Patents by Inventor Christian Gehrmann

Christian Gehrmann has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20200042684
    Abstract: The invention relates to methods and devices for updating encrypted biometric data of a user at a trusted network node. In an aspect of the invention a method performed by a first client device is provided of updating encrypted biometric data of a user, the encrypted biometric data to be updated having been previously captured by the first client device and registered at a trusted network node.
    Type: Application
    Filed: March 8, 2018
    Publication date: February 6, 2020
    Applicant: Fingerprint Cards AB
    Inventor: Christian Gehrmann
  • Publication number: 20200007337
    Abstract: The invention relates to methods and devices for enabling authentication of a user based on biometric data. In an aspect of the invention, a method performed by a client device of enabling authentication of user of the client device with a network node over a secure communication channel based on biometric data is provided.
    Type: Application
    Filed: February 13, 2018
    Publication date: January 2, 2020
    Applicant: Fingerprint Cards AB
    Inventor: Christian GEHRMANN
  • Publication number: 20190238328
    Abstract: A method performed by a client device of enrolling biometric data of a user with a network node over a secure communication channel comprises capturing the biometric data, transforming the biometric data into a first set of transformed biometric data using a first feature transformation key, generating a second feature transformation key, and transforming the biometric data into a second set of transformed biometric data using the second feature transformation key. The method further comprises encrypting the first and second set of transformed biometric data with an encryption key, encrypting the second feature transformation key with another encryption key shared with the network node at which the first and second sets of transformed biometric data are to be enrolled, and submitting, to the network node, an enrolment request comprising the encrypted first and second sets of transformed biometric data, the encrypted second feature transformation key, and user profile data.
    Type: Application
    Filed: April 11, 2019
    Publication date: August 1, 2019
    Applicant: Fingerprint Cards AB
    Inventors: Christian GEHRMANN, Steven POPE
  • Publication number: 20190165939
    Abstract: A method performed by a client device of enrolling biometric data of a user with a network node over a secure communication channel comprises capturing the biometric data, transforming the biometric data into a first set of transformed biometric data using a first feature transformation key, generating a second feature transformation key, and transforming the biometric data into a second set of transformed biometric data using the second feature transformation key. The method further comprises encrypting the first and second set of transformed biometric data with an encryption key, encrypting the second feature transformation key with another encryption key shared with the network node at which the first and second sets of transformed biometric data are to be enrolled, and submitting, to the network node, an enrolment request comprising the encrypted first and second sets of transformed biometric data, the encrypted second feature transformation key, and user profile data.
    Type: Application
    Filed: August 30, 2018
    Publication date: May 30, 2019
    Applicant: Fingerprint Cards AB
    Inventors: Christian GEHRMANN, Steven POPE
  • Patent number: 10305690
    Abstract: A method performed by a client device of enrolling biometric data of a user with a network node over a secure communication channel comprises capturing the biometric data, transforming the biometric data into a first set of transformed biometric data using a first feature transformation key, generating a second feature transformation key, and transforming the biometric data into a second set of transformed biometric data using the second feature transformation key. The method further comprises encrypting the first and second set of transformed biometric data with an encryption key, encrypting the second feature transformation key with another encryption key shared with the network node at which the first and second sets of transformed biometric data are to be enrolled, and submitting, to the network node, an Enrollment request comprising the encrypted first and second sets of transformed biometric data, the encrypted second feature transformation key, and user profile data.
    Type: Grant
    Filed: August 30, 2018
    Date of Patent: May 28, 2019
    Assignee: Fingerprint Cards AB
    Inventors: Christian Gehrmann, Steven Pope
  • Patent number: 10230738
    Abstract: The present invention relates to a secure component for protecting data in a storage entity and a method at the secure component of protecting data in the storage entity. Further, the present invention relates to a secure domain manager for securely associating a communicating party with a storage domain and a method at the secure domain manager of securely associating the communicating party with the storage domain. Moreover, the present invention relates to a trusted third party for verifying correctness of a launch package created by a secure domain manager to securely associate a communicating party with a storage domain and a method at the trusted third party to verify correctness of the launch package created by the secure domain manager to securely associate the communicating party with the storage domain.
    Type: Grant
    Filed: November 6, 2013
    Date of Patent: March 12, 2019
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Christian Gehrmann, Fredric Morenius, Nicolae Paladi
  • Patent number: 10063586
    Abstract: A method, computer program and a server node (100) in a communications network (50) for reduction of undesired energy consumption of the server node (100), the method comprising: receiving a request message from a client (120), the request message containing message fields comprising at least a message ID field and an integrity indication field containing a first integrity indication, determining a relation key by performing a calculation by usage of a master key commonly known by the server node (100) and an authorization engine (110) and at least data comprised in the message ID field, calculating a second integrity indication based on a subset of the message fields by usage of the relation key, wherein the subset excludes at least one message field that is predictable by a trusted client (120), verifying the subset of the message fields by comparing the first and second integrity indications, and determining the message to be authorized when the comparison indicates equality, and wherein when the message i
    Type: Grant
    Filed: July 2, 2013
    Date of Patent: August 28, 2018
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Christian Gehrmann, Göran Selander
  • Patent number: 9705856
    Abstract: Methods (500) of a network node (111) for creating and joining secure sessions for members (111-114) of a group of network nodes are provided. The methods comprise receiving an identity certificate and an assertion for the network node as well as a secret group key for the group. The method for creating a session further comprises creating (501) a session identifier and a secret session key for the session, and sending (502) an encrypted and authenticated broadcast message comprising the session identifier. The method for joining a session further comprises sending an encrypted and authenticated discovery message comprising the identity certificate and the assertion, and receiving an encrypted and authenticated discovery response message from another network node which is a member of the group. The disclosed combined symmetric key and public key scheme is based on the availability of three credentials at each node, i.e.
    Type: Grant
    Filed: July 27, 2012
    Date of Patent: July 11, 2017
    Assignee: TELEFONAKTIEBOLAGET L M ERICSSON
    Inventors: Christian Gehrmann, Oscar Ohlsson, Ludwig Seitz
  • Publication number: 20160142436
    Abstract: A method, computer program and a server node (100) in a communications network (50) for reduction of undesired energy consumption of the server node (100), the method comprising: receiving a request message from a client (120), the request message containing message fields comprising at least a message ID field and an integrity indication field containing a first integrity indication, determining a relation key by performing a calculation by usage of a master key commonly known by the server node (100) and an authorization engine (110) and at least data comprised in the message ID field, calculating a second integrity indication based on a subset of the message fields by usage of the relation key, wherein the subset excludes at least one message field that is predictable by a trusted client (120), verifying the subset of the message fields by comparing the first and second integrity indications, and determining the message to be authorized when the comparison indicates equality, and wherein when the message i
    Type: Application
    Filed: July 2, 2013
    Publication date: May 19, 2016
    Applicant: TELEFONAKTIEBOLAGET L M ERICSSON (PUBL)
    Inventors: Christian GEHRMANN, Göran SELANDER
  • Publication number: 20160087995
    Abstract: The present invention relates to a secure component for protecting data in a storage entity and a method at the secure component of protecting data in the storage entity. Further, the present invention relates to a secure domain manager for securely associating a communicating party with a storage domain and a method at the secure domain manager of securely associating the communicating party with the storage domain. Moreover, the present invention relates to a trusted third party for verifying correctness of a launch package created by a secure domain manager to securely associate a communicating party with a storage domain and a method at the trusted third party to verify correctness of the launch package created by the secure domain manager to securely associate the communicating party with the storage domain.
    Type: Application
    Filed: November 6, 2013
    Publication date: March 24, 2016
    Applicant: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Christian GEHRMANN, Fredric MORENIUS, Nicolae PALADI
  • Patent number: 9264220
    Abstract: A device and method in a provisioning unit of secure provisioning of a virtual machine on a target platform having a specific configuration is provided. The method comprising: receiving (404) a public binding key from the target platform (107), the public binding key being bound to the specific configuration, encrypting (410) a virtual machine provisioning command using the public binding key, and sending (412) the encrypted virtual machine provisioning command, to the target platform (107). By the provided device and method secure provisioning of a virtual machine on a target platform is enabled.
    Type: Grant
    Filed: April 26, 2011
    Date of Patent: February 16, 2016
    Assignee: Telefonaktiebolaget L M Ericsson (Publ)
    Inventors: Christian Gehrmann, András Méhes
  • Patent number: 9189247
    Abstract: A method performed by an embedded system controlled by a CPU and capable of operating as a virtualized system under supervision of a hypervisor or as a non-virtualized system under supervision of an operating system, is provided. The embedded system is executed in a normal mode if no execution of any security critical function is required, where the normal mode execution is performed under supervision of the operating system. If a security critical function execution is required, where protected mode execution is performed under supervision of the hypervisor, the operating system is switching execution of the embedded system from normal mode to protected mode, by handing over the execution of the embedded system from the operating system to the hypervisor. When execution of the security critical function is no longer required by the system is switched from protected mode to normal mode, under supervision of the hypervisor.
    Type: Grant
    Filed: March 4, 2014
    Date of Patent: November 17, 2015
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventor: Christian Gehrmann
  • Patent number: 9141776
    Abstract: A Hardware Analysis Module (“HAM”) embedded in an integrated circuit (IC) implements a dedicated hardware-controlled access control procedure. The secure hardware analysis features are unlocked by a key unit subject to successful completion of an access control procedure. The access control procedure prevents unlocking of the secure hardware analysis features by an unauthorized or compromised key unit by including an embedded control command in an authentication challenge sent by the HAM to the key unit during the access control procedure.
    Type: Grant
    Filed: April 30, 2008
    Date of Patent: September 22, 2015
    Assignee: Telefonaktiebolaget LM Ericsson (Publ)
    Inventors: Christian Gehrmann, Kent Damberg, Bernard Smeets
  • Publication number: 20150195261
    Abstract: Methods (500) of a network node (111) for creating and joining secure sessions for members (111-114) of a group of network nodes are provided. The methods comprise receiving an identity certificate and an assertion for the network node as well as a secret group key for the group. The method for creating a session further comprises creating (501) a session identifier and a secret session key for the session, and sending (502) an encrypted and authenticated broadcast message comprising the session identifier. The method for joining a session further comprises sending an encrypted and authenticated discovery message comprising the identity certificate and the assertion, and receiving an encrypted and authenticated discovery response message from another network node which is a member of the group. The disclosed combined symmetric key and public key scheme is based on the availability of three credentials at each node, i.e.
    Type: Application
    Filed: July 27, 2012
    Publication date: July 9, 2015
    Applicant: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Christian Gehrmann, Oscar Ohlsson, Ludwig Seitz
  • Patent number: 9055427
    Abstract: A method of updating/recovering a configuration parameter of a mobile terminal having stored thereon a public key of a public-key cryptosystem and a current terminal identifier, the method comprising determining an updated configuration parameter by an update/recovery server in response to a received current terminal identifier from the mobile terminal; generating an update/recovery data package by a central signing server, the update/recovery data package including the current terminal identifier, the updated configuration parameter, and a digital signature based on a private key, where the digital signature is verifiable by said public key; storing the current terminal identifier and the updated configuration parameter by the central signing server; sending the update/recovery data package by the update/recovery server to the mobile terminal causing the mobile terminal to verify the received update/recovery data package and to store the updated configuration parameter of the verified update/recovery data p
    Type: Grant
    Filed: October 12, 2005
    Date of Patent: June 9, 2015
    Assignee: Telefonaktiebolaget L M Ericsson (Publ)
    Inventors: Christian Gehrmann, Ben Smeets
  • Publication number: 20150134965
    Abstract: In a method of provisioning a virtual machine (VM) to a computing network (401), a VM manager or provisioner (403, 408) encrypts a virtual machine using a key bound to at least one security profile indicative of one or more security requirements that a computing resource (402) of the computing network (401) must satisfy in order to be able to decrypt the VM. A key for use in decrypting the VM has previously been sealed into multiple (and preferably into all) computing resources (402) in the network into which the VM is to be provisioned, and has been sealed such that a computing resource can obtain the key only if it is in a state that satisfies the security profile, or at least one security profile, to which the key is bound. The VM manager or provisioner (403, 408) creates a VM launch package that includes the encrypted VM and that also includes a key that may be used in decrypting the encrypted VM.
    Type: Application
    Filed: May 24, 2012
    Publication date: May 14, 2015
    Applicant: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Fredric Morenius, Christian Gehrmann, András Méhes
  • Patent number: 8776183
    Abstract: A Personal Area Network Security Domain (PSD) is formed between devices (142, 150, 152, 154 and 156). The PSD allows the sharing of data and/or resources between the devices within the PSD. The devices within the PSD are located remotely from one another. For example, communication between device (150 and 156) will be performed via mobile or cellular telephone network (120), the Internet (140) and mobile or cellular telephone network (126). Each network (120, 126) is provided with a PSD Hub, which enables an IPsec secure connection between the devices (150 and 156) to be established.
    Type: Grant
    Filed: November 5, 2004
    Date of Patent: July 8, 2014
    Assignee: Vodafone Group PLC
    Inventors: Pubudu Chandrasiri, Bulent Ozgur Gurleyen, Mats Naslund, Annika Jonsson, Christian Gehrmann
  • Publication number: 20140189339
    Abstract: A method performed by an embedded system controlled by a CPU and capable of operating as a virtualized system under supervision of a hypervisor or as a non-virtualized system under supervision of an operating system, is provided. The embedded system is executed in a normal mode if no execution of any security critical function is required, where the normal mode execution is performed under supervision of the operating system. If a security critical function execution is required, where protected mode execution is performed under supervision of the hypervisor, the operating system is switching execution of the embedded system from normal mode to protected mode, by handing over the execution of the embedded system from the operating system to the hypervisor. When execution of the security critical function is no longer required by the system is switched from protected mode to normal mode, under supervision of the hypervisor.
    Type: Application
    Filed: March 4, 2014
    Publication date: July 3, 2014
    Applicant: Telefonaktiebolaget L M Ericsson (publ)
    Inventor: Christian GEHRMANN
  • Patent number: 8712474
    Abstract: The method and apparatus described herein transfers soft SIM credentials from a transferring mobile device to a target mobile device while ensuring that only one mobile device contains active soft SIM credentials at a time. Broadly, a transferring mobile device securely transfers the soft SIM credentials to a target mobile device either directly or via a network server. Before the target mobile device receives or activates the soft SIM credentials, the transferring mobile device deactivates the soft SIM credentials to ensure that only one mobile device contains the active soft SIM credentials.
    Type: Grant
    Filed: November 26, 2007
    Date of Patent: April 29, 2014
    Assignee: Telefonaktiebolaget L M Ericsson (Publ)
    Inventor: Christian Gehrmann
  • Patent number: 8713567
    Abstract: A method performed by an embedded system controlled by a CPU and capable of operating as a virtualized system under supervision of a hypervisor or as a non-virtualized system under supervision of an operating system, is provided. The embedded system is executed in a normal mode if no execution of any security critical function is required by the embedded system, where the normal mode execution is performed under supervision of the operating system. If a security critical function execution is required by the embedded system, where protected mode execution is performed under supervision of the hypervisor, the operating system is switching execution of the embedded system from normal mode to protected mode, by handing over the execution of the embedded system from the operating system to the hypervisor, and when execution of the security critical function is no longer required by the embedded system is switched from protected mode to normal mode, under supervision of the hypervisor.
    Type: Grant
    Filed: March 24, 2011
    Date of Patent: April 29, 2014
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventor: Christian Gehrmann