token information) to enable a user to login to an application or perform a particular function. The authorization token may be dynamically generated and tailored based on filtering various identity information otherwise available from an identity system, access boundaries of applicable application functions, or other factors.

Abstract: A tokenization system receives a request for data anonymization, the request referencing structured data containing values of interest. Responsively, the tokenization system performs a tokenization operation on the structured data, generates a corresponding token, and replaces a value of interest with the corresponding token to produce an anonymized version of the structured data. The tokenization system stores the value of interest with the corresponding token in a secure data vault. Subsequently, the tokenization system may receive a request for revealing the anonymized version of the structured data containing the corresponding token. In response, the tokenization system can perform a reveal operation on the anonymized version of the structured data by querying the secure data vault for the corresponding token and retrieving the value of interest from the secure data vault using the corresponding token.

Abstract: An inspection apparatus includes a conveyer configured to convey a medium having a plurality of printing areas in a conveying direction, a reader configured to read images printed in the printing areas, and a controller. When a plurality of images, each of which a printing position of a code in the printing area is the same as the other images, are respectively printed in the printing areas, the controller causes the reader to read a prescribed image, inspects whether the code satisfies a prescribed condition, acquires position information for specifying a printing position of the code, causes the reader to read an upstream image in a printing area upstream of the prescribed image, extracts a processing range in which the code is included from a read image of the upstream image based on the position information, and inspects whether the code included in the processing range satisfies the prescribed condition.

Abstract: A lightweight intrusion detection method includes obtaining a feature data set of the internet of vehicles and pre-processing data; dividing pre-processed data into an initial training set, an initial verification set and an initial test set according to a preset proportion, performing data balance on the initial training set to obtain a balanced training set, performing feature selection on the balanced training set, the initial verification set and the test set; obtaining a teacher model by training with the model training set and the model verification set; using the teacher model, the model training set and the model verification set for distillation training to obtain a student model; testing a size and complexity of the student model and the performance of the student model, and saving the student model that passes the test as a lightweight intrusion detection model; and deploying the lightweight intrusion detection model.

Abstract: In one aspect, an illustrative methodology implementing the disclosed techniques includes, by a computing device, determining that an application process includes use of a first image and a second image, one of the first and second images being generated as part of the application process, and detecting a difference in content of the first image or the second image based on a comparison of the first and second images. The method also includes, by the computing device, revoking access to a file that includes at least one of the first and second images based on the detection of the difference in content of one of the first and second images.

Abstract: There is provided a method performed by an encryption node for provisioning storage in a system. The encryption node is associated with an application node and the application node is configured to run at least part of one or more applications. In response to an unencrypted storage volume becoming available to the encryption node from a storage provisioning node of the system, an encrypted storage volume is generated (20) from the unencrypted storage volume and provisioning of the encrypted storage volume is initiated (22) to make the encrypted storage volume available at a compute node of the system for use by the application node.

Abstract: In one aspect, a method of classifying a computer object as malware includes receiving at a base computer data about a computer object from each of plural remote computers on which the object or similar objects are stored. The data about the computer object received from the plural computers is compared in the base computer. The computer object is classified as malware on the basis of said comparison. In one embodiment, the data about the computer object includes one or more of: executable instructions contained within or constituted by the object; the size of the object; the name of the object; the logical storage location or path of the object on the respective remote computers; the vendor of the object; the software product and version associated with the object; and, events initiated by or involving the object when the object is created, configured or runs on the respective remote computers.

Abstract: A storage device includes a substrate, at least one data storage element, a case, and at least one sensing pin. The substrate includes at least one security pad. The data storage element is mounted on the substrate. The case surrounds the substrate and the data storage element, and includes at least one contact structure for an electrical connection with the security pad. The sensing pin receives an electrical signal. A level of the electrical signal varies by detecting a change in a resistance according to whether the security pad is electrically connected to the contact structure. When at least a part of the case is removed, a level change of the electrical signal is detected, and a secure erase process for data stored in the data storage element is performed.

Abstract: Secured automated or semi-automated systems are provided herein. In one embodiment, a sensor system includes a sensor, a legacy computing environment that is configured to communicate with the sensor and process sensor raw data output, and transmit the processed sensor output to a first network node over the network, and a trusted computing environment configured to receive raw sensor output directly from the sensor and transmit the raw sensor output to an additional network node or the first network node over the network.

Abstract: A recording control system includes a storage medium and a control device that is detachably connectable to and controls reading/writing of data to/from the storage medium. The storage medium stores a first authentication code corresponding to at least one first attribute of the storage medium among attributes regarding reading and writing. The control device includes: a readout unit that outputs first request information to the storage medium to read therefrom at least one common authentication code each corresponding to a respective one of at least one common attribute of the first authentication code and the first request information, the first request information corresponding to at least one second attribute of the control device; an identification unit that identifies the at least one common attribute according to the at least one common authentication code; and a control unit that controls the reading/writing according to the at least one common attribute.

Abstract: Systems, devices, and techniques are disclosed for cryptographic key migration. A tenant host may determine a first Key Management Service (KMS) indicated as storing a cryptographic key associated with the tenant host from a new KMS mapping. The tenant host may send a request for the cryptographic key associated with the tenant host to the first KMS. The tenant host may receive an indication from the first KMS that the first KMS does not store the cryptographic key. The tenant host may determine a second KMS indicated as storing the cryptographic key associated with the tenant host from an original KMS mapping. The tenant host may receive the cryptographic key associated with the tenant host from the second KMS. The tenant host may send a request to the second KMS that the cryptographic key associated with the tenant host be replicated from the second KMS to the first KMS.