Patents by Inventor Brian W. Pruss

Brian W. Pruss has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11652625
    Abstract: A system and process for performing a touchless key provisioning operation for a communication device. In operation, a key management facility (KMF) imports a public key and a public key identifier uniquely identifying the public key of the communication device. The public key is associated with an asymmetric key pair generated at the communication device during its factory provisioning and configuration. The KMF registers the communication device and assigns a key encryption key (KEK) for the communication device. The KMF then provisions the communication device by deriving a symmetric touchless key provisioning (TKP) key based at least in part on the public key of the communication device, encrypting the KEK with the symmetric TKP key to generate a key wrapped KEK, and transmitting the key wrapped KEK to the communication device for decryption by the communication device.
    Type: Grant
    Filed: June 11, 2021
    Date of Patent: May 16, 2023
    Assignee: MOTOROLA SOLUTIONS, INC.
    Inventors: Gary P Hunsberger, Chris A Kruegel, Kenneth C Fuchs, Pawel Fafara, Brian W Pruss, Jakub Trojanek
  • Publication number: 20220400006
    Abstract: A system and process for performing a touchless key provisioning operation for a communication device. In operation, a key management facility (KMF) imports a public key and a public key identifier uniquely identifying the public key of the communication device. The public key is associated with an asymmetric key pair generated at the communication device during its factory provisioning and configuration. The KMF registers the communication device and assigns a key encryption key (KEK) for the communication device. The KMF then provisions the communication device by deriving a symmetric touchless key provisioning (TKP) key based at least in part on the public key of the communication device, encrypting the KEK with the symmetric TKP key to generate a key wrapped KEK, and transmitting the key wrapped KEK to the communication device for decryption by the communication device.
    Type: Application
    Filed: June 11, 2021
    Publication date: December 15, 2022
    Inventors: Gary P. HUNSBERGER, Chris A. KRUEGEL, Kenneth C. FUCHS, Pawel FAFARA, Brian W. PRUSS, Jakub TROJANEK
  • Patent number: 11113424
    Abstract: A device, system and method for installing encrypted data are provided. A device includes a processor comprising: immutable memory storing preconfigured trust anchor data; and a module storing preconfigured non-exportable data.
    Type: Grant
    Filed: May 7, 2019
    Date of Patent: September 7, 2021
    Assignee: MOTOROLA SOLUTIONS, INC.
    Inventors: Brian W. Pruss, Ellis A. Pinder, Thomas S. Messerges
  • Patent number: 10979232
    Abstract: Provisioning device certificates for electronic processors. One example method includes receiving a flashloader at the electronic processor. The method also includes validating the flashloader with the electronic processor. After validating the flashloader, the method includes receiving an encrypted provisioned key bundle at the electronic processor. The method also includes decrypting the encrypted provisioned key bundle with the electronic processor using a provisioning key to create a decrypted provisioned key bundle. The method further includes executing a provisioning process on the electronic processor using the decrypted provisioned key bundle.
    Type: Grant
    Filed: May 31, 2018
    Date of Patent: April 13, 2021
    Assignee: MOTOROLA SOLUTIONS, INC.
    Inventors: Thomas S. Messerges, Brian W. Pruss, Kenneth C. Fuchs, Adam C. Lewis
  • Publication number: 20200356701
    Abstract: A device, system and method for installing encrypted data are provided. A device includes a processor comprising: immutable memory storing preconfigured trust anchor data; and a module storing preconfigured non-exportable data.
    Type: Application
    Filed: May 7, 2019
    Publication date: November 12, 2020
    Inventors: Brian W. PRUSS, Ellis A. PINDER, Thomas S. MESSERGES
  • Publication number: 20200196177
    Abstract: A method and apparatus for selective frequency signal metric collection via location is provided. A radio frequency (RF) analysis system may periodically send to a mobile device an indication of at least one geographic area of interest, the at least one geographic area of interest is based on an RF coverage heatmap. RF signal measurement may be received from the mobile device, wherein the mobile device takes RF signal measurements at a first rate when outside the at least one geographic area of interest and at a second rate when within the at least one geographic area of interest. The RF coverage heatmap may be updated based on the received RF signal measurements. The at least one geographic area of interest may be updated based on the updated RF coverage heatmap.
    Type: Application
    Filed: December 18, 2018
    Publication date: June 18, 2020
    Inventors: BRIAN W. PRUSS, ERIC P. GREBNER, FELIX H GARRIDO
  • Publication number: 20190372780
    Abstract: Provisioning device certificates for electronic processors. One example method includes receiving a flashloader at the electronic processor. The method also includes validating the flashloader with the electronic processor. After validating the flashloader, the method includes receiving an encrypted provisioned key bundle at the electronic processor. The method also includes decrypting the encrypted provisioned key bundle with the electronic processor using a provisioning key to create a decrypted provisioned key bundle. The method further includes executing a provisioning process on the electronic processor using the decrypted provisioned key bundle.
    Type: Application
    Filed: May 31, 2018
    Publication date: December 5, 2019
    Inventors: Thomas S. Messerges, Brian W. Pruss, Kenneth C. Fuchs, Adam C. Lewis
  • Publication number: 20160191478
    Abstract: A method and computing device for integrating a key management system with a Pre-Shared Key (PSK)-authenticated Internet Key Exchange (IKE). The method comprises the following: An IKE Identification Payload including an Identification Data field is generated via a first computing device. The Identification Data field comprises: a user identifier (ID) field uniquely identifying one or more of a user of the first computing device and the first computing device; a key ID field uniquely identifying a PSK; and a separator between the user ID field and the key ID field. The IKE Identification Payload is transmitted from the first computing device to a second computing device as part of the IKE.
    Type: Application
    Filed: December 31, 2014
    Publication date: June 30, 2016
    Inventors: BRIAN W. PRUSS, MARK A. BOERGER, ROBERT HORVATH, ADDAM L. KRUCEK
  • Patent number: 8498410
    Abstract: A key variable loader receives a set of Rijndael parameters that were verified using a simulation computer, wherein the set of Rijndael parameters provide an input for implementing at least one step of the Rijndael block cipher and when used with a secret key allow a conversion between plain text and cipher text using the Rijndael block cipher. The key variable loader further stores the set of Rijndael parameters and subsequently provides the set of Rijndael parameters to a device having a customizable Rijndael block cipher, like a subscriber unit or a key management facility.
    Type: Grant
    Filed: March 14, 2011
    Date of Patent: July 30, 2013
    Assignee: Motorola Solutions, Inc.
    Inventors: Brian W. Pruss, Gary W. Schluckbier
  • Patent number: 8424100
    Abstract: Systems and methods for vetting data include receiving a notification at a second processor that a first processor has written first output data to an output data buffer in an output device. A hardware-implemented buffer access flag controls a permission for the first processor to write data to the output data buffer. The second processor sets the hardware-implemented buffer access flag to a first setting that prevents the first processor from writing additional output data to the output data buffer while the first output data in the output data buffer is being inspected. The second processor has a read-write permission to the hardware-implemented buffer access flag. The first processor has a read-only permission to the hardware-implemented buffer access flag.
    Type: Grant
    Filed: March 29, 2010
    Date of Patent: April 16, 2013
    Assignee: Motorola Solutions, Inc.
    Inventors: Kenneth C. Fuchs, Brian W. Pruss, Gary W. Schluckbier
  • Publication number: 20120237020
    Abstract: A key variable loader receives a set of Rijndael parameters that were verified using a simulation computer, wherein the set of Rijndael parameters provide an input for implementing at least one step of the Rijndael block cipher and when used with a secret key allow a conversion between plain text and cipher text using the Rijndael block cipher. The key variable loader further stores the set of Rijndael parameters and subsequently provides the set of Rijndael parameters to a device having a customizable Rijndael block cipher, like a subscriber unit or a key management facility.
    Type: Application
    Filed: March 14, 2011
    Publication date: September 20, 2012
    Applicant: MOTOROLA SOLUTIONS, INC.
    Inventors: BRIAN W. PRUSS, GARY W. SCHLUCKBIER
  • Patent number: 8250356
    Abstract: A system and method of providing secure communications is provided. Messages are encrypted or decrypted in protected memory of a processor. Outbound messages from a secure network are prepared for encryption by adding a header outside of the protected memory and then encrypted in the protected memory. The encryption is performed by retrieving a key from a key cache as designated by rules in the header. The encrypted message is sent to the unsecure network. An inbound message from an unsecure network that is received in unprotected memory is sent to a decryption module in protected memory. The inbound message is decrypted using a key designated in its header and retrieved from the key cache. The decrypted message is returned to the unprotected memory, where it is stripped of the encryption header and then sent to its destination within the secure network.
    Type: Grant
    Filed: November 21, 2008
    Date of Patent: August 21, 2012
    Assignee: Motorola Solutions, Inc.
    Inventors: Brian W. Pruss, Kenneth C. Fuchs, Timothy M. Langham
  • Publication number: 20110239308
    Abstract: Systems and methods for vetting data include receiving a notification at a second processor that a first processor has written first output data to an output data buffer in an output device. A hardware-implemented buffer access flag controls a permission for the first processor to write data to the output data buffer. The second processor sets the hardware-implemented buffer access flag to a first setting that prevents the first processor from writing additional output data to the output data buffer while the first output data in the output data buffer is being inspected. The second processor has a read-write permission to the hardware-implemented buffer access flag. The first processor has a read-only permission to the hardware-implemented buffer access flag.
    Type: Application
    Filed: March 29, 2010
    Publication date: September 29, 2011
    Applicant: MOTOROLA, INC.
    Inventors: Kenneth C. Fuchs, Brian W. Pruss, Gary W. Schluckbier
  • Publication number: 20100131750
    Abstract: A system and method of providing secure communications is provided. Messages are encrypted or decrypted in protected memory of a processor. Outbound messages from a secure network are prepared for encryption by adding a header outside of the protected memory and then encrypted in the protected memory. The encryption is performed by retrieving a key from a key cache as designated by rules in the header. The encrypted message is sent to the unsecure network. An inbound message from an unsecure network that is received in unprotected memory is sent to a decryption module in protected memory. The inbound message is decrypted using a key designated in its header and retrieved from the key cache. The decrypted message is returned to the unprotected memory, where it is stripped of the encryption header and then sent to its destination within the secure network.
    Type: Application
    Filed: November 21, 2008
    Publication date: May 27, 2010
    Applicant: MOTOROLA, INC.
    Inventors: BRIAN W. PRUSS, KENNETH C. FUCHS, TIMOTHY M. LANGHAM
  • Patent number: 7406711
    Abstract: A single-chip integrated circuit comprising a first processor for executing a plurality of applications, a second processor for executing a plurality of applications, at least one of a) at least one embedded peripheral and b) at least one memory, and a bus monitor for allowing access to the at least one of a) the at least one embedded peripheral and b) the at least one memory, if the access is allowed, wherein the bus monitor comprises a mapping of access rights to the at least one of a) the at least one embedded peripheral and b) the at least one memory for the first processor and the second processor is disclosed.
    Type: Grant
    Filed: September 2, 2005
    Date of Patent: July 29, 2008
    Assignee: Motorola, Inc.
    Inventors: Kenneth C. Fuchs, Brian W. Pruss, Timothy M. Langham