Abstract: Embodiments of systems and methods disclosed herein include an embedded secret provisioning system that is based on a shared-derivative mechanism. Embodiments of this mechanism use a trusted third-party topology, but only a single instance of a public-private key exchange is required for initialization. Embodiments of the system and methods are secure and any of the derived secret keys are completely renewable in untrusted environments without any reliance on asymmetric cryptography. The derived secrets exhibit zero knowledge attributes and the associated zero knowledge proofs are open and available for review. Embodiments of systems and methods can be implemented in a wide range of previously-deployed devices as well as integrated into a variety of new designs using minimal roots-of-trust.

Abstract: Symmetric key identification systems and methods are disclosed herein. An example system includes a distributed device service that distributes, to devices, dynamic portions of the keyed hashing function, the devices embedding static portions of the keyed hashing function and are each configured to create a secret key from pairs of the static portions and the dynamic portions, the secret key used to generate encrypted session keys that are utilized to facilitate secure sessions and trusted relationships between one or more of the devices, the secret key unknown to a processor of the device to which it belongs.

Abstract: Authorization using symmetric key systems and methods are disclosed herein. An example method includes authenticating nodes by verifying symmetric keys that comprise a static portion and a dynamic portion of a keyed-hashing function having been cryptographically processed, each of the nodes having one of the symmetric keys, comparing the symmetric keys to values stored by a rubicon identity service, exchanging symmetric keys between the nodes when authenticated, pre-provisioning an authorization policy to the nodes, and authorizing a node of the nodes to perform an action defined within the authorization policy.

Abstract: Embodiments of systems and methods disclosed herein include an embedded secret provisioning system that is based on a shared-derivative mechanism. Embodiments of this mechanism use a trusted third-party topology, but only a single instance of a public-private key exchange is required for initialization. Embodiments of the system and methods are secure and any of the derived secret keys are completely renewable in untrusted environments without any reliance on asymmetric cryptography. The derived secrets exhibit zero knowledge attributes and the associated zero knowledge proofs are open and available for review. Embodiments of systems and methods can be implemented in a wide range of previously-deployed devices as well as integrated into a variety of new designs using minimal roots-of-trust.

Abstract: Systems and methods in which multiple key servers operate cooperatively to securely provide authorization codes to requesting devices. In one embodiment, a server cloud receives a device authorization code request and selects an “A server”. The “A server” requests authorization from one or more “B servers” and authorizes the “B servers” to respond. The “B servers” provide authorization to the “A server”, and may provide threshold key inputs to enable decryption of device authorization codes. The “A server” cannot provide the requested device authorization code without authorization from the “B server(s)”, and the “B server(s)” cannot provide the requested server authorization code and threshold inputs without a valid request from the “A server”. After the “A server” receives authorization from the “B server(s)”, it can provide the initially requested device authorization code to the requesting device.

Abstract: Embodiments as described herein provide systems and methods for sharing secrets between a device and another entity. The shared secret may be generated on the device as a derivative of a secret value contained on the device itself in a manner that will not expose the secret key on the device and may be sent to the entity. The shared secret may also be stored on the device such that it can be used in future secure operations on the device. In this manner, a device may be registered with an external service such that a variety of functionality may be securely accomplished, including, for example, the generation of authorization codes for the device by the external service based on the shared secret or the symmetric encryption of data between the external service and the device using the shared secret.

Abstract: Embodiments of systems and methods disclosed herein include a distributed device activation mechanism involving a group of external entities without using asymmetric cryptography. Systems and methods include techniques for deriving a device secret using a hardware secret and authenticated unique input data provided to the device by one or more external entities. A hardware hash function uses the hardware secret as a key and the authenticated unique input data as input data to output the derived device secret. The derived device secret is written to a security register of the device to enter a new security layer.

Abstract: Systems and methods in which multiple key servers operate cooperatively to securely provide authorization codes to requesting devices. In one embodiment, a server cloud receives a device authorization code request and selects an “A server”. The “A server” requests authorization from one or more “B servers” and authorizes the “B servers” to respond. The “B servers” provide authorization to the “A server”, and may provide threshold key inputs to enable decryption of device authorization codes. The “A server” cannot provide the requested device authorization code without authorization from the “B server(s)”, and the “B server(s)” cannot provide the requested server authorization code and threshold inputs without a valid request from the “A server”. After the “A server” receives authorization from the “B server(s)”, it can provide the initially requested device authorization code to the requesting device.