Abstract: Technologies for counter with CBC-MAC (CCM) mode encryption include a computing device that performs a CBC-MAC authentication operation on a message with an encryption key, using a 64-bit block cipher to generate a message authentication code. The computing device generates a first 64-bit authentication block including an 8-bit flag field and a length field of between 11 and 32 bits. The flag field indicates the length of the length field. Performing the CBC-MAC authentication operation includes formatting the message into one or more 64-bit authentication blocks. The computing device performs a counter mode encryption operation on the message with the encryption key using the 64-bit block cipher to generate a cipher text. Performing the counter mode encryption includes generating multiple 64-bit keystream blocks. The computing device generates an authentication tag based on the message authentication code and a first keystream block of keystream blocks. Other embodiments are described and claimed.

Abstract: Embodiments of a system for, and method for using, an elliptic curve cryptography integrated circuit are generally described herein. An elliptic curve cryptography (ECC) operation request may be received. One of a plurality of circuit portions may be instructed to perform the ECC operation. The plurality of circuit portions that may be used include a finite field arithmetic circuit portion, an EC point addition and doubler circuit portion, a finite field exponentiation circuit portion, and a point multiplier circuit portion. The result of the ECC operation may then be output.

Abstract: One embodiment provides an apparatus. The apparatus includes a lightweight cryptographic engine (LCE), the LCE is optimized and has an associated throughput greater than or equal to a target throughput.

Abstract: One embodiment provides an electronic control unit (ECU) for a vehicle. The ECU includes transceiver circuitry, voltage measurement circuitry and feature set circuitry. The transceiver circuitry is to at least one of send and/or receive a message. The voltage measurement circuitry is to determine at least one of a high bus line voltage (VCANH) value and/or a low bus line voltage (VCANL) value, for each zero bit of at least one zero bit of a received message. The received the message includes a plurality of bits. The feature set circuitry is to determine a value of at least one feature of a feature set based, at least in part, on at least one of a high acknowledge (ACK) threshold voltage (VthH) and/or a low ACK threshold voltage (VthL). The feature set includes at least one of an operating most frequently measured VCANH value (VfreqH2) of a number of VCANH values and/or an operating most frequently measured VCANL value (VfreqL2) of a number of VCANL values.

Abstract: One embodiment provides a signer device. The signer device includes hash signature control logic and signer signature logic. The hash signature control logic is to retrieve a first nonce, to concatenate the first nonce and a message to be transmitted and to determine whether a first message representative satisfies a target threshold. The signer signature logic is to generate a first transmitted signature based, at least in part, on the first message representative, if the first message representative satisfies the target threshold. The hash signature control logic is to retrieve a second nonce, concatenate the second nonce and the message to be transmitted and to determine whether a second message representative satisfies the target threshold, if the first message representative does not satisfy the target threshold.

Abstract: One embodiment provides an apparatus. The apparatus includes an Internet of Things (IoT) device including a processor, a memory, a flash memory, a network interface and a boot Read Only Memory (ROM). A Root-of-Trust (RoT) application stored in the boot ROM causes the processor run the RoT after initialization of the IoT device. The RoT causes the device to determine a selected image by determining if an update mode is set. The RoT also causes the processor to load the selected image into memory and determine whether a verification of a signature of the selected image is successful.

Abstract: Lightweight trusted execution technologies for internet-of-things devices are described. In response to a memory request at a page unit from an application executing in a current domain, the page unit is to map a current virtual address (VA) to a current physical address (PA). The policy enforcement logic (PEL) reads, from a secure domain cache (SDC), a domain value (DID) and a VA value that correspond to the current PA. The PEL grants access when the current domain and the DID correspond to the unprotected region or the current domain and the DID correspond to the secure domain region, the current domain is equal to the DID, and the current VA is equal to the VA value. The PEL grants data access and denies code access when the current domain corresponds to the secure domain region and the DID corresponds to the unprotected region.

Abstract: In one embodiment, the present invention includes a system on a chip (SoC) that has a first agent with an intellectual property (IP) logic, an interface to a fabric including a target interface, a master interface and a sideband interface, and an access control plug-in unit to handle access control policy for the first agent with respect to incoming and outgoing transactions. This access control plug-in unit can be incorporated into the SoC at integration time and without any modification to the IP logic. Other embodiments are described and claimed.

Abstract: One embodiment provides an apparatus. The apparatus includes a lightweight cryptographic engine (LCE), the LCE is optimized and has an associated throughput greater than or equal to a target throughput.

Abstract: Managing playback of a media file, including detecting, while a media file is playing, a trigger mechanism indicating a change in optimal play characteristics of the media file from an original format, wherein the playback of the media file is associated with a first license, in response to detecting the trigger mechanism, instructing a trusted execution environment to request an updated license from a content provider of the media file, and upon receiving a second license for the media file, the trusted execution environment enforces play of the media file using the second license for a second format. The second license allows for the play of the media file to continue at the optimal play characteristics.

Abstract: Systems, apparatuses and methods may provide for changing the execution mode of a device based on policy enforcement request that is received when the device is located proximately to a specific area. The policy enforcement request is verified with respect to a System on Chip (SoC) platform. An enforcement manager of the SoC platform may enforce the received policy enforcement request if verification is successful, and an attestation controller may report the enforced policy request and a status of the platform to an external device from which the policy request originates.

Abstract: Embodiments of a system for, and method for using, an elliptic curve cryptography integrated circuit are generally described herein. An elliptic curve cryptography (ECC) operation request may be received. One of a plurality of circuit portions may be instructed to perform the ECC operation. The plurality of circuit portions that may be used include a finite field arithmetic circuit portion, an EC point addition and doubler circuit portion, a finite field exponentiation circuit portion, and a point multiplier circuit portion. The result of the ECC operation may then be output.

Abstract: System and techniques for secure unlock to access debug hardware are described herein. A cryptographic key may be received at a hardware debug access port of a device. A digest may be computed from the cryptographic key at an unlock unit of the device. A fuse value may be received from a non-volatile read-only storage on the device. The digest and the fuse value may be compared to determine whether they are the same. A pass-fail pulse may be provided that indicates the result of the comparing.

Abstract: In a method for validating software updates, a data processing system contains a current version of a software component. The data processing system saves at least first and second current advance keys (AKs). After saving the current AKs, the data processing system receives an update package for a new version of the software component. The data processing system extracts a digital signature and two or more new AKs from the update package. The data processing system uses at least one current AK to determine whether the digital signature is valid. In response to a determination that the digital signature is valid, the data processing system uses a software image from the update package to update the software component, and the data processing system saves the new AKs, for subsequent utilization as the current AKs. Other embodiments are described and claimed.

Abstract: In a method for enabling devices to communicate securely, a first device dynamically generates a human body nonce (HBN) and then sends that HBN to a second device via a human body communication conduit (HBCC). After sending the HBN from the first device to the second device, the first device uses the HBN to establish security for an over-the-air (OTA) communication session between the first device and the second device. For instance, the first device may derive a key, based at least in part on the HBN, and the first device may use the key to encrypt communications to be sent OTA between the first device and the second device. Other embodiments are described and claimed.

Abstract: In a method for enabling devices to communicate securely, a first device dynamically generates a human body nonce (HBN) and then sends that HBN to a second device via a human body communication conduit (HBCC). After sending the HBN from the first device to the second device, the first device uses the HBN to establish security for an over-the-air (OTA) communication session between the first device and the second device. For instance, the first device may derive a key, based at least in part on the HBN, and the first device may use the key to encrypt communications to be sent OTA between the first device and the second device. Other embodiments are described and claimed.

Abstract: One embodiment provides an apparatus. The apparatus includes a lightweight cryptographic engine (LCE), the LCE is optimized and has an associated throughput greater than or equal to a target throughput.

Abstract: In one embodiment, a method includes: receiving, in a device, a first message to request transfer of ownership of the device from a current owner to a new owner, the device having a storage to store a first title including a device identifier for the device and an owner identifier for the current owner, the storage to further store a first root authorization key associated with the current owner; sending a second message from the device to the new owner, the second message including a hash value of the first title; and receiving a third message, in the device, the third message including a second title for the device, the second title generated by the new owner and including a new owner identifier, the second title comprising a concatenation of the first title, to enable ownership of the device to be transferred to the new owner.

Abstract: Systems and techniques for a System-on-a-Chip (SoC) security plugin are described herein. A component message may be received at an interconnect endpoint from an SoC component. The interconnect endpoint may pass the component message to a security component via a security interlink. The security component may secure the component message, using a cryptographic engine, to create a secured message. The secured message is delivered back to the interconnect endpoint via the security interlink and transmitted across the interconnect by the interconnect endpoint.

Abstract: A system on chip (SOC) includes a policy generator to identify lifecycle data that identifies a lifecycle of the SOC and identify authentication data that identifies a particular user that is to debug the SoC. A particular policy is determined based on the lifecycle and identification of the particular user, and policy data is sent to at least one block of the SoC, the policy data identifying the particular policy. Debug access at the block is based on the particular policy.