Patents by Inventor Ben Smeets

Ben Smeets has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10990428
    Abstract: A method of verifying the integrity of a virtual machine in a cloud computing deployment comprises: creating a virtual machine image derived from a trusted virtual machine, wherein the trusted virtual machine has a Keyless Signature Infrastructure signature stored in a signature store; and verifying that a computation resource can be trusted. If it is verified that a computation resource can be trusted, the method further comprises: submitting the virtual machine image to the trusted computation resource; checking a signature of the virtual machine image against the stored signature of the trusted virtual machine; launching the virtual machine image on the trusted computation resource, and creating a Keyless Signature Infrastructure signature of the virtual machine image; and storing the signature of the virtual machine image in a signature store.
    Type: Grant
    Filed: July 3, 2015
    Date of Patent: April 27, 2021
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Harri Hakala, Ari Pietikäinen, Ben Smeets
  • Patent number: 10615961
    Abstract: A method and encryption node (300) for providing encryption of a message m according to a selected encryption scheme. A noise computation engine (300a) in the encryption node (300) computes (3:1) a noise factor F as a function of a predefined integer parameter n of the selected encryption scheme and a random number r. When the message m is received (3:3) from a client (302) for encryption, an encryption engine (300b) in the encryption node (300), encrypts (3:4) the message m by computing a cipher text c as c = g^m · F mod n^2, where g is another predefined integer parameter of the selected encryption scheme. The cipher text c is then delivered (3:5) as an encryption of the message m, e.g. to the client (302) or to a cloud of processing resources (304).
    Type: Grant
    Filed: June 2, 2015
    Date of Patent: April 7, 2020
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Bernard (Ben) Smeets, Christine Jost, Alexander Maximov
  • Patent number: 10511440
    Abstract: A device provides a one-time proof of knowledge about a one-time signing key to a server without revealing the one-time signing key by computing a hash as a hash function from the one-time signing key, and transmitting, to the server, the computed hash, an identity associated with the electronic device and a hash path of the hash. The server receives the message from the device and checks whether the hash corresponds to a one-time signing key for a root hash included in a public certificate associated with the identity, checks whether an index corresponding to the hash path from the one-time signing key to the root hash corresponds to a correct time slot, and determines it to be proven that the device is in possession of the correct one-time signing key when the checks are fulfilled.
    Type: Grant
    Filed: January 18, 2016
    Date of Patent: December 17, 2019
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (publ)
    Inventors: Alexander Maximov, Martin Hell, Bernard Ben Smeets
  • Patent number: 10511441
    Abstract: A client provides a hash value that provides for a time-stamp for data upon verification, by deriving a one-time signing key, OTSK, of an OTSK hash chain by applying a time fraction hash tree splitting a time slot corresponding to an index into time fractions such that the time slot is divided into fractions according to the number of leaves of the time fraction hash tree, forming a signing request by applying the OTSK for the fraction for the data to calculate hash values, and transmitting the signing request comprising the hash values to a server of a signing authority. The server receives the signing request from the client, derives a time stamp for the data including a hash path of the time fraction hash tree as a sub-tree of hash tree of the OTSK, and transmits the time stamp for the data.
    Type: Grant
    Filed: January 18, 2016
    Date of Patent: December 17, 2019
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (publ)
    Inventors: Alexander Maximov, Bernard Ben Smeets
  • Patent number: 10447479
    Abstract: A hash value provides for a time-stamp for a piece of data upon verification. Providing the hash value includes deriving one-time signing keys of a signer's one-time signing key hash chain by a one-way function of a secret key of the signer and a function of an index of the one-time signing key, and providing the hash value for the piece of data by a hash function including the piece of data and the derived one-time signing key. An electronic device having a processor arranged to implement a functional module for deriving a one-time signing key and providing a hash value for a piece of data by a hash function including the piece of data and the derived one-time signing key is also disclosed. The functional module is arranged to perform the method. A computer program for implementing the method on the electronic device is also disclosed.
    Type: Grant
    Filed: January 8, 2016
    Date of Patent: October 15, 2019
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Alexander Maximov, Martin Hell, Bernard Ben Smeets
  • Patent number: 10389534
    Abstract: A server receives a client's signing request comprising a hash value of data, the hash value being formed using a time-forwarded one-time signing key that comprises a time-forwarded index. The server queues the signing request, pushes the hash value to a signature infrastructure entity at the time-forwarded time, and receives a time stamp in return. A client obtains a time stamp for each piece of a stream of pieces of data by collecting the pieces of data and deriving one-time signing keys of a one-time signing key hash chain, forming a stream of signing requests for the pieces of data by applying the one-time signing keys with time-forwarded indices for the respective piece of data to calculate hash values of the respective pieces of data, and transmitting the stream of signing requests comprising the hash values to a server for deriving time stamps for the pieces of data, respectively.
    Type: Grant
    Filed: January 18, 2016
    Date of Patent: August 20, 2019
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (publ)
    Inventors: Alexander Maximov, Bernard Ben Smeets
  • Publication number: 20180365045
    Abstract: A method of verifying the integrity of a virtual machine in a cloud computing deployment comprises: creating a virtual machine image derived from a trusted virtual machine, wherein the trusted virtual machine has a Keyless Signature Infrastructure signature stored in a signature store; and verifying that a computation resource can be trusted. If it is verified that a computation resource can be trusted, the method further comprises: submitting the virtual machine image to the trusted computation resource; checking a signature of the virtual machine image against the stored signature of the trusted virtual machine; launching the virtual machine image on the trusted computation resource, and creating a Keyless Signature Infrastructure signature of the virtual machine image; and storing the signature of the virtual machine image in a signature store.
    Type: Application
    Filed: July 3, 2015
    Publication date: December 20, 2018
    Applicant: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Harri HAKALA, Ari PIETIKÄINEN, Ben SMEETS
  • Publication number: 20180115412
    Abstract: A method and encryption node (300) for providing encryption of a message m according to a selected encryption scheme. A noise computation engine (300a) in the encryption node (300) computes (3:1) a noise factor F as a function of a predefined integer parameter n of the selected encryption scheme and a random number r. When the message m is received (3:3) from a client (302) for encryption, an encryption engine (300b) in the encryption node (300), encrypts (3:4) the message m by computing a cipher text c as c = g^m · F mod n^2, where g is another predefined integer parameter of the selected encryption scheme. The cipher text c is then delivered (3:5) as an encryption of the message m, e.g. to the client (302) or to a cloud of processing resources (304).
    Type: Application
    Filed: June 2, 2015
    Publication date: April 26, 2018
    Applicant: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Bernard (Ben) SMEETS, Christine JOST, Alexander MAXIMOV
  • Publication number: 20170187532
    Abstract: There is provided a method of an electronic device for providing a one-time proof of knowledge about a one-time signing key to a server without revealing the one-time signing key. The method comprises computing a hash as a hash function from the one-time signing key, and transmitting, to the server, the computed hash, an identity associated with the electronic device and a hash path of the hash. There is also provided a method of a server of a signing authority for issuing a time stamp signature.
    Type: Application
    Filed: January 18, 2016
    Publication date: June 29, 2017
    Inventors: Alexander MAXIMOV, Martin HELL, Bernard Ben SMEETS
  • Publication number: 20170104598
    Abstract: There is provided a method of a client for providing a hash value for a piece of data, where the hash value provides for a time-stamp for the piece of data upon verification. The method comprises collecting the piece of data and deriving a one-time signing key, OTSK, of an OTSK hash chain by applying a time fraction hash tree splitting a time slot corresponding to an index into time fractions such that the time slot is divided into fractions according to the number of leaves of the time fraction hash tree, forming a signing request for the piece of data by applying the OTSK for the fraction for the respective piece of data to calculate hash values of the piece of data, and transmitting the signing request comprising the hash values to a server for deriving a time stamp for the piece of data. There is also provided a method of a server of a signing authority for issuing a time stamp signature.
    Type: Application
    Filed: January 18, 2016
    Publication date: April 13, 2017
    Inventors: Alexander MAXIMOV, Bernard Ben SMEETS
  • Publication number: 20170093579
    Abstract: There is provided a method of providing a hash value for a piece of data, where the hash value provides for a time-stamp for the piece of data upon verification. The method comprises deriving one-time signing keys of a signer's one-time signing key hash chain by a one-way function of a secret key of the signer and a function of an index of the one-time signing key, and providing the hash value for the piece of data by a hash function including the piece of data and the derived one-time signing key. An electronic device comprising a processor arranged to implement a functional module for deriving a one-time signing key and providing a hash value for a piece of data by a hash function including the piece of data and the derived one-time signing key is also disclosed. The functional module is arranged to perform the method. A computer program for implementing the method on the electronic device is also disclosed.
    Type: Application
    Filed: January 8, 2016
    Publication date: March 30, 2017
    Applicant: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Alexander MAXIMOV, Martin HELL, Bernard Ben SMEETS
  • Publication number: 20170078101
    Abstract: There is provided a method of a server for deriving a time stamp for a piece of data. The method comprises receiving a signing request from a client comprising a hash value of the piece of data, wherein the hash value is formed using a time-forwarded one-time signing key, OTSK, wherein the time-forwarded OTSK comprises a time-forwarded index, queuing the signing request, pushing the hash value to a signature infrastructure entity at the time-forwarded time, and receiving a time stamp from the signature infrastructure entity. There is also provided a method of a client for signing a stream of pieces of data by obtaining a time stamp for each piece of data.
    Type: Application
    Filed: January 18, 2016
    Publication date: March 16, 2017
    Inventors: Alexander MAXIMOV, Bernard Ben SMEETS
  • Patent number: 9055427
    Abstract: A method of updating/recovering a configuration parameter of a mobile terminal having stored thereon a public key of a public-key cryptosystem and a current terminal identifier, the method comprising determining an updated configuration parameter by an update/recovery server in response to a received current terminal identifier from the mobile terminal; generating an update/recovery data package by a central signing server, the update/recovery data package including the current terminal identifier, the updated configuration parameter, and a digital signature based on a private key, where the digital signature is verifiable by said public key; storing the current terminal identifier and the updated configuration parameter by the central signing server; sending the update/recovery data package by the update/recovery server to the mobile terminal causing the mobile terminal to verify the received update/recovery data package and to store the updated configuration parameter of the verified update/recovery data p
    Type: Grant
    Filed: October 12, 2005
    Date of Patent: June 9, 2015
    Assignee: Telefonaktiebolaget L M Ericsson (Publ)
    Inventors: Christian Gehrmann, Ben Smeets
  • Patent number: 8880898
    Abstract: A method of maintaining a version counter indicative of a version of memory content stored in a processing device. The method comprises selectively operating the device in a first or second mode. Access to the first mode is limited to authorized users and controlled separately from access to the second mode. In the first mode at least an initial integrity protection value is generated for cryptographically protecting an initial counter value of said version counter during operation of the processing device in the second mode; wherein the initial counter value is selected from a sequence of counter values, and the initial integrity protection value is stored as a current integrity protection value in a storage medium. In the second mode, a current counter value is incremented to a subsequent counter value; wherein incrementing includes removing the current integrity protection value from said storage medium.
    Type: Grant
    Filed: April 18, 2007
    Date of Patent: November 4, 2014
    Assignee: Telefonaktiebolaget L M Ericsson (Publ)
    Inventor: Ben Smeets
  • Publication number: 20120131348
    Abstract: A method for obtaining a digital signature is disclosed. Upon receipt of a request for a digital signature within a customer computer, a Mobile electronic transaction proxy within the customer PC notifies a web browser of the request for the digital signature and assists in obtaining a digital signature on a data string included within the request. After the digital signature is obtained, the data string along with an appended digital signature is transmitted back to a requesting party.
    Type: Application
    Filed: February 1, 2012
    Publication date: May 24, 2012
    Inventors: Janez Skubic, Paul Dent, Ben Smeets, Stefan Andersson, Mikael Nilsson, Helena Lindskog
  • Publication number: 20080107269
    Abstract: A method of updating/recovering a configuration parameter of a mobile terminal having stored thereon a public key of a public-key cryptosystem and a current terminal identifier, the method comprising determining an updated configuration parameter by an update/recovery server in response to a received current terminal identifier from the mobile terminal; generating an update/recovery data package by a central signing server, the update/recovery data package including the current terminal identifier, the updated configuration parameter, and a digital signature based on a private key, where the digital signature is verifiable by said public key; storing the current terminal identifier and the updated configuration parameter by the central signing server; sending the update/recovery data package by the update/recovery server to the mobile terminal causing the mobile terminal to verify the received update/recovery data package and to store the updated configuration parameter of the verified update/recovery data pa
    Type: Application
    Filed: October 12, 2005
    Publication date: May 8, 2008
    Inventors: Christian Gehrmann, Ben Smeets
  • Publication number: 20060242216
    Abstract: An electrical device for generating a multi-rate pseudo random noise (PN) sequence. A sequence generator is adapted to output a plurality of sequence values based on a step control signal (St). A selection system is adapted to select one of a plurality of sequence values based on a select value (Mt). A step control is adapted to provide the step control signal (St). Also disclosed is a method of generating a multi-rate PN sequence.
    Type: Application
    Filed: June 14, 2006
    Publication date: October 26, 2006
    Inventor: Ben Smeets
  • Patent number: 7113593
    Abstract: A method and apparatus for performing cryptographic computations employing recursive algorithms to accelerate multiplication and squaring operations. Products and squares of long integer values are recursively reduced to a combination of products and squares of reduced-length integer values in a host processor. The reduced-length integer values are passed to a co-processor. The values may be randomly ordered to prevent disclosure of secret data.
    Type: Grant
    Filed: March 6, 2001
    Date of Patent: September 26, 2006
    Assignee: Ericsson Inc.
    Inventors: Paul W. Dent, Ben Smeets, William J. Croughwell, III
  • Patent number: 7089274
    Abstract: An electrical device for generating a multi-rate pseudo random noise (PN) sequence. A sequence generator is adapted to output a plurality of sequence values based on a step control signal (St). A selection system is adapted to select one of a plurality of sequence values based on a select value (Mt). A step control is adapted to provide the step control signal (St). Also disclosed is a method of generating a multi-rate PN sequence.
    Type: Grant
    Filed: December 20, 2000
    Date of Patent: August 8, 2006
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventor: Ben Smeets
  • Patent number: 7043636
    Abstract: The integrity of a dynamic data object that comprises one or more dynamic data items is ensured by storing the dynamic data object and dynamic authorization data in a memory. The dynamic authorization data may, for example, be a count of how many failed attempts to gain authorization have previously been made, and this is modified at least whenever another failed attempt is made. Whenever the dynamic data object or the dynamic authorization data is changed, its corresponding hash value is recomputed and stored into the memory. The dynamic data object is considered authentic only if newly-generated values of the two hash signatures match those that were previously stored into the memory. Changes to the dynamic data object are permitted only after the user has passed an authorization procedure.
    Type: Grant
    Filed: September 14, 2001
    Date of Patent: May 9, 2006
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventor: Ben Smeets