Patents by Inventor Nicolas Ponsini

Nicolas Ponsini has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11232217
    Abstract: A method for establishing and maintaining a security policy for a device can include establishing a secure channel between a secure execution environment (SEE) operating on the device and a security entity external to the device. The method can also include configuring, by a security manager executing on the SEE, access to sensitive operations of an environment interactor coupled to the device based on a security policy provided from the security entity. The method can further include resetting, by the security manager, a secure watchdog timer in response to a reset authorization token provided from the secure entity. If the secure watchdog timer expires a given predetermined number of times since a last reset authorization token is received, the security manager executes a given prescriptive operation dictated by the security policy.
    Type: Grant
    Filed: December 6, 2018
    Date of Patent: January 25, 2022
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventor: Nicolas Ponsini
  • Publication number: 20200184089
    Abstract: A method for establishing and maintaining a security policy for a device can include establishing a secure channel between a secure execution environment (SEE) operating on the device and a security entity external to the device. The method can also include configuring, by a security manager executing on the SEE, access to sensitive operations of an environment interactor coupled to the device based on a security policy provided from the security entity. The method can further include resetting, by the security manager, a secure watchdog timer in response to a reset authorization token provided from the secure entity. If the secure watchdog timer expires a given predetermined number of times since a last reset authorization token is received, the security manager executes a given prescriptive operation dictated by the security policy.
    Type: Application
    Filed: December 6, 2018
    Publication date: June 11, 2020
    Inventor: Nicolas Ponsini
  • Patent number: 10474454
    Abstract: A system and method can support device management. A trusted operating system (OS) in a trusted execution environment can store a digest for one or more binary files, which are associated with a trusted application that is deployed in the trusted execution environment. Then, the system can update the trusted application based on one or more updates received from a service provider. Furthermore, the system allows the trusted OS to derive at least one secret bound to the updated trusted application using the digest stored by the trusted OS in the trusted execution environment.
    Type: Grant
    Filed: March 20, 2014
    Date of Patent: November 12, 2019
    Assignee: Oracle International Corporation
    Inventor: Nicolas Ponsini
  • Patent number: 10164963
    Abstract: A method may include receiving, by a hardware token from a client device, a chain of certificates including a server certificate and a first root certificate authority (CA) certificate. The method may further include determining, by the hardware token, to offload validation of one or more certificates in the chain of certificates to the client device, and verifying, by a cryptography application running in a memory of the hardware token, using a trusted root CA certificate stored in the hardware token, each certificate in the chain of certificates. The method may further include authenticating, by the hardware token and based on the verification, a public key of a server certificate, encrypting, by the cryptography application, a secret message using the authenticated public key of the server certificate to obtain an encrypted secret message, and sending, by the hardware token, the encrypted secret message to the client device.
    Type: Grant
    Filed: February 26, 2016
    Date of Patent: December 25, 2018
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Nicolas Ponsini, Eric Vetillard
  • Patent number: 9871821
    Abstract: A method for enforcing secure processes between a user and a device involves determining that the user has initiated installation of a secure application, installing the RA part of the secure application, triggering a trusted UI session upon realization that the TA part of the secure application is not installed, receiving, via the trusted UI session, user credentials for authenticating the user and enforcing user-specific and device-specific security, cryptographically signing combined user credentials with a cryptographic signature to obtain an authentication object, passing the authentication object to a service provider associated with the secure application for extraction of the user credentials, and generating an authorization token permitting the installation of the TA part of the secure application upon verification of the cryptographically signed authentication object.
    Type: Grant
    Filed: November 11, 2014
    Date of Patent: January 16, 2018
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Nicolas Ponsini, Eric Vetillard
  • Publication number: 20170118196
    Abstract: A method may include receiving, by a hardware token from a client device, a chain of certificates including a server certificate and a first root certificate authority (CA) certificate. The method may further include determining, by the hardware token, to offload validation of one or more certificates in the chain of certificates to the client device, and verifying, by a cryptography application running in a memory of the hardware token, using a trusted root CA certificate stored in the hardware token, each certificate in the chain of certificates. The method may further include authenticating, by the hardware token and based on the verification, a public key of a server certificate, encrypting, by the cryptography application, a secret message using the authenticated public key of the server certificate to obtain an encrypted secret message, and sending, by the hardware token, the encrypted secret message to the client device.
    Type: Application
    Filed: February 26, 2016
    Publication date: April 27, 2017
    Inventors: Nicolas Ponsini, Eric Vetillard
  • Patent number: 9525705
    Abstract: A system and method can support on-device operation management. A token issuer on a backend server, and/or a tool, can generate an authorization token, which is bound to a user of one or more devices using a unique identifier (ID) that is assigned to the user. The unique ID can be known and/or shared between an on-device authorizing entity and the token issuer. Then, the on-device authorizing entity can verify the authorization token before granting an execution of one or more protected on-device operations. Furthermore, the on-device authorizing entity may not grant the execution of the one or more protected on-device operations, when the unique ID is erased from the device.
    Type: Grant
    Filed: March 20, 2014
    Date of Patent: December 20, 2016
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Thierry Violleau, Nicolas Ponsini, Patrick Van Haver
  • Patent number: 9520994
    Abstract: A system and method can support device management. A trusted application can be deployed in a trusted execution environment on a device, wherein the trusted execution environment includes a trusted operating system (OS) and the trusted application is associated with an identifier. Then, the system can derive one or more secrets bound to said trusted application based on the identifier and a master key maintained by the trusted OS. Additionally, the secret derivation can take into account binary code/data for the trusted application. Thus, the system can prevent another trusted application in the trusted execution environment from retrieving said one or more secrets using the same identifier.
    Type: Grant
    Filed: March 20, 2014
    Date of Patent: December 13, 2016
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventor: Nicolas Ponsini
  • Publication number: 20160134660
    Abstract: A method for enforcing secure processes between a user and a device involves determining that the user has initiated installation of a secure application, installing the RA part of the secure application, triggering a trusted UI session upon realization that the TA part of the secure application is not installed, receiving, via the trusted UI session, user credentials for authenticating the user and enforcing user-specific and device-specific security, cryptographically signing combined user credentials with a cryptographic signature to obtain an authentication object, passing the authentication object to a service provider associated with the secure application for extraction of the user credentials, and generating an authorization token permitting the installation of the TA part of the secure application upon verification of the cryptographically signed authentication object.
    Type: Application
    Filed: November 11, 2014
    Publication date: May 12, 2016
    Inventors: Nicolas Ponsini, Eric Vetillard
  • Patent number: 9331988
    Abstract: A system and method can support device management. An authorization entity can pass one or more secrets that are wrapped with a first key to a communication entity. Furthermore, the communication entity can use a second key to establish a secure channel with an application on a device, and pass the one or more secrets that are wrapped with the first key to the application on the device using the secure channel. Then, the device can use the first key to unwrap the received wrapped secret.
    Type: Grant
    Filed: March 20, 2014
    Date of Patent: May 3, 2016
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventor: Nicolas Ponsini
  • Publication number: 20150271160
    Abstract: A system and method can support device management. An authorization entity can pass one or more secrets that are wrapped with a first key to a communication entity. Furthermore, the communication entity can use a second key to establish a secure channel with an application on a device, and pass the one or more secrets that are wrapped with the first key to the application on the device using the secure channel. Then, the device can use the first key to unwrap the received wrapped secret.
    Type: Application
    Filed: March 20, 2014
    Publication date: September 24, 2015
    Applicant: Oracle International Corporation
    Inventor: Nicolas Ponsini
  • Publication number: 20150268952
    Abstract: A system and method can support device management. A trusted operating system (OS) in a trusted execution environment can store a digest for one or more binary files, which are associated with a trusted application that is deployed in the trusted execution environment. Then, the system can update the trusted application based on one or more updates received from a service provider. Furthermore, the system allows the trusted OS to derive at least one secret bound to the updated trusted application using the digest stored by the trusted OS in the trusted execution environment.
    Type: Application
    Filed: March 20, 2014
    Publication date: September 24, 2015
    Applicant: Oracle International Corporation
    Inventor: Nicolas Ponsini
  • Publication number: 20150270960
    Abstract: A system and method can support device management. A trusted application can be deployed in a trusted execution environment on a device, wherein the trusted execution environment includes a trusted operating system (OS) and the trusted application is associated with an identifier. Then, the system can derive one or more secrets bound to said trusted application based on the identifier and a master key maintained by the trusted OS. Additionally, the secret derivation can take into account binary code/data for the trusted application. Thus, the system can prevent another trusted application in the trusted execution environment from retrieving said one or more secrets using the same identifier.
    Type: Application
    Filed: March 20, 2014
    Publication date: September 24, 2015
    Applicant: Oracle International Corporation
    Inventor: Nicolas Ponsini
  • Publication number: 20150143484
    Abstract: A system and method can support on-device operation management. A token issuer on a backend server, and/or a tool, can generate an authorization token, which is bound to a user of one or more devices using a unique identifier (ID) that is assigned to the user. The unique ID can be known and/or shared between an on-device authorizing entity and the token issuer. Then, the on-device authorizing entity can verify the authorization token before granting an execution of one or more protected on-device operations. Furthermore, the on-device authorizing entity may not grant the execution of the one or more protected on-device operations, when the unique ID is erased from the device.
    Type: Application
    Filed: March 20, 2014
    Publication date: May 21, 2015
    Applicant: Oracle International Corporation
    Inventors: Thierry Violleau, Nicolas Ponsini, Patrick VAN HAVER
  • Patent number: 8977193
    Abstract: A mobile station includes a radio section which communicates with a base station, and a short-range radio section for performing short range radio communication independently of the radio section. A backlight mounted on a display portion of the mobile station can be selectively turned on and off. The operation of the short-range radio section is disabled when the backlight is deactivated, and the operation of the short-range radio section is enabled when the backlight is activated.
    Type: Grant
    Filed: May 9, 2011
    Date of Patent: March 10, 2015
    Assignee: Trusted Logic
    Inventor: Nicolas Ponsini
  • Patent number: 8874931
    Abstract: The invention relates to a method for securing a user interface that comprises a user interface including one or more peripheral hardware devices of the user interface for interaction with said interface, said peripheral hardware devices being driven by driver software, and one or more applications using the user interface. The invention also relates to a method for securing such an interface. The system of the invention is characterised in that the same further comprises a hypervisor and one or more virtual machines, the drivers of the peripheral hardware devices of the user interface being divided into two portions, i.e. a main portion of said drivers under the control of the hypervisor and a front-end portion of said drivers under the control of the virtual machines, wherein the front-end portion of the securing software component is in charge of managing the front-end portion of the drivers and the main portion of the securing software component is in charge of managing the main portion of the drivers.
    Type: Grant
    Filed: July 23, 2009
    Date of Patent: October 28, 2014
    Assignee: Trusted Logic Mobility
    Inventor: Nicolas Ponsini
  • Publication number: 20120289152
    Abstract: A mobile station includes a radio section which communicates with a base station, and a short-range radio section for performing short range radio communication independently of the radio section. A backlight mounted on a display portion of the mobile station can be selectively turned on and off. The operation of the short-range radio section is disabled when the backlight is deactivated, and the operation of the short-range radio section is enabled when the backlight is activated.
    Type: Application
    Filed: May 9, 2011
    Publication date: November 15, 2012
    Applicant: TRUSTED LOGIC
    Inventor: Nicolas PONSINI
  • Publication number: 20110131423
    Abstract: The invention relates to a method for securing a user interface that comprises a user interface including one or more peripheral hardware devices of the user interface for interaction with said interface, said peripheral hardware devices being driven by driver software, and one or more applications using the user interface. The invention also relates to a method for securing such an interface. The system of the invention is characterised in that the same further comprises a hypervisor and one or more virtual machines, the drivers of the peripheral hardware devices of the user interface being divided into two portions, i.e. a main portion of said drivers under the control of the hypervisor and a front-end portion of said drivers under the control of the virtual machines, wherein the front-end portion of the securing software component is in charge of managing the front-end portion of the drivers and the main portion of the securing software component is in charge of managing the main portion of the drivers.
    Type: Application
    Filed: July 23, 2009
    Publication date: June 2, 2011
    Applicant: TRUSTED LOGIC
    Inventor: Nicolas Ponsini