Abstract: A system is provided for distribution of device key sets over a network in a protected software environment (PSE). In the system, a client device includes a connection interface for receiving a crypto hardware (CH) token belonging to a user, untrusted software, a quoting enclave, and a PSE for generating a provisioning request for a device key set. An attestation proxy server (APS) receives the provisioning message using a first network connection, and transmits the provisioning message to an online provisioning server (OPS) using a second network connection. The OPS constructs a provisioning response and an encrypted device key set, and delivers the provisioning response to the untrusted software using the first and second network connections. The PSE decrypts the encrypted device key set to obtain the device key set, re-encrypts the device key set with a local chip-specific key, and stores the re-encrypted device key set.

Abstract: An external trusted time source is implemented over a network for conditional access system (CAS)/digital rights management (DRM) client devices. A client device includes untrusted software and a trusted execution environment (TEE) for processing an entitlement management message (EMM) that includes an epoch sequence number (ESN) transmitted from an EMM server using a first network connection. A remaining client key set (CKS) lifetime value is stored and updated in the TEE based on the ESN processed.

Abstract: A secure cloud-based node-locking service with built-in attack detection to eliminate fuzzing, cloning and other attacks is disclosed. White-box base files are securely stored on the cloud service and are not vulnerable to accidental leakage. A secure cloud-based dynamic secret encoding service reduces the risk of exposure of unprotected secrets and other sensitive data.

Abstract: In a system comprising an customer providing a service to a plurality of client devices, a method and system for providing an customer-specific digital certificate to a client device of the plurality of client devices is disclosed. The method comprises receiving, in an intermediate certificate authority, a pre-generated digital certificate and an encrypted client device private key encrypted according to a private key encryption key PrKEK, receiving, from the client device, a request for the customer-specific digital certificate, the request comprising at least one of client device identifying information and information identifying the customer, the request signed according to a pre-provisioned client device digital certificate, and transmitting the customer-specific digital certificate and the encrypted client device private key to the client device.

Abstract: A system and method for signing data is presented. In one embodiment, the method comprises: generating a data signing key; transforming the data signing key into a first subkey and a second subkey; encrypting the first subkey according to a secret key of an ODSS; generating a signature verification public key; providing the signature verification public key, the encrypted first subkey, and the second subkey for storage in a client device; accepting a request to sign the data, the request having a representation of the data and the encrypted first subkey; generating a partially computed signature of the data according to the representation of the data and the encrypted first subkey; and providing the partially computed signature of the data to the client device.

Abstract: A method provides an origin certificate that can be issued as a digital certificate online. The method includes receiving an origin digital certificate and an encrypted client device private key from an offline certificate authority wherein the client device private key is encrypted according to a private key encryption key PrKEK. The method further includes receiving from the client device, a request for a client device digital certificate and the encrypted client device private key, selecting a digital certificate template for the client device, the digital certificate template having attributes that vary according to the client devices, building the client device digital certificate from the origin digital certificate and the selected digital certificate template, signing the client device digital certificate with an online certificate authority signing key, and transmitting the signed client device digital certificate and the encrypted device private key.

Abstract: A method and system are provided for updating an elliptic curve (EC) base point G, with the EC basepoint used in encryption and coding of video data. A candidate base point G is generated that includes additional data used for validation purposes and checked as a valid base point before transmission and use.

Abstract: A system and method for preventing use of invalid digital certificates is disclosed. The method comprises receiving, in a validation service from a requesting entity, a cryptographic asset and a request to evaluate the cryptographic asset, the cryptographic asset uniquely assigned to one of the plurality of devices by an associated one of the commercially distinct entities, the request comprising the cryptographic asset, determining an evaluation state of the cryptographic asset at least in part from a database derived from a plurality of public keys currently assigned to the plurality of devices and previously received by the validation service, determining a disposition of the cryptographic asset according to a disposition policy associated with the determined evaluation state and the device and effecting the determined disposition of the cryptographic asset.

Abstract: To address the requirements described above, this document discloses a system and method for performing an action on at least one resource node of a hierarchical organization of resource nodes is disclosed. The system utilizes an external Identity Provider that provide more flexible authentication and authorization services, and leverages such services with secure server such as an on-line data signing service to provide flexible permission management.

Abstract: Embodiments relate to systems and methods for securely provisioning login credentials to an electronic device on a network, e.g., a consumer premises device (CPE) device, such as, among other devices, a modem. The login credential may be used, for example, for securely provisioning and configuring a CPE device.

Abstract: A method is provided for securely providing data for use in a consumer electronics device having a processor performing instructions defined in a software image. The method includes receiving the data encrypted according to a global key, further encrypting the data according to a device-unique hardware key, storing the further encrypted data in a secure memory of the consumer electronics device, providing the global key to a whitebox encoder for encoding according to a base key to generate a whitebox encoded global key, and transmitting the software image to the consumer electronics device for storage in an operating memory of the consumer electronics device, the software image having a whitebox decoder utility corresponding to the whitebox encoder and the whitebox encoded global key.

Abstract: In one embodiment, a method for secure virtualized wireless base station orchestration comprises: obtaining a node certificate and private key from a global CA defining a PKI signing certificate/private key; obtaining a sub CA certificate/private key from either an edge cloud node cluster or the global CA, using a PKI request signed using the PKI signing certificate/private key; establishing an orchestration access IPsec tunnel to a cloud comprising edge cloud orchestration functions; utilizing the orchestration functions to deploy on the node virtualized entities comprising VNFs of a wireless base station; obtaining at least one VNF certificate and private key for the VNFs from the global CA using a PKI request signed using the global certificate/private key; utilizing the VNF certificate/private key, establishing IPsec tunnels between the VNFs and a wireless network services operator network and/or to an OAM secure gateway for a DMS.

Abstract: A system and method for signing or encrypting data is disclosed. The method comprises providing, from a first device, data signing information for storage in a first database, the data signing information having at least one key comprising a signing key Ks, wherein the signing key Ks is encrypted according to a wrapping key Kw before storage in the first database; receiving a data signing request comprising a representation of the data; retrieving, in a second device communicatively coupled to an hardware security module (HSM) storing the wrapping key Kw, the stored data signing information from a second database, wherein at least a portion of the second database including the stored signing information is pushed from the first database to the second database; decrypting, in the HSM, the encrypted signing key according to the wrapping key Kw stored in the HSM to recover the signing key Ks; and signing the representation of the data according to the recovered signing key.

Abstract: A method is provided for generating a key ladder for securely communicating between a first device and a second device using a first device symmetric key and a chip-unique private key. The method includes generating a second processor-specific first device symmetric key from a first processor-specific first device symmetric key and a first identifier (CPU_ID), generating a chip-unique first device application private key (CUAPrK) from a second identifier and the second processor-specific first device symmetric key, generating a chip-unique first device application public key (CUAPuK) from the chip-unique first device application private key (CUAPrK), and transmitting the chip-unique first device application public key (CUAPuK) and an identifier of the processor to the second device.

Abstract: A method and system are provided for updating an elliptic curve (EC) base point G, with the EC basepoint used in encryption and coding of video data. A candidate base point G is generated that includes additional data used for validation purposes and checked as a valid base point before transmission and use.

Abstract: A secure cloud-based node-locking service with built-in attack detection to eliminate fuzzing, cloning and other attacks is disclosed. White-box base files are securely stored on the cloud service and are not vulnerable to accidental leakage. A secure cloud-based dynamic secret encoding service reduces the risk of exposure of unprotected secrets and other sensitive data.

Abstract: A digital rights management system is provided that includes a receiving device for receiving an encryption key request from a client device, a first database for storing a set of supported security capabilities corresponding to client device, a second database for storing a set of required security capabilities corresponding to at least one of the encryption key and content associated with the encryption key, a content management system for establishing rules to determine the set of required security capabilities corresponding to content, and a processing device. The processing device may be configured to identify the set of supported security capabilities corresponding to the client device and identify the set of required security capabilities corresponding to the content associated with the encryption key. The content management system may be configured to configure the set of supported security capabilities and configure the set of required security capabilities.

Abstract: A system and method for preventing use of invalid digital certificates is disclosed. The method comprises receiving, in a validation service from a requesting entity, a cryptographic asset and a request to evaluate the cryptographic asset, the cryptographic asset uniquely assigned to one of the plurality of devices by an associated one of the commercially distinct entities, the request comprising the cryptographic asset, determining an evaluation state of the cryptographic asset at least in part from a database derived from a plurality of public keys currently assigned to the plurality of devices and previously received by the validation service, determining a disposition of the cryptographic asset according to a disposition policy associated with the determined evaluation state and the device and effecting the determined disposition of the cryptographic asset.

Abstract: A method is provided for securely providing data for use in a consumer electronics device having a processor performing instructions defined in a software image. The method includes receiving the data encrypted according to a global key, further encrypting the data according to a device-unique hardware key, storing the further encrypted data in a secure memory of the consumer electronics device, providing the global key to a whitebox encoder for encoding according to a base key to generate a whitebox encoded global key, and transmitting the software image to the consumer electronics device for storage in an operating memory of the consumer electronics device, the software image having a whitebox decoder utility corresponding to the whitebox encoder and the whitebox encoded global key.

Abstract: A method is provided for generating a key ladder for securely communicating between a first device and a second device using a first device symmetric key and a chip-unique private key. The method includes generating a second processor-specific first device symmetric key from a first processor-specific first device symmetric key and a first identifier (CPU_ID), generating a chip-unique first device application private key (CUAPrK) from a second identifier and the second processor-specific first device symmetric key, generating a chip-unique first device application public key (CUAPuK) from the chip-unique first device application private key (CUAPrK), and transmitting the chip-unique first device application public key (CUAPuK) and an identifier of the processor to the second device.