Patents Assigned to Sypris Electronics, LLC
  • Publication number: 20160269186
    Abstract: An authentication system and device including physical unclonable function (PUF) and threshold cryptography comprising: a PUF device having a PUF input and a PUF output and constructed to generate, in response to the input of a challenge, an output value characteristic to the PUF and the challenge; and a processor having a processor input that is connected to the PUF output, and having a processor output connected to the PUF input, the processor configured to: control the issuance of challenges to the PUF input via the processor output, receive output from the PUF output, combine multiple received PUF output values each corresponding to a share of a private key or secret, and perform threshold cryptographic operations. The system and device may be configured so that shares are refreshable, and may be configured to perform staggered share refreshing.
    Type: Application
    Filed: June 22, 2015
    Publication date: September 15, 2016
    Applicant: Sypris Electronics, LLC
    Inventor: John Ross Wallrabenstein
  • Publication number: 20160170907
    Abstract: A resilient device authentication system for use with one or more managed devices each including a physical unclonable function (PUF), comprises: one or more verification authorities (VA) each including a processor and a memory loaded with a complete verification set (CVS) that includes hardware part-specific data associated with the managed devices' PUFs and metadata, the processor configured to create a limited verification set (LVS) through one-way algorithmic transformation of hardware part-specific data together with metadata from the loaded CVS so as to create a LVS representing both metadata and hardware part-specific data adequate to redundantly verify all of the hardware parts associated with the LVS; and one or more provisioning entities (PE) each connectable to a VA and including a processor and a memory loaded with a LVS, and configured to select a subset of the LVS so as to create an application limited verification set (ALVS).
    Type: Application
    Filed: February 8, 2016
    Publication date: June 16, 2016
    Applicant: Sypris Electronics, LLC
    Inventors: John J. Walsh, John Ross Wallrabenstein, Hal A. Aldridge, Michael J. Duren
  • Patent number: 9292692
    Abstract: A system and device for verifying the integrity of a system from its components, the system comprising a plurality of components each having a physical state, the system and the device comprising a processor that is connected to each of the components, the processor configured to verify systemic integrity by performing verification on some or all specified components. The verification may be individual (1, 1) or threshold (n, 1), and may be interactive or non-interactive.
    Type: Grant
    Filed: June 22, 2015
    Date of Patent: March 22, 2016
    Assignee: Sypris Electronics, LLC
    Inventor: John Ross Wallrabenstein
  • Patent number: 9258129
    Abstract: A resilient device authentication system comprising: one or more verification authorities (VAs) including a memory loaded with a complete verification set that includes hardware part-specific data, and configured to create a limited verification set (LVS) therefrom; one or more provisioning entities (PEs) each connectable to at least one of the VAs, including a memory loaded with a LVS, and configured to select a subset of data therefrom so as to create an application limited verification set (ALVS). Also disclosed is a device for use with an authentication system, comprising: a first hardware part and a second hardware part that are adapted to communicate with and perform authentication on each other; and/or a hardware part that contains two or more chips that are adapted to communicate with and perform authentication on each other.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: February 9, 2016
    Assignee: SYPRIS ELECTRONICS, LLC
    Inventors: John J. Walsh, Hal A. Aldridge, Michael J. Duren
  • Publication number: 20150341792
    Abstract: A network authentication system with dynamic key generation that facilitates the establishment of both endpoint identity, as well as a secure communication channel using a dynamically-generated key between two end devices (potentially on separate local area networks). An interactive or noninteractive authentication protocol is used to establish the identity of the target end device, and dynamic key generation is used to establish a shared symmetric session key for creating an encrypted communication channel between the end devices.
    Type: Application
    Filed: May 22, 2015
    Publication date: November 26, 2015
    Applicant: Sypris Electronics, LLC
    Inventors: John J. Walsh, John Ross Wallrabenstein, Charles J. Timko
  • Publication number: 20150317480
    Abstract: A system and device for verifying the integrity of a system from its subcomponents, the system comprising a plurality of subcomponents each having a physical state, the system and the device comprising a processor that is connected to each of the subcomponents, the processor configured to verify systemic integrity by performing verification on some or all specified subcomponents. The verification may be individual (1,1) or threshold (n,1), and may be interactive or non-interactive.
    Type: Application
    Filed: May 5, 2015
    Publication date: November 5, 2015
    Applicant: Sypris Electronics, LLC
    Inventors: Douglas J. Gardner, John J. Walsh, John Ross Wallrabenstein
  • Publication number: 20150317481
    Abstract: A system and device for verifying the integrity of a system from its components, the system comprising a plurality of components each having a physical state, the system and the device comprising a processor that is connected to each of the components, the processor configured to verify systemic integrity by performing verification on some or all specified components. The verification may be individual (1, 1) or threshold (n, 1), and may be interactive or non-interactive.
    Type: Application
    Filed: June 22, 2015
    Publication date: November 5, 2015
    Applicant: SYPRIS ELECTRONICS, LLC
    Inventors: Douglas J. Gardner, John J. Walsh, John Ross Wallrabenstein
  • Publication number: 20150318994
    Abstract: A system, device, and method for binding metadata, such as information derived from the output of a biometric sensor, to hardware intrinsic properties by obtaining authentication-related metadata and combining it with information pertaining to a root of trust, such as a physical unclonable function. The metadata may be derived from a sensor such as a biometric sensor, the root of trust may be a physical unclonable function, the combination of the metadata and root of trust information may employ a hash function, and output from such a hash process may be used as an input to the root of trust. The combined information can be used in interactive or non-interactive authentication.
    Type: Application
    Filed: May 5, 2015
    Publication date: November 5, 2015
    Applicant: Sypris Electronics, LLC
    Inventors: John J. Walsh, John Ross Wallrabenstein
  • Patent number: 9154310
    Abstract: A resilient device authentication system and method comprising: one or more verification authorities (VAs) including a memory loaded with a complete verification set that includes hardware part-specific data, and configured to create a limited verification set (LVS) therefrom; one or more provisioning entities (PEs) each connectable to at least one of the VAs, including a memory loaded with a LVS, and configured to select a subset of data therefrom so as to create an application limited verification set (ALVS). Also disclosed is a device comprising a controller, device memory, input/output capable of communicating with the authentication system, and a physically-unclonable function associated with hardware part-specific information corresponding to hardware part-specific data in the loaded CVS. Further disclosed is an authentication system including hardware security modules.
    Type: Grant
    Filed: July 21, 2013
    Date of Patent: October 6, 2015
    Assignee: SYPRIS ELECTRONICS, LLC
    Inventors: John J. Walsh, Michael J. Duren, Hal A. Aldridge
  • Publication number: 20150134966
    Abstract: A device authentication system for use with an authenticatable device having a physically-unclonable function and constructed to, in response to input of challenge C, internally generate an output O characteristic to the PUF and the challenge C, and configured to: i) upon receiving challenge C, generate a corresponding commitment value that depends upon a private value r, and ii) upon receiving an authentication query that includes the challenge C and a nonce, return a zero knowledge proof authentication value that corresponds to the commitment value.
    Type: Application
    Filed: December 11, 2013
    Publication date: May 14, 2015
    Applicant: Sypris Electronics, LLC
    Inventor: John Ross Wallrabenstein
  • Patent number: 8918647
    Abstract: A device authentication system including one or more devices, child servers capable of communicating therewith, and a root server configured to enroll devices by: collecting device-specific tokens and creating a complete verification set (“CVS”) therefrom; creating a working verification set (“WVS”) by selecting a subset of the CVS; creating a limited verification set (“LVS”) by performing a derivation function on at least part of the WVS; and distributing part or all of the LVS to child servers. A device authentication system configured such that a PUF-containing device and a server communicating with the device can perform an extended BPV generation. A device authentication system that includes a device containing a PUF and is configured to perform error decoding on subsets of an authentication-related value multiple times.
    Type: Grant
    Filed: May 6, 2014
    Date of Patent: December 23, 2014
    Assignee: Sypris Electronics, LLC
    Inventor: John Ross Wallrabenstein
  • Patent number: 8844009
    Abstract: A resilient device authentication system comprising: one or more verification authorities (VAs) including a memory loaded with a complete verification set that includes hardware part-specific data, and configured to create a limited verification set (LVS) therefrom; one or more provisioning entities (PEs) each connectable to at least one of the VAs, including a memory loaded with a LVS, and configured to select a subset of data therefrom so as to create an application limited verification set (ALVS); and one or more device management systems connectable to at least one of the PEs, including a memory loaded with an ALVS, and configured to manage device security-related applications through the performance of security-related functions on devices associated with the hardware part-specific data.
    Type: Grant
    Filed: March 15, 2014
    Date of Patent: September 23, 2014
    Assignee: Sypris Electronics, LLC
    Inventors: John J. Walsh, Hal A. Aldridge, Michael J. Duren
  • Publication number: 20140282925
    Abstract: A personal authentication device for use with a mobile device, comprising a secure processor, a crypto engine supporting certificate functions, a wireless communication module, a cryptographic engine, a memory, a hardware based identity, a policy engine, one or more security features; and an on-board main power battery. Also a system comprising the personal authentication device and a verification authority, and an associated method of authentication.
    Type: Application
    Filed: March 15, 2013
    Publication date: September 18, 2014
    Applicant: Sypris Electronics, LLC
    Inventors: John J. Walsh, Hal A. Aldridge
  • Publication number: 20140201821
    Abstract: A resilient device authentication system comprising: one or more verification authorities (VAs) including a memory loaded with a complete verification set that includes hardware part-specific data, and configured to create a limited verification set (LVS) therefrom; one or more provisioning entities (PEs) each connectable to at least one of the VAs, including a memory loaded with a LVS, and configured to select a subset of data therefrom so as to create an application limited verification set (ALVS); and one or more device management systems connectable to at least one of the PEs, including a memory loaded with an ALVS, and configured to manage device security-related applications through the performance of security-related functions on devices associated with the hardware part-specific data.
    Type: Application
    Filed: March 15, 2014
    Publication date: July 17, 2014
    Applicant: Sypris Electronics, LLC
    Inventors: John J. Walsh, Hal A. Aldridge, Michael J. Duren
  • Patent number: 8756417
    Abstract: A multi-mode Trusted Computing Platform (TCP) comprising a Field Programmable Gate Array (FPGA) device that includes a Type-1-compliant root of trust (ROT), a memory containing a Type-1 security boot image and at least one lower-security boot image, and a memory containing a Type-1-associated operating system (OS) image and at least one lower-security-associated OS image. The TCP is configured to execute a multi-stage boot process that, depending on the presence of one or more valid external inputs, selects and initiates either a Type-1 TCP computing mode or a lower-assurance computing mode.
    Type: Grant
    Filed: February 4, 2014
    Date of Patent: June 17, 2014
    Assignee: Sypris Electronics, LLC
    Inventor: Douglas J. Gardner
  • Publication number: 20140123223
    Abstract: A resilient device authentication system comprising: one or more verification authorities (VAs) including a memory loaded with a complete verification set that includes hardware part-specific data, and configured to create a limited verification set (LVS) therefrom; one or more provisioning entities (PEs) each connectable to at least one of the VAs, including a memory loaded with a LVS, and configured to select a subset of data therefrom so as to create an application limited verification set (ALVS); and one or more device management systems connectable to at least one of the PEs, including a memory loaded with an ALVS, and configured to manage device security-related applications through the performance of security-related functions on devices associated with the hardware part-specific data.
    Type: Application
    Filed: March 14, 2013
    Publication date: May 1, 2014
    Applicant: Sypris Electronics, LLC
    Inventors: John J. Walsh, Hal A. Aldridge, Michael J. Duren
  • Patent number: 8328092
    Abstract: An electronic memory key is described. The key includes internal memory and contact points on an exemplary flat and annular surface with a mechanical fastening mechanism to securely affix the key to a device interface. Corresponding contacts are provided on the device to electronically communicate the key to device.
    Type: Grant
    Filed: May 22, 2008
    Date of Patent: December 11, 2012
    Assignee: Sypris Electronics, LLC
    Inventors: Douglas Paul Robinson, Robert James McCanney, Michael Edward Krawczyk
  • Patent number: 8285984
    Abstract: A network extension device comprising a CPU, memory, protected I/O connectable to local controls and peripherals, external communications port, a trusted device connected to the CPU such that it can provide attestation of the network extension device's trusted operation to a connected known external network, and a protected interface connected to at least one network extension module that includes a local network communications port. Optionally, a traffic encryption module may be provided, and the trusted device's attestation may include a check of its operation. Also, a method comprising connecting the network extension device to an external network, performing an operating mode check, causing the network extension device to operate in a mode and perform a security check that correspond to the result, causing the trusted device to attest trusted operation to the external network and thereafter causing the CPU to function fully and permitting access to the external network.
    Type: Grant
    Filed: July 29, 2010
    Date of Patent: October 9, 2012
    Assignee: Sypris Electronics, LLC
    Inventors: Hal A. Aldridge, Keith R. Thal
  • Patent number: D645040
    Type: Grant
    Filed: October 5, 2010
    Date of Patent: September 13, 2011
    Assignee: Sypris Electronics, LLC
    Inventors: Timothy J. Morton, Rene E. Menard, III, Christopher A. Torres
  • Patent number: D645041
    Type: Grant
    Filed: October 5, 2010
    Date of Patent: September 13, 2011
    Assignee: Sypris Electronics, LLC
    Inventors: Timothy J. Morton, Rene E. Menard, III, Christopher A. Torres