Abstract: A quantum entanglement communication service can be provided by detecting a request to access data stored at a first computer. In response to detecting the data access request, a request can be generated to request that a server computer generate an entangled particle pair. Measurement data can be received, the measurement data corresponding to a measurement observed after interacting a first bit of a token stored at a second computer with a first entangled particle from the entangled particle pair. An operation to perform on a second entangled particle of the entangled particle pair at the first computer can be determined and performed. A state of the second entangled particle can be measured to obtain a value, and a bit string can be generated, where the bit string can include a number that corresponds to the value.

Abstract: A secure private network connectivity system (SNCS) within a cloud service provider infrastructure (CSPI) is described that provides secure private network connectivity between external resources residing in a customer's on-premise environment and the customer's resources residing in the cloud. The SNCS provides secure private bi-directional network connectivity between external resources residing in a customer's external site representation and resources and services residing in the customer's VCN in the cloud without a user (e.g., an administrator) of the enterprise having to explicitly configure the external resources, advertise routes or set up site-to-site network connectivity.

Abstract: A system includes a plurality of remote units; a centralized unit communicatively coupled to the plurality of remote units via a fronthaul network; and an entity that performs deep packet inspection. The centralized unit transmits sets of data to the plurality of remote units across the fronthaul network in packets, each of the sets of data mapped to at least one of the plurality of remote units and each of the packets including a respective indicator indicating each remote unit the associated packet is intended for, wherein each indicator comprises a plurality of bit positions where each bit position is mapped to a different one of the plurality of remote units. The entity performs the deep packet inspection on the packets to determine each remote unit the packets are intended for and communicate each packet to each remote unit the packet is intended for over the fronthaul network.

Abstract: Method and apparatus for improving the flexibility of supporting service continuity are disclosed. A method comprises receiving a PCC rule containing a traffic steering control information per AF request which includes an indication on whether service continuity for offload traffic is supported or not; and performing a PSA relocation based on the information.

Abstract: An external Secure Intelligent Secondary Router is connected to a Primary Wired/Wireless Router/Modem via wire cable, and whereby said external Secure Intelligent Secondary Router communicably coupled to said Primary Wired/Wireless Router/Modem creates one or more secure secondary Wi-Fi networks that can only be accessed by a computing device that has been registered by the rightful account owner and whose identity has been validated by an online validation service.

Abstract: A machine data validation system can track and validate the integrity of machine data generated by machines. The system can generate hashes for the items and batch hashes that can be validated using an immutable data store, such one or more blockchains in a tiered blockchain structure. The system can store machine data and additional associated data in a first lightweight blockchain, and store grouped sets of the data in a second robust blockchain. The system can implement the tiered blockchain structure to efficiently store and reference the hashes to validate the machine data at different times or upon request from an end-user.

Abstract: The present invention comprises a computer-implemented method for zero-trust authentication and session management utilizing the Bitcoin Lightning Network. A user requests access to the resource of a service provider and the user provides authentication material to securely access the service provider. The service provider initiates a Hold Invoice via a cryptographic function to generate a pre-image hash instructing the user to authorize release a specified amount of Bitcoin. Bitcoin is then moved into the Hold Invoice where it remains during an authentication attempt. A successful attempt issues an access token to log into an authenticated session. The Hold Invoice remains in place until the session ends, then the Hold Invoice is canceled and Bitcoin is released to the user. An unsuccessful attempt or a violations of terms of use, reveals the pre-image, denies the user access, and Bitcoin is transferred to the service provider as a settled payment transaction.

Abstract: A unified network service that connects multiple disparate private networks and end user client devices operating on separate networks is described. The multiple disparate private networks and end user client devices connect to a distributed cloud computing network that provides routing services, security services, and performance services, and that can be controlled consistently regardless of the connection type. The unified network service provides uniform access control at the L3 layer (e.g., at the IP layer) or at a higher layer using user identity information (e.g., a zero-trust model). The disparate private networks are run on top of the distributed cloud computing network. The virtual routing layer of the distributed cloud computing network allows customers of the service to have private resources visible only to client devices (e.g.

Abstract: The present disclosure relates to a system, method, and computer-program product for identifying and tagging users. Embodiments may include receiving, using at least one processor, a first content request. Embodiments may further include associating a user-access identifier with a first portion of data from the first content request based upon a second portion of the data from the first content request. Embodiments may also include storing the first portion of data from the first content request and the user-access identifier within a memory system. Embodiments may further include receiving a second content request. Embodiments may also include generating a user-identifier tag based upon the user-access identifier stored in the memory system, the first portion of data from the first content request, and a first portion of data from the second content request. Embodiments may further include providing a response to the second content request, the response including the user-identifier tag.

Abstract: A fraud detecting method for use in an in-vehicle network system including a plurality of electronic control units that communicate with each other via a network includes detecting whether a state of a vehicle satisfies a first condition or a second condition, and switching, upon detecting that the state of the vehicle satisfies the first condition or the second condition, an operation mode of a second electronic control unit connected to the network. A first mode in which a first type of detecting process for detecting a fraudulent message in the network is performed is switched to a second mode in which the first type of detecting process is not performed upon detecting that the state of the vehicle satisfies the first condition. Moreover, the second mode is switched to the first mode upon detecting that the state of the vehicle satisfies the second condition.

Abstract: The invention relates to a method and a system for generating and saving a set of digital data or evidence associated with an individual within a system including several devices issuing and receiving evidence and a medium for communicating between the devices, which may include: For the generation of the data constituting evidence by a device, the definition of a data block characterizing the evidence, For the individual wishing to build him/herself a set of evidence, adding to the received data block data characterizing a piece of evidence, a datestamp parameter, an indicator identifying the device receiving a piece of evidence, an evidence signature. In order to use a piece of evidence, an individual issues a request containing the evidence proving that he/she is the recipient of this evidence to a third-party system. The third-party system contacts the device issuing the evidence which re-signs.

Abstract: Methods and systems to identify a user across multiple browsers and machines are described. In some embodiments, a web request is received at a retrieval service from a browser. The web request may include a request to access a retrieval service website of the retrieval service and may be initiated by a redirection of the browser from a requesting service to the retrieval service. A unique identifier associated with a user logged in to an account of the retrieval service may be determined. The user may be logged in to the account via the browser. A redirect request is sent from the retrieval service to the browser. The redirect may include the unique identifier and may redirect the browser from the retrieval service website to the requesting service. The unique identifier may be used by the requesting service to perform additional functionality specific to the user.

Abstract: Methods and apparatus are provided for network slice configuration. In one example aspect, a method in a network function in a network is disclosed. The network is a visited network for at least one User Equipment, UE. The network provides a network slice for the at least one UE, and the network function is a gateway for data communications for the at least one UE. The method includes obtaining an IP address for at least one service for the at least one UE, and providing the at least one service to the at least one UE according to a gateway configuration from a home network of the at least one UE.

Abstract: Techniques and apparatus for optimizing an initial access stratum security mode command procedure are described. One example technique includes sending a first service request to establish a connection with a network. A second service request is sent to the network, upon determining that one or more criteria is satisfied. Another example technique includes sending a first service request to establish a connection with a network and sending a second service request after sending the first service request. The first service request is associated with a first security parameter and the second service request is associated with a second security parameter. A security mode command procedure is participated in with a base station, based on the first security parameter and the second security parameter.

Abstract: A learning device includes processing circuitry configured to use a web browser to crawl one or more web pages from an originating web page, and to accept input of log information obtained from the web browser until an ending web page is reached, and generate a training model using, as training data, any one or more feature amounts among a feature amount of each web page included in the log information, a feature amount about an operation performed on the web browser on a path reaching the ending web page, and a feature amount about an event occurring on the path reaching the ending web page.

Abstract: Systems and methods for presenting user-selectable options for parental control in response to detecting a triggering action by a user are disclosed. A system generates for output a first content item on a device. The system identifies a first user and a second user in proximity to the device and determines that a first gesture is performed by the first user wherein the first gesture is covering the eyes of the second user. In response to determining that the first gesture is performed, the system presents a selectable option for a user input such as (a) skipping a portion of the first content item; (b) lowering the volume; (c) removing the video of the first content item; or (d) presenting a second content item instead of presenting the first content item. In response to receiving a user input selecting the selectable option, the system performs an action corresponding to the selectable option.

Abstract: Systems and methods for implementing a system for analyzing large amounts of event data to determine any potential security threats or anomalies. Event data may be obtained and processed. The processed event data may be analyzed to detect any potential security threats or anomalies.

Abstract: An integrated access and backhaul (IAB) donor central unit (CU) may transmit, to an IAB-node, a plurality of messages for a child of the IAB-node, the plurality of messages including a first message being associated with a first condition, and a second message being associated with a second condition, and transmit an indication instructing the IAB to forward, to the child, the first message if a first condition is met or the second message if a second condition is met. The IAB-node may receive, from the IAB-donor-CU, the indication, determine that one condition among the first condition and the second condition has occurred, forward one of the first message or the second message to the child based on the occurrence of the one condition, and discard the other of the first message or the second message.

Abstract: A method includes receiving, by an identity provider computing system, a user token from a third party provider, wherein the user token is associated with a user of the identity provider computing system; sending, by the identity provider computing system, a prompt to a user device associated with the user token, the prompt requesting authentication information and including a code; and authenticating, by the identity provider computing system, the user token based on receipt of the requested authentication information and receipt of the code from the third party provider.

Abstract: Techniques are provided that facilitate responding to cyberattacks using counter intelligence (CI) bot technology. In one embodiment, a first system is disclosed that comprises a processor and a memory. The memory can store executable instructions that, when executed by the processor, facilitate performance of operations including receiving a request from a second system requesting assistance in association with a cyberattack on the second system, wherein the request comprises information indicating a type of the cyberattack. The operations further comprise selecting a counter intelligence bot configured to respond to the type of cyberattack, and directing the counter intelligence bot to respond to the cyberattack, wherein the directing comprises enabling the counter intelligence bot to respond to the cyberattack by establishing a gateway with the second system and employing the gateway to intercept and respond to traffic associated with the cyberattack on behalf of the second system.

Abstract: A computer method and system for mitigating Domain Name System (DNS) misuse using a probabilistic data structure, such as a cuckoo filter. Intercepted is network traffic flowing from one or more external hosts to a computer network, the intercepted network traffic including a DNS request that requests a Resource Record name in a DNS zone file. A determination is made as to whether the DNS request is requesting resolution at a protected DNS Name Server. A hash value is calculated for the requested Resource Record name if it is determined the DNS request is requesting resolution at the protected DNS Name Server. A determination is then made as to whether the calculated hash value for the requested Resource Record name is present in the probabilistic data structure. The DNS request is forwarded to the protected server if the requested Resource Record name is determined present in the probabilistic data structure.

Abstract: A computing system for detecting shadow applications operating in devices used by an organization, the system including a memory and a processor configured to monitor incoming email messages received by email accounts of the organization, identify, from the incoming email messages, a first list of software services used by identities of the organization, collect from identity provider services a second list of software services used by identities of the organization via the identity provider services, identify a list of unsanctioned applications that appear in the first list and do not appear in the second list of software services, and update a database based on the list of unsanctioned applications.

Abstract: In a method for enabling a message receive end to quickly confirm a certificate status, a defined field of a certificate includes classification information of the certificate, and a defined field of a certificate revocation list includes classification information of a revoked certificate, so that the receive end can quickly narrow a searching or matching range in massive records of the certificate revocation list based on the classification information carried in the certificate of a transmit end.

Abstract: A computer-implemented system for authorizing access to one or more smart devices provided in a local environment is disclosed herein. The system comprises a client device, a local network node, and a remote network node. The remote network node is configured generate a link and send it to an address associated with a personal identifier of the client device, and in response to the client device having executed the link, the client device being configured to receive an authorization code. The authorization code is locally or remotely validated based on a challenge previously generated by the client device. An access token is generated and sent to the client device, thereby authorizing the client device access to the one or more smart devices in the local environment.

Abstract: This application provides a communication method and apparatus, and relates to the field of communication technologies. The method may include: A network device performs integrity protection on system information by using a first private key, and sends the system information, where the system information includes a first public key corresponding to the first private key and/or an index of the first public key. Correspondingly, a terminal device receives the system information from the network device, and if determining that the first public key is valid, the terminal device verifies integrity of the system information by using the first public key. According to this method, on one hand, the terminal device can effectively identify validity of the system information. On the other hand, because the system information includes the first public key and/or the index of the first public key, flexible update of an asymmetric key can be implemented.

Abstract: Upon determining a first user of an object is authorized via first biometric data, object components are controlled based on user data for the first user. A second user is permitted to access the object based on detecting a presence of the second user within a predetermined time of detecting an absence of the first user. Then, upon determining a delay parameter is satisfied, a user status of the second user is determined via second biometric data. The user status is one of authorized or not authorized. The object components are controlled based on the user status of the second user.

Abstract: An image forming apparatus is provided with a storage, a controller, an image forming part, a first interface configured to receive an image forming job, and a second interface to which a portable storage device is connectable. When the particular storing function is enabled, image data is stored in the portable storage in response to receipt of the print job, and an image is formed in accordance with the image data stored in the portable storage. When the particular storing function is disabled, the image data related to the print job is stored in the storage of the image forming apparatus in response to receipt of the print job, and an image is formed in accordance with the image data stored in the storage of the image forming apparatus.

Abstract: A processing element array includes N processing elements (PE) arranged linearly, N?2, and an operating method of the PE array includes: performing a first data transmission procedure, where an initial value of I is 1 and the first data transmission procedure includes: operating, by an ith PE, according to a first datum stored in itself, and sending the first datum to other PEs for their operations, adding 1 to I when I<N, and performing the first data transmission procedure again, performing a second data transmission procedure when I is equal to N, which includes: operating, by the Jth PE, according to a second datum stored in itself, and sending the second datum to other PEs for their operations, reducing J by 1 when J>1 and the (J?1)th PE has the second datum, and performing the second data transmission procedure again.

Abstract: A method for scalable vulnerability detection is provided. The method includes selecting at least a workload of a plurality of workloads deployed in a first cloud environment for inspection, wherein the workload includes a first volume; generating in a remote cluster an inspection node, the inspection node including at least a first disk, wherein the remote cluster provisions inspection nodes in response to demand for inspection nodes; generating a persistent volume (PV) on which the at least a first disk is mounted, wherein the at least a first disk is generated from a snapshot of the first volume; and generating a persistent volume claim (PVC) of the PV for an inspector workload, wherein the inspector workload is configured to inspect the PV for an object, and wherein inspector workloads are provisioned in response to demand for inspector workloads.

Abstract: A method for fetching a content from a web server to a client device is disclosed, using tunnel devices serving as intermediate devices. The client device accesses an acceleration server to receive a list of available tunnel devices. The requested content is partitioned into slices, and the client device sends a request for the slices to the available tunnel devices. The tunnel devices in turn fetch the slices from the data server, and send the slices to the client device, where the content is reconstructed from the received slices. A client device may also serve as a tunnel device, serving as an intermediate device to other client devices. Similarly, a tunnel device may also serve as a client device for fetching content from a data server. The selection of tunnel devices to be used by a client device may be in the acceleration server, in the client device, or in both.

Abstract: Techniques for facilitating onboarding to a non-public network is provided. Provisioning parameters may be provided to User Equipment (UE) from a Default Credential Server (DCS) via a secure communication tunnel. Additionally or alternatively, provisioning parameter container(s) including readable provisioning parameters for an Onboarding Network (ONN), and secure provisioning parameters for the UE, may be transmitted to the UE via the ONN. The disclosed methods and apparatuses enable the UE to onboard to a non-public network using the provisioning parameters, and to verify the integrity of the provisioning parameters and ensure the provisioning parameters are not modified by an unauthorized device.

Abstract: An authentication system includes an authentication module and a user history database storing order information that includes, for each of multiple logins of the first user to a web property, at least one of: an indication of an order of hypertext transfer protocol (HTTP) headers that were previously received at the authentication module during the login, and an indication of an order of navigator object properties that were previously returned to the authentication module during the login. The authentication module is configured to: receive, from a web browser of a first entity attempting to log in to the web property, credentials of the first user; determine order information of the first entity's web browser; perform a comparison operation based on the order information of the first user and that of the first entity, and determine whether to allow the first entity to log in based on the comparison operation.

Abstract: Devices, systems, and methods are provided for enhanced parsing of manifest files for streaming media. A method may include receiving, by a media player, a first media manifest including tags indicative of first temporal segments for media content; identifying, using a parser, a first tag indicative of a first temporal segment; identifying, using the parser, a second tag indicative of a second temporal segment; parsing, using the parser, the first tag; based on at least one of the parsing or a user preference indicative of a starting location for playback of first media content of the media content or a preferred bandwidth, refraining from parsing the second tag; retrieving, by the at least one processor, based on a time associated with the first temporal segment, an address of the first video content; and presenting, by the at least one processor, the first media content based on the address.

Abstract: A method for sketch computation is provided. The method may comprise receiving an input data stream from one or more client applications. The method may also comprise generating at least one segment from the input data stream. At least one segment may comprise a plurality of chunks. The method may further comprise computing a sketch of the at least one segment. The sketch may comprise a set of features that are representative of or unique to the at least one segment, such that the set of features corresponds to the at least one segment. The sketch may be useable for inline deduplication of at least one other input data stream received from the one or more client applications without (i) generation of a full index of the plurality of chunks or (ii) comparison of the at least one other input data stream to the full index.

Abstract: A permission management method and a terminal device are provided, where the permission management method is applied to the terminal device including a first display area and a second display area. The permission management method includes: determining a target permission management policy corresponding to a first application based on a display area in which the first application is located (101); and controlling permission management for the first application according to the target permission management policy (102); where the target permission management policy includes a first permission management policy corresponding to the first display area and/or a second permission management policy corresponding to the second display area.

Abstract: A device for a website building system (WBS) includes a communication hub embedded in a page of a website built by the WBS to implement 2-way cross domain communication with direct addressing between at least two third party applications from different vendors, the at least two third party applications each having an instance within the page. The communication hub includes a smart identifier and addresser to identify and provide the direct addressing of source or target third party applications between the at least two third party applications and to maintain a table of all absolute addresses for the 2-way cross domain communication; and a communication policy enforcer to enforce a communication policy between the WBS and the at least two third party applications to filter non-conforming communication according to the communication policy; and a protocol translator to provide 2-way interface translation between the at least two third party applications.

Abstract: The present disclosure includes secure device coupling. An embodiment includes a processing resource, memory, and a network management device communication component configured to, identifying a network attached device within a first domain. Generating a domain device secret corresponding to the first domain. Each network attached device within the first domain can share the same domain device secret. Coupling iterations may be performed for each device within the first domain can include: generating a network management device private key and public key. Providing, via short-range communication, the network management device public key and the domain device secret to a network attached device communication component included in each network attached device of the first domain.

Abstract: Embodiments of the present invention provide computer-implemented methods, computer program products and computer systems. Embodiments of the present invention can monitor user activity for one or more user interactions performed while connected to a Virtual Private Network. Embodiments of the present invention can then identify potential risks associated with a user and respective user interactions. Embodiments of the present invention can then, in response to determining a respective user interaction of the one or more interactions is suspicious, generate a real time risk score for the respective user interaction. Embodiments of the present invention can then, in response to the generate real time risk score exceeding a threshold level of risk for the respective user interaction, initiate a secondary authentication protocol.

Abstract: Systems and methods are presented herein for generating an augmented reality (“AR”) display with user interface (“UI”) elements that respond to changes in pupil characteristics in response to detecting device streaming content. A media stream playing on a device that is within a threshold distance of the AR device is detected. The source of the media stream is identified. The AR device queries the source of the media stream for a consumption option. An AR overlay is generated and comprises selectable UI elements corresponding to the consumption options. In response to receiving an input at a UI element, the AR overlay is generated based on the consumption option.

Abstract: Examples of techniques for threat detection in an industrial process system are described herein. An aspect includes determining a plurality of subsystems of an industrial process system. Another aspect includes, for each of the plurality of subsystems, constructing and training a respective deep autoencoder (DAE) model of the subsystem based on data corresponding to the industrial process system. Another aspect includes monitoring the industrial process system using the plurality of DAE models corresponding to the plurality of subsystems. Another aspect includes, based on the plurality of DAE models, determining a cyberattack in a subsystem of the plurality of subsystems.

Abstract: A server is configured to perform obtaining a first request for information associated with an administrator of a communication device from an administrator's device, transmitting management information associated with the administrator to a management device in response to the first request, obtaining an information request for information to be used by the communication device therefrom, transmitting authentication information to use the communication device thereto, obtaining the authentication information and the management information from the terminal device, the authentication information obtained from the terminal device being information transmitted by the terminal device based on the authentication information received by the communication device, the management information obtained from the terminal device being information to be transmitted by the terminal device based on the management information received by the management device, and associating the management information obtained from the term

Abstract: Systems and techniques for an adaptive authentication system are described herein. In an example, an adaptive authentication system is adapted to receive a request at a first entity from a second entity for secure data of a user, where the second entity is remote from the first entity. The adaptive authentication system may be further adapted to transmit a prompt to a user device associated with the user for authentication of the user and authentication of the request. The adaptive authentication system may be further adapted to receive a response to the prompt and authenticate the user and the request based on the response. The adaptive authentication system may be further adapted to transmit the secure data of the user to the second entity.

Abstract: Disclosed are systems, methods, and non-transitory computer-readable storage media for providing an embedded web view of a folder in a content management system on a web page. For example, a user can request from a content management system code for embedding a web view of a content item or group of content items (e.g., folder) into a web page. After the code is embedded into the webpage, the web page can present a web view of the content item or group of content items that is dynamically updated when the content item or group of content items is updated. Thus, the user is relieved of the burden of updating the web page with new links to reflect changes in content items stored in the online content management system.

Abstract: A method of ending a subscription performed in a network entity is disclosed. The method comprises receiving, from a device comprising an Embedded Universal Integrated Circuit Card, eUICC, a signed confirmation of a profile having been deleted in the device, the profile being associated with a subscription for the device; sending, to a Subscription Manager Data Preparation entity, a command for deletion of the profile; and deleting the user subscription and related profile in case an acknowledgement of the deletion of the profile is received from the Subscription Manager Data Preparation entity. Method in a device, method in a Subscription Manager Data Preparation entity, devices and entities, computer programs and computer program products are also provided.

Abstract: A system for providing network services is provided. The system includes a device configured to interface with the network to receive a container, where the container is configured to interface with an operating system of the device and a plurality of applications operating on the device. The container is further configured to interface with a network services provider of one or more network services and one or more third party service providers.

Abstract: The present invention comprises a computer-implemented zero-trust authentication method that utilizes the Bitcoin Lightning Network, which is the sole protocol offering immediate, immutable, and cost-free Bitcoin settlement. A user requests access to the resource of a service provider and the user provides authentication material necessary to securely access the service provider. The service provider initiates a Hold Invoice via a cryptographic function to generate a pre-image hash, instructing the user to authorize release of Bitcoin in an amount stipulated by the Hold Invoice. Bitcoin is held in the Hold Invoice until an authentication attempt is either successful or unsuccessful. If successful, the user is issued an access token to login into the resource, the Hold Invoice is canceled and Bitcoin is released to the user. If unsuccessful, the pre-image is revealed, the user is denied access, and Bitcoin is transferred to the service provider as a settled payment transaction.

Abstract: Methods and apparatuses are described for automatic validation of a hybrid digital document. A server computing device downloads a hybrid digital document from a remote computing device, the hybrid digital document comprising an image content file and a hypertext content file. The server computing device determines content validation rules based upon one or more attributes associated with the hybrid digital document. The server computing device converts the image content file to a text content file. The server computing device validates one or more data elements in the text content file using the content validation rules. The server computing device validates one or more data elements in the hypertext content file using the content validation rules. The server computing device transmits a notification to the remote computing device indicating an outcome of the data elements validation.

Abstract: An overlay to existing infrastructure that establishes trusted paths in a communication network to fulfill a fundamental need to identify and protect a trusted plane of devices and/or applications on a need specific basis is described. Establishing trusted paths operationally fulfills a fundamental need to identify and protect a trusted plane of devices and/or applications on a need specific basis as an overlay to the existing relatively unsecured network.

Abstract: Described implementations obtain credential information including an encrypted digital identity (ID). The encrypted digital ID may include a public component of a credential and identity data. Furthermore, the credential information may include cryptographically obfuscated data based on the identity data and a private component of the credential. A proof is obtained that includes proof data. The proof data may confirm that the credential information was correctly generated. Verification of the proof data, and confirmation that the cryptographically obfuscated data is not associated in a collection of cryptographically obfuscated data, cause a computer-implemented service to issue a pseudonym. The pseudonym is usable to generate a relationship associated with a computer-implemented service.

Abstract: Provided is a process including: obtaining criteria to select plain-text values in a lower-trust database; selecting, based on the criteria, a first plain-text value; in response, determining a first reference value; storing the first plain-text value in a higher-trust database in a second entry identified by the first reference value; storing the first reference value in the first entry of the lower-trust database; selecting another instance of the first plain-text value stored requested to be stored in a third entry in the lower-trust database; and in response, storing the first reference value in the third entry.