Patents by Inventor Alexander Medvinsky

Alexander Medvinsky has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10348489
    Abstract: A method is provided for providing a new master key to devices in a Thread network for an Internet of Things (IOT). To provide the new master key, Device Provisioning Key (DPK) is generated from a Network Seed Key (NSK) known to a Commissioner and Leader in a local network. The Commissioner provides the DPK as a unique per-device key to each device in the network to establish a secure session. The DPK is derived from the NSK as follows: DPK=OWF(NSK, ID), wherein OWF is a One Way Function, and ID is a unique device identifier for each device. The new master key can then be sent from the commissioner to the new devices to establish a secure session created using the DPK.
    Type: Grant
    Filed: October 31, 2016
    Date of Patent: July 9, 2019
    Assignee: ARRIS Enterprises LLC
    Inventors: Alexander Medvinsky, Tat Keung Chan
  • Publication number: 20190140834
    Abstract: A system and method for authenticating an application that employs cryptographic keys and functions is provided with white box cryptography employed to secure the application, and to secure communications with the application. The white box includes a transformation of the application and the keys. A secure channel between the white box and a crypto token is used for communications. In some cases, the transformed keys can be employed in authenticating the white box to the crypto token. The presence of a valid crypto token can be periodically determined. In the presence of a valid crypto token, the white box can provide a verifiable message to a remote server. The remote server can verify the message and initiate a service.
    Type: Application
    Filed: November 7, 2017
    Publication date: May 9, 2019
    Inventors: Alexander Medvinsky, Lex Aaron Anderson
  • Patent number: 10284376
    Abstract: A code signing system operating a web portal for user clients and a web service for automated machine clients. The web service can receive an operation request from a code signing module running on a remote machine client, the operation request including a request for a cryptographic operation and user credentials retrieved from a hardware cryptographic token connected to the machine client. The code signing system can perform the requested cryptographic operation and return a result to the machine client if the code signing system authenticates the machine client and the requested cryptographic operation is within a permissions set associated with the machine client.
    Type: Grant
    Filed: June 10, 2016
    Date of Patent: May 7, 2019
    Assignee: ARRIS Enterprises LLC
    Inventors: Reshma T. Shahabuddin, Ting Yao, Tat Keung Chan, Alexander Medvinsky, Xin Qiu
  • Patent number: 10284374
    Abstract: An improved code signing method is provided. The code signing method includes receiving a build notification at a package builder utility and retrieving one or more remotely stored code images and build logs identified in the build notification, invoking a code signing module with the package builder utility to request a digital signature from a remote code signing system, combining the requested digital signature with a code image or a manifest file comprising hashes of multiple code images, and storing the signed code image or signed manifest file at a code repository.
    Type: Grant
    Filed: June 10, 2016
    Date of Patent: May 7, 2019
    Assignee: ARRIS Enterprises LLC
    Inventors: Alexander Medvinsky, Tat Keung Chan, Alexey Shevchenko
  • Patent number: 10270742
    Abstract: A method is provided for redirecting signed code images. The method includes the steps of receiving a code image from an origin device at a proxy machine, invoking a code signing client at the proxy machine, receiving signing request information indicating a requested cryptographic operation, sending a code signing request to a code signing server, receiving a signed code image at the code signing client from the code signing server, storing the signed code image in a restricted memory, invoking a software repository client at the proxy machine, and sending the signed code image from the restricted memory location to a software repository.
    Type: Grant
    Filed: March 28, 2016
    Date of Patent: April 23, 2019
    Assignee: ARRIS Enterprises LLC
    Inventors: Tat Keung Chan, Alexander Medvinsky, Ali Negahdar
  • Patent number: 10257198
    Abstract: A system is provided wherein a network control access device that is already in a network, called a Gatekeeper, generates a random short password in the form of a series of audio or visual cues that are visible to the user of a joining device. The joining device can be a simple one button device, or even a no-button device that is part of the internet of things (IOT) standard. The response to each cue can be entered by the user on a single-button joining device. For a no-button joining device, an alternate input method may be utilized on the joining device in response to the audio and visual cues. Alternatively, a password can be generated by the no-button joining device and be entered by the user one bit at-a-time directly onto the Gatekeeper keypad. Once the password is received, the Gatekeeper performs a password verification procedure.
    Type: Grant
    Filed: September 12, 2016
    Date of Patent: April 9, 2019
    Assignee: ARRIS Enterprises LLC
    Inventor: Alexander Medvinsky
  • Publication number: 20190065703
    Abstract: A digital rights management system is provided that includes a receiving device for receiving an encryption key request from a client device, a first database for storing a set of supported security capabilities corresponding to client device, a second database for storing a set of required security capabilities corresponding to at least one of the encryption key and content associated with the encryption key, a content management system for establishing rules to determine the set of required security capabilities corresponding to content, and a processing device. The processing device may be configured to identify the set of supported security capabilities corresponding to the client device and identify the set of required security capabilities corresponding to the content associated with the encryption key. The content management system may be configured to configure the set of supported security capabilities and configure the set of required security capabilities.
    Type: Application
    Filed: August 31, 2018
    Publication date: February 28, 2019
    Inventors: Ananth Seetharam, Sean J. Higgins, Paul R. Osborne, Alexander Medvinsky
  • Publication number: 20180336321
    Abstract: A method and system is provided that simplifies the key management by allowing personalization data protected for one chip model to be used to provision device with another chip model with different global hardware root keys. The solution minimizes the changes needed to be performed on the device during provisioning and remains secure.
    Type: Application
    Filed: May 21, 2018
    Publication date: November 22, 2018
    Inventors: Tat Keung Chan, Alexander Medvinsky
  • Publication number: 20180219678
    Abstract: A method provides an origin certificate that can be issued as a digital certificate online. The method includes receiving an origin digital certificate and an encrypted client device private key from an offline certificate authority wherein the client device private key is encrypted according to a private key encryption key PrKEK. The method further includes receiving from the client device, a request for a client device digital certificate and the encrypted client device private key, selecting a digital certificate template for the client device, the digital certificate template having attributes that vary according to the client devices, building the client device digital certificate from the origin digital certificate and the selected digital certificate template, signing the client device digital certificate with an online certificate authority signing key, and transmitting the signed client device digital certificate and the encrypted device private key.
    Type: Application
    Filed: January 31, 2018
    Publication date: August 2, 2018
    Inventors: Alexander Medvinsky, Eric J. Sprunk, Xin Qiu, Paul Moroney
  • Publication number: 20180198613
    Abstract: A method for whitebox cryptography is provided for computing an algorithm (m,S) with input m and secret S, using one or more white-box encoded operations. The method includes accepting an encoded input c, where c=Enc(P,m); accepting an encoded secret S′, where S′=Enc(P,S); performing one or more operations on the encoded input c and the encoded secret S′ modulo N to obtain an encoded output c′; and decoding the encoded output c′ with the private key p to recover an output m′ according to m′=Dec(p,c′), such that m′=(m,S).
    Type: Application
    Filed: January 9, 2018
    Publication date: July 12, 2018
    Inventors: Lex Aaron Anderson, Alexander Medvinsky, Rafie Shamsaasef
  • Publication number: 20180176023
    Abstract: A method is provided for automatically provisioning unique X.509 Certificates and Private Keys into Application Instances in a dynamic and elastic cloud environment. The method provides a means of creating a secure identity to be used for secure communications and resource allocation. Security of the provisioning is guaranteed by the fact that a trusted and hardened Orchestrator is launching the application instance and then directly provisioning the certificate and key. As an additional security measure, the certificates will have a limited time of validity, in order to decrease the impact of an incorrectly-issued certificate.
    Type: Application
    Filed: December 19, 2016
    Publication date: June 21, 2018
    Inventors: David B. Prickett, Alexander Medvinsky
  • Publication number: 20180083933
    Abstract: A method is provided for securely providing data for use in a consumer electronics device having a processor performing instructions defined in a software image. The method includes receiving the data encrypted according to a global key, further encrypting the data according to a device-unique hardware key, storing the further encrypted data in a secure memory of the consumer electronics device, providing the global key to a whitebox encoder for encoding according to a base key to generate a whitebox encoded global key, and transmitting the software image to the consumer electronics device for storage in an operating memory of the consumer electronics device, the software image having a whitebox decoder utility corresponding to the whitebox encoder and the whitebox encoded global key.
    Type: Application
    Filed: September 16, 2016
    Publication date: March 22, 2018
    Inventors: Brian D. Mullen, Alexander Medvinsky, Tat Keung Chan
  • Patent number: 9912485
    Abstract: A method and system is provided for embedding cryptographically modified versions of secret in digital certificates for use in authenticating devices and in providing services subject to conditional access conditions.
    Type: Grant
    Filed: July 29, 2015
    Date of Patent: March 6, 2018
    Assignee: ARRIS Enterprises, Inc.
    Inventors: Tat Keung Chan, Alexander Medvinsky, Eric J. Sprunk
  • Patent number: 9847975
    Abstract: A method of providing a household key to a client device, comprising receiving a key request including a subscriber identifier at an update server from a client device, and determining whether the subscriber identifier has previously been associated with a household encryption key. The household encryption key can be configured to be used by the client device to encrypt recordings of media content it makes and/or decrypt recordings of media content it previously made or that it receives from another client device that encrypted the recording using the household key. If the subscriber identifier has previously been associated with a household encryption key, the update server retrieves the household key and sends it to the client device. If the subscriber identifier has not previously been associated with a household encryption key, the update server retrieves a new household key from a pool, associates the new household key with the subscriber identifier, and sends it to the client device.
    Type: Grant
    Filed: September 11, 2014
    Date of Patent: December 19, 2017
    Assignee: ARRIS Enterprises LLC
    Inventor: Alexander Medvinsky
  • Publication number: 20170346641
    Abstract: A method and system are provided for improved distributing of a complete software image to all electronic devices of a certain type or model while using encryption to limit its use to specific ones of those devices. In the method, the entire software image is encrypted with a global key and the encrypted software image is distributed to all devices which have the capability of running that software. The global software decryption key for decrypting the software image is uniquely encrypted for every device that is authorized to use the software and the encrypted global software key is distributed to those devices from a field or factory provisioning server across a point-to-point connection.
    Type: Application
    Filed: May 24, 2017
    Publication date: November 30, 2017
    Inventors: Alexander Medvinsky, Eric J. Sprunk
  • Publication number: 20170338958
    Abstract: A secure digital communications method is provided in which a Certificate Authority generates an improved RSA key pair having a modulus, a public key exponent, a public key, and a private key. The public key exponent can contain descriptive attributes and a digital signature. The digital signature can be responsive to the descriptive attributes and the modulus. A secure session can be established between a first system and a second system, within a secure digital communication protocol. The second system can verify the digital signature to authenticate the public key.
    Type: Application
    Filed: May 19, 2017
    Publication date: November 23, 2017
    Inventors: Alexander Medvinsky, Eric J. Sprunk
  • Patent number: 9652599
    Abstract: A method and system is provided for signing data such as code images. In one embodiment, the method comprises receiving, from a requestor, a request to sign the data according to a requested configuration selected from a first configuration, in which the data is for use with any of the set of devices, and a second configuration in which the data is for use only with a subset of a set of devices; modifying the data according to the requested configuration; generating a data signature using the modified data; and transmitting the generated data signature to the requestor. Another embodiment is evidenced by a processor having a memory storing instructions for performing the foregoing operations.
    Type: Grant
    Filed: June 11, 2015
    Date of Patent: May 16, 2017
    Assignee: ARRIS Enterprises, Inc.
    Inventors: Alexander Medvinsky, Ali Negahdar, Xin Qiu
  • Publication number: 20170126402
    Abstract: A method is provided for providing a new master key to devices in a Thread network for an Internet of Things (IOT). To provide the new master key, Device Provisioning Key (DPK) is generated from a Network Seed Key (NSK) known to a Commissioner and Leader in a local network. The Commissioner provides the DPK as a unique per-device key to each device in the network to establish a secure session. The DPK is derived from the NSK as follows: DPK=OWF(NSK, ID), wherein OWF is a One Way Function, and ID is a unique device identifier for each device. The new master key can then be sent from the commissioner to the new devices to establish a secure session created using the DPK.
    Type: Application
    Filed: October 31, 2016
    Publication date: May 4, 2017
    Inventors: Alexander Medvinsky, Tat Keung Chan
  • Publication number: 20170085532
    Abstract: A method is provided for redirecting signed code images. The method includes the steps of receiving a code image from an origin device at a proxy machine, invoking a code signing client at the proxy machine, receiving signing request information indicating a requested cryptographic operation, sending a code signing request to a code signing server, receiving a signed code image at the code signing client from the code signing server, storing the signed code image in a restricted memory, invoking a software repository client at the proxy machine, and sending the signed code image from the restricted memory location to a software repository.
    Type: Application
    Filed: March 28, 2016
    Publication date: March 23, 2017
    Inventors: Tat Keung Chan, Alexander Medvinsky, Ali Negahdar
  • Publication number: 20170078294
    Abstract: A system is provided wherein a network control access device that is already in a network, called a Gatekeeper, generates a random short password in the form of a series of audio or visual cues that are visible to the user of a joining device. The joining device can be a simple one button device, or even a no-button device that is part of the internet of things (IOT) standard. The response to each cue can be entered by the user on a single-button joining device. For a no-button joining device, an alternate input method may be utilized on the joining device in response to the audio and visual cues. Alternatively, a password can be generated by the no-button joining device and be entered by the user one bit at-a-time directly onto the Gatekeeper keypad. Once the password is received, the Gatekeeper performs a password verification procedure.
    Type: Application
    Filed: September 12, 2016
    Publication date: March 16, 2017
    Inventor: Alexander Medvinsky