Patents by Inventor Hakan Englund

Hakan Englund has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240333535
    Abstract: Systems and methods are disclosed herein for implementing a secure hardware component by dividing a single Physically Unclonable Function (PUF) into several PUF challenge space subsets and mapping each subset to each requesting entity. In one example of the secure hardware component, the controller divides a challenge space of the PUF into multiple challenge space subsets and performs a mapping of allowed requesting entities to the plurality of challenge space subsets, respectively. The secure hardware component receives a request for an output from the requesting entity, which comprises a set of parameters. The controller determines whether the request is a valid request based on the set of parameters and forwards the challenge to the response generation subsystem. The response generation subsystem generates the output based on the challenge and forwards it to the requesting entity.
    Type: Application
    Filed: April 23, 2021
    Publication date: October 3, 2024
    Inventors: Niklas Lindskog, Håkan Englund
  • Publication number: 20240275617
    Abstract: Systems and methods are disclosed herein for protecting data in a storage device by encrypting or decrypting the data with a Data Encryption Key (DEK). The storage device is communicatively coupled to a host. In one example, the storage device receives a credential from the host and authenticates the credential with a transformed credential. A Physically Unclonable Function (PUF) generates a PUF response based on a challenge, responsive to successful authentication of the credential from the host. Based on the PUF response, a DEK generation module in the storage device generates a DEK. A crypto module in the storage device uses the DEK and performs encryption of data to be stored in the storage device and/or decryption of data being accessed by the host.
    Type: Application
    Filed: June 7, 2021
    Publication date: August 15, 2024
    Inventors: Niklas Lindskog, Håkan Englund
  • Publication number: 20240273243
    Abstract: Systems and methods are disclosed herein for protecting data in a storage device by encrypting or decrypting the data with a Data Encryption Key (DEK). The storage device is communicatively coupled to a host. In one example, the storage device comprises at least one Physically Unclonable Function (PUF) configured to generate PUF responses based on challenges and an authentication output generation module configured to obtain a nonce from the host, obtain an input related to a first PUF response, generate an authentication output based on the input and the nonce using a One-Way Function (OWF), and provide the authentication output to the host. The storage device further comprises a DEK generation module configured to generate a DEK based on a second PUF response and a crypto module to perform encryption or decryption of data using the DEK.
    Type: Application
    Filed: June 7, 2021
    Publication date: August 15, 2024
    Inventors: Niklas Lindskog, Håkan Englund
  • Publication number: 20240214225
    Abstract: Systems and methods are disclosed herein for protecting data in a storage device by encrypting or decrypting the data with a Data Encryption Key (DEK). The storage device is communicatively coupled to a host and is locked with the host by secret sharing. In one example, the storage device comprises a Physically Unclonable Function (PUF) configured to, during a key generation phase of operation, generate a set of DEK responses based on a set of DEK challenges (chalDEK) and an assembler configured to obtain a set of SED DEK secret shares (SSSED) based on the first set of DEK responses, receive additional data, and assemble at least the set of SED DEK secret shares (SSSED) and the additional data to create a DEK master secret. The storage device also comprises a crypto module configured to receive a DEK based on the master secret and perform encryption and/or decryption of data using the DEK.
    Type: Application
    Filed: June 7, 2021
    Publication date: June 27, 2024
    Inventors: Niklas Lindskog, Håkan Englund
  • Publication number: 20240195640
    Abstract: Solutions and methods are disclosed herein for generating a key from outputs of a Physically Unclonable Function (PUF) and using the key for a cryptographic algorithm. In one embodiment, a device generates the key, which comprises (i) receiving a request to generate a key comprising a defined number of bits for a particular cryptography algorithm and (ii) responsive to receiving the request, generating a valid key for the particular cryptography algorithm. The step of generating the valid key further comprises (a) generating one or more first challenges for a PUF, which is one or more of a plurality of challenges in a challenge space of the PUF, (b) generating a first potential key based on one or more first responses by the PUF responsive to the one or more first challenges, and (c) determining whether the first potential key satisfies one or more predefined criteria for the particular cryptography algorithm.
    Type: Application
    Filed: April 23, 2021
    Publication date: June 13, 2024
    Inventors: Niklas Lindskog, Håkan Englund
  • Publication number: 20240187222
    Abstract: Systems and methods are disclosed herein for providing a secure hardware component for protecting cryptographic keys used in relation to a client device by using a Physically Unclonable Function (PUF) and, in some embodiments, client device authorization. In one embodiment, the secure hardware component comprises an Input/Output (I/O) port, a key generation subsystem, and a cryptographic module. The key generation subsystem comprises the PUF and receives first data related to at least one cryptographic algorithm from the client device, via the I/O port, and generates a key for the at least one cryptographic algorithm in accordance with the first data using the PUF. The cryptographic module receives second data from the client device and generates third data based on the second data and the key, and provides the third data to the client device. Accordingly, the client device is better protected from external attacks.
    Type: Application
    Filed: April 23, 2021
    Publication date: June 6, 2024
    Inventors: Niklas Lindskog, Håkan Englund
  • Patent number: 11972032
    Abstract: There is provided mechanisms for authenticating an OEM entity as manufacturer of a communication device comprising an identification module. A method is performed by a network entity. The method comprises providing, towards the identification module, a challenge of a challenge-response authentication procedure. The method comprises obtaining, from the identification module, a first response of the challenge-response authentication procedure. The method comprises providing, towards the OEM entity and upon having obtained the response, the challenge. The method comprises obtaining, from the OEM entity, a second response of the challenge-response authentication procedure. The method comprises authenticating the OEM entity as the manufacturer of the communication device only when the second response matches the first response.
    Type: Grant
    Filed: November 2, 2018
    Date of Patent: April 30, 2024
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Håkan Englund, Bernard Smeets
  • Publication number: 20230351057
    Abstract: A security component (102, 202) for a device (200) is disclosed. The security component (102) comprises a Physically Unclonable Function (PUF) (150) having a plurality of sub functions (152), and a management module (110) that is configured to manage the PUF (150) in accordance with a policy. The management module (110) comprises a measurement module (112) configured to receive, from a device boot process, at least one of a measurement of a component on the device or a measurement of a hardware state of the device, and a rule module (114) configured to compare the received measurement to at least one rule that implements the policy, and to enter a policy state on the basis of the comparison. The management module further comprises a control module (116) configured to configure the PUF (150) in accordance with a policy state entered by the rule module. Also disclosed is a method (300) for operating a security component.
    Type: Application
    Filed: June 26, 2020
    Publication date: November 2, 2023
    Inventors: Niklas Lindskog, Håkan Englund
  • Publication number: 20230317187
    Abstract: There is provided a verifiable OTP memory device, the memory device including an MTP memory block and an OTP memory block for storing data, and a memory controller. The memory controller is configured to handle write requests and read requests. Each write request and read request pertains to writing data to, and reading data from, respectively, a requested position in either the MTP memory block or the OTP memory block. The memory controller is configured to, in response to the write requests, write the data to the requested position in either the MTP memory block or the OTP memory block. The memory controller is configured to, in response to the read requests, output data as combined from the requested position in the MTP memory block and the requested position in the OTP memory block, regardless if the read requests are for the MTP memory block or the OTP memory block.
    Type: Application
    Filed: August 26, 2020
    Publication date: October 5, 2023
    Inventors: Niklas LINDSKOG, Håkan ENGLUND
  • Publication number: 20230281286
    Abstract: There is provided mechanisms for generating a cryptographic key for a user. The method is performed by a cryptographic key generator device. The method comprises authenticating the user using biometrics data read from the user using a biometrics reader. The method comprises obtaining, only when having authenticated the user, a PUF response from a PUF entity by providing a challenge based on biometrics response data to the PUF entity. The biometrics response data is a function of the biometrics data. The method comprises generating the cryptographic key using a cryptographic function and by seeding the cryptographic function with the PUF response.
    Type: Application
    Filed: August 26, 2020
    Publication date: September 7, 2023
    Inventors: Niklas Lindskog, Håkan Englund
  • Publication number: 20230261884
    Abstract: A security component (102, 202) for a device (200) is disclosed. The security component comprises a Physically Unclonable Function (PUF) (150) that is operable to accept a plurality of challenges and to generate a corresponding plurality of responses. The security component further comprises control logic (110) configured to generate a challenge for submission to the PUF on the basis of at least one of measurements of components booted on the device or a measurement of a hardware state of the device. The PUF comprises a plurality of sub functions (152), and the challenge determines how the sub functions are used by the PUF to generate a PUF response. Also disclosed is a method (300) for operating a security component.
    Type: Application
    Filed: June 26, 2020
    Publication date: August 17, 2023
    Inventors: Niklas Lindskog, Håkan Englund
  • Patent number: 11687673
    Abstract: A method and a corresponding runtime environment for migrating an instance of an actor of an application are provided. An initiating runtime environment performs a method comprising selecting, based on obtained security attributes for a set of target runtime environments, a target runtime environment from the set of target runtime environments for migration of the instance of the actor. The method comprises migrating the instance of the actor to the selected target runtime environment once the target runtime environment has been selected.
    Type: Grant
    Filed: July 28, 2020
    Date of Patent: June 27, 2023
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (publ)
    Inventors: Harald Gustafsson, Hakan Englund, Christoffer Jerkeby, Bernard Smeets
  • Publication number: 20230058053
    Abstract: A method (100) for performing an authentication procedure between a verifying device and a responding device is disclosed, the verifying and responding devices being provisioned with security credentials. The method, performed by the verifying device, comprises generating an authentication challenge (110), delivering the authentication challenge to the responding device (120), receiving an authentication response from the responding device (130), and verifying the authentication response (140). According to the method, at least one of the authentication challenge or authentication response is encoded as a sequence of qubits and delivered over a quantum communication channel between the verifying device and the responding device (120A, 120B, 130A, 130B). Also disclosed are methods for delivering and receiving a message over a quantum communication channel, and devices for performing authentication and message exchange methods.
    Type: Application
    Filed: February 3, 2020
    Publication date: February 23, 2023
    Inventors: Alexander Hunt, Håkan Englund, Per Ståhl, Andreas Kristensson
  • Publication number: 20230025271
    Abstract: A method in a communication device, and a communication device, for executing a software updating process at the communication device is suggested, where the method is executed by acquiring data captured by at least one sensor which is accessible to the communication device, by comparing the acquired data to predefined conditions for initiating a software updating process, and by initiating the software updating process at the communication device in response to determining that the acquired data meet with predefined conditions for updating software at the communication device.
    Type: Application
    Filed: December 19, 2019
    Publication date: January 26, 2023
    Inventors: Tommy Arngren, Håkan Englund, Daniel Bergström
  • Publication number: 20210374287
    Abstract: There is provided mechanisms for authenticating an OEM entity as manufacturer of a communication device comprising an identification module. A method is performed by a network entity. The method comprises providing, towards the identification module, a challenge of a challenge-response authentication procedure. The method comprises obtaining, from the identification module, a first response of the challenge-response authentication procedure. The method comprises providing, towards the OEM entity and upon having obtained the response, the challenge. The method comprises obtaining, from the OEM entity, a second response of the challenge-response authentication procedure. The method comprises authenticating the OEM entity as the manufacturer of the communication device only when the second response matches the first response.
    Type: Application
    Filed: November 2, 2018
    Publication date: December 2, 2021
    Inventors: Håkan Englund, Bernard Smeets
  • Patent number: 11132439
    Abstract: A method (10) performed in an initiating runtime (2a) is disclosed for migrating an actor instance (5a1) of an actor (4a) to a target runtime (2b). The method (10) comprises obtaining (11), from a blockchain entity (3), an ownership token associated with the actor instance (5a1) of the actor (4a), the ownership token being verifiable by a blockchain (7) of the blockchain entity (3), and using (12) the ownership token for migrating the actor instance (5a1). A method in a blockchain entity (3), a method in a target runtime (2b), entities, computer programs and computer program products are also disclosed.
    Type: Grant
    Filed: November 30, 2016
    Date of Patent: September 28, 2021
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Håkan Englund, Christoffer Jerkeby, Bernard Smeets
  • Patent number: 11080428
    Abstract: A method and a corresponding runtime environment for migrating an instance of an actor of an application are provided. An initiating runtime environment performs a method comprising selecting, based on obtained security attributes for a set of target runtime environments, a target runtime environment from the set of target runtime environments for migration of the instance of the actor. The method comprises migrating the instance of the actor to the selected target runtime environment once the target runtime environment has been selected.
    Type: Grant
    Filed: February 4, 2016
    Date of Patent: August 3, 2021
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (publ)
    Inventors: Harald Gustafsson, Hakan Englund, Christoffer Jerkeby, Bernard Smeets
  • Publication number: 20200389788
    Abstract: A method of establishing a session key at a communication device is disclosed, wherein the session key is to be shared between the communication device and a network application function (NAF) and wherein a service bootstrap key and an associated transaction identifier, previously derived by application of a general bootstrapping architecture (GBA) procedure, are shared between the communication device and a bootstrapping server function (BSF). The method comprises acquiring a NAF identifier associated with the NAF, deriving a NAF specific key based on the NAF identifier and the service bootstrap key, deriving the session key based on the NAF specific key and one or more key defining parameters, wherein the key defining parameters are accessible by the communication device and by the NAF and are non-accessible by the BSF, and transmitting an attach request message and the transaction identifier towards the NAF for establishment of the session key at the NAF.
    Type: Application
    Filed: November 29, 2017
    Publication date: December 10, 2020
    Inventors: Bernard Smeets, Håkan Englund, Per Ståhl
  • Publication number: 20200356698
    Abstract: A method and a corresponding runtime environment for migrating an instance of an actor of an application are provided. An initiating runtime environment performs a method comprising selecting, based on obtained security attributes for a set of target runtime environments, a target runtime environment from the set of target runtime environments for migration of the instance of the actor. The method comprises migrating the instance of the actor to the selected target runtime environment once the target runtime environment has been selected.
    Type: Application
    Filed: July 28, 2020
    Publication date: November 12, 2020
    Inventors: Harald GUSTAFSSON, Hakan ENGLUND, Christoffer JERKEBY, Bernard SMEETS
  • Publication number: 20200125720
    Abstract: A method (10) performed in an initiating runtime (2a) is disclosed for migrating an actor instance (5a1) of an actor (4a) to a target runtime (2b). The method (10) comprises obtaining (11), from a blockchain entity (3), an ownership token associated with the actor instance (5a1) of the actor (4a), the ownership token being verifiable by a blockchain (7) of the blockchain entity (3), and using (12) the ownership token for migrating the actor instance (5a1). A method in a blockchain entity (3), a method in a target runtime (2b), entities, computer programs and computer program products are also disclosed.
    Type: Application
    Filed: November 11, 2016
    Publication date: April 23, 2020
    Inventors: Håkan Englund, Christoffer Jerkeby, Bernard Smeets