Patents by Inventor Hakan Englund

Hakan Englund has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11972032
    Abstract: There is provided mechanisms for authenticating an OEM entity as manufacturer of a communication device comprising an identification module. A method is performed by a network entity. The method comprises providing, towards the identification module, a challenge of a challenge-response authentication procedure. The method comprises obtaining, from the identification module, a first response of the challenge-response authentication procedure. The method comprises providing, towards the OEM entity and upon having obtained the response, the challenge. The method comprises obtaining, from the OEM entity, a second response of the challenge-response authentication procedure. The method comprises authenticating the OEM entity as the manufacturer of the communication device only when the second response matches the first response.
    Type: Grant
    Filed: November 2, 2018
    Date of Patent: April 30, 2024
    Assignee: Telefonaktiebolaget LM Ericsson (Publ)
    Inventors: Håkan Englund, Bernard Smeets
  • Publication number: 20230351057
    Abstract: A security component (102, 202) for a device (200) is disclosed. The security component (102) comprises a Physically Unclonable Function (PUF) (150) having a plurality of sub functions (152), and a management module (110) that is configured to manage the PUF (150) in accordance with a policy. The management module (110) comprises a measurement module (112) configured to receive, from a device boot process, at least one of a measurement of a component on the device or a measurement of a hardware state of the device, and a rule module (114) configured to compare the received measurement to at least one rule that implements the policy, and to enter a policy state on the basis of the comparison. The management module further comprises a control module (116) configured to configure the PUF (150) in accordance with a policy state entered by the rule module. Also disclosed is a method (300) for operating a security component.
    Type: Application
    Filed: June 26, 2020
    Publication date: November 2, 2023
    Inventors: Niklas Lindskog, Håkan Englund
  • Publication number: 20230317187
    Abstract: There is provided a verifiable OTP memory device, the memory device including an MTP memory block and an OTP memory block for storing data, and a memory controller. The memory controller is configured to handle write requests and read requests. Each write request and read request pertains to writing data to, and reading data from, respectively, a requested position in either the MTP memory block or the OTP memory block. The memory controller is configured to, in response to the write requests, write the data to the requested position in either the MTP memory block or the OTP memory block. The memory controller is configured to, in response to the read requests, output data as combined from the requested position in the MTP memory block and the requested position in the OTP memory block, regardless if the read requests are for the MTP memory block or the OTP memory block.
    Type: Application
    Filed: August 26, 2020
    Publication date: October 5, 2023
    Inventors: Niklas LINDSKOG, Håkan ENGLUND
  • Publication number: 20230281286
    Abstract: There is provided mechanisms for generating a cryptographic key for a user. The method is performed by a cryptographic key generator device. The method comprises authenticating the user using biometrics data read from the user using a biometrics reader. The method comprises obtaining, only when having authenticated the user, a PUF response from a PUF entity by providing a challenge based on biometrics response data to the PUF entity. The biometrics response data is a function of the biometrics data. The method comprises generating the cryptographic key using a cryptographic function and by seeding the cryptographic function with the PUF response.
    Type: Application
    Filed: August 26, 2020
    Publication date: September 7, 2023
    Inventors: Niklas Lindskog, Håkan Englund
  • Publication number: 20230261884
    Abstract: A security component (102, 202) for a device (200) is disclosed. The security component comprises a Physically Unclonable Function (PUF) (150) that is operable to accept a plurality of challenges and to generate a corresponding plurality of responses. The security component further comprises control logic (110) configured to generate a challenge for submission to the PUF on the basis of at least one of measurements of components booted on the device or a measurement of a hardware state of the device. The PUF comprises a plurality of sub functions (152), and the challenge determines how the sub functions are used by the PUF to generate a PUF response. Also disclosed is a method (300) for operating a security component.
    Type: Application
    Filed: June 26, 2020
    Publication date: August 17, 2023
    Inventors: Niklas Lindskog, Håkan Englund
  • Patent number: 11687673
    Abstract: A method and a corresponding runtime environment for migrating an instance of an actor of an application are provided. An initiating runtime environment performs a method comprising selecting, based on obtained security attributes for a set of target runtime environments, a target runtime environment from the set of target runtime environments for migration of the instance of the actor. The method comprises migrating the instance of the actor to the selected target runtime environment once the target runtime environment has been selected.
    Type: Grant
    Filed: July 28, 2020
    Date of Patent: June 27, 2023
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (publ)
    Inventors: Harald Gustafsson, Hakan Englund, Christoffer Jerkeby, Bernard Smeets
  • Publication number: 20230058053
    Abstract: A method (100) for performing an authentication procedure between a verifying device and a responding device is disclosed, the verifying and responding devices being provisioned with security credentials. The method, performed by the verifying device, comprises generating an authentication challenge (110), delivering the authentication challenge to the responding device (120), receiving an authentication response from the responding device (130), and verifying the authentication response (140). According to the method, at least one of the authentication challenge or authentication response is encoded as a sequence of qubits and delivered over a quantum communication channel between the verifying device and the responding device (120A, 120B, 130A, 130B). Also disclosed are methods for delivering and receiving a message over a quantum communication channel, and devices for performing authentication and message exchange methods.
    Type: Application
    Filed: February 3, 2020
    Publication date: February 23, 2023
    Inventors: Alexander Hunt, Håkan Englund, Per Ståhl, Andreas Kristensson
  • Publication number: 20230025271
    Abstract: A method in a communication device, and a communication device, for executing a software updating process at the communication device is suggested, where the method is executed by acquiring data captured by at least one sensor which is accessible to the communication device, by comparing the acquired data to predefined conditions for initiating a software updating process, and by initiating the software updating process at the communication device in response to determining that the acquired data meet with predefined conditions for updating software at the communication device.
    Type: Application
    Filed: December 19, 2019
    Publication date: January 26, 2023
    Inventors: Tommy Arngren, Håkan Englund, Daniel Bergström
  • Publication number: 20210374287
    Abstract: There is provided mechanisms for authenticating an OEM entity as manufacturer of a communication device comprising an identification module. A method is performed by a network entity. The method comprises providing, towards the identification module, a challenge of a challenge-response authentication procedure. The method comprises obtaining, from the identification module, a first response of the challenge-response authentication procedure. The method comprises providing, towards the OEM entity and upon having obtained the response, the challenge. The method comprises obtaining, from the OEM entity, a second response of the challenge-response authentication procedure. The method comprises authenticating the OEM entity as the manufacturer of the communication device only when the second response matches the first response.
    Type: Application
    Filed: November 2, 2018
    Publication date: December 2, 2021
    Inventors: Håkan Englund, Bernard Smeets
  • Patent number: 11132439
    Abstract: A method (10) performed in an initiating runtime (2a) is disclosed for migrating an actor instance (5a1) of an actor (4a) to a target runtime (2b). The method (10) comprises obtaining (11), from a blockchain entity (3), an ownership token associated with the actor instance (5a1) of the actor (4a), the ownership token being verifiable by a blockchain (7) of the blockchain entity (3), and using (12) the ownership token for migrating the actor instance (5a1). A method in a blockchain entity (3), a method in a target runtime (2b), entities, computer programs and computer program products are also disclosed.
    Type: Grant
    Filed: November 30, 2016
    Date of Patent: September 28, 2021
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Håkan Englund, Christoffer Jerkeby, Bernard Smeets
  • Patent number: 11080428
    Abstract: A method and a corresponding runtime environment for migrating an instance of an actor of an application are provided. An initiating runtime environment performs a method comprising selecting, based on obtained security attributes for a set of target runtime environments, a target runtime environment from the set of target runtime environments for migration of the instance of the actor. The method comprises migrating the instance of the actor to the selected target runtime environment once the target runtime environment has been selected.
    Type: Grant
    Filed: February 4, 2016
    Date of Patent: August 3, 2021
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (publ)
    Inventors: Harald Gustafsson, Hakan Englund, Christoffer Jerkeby, Bernard Smeets
  • Publication number: 20200389788
    Abstract: A method of establishing a session key at a communication device is disclosed, wherein the session key is to be shared between the communication device and a network application function (NAF) and wherein a service bootstrap key and an associated transaction identifier, previously derived by application of a general bootstrapping architecture (GBA) procedure, are shared between the communication device and a bootstrapping server function (BSF). The method comprises acquiring a NAF identifier associated with the NAF, deriving a NAF specific key based on the NAF identifier and the service bootstrap key, deriving the session key based on the NAF specific key and one or more key defining parameters, wherein the key defining parameters are accessible by the communication device and by the NAF and are non-accessible by the BSF, and transmitting an attach request message and the transaction identifier towards the NAF for establishment of the session key at the NAF.
    Type: Application
    Filed: November 29, 2017
    Publication date: December 10, 2020
    Inventors: Bernard Smeets, Håkan Englund, Per Ståhl
  • Publication number: 20200356698
    Abstract: A method and a corresponding runtime environment for migrating an instance of an actor of an application are provided. An initiating runtime environment performs a method comprising selecting, based on obtained security attributes for a set of target runtime environments, a target runtime environment from the set of target runtime environments for migration of the instance of the actor. The method comprises migrating the instance of the actor to the selected target runtime environment once the target runtime environment has been selected.
    Type: Application
    Filed: July 28, 2020
    Publication date: November 12, 2020
    Inventors: Harald GUSTAFSSON, Hakan ENGLUND, Christoffer JERKEBY, Bernard SMEETS
  • Publication number: 20200125720
    Abstract: A method (10) performed in an initiating runtime (2a) is disclosed for migrating an actor instance (5a1) of an actor (4a) to a target runtime (2b). The method (10) comprises obtaining (11), from a blockchain entity (3), an ownership token associated with the actor instance (5a1) of the actor (4a), the ownership token being verifiable by a blockchain (7) of the blockchain entity (3), and using (12) the ownership token for migrating the actor instance (5a1). A method in a blockchain entity (3), a method in a target runtime (2b), entities, computer programs and computer program products are also disclosed.
    Type: Application
    Filed: November 11, 2016
    Publication date: April 23, 2020
    Inventors: Håkan Englund, Christoffer Jerkeby, Bernard Smeets
  • Publication number: 20190042793
    Abstract: A method and a corresponding runtime environment for migrating an instance of an actor of an application are provided. An initiating runtime environment performs a method comprising selecting, based on obtained security attributes for a set of target runtime environments, a target runtime environment from the set of target runtime environments for migration of the instance of the actor. The method comprises migrating the instance of the actor to the selected target runtime environment once the target runtime environment has been selected.
    Type: Application
    Filed: February 4, 2016
    Publication date: February 7, 2019
    Inventors: Harald GUSTAFSSON, Hakan ENGLUND, Christoffer JERKEBY, Bernard SMEETS
  • Publication number: 20160095053
    Abstract: A Mobile Station (MS), a Base Station System (BSS) and a Mobile Switching Centre (MSC) of a cellular network, such as GSM, are disclosed. According to one embodiment, the MS is arranged to carry out one or more security features in its communication with the network. For example, the MS may be arranged to: by means of information received in a signalling message (0) from the network, discover if the network supports one or more of said security features, exchange information with the network in order to enable the use of one or more of the above-mentioned supported security features in the communication, carry out at least one of the one or more of the supported security features in the communication with the network.
    Type: Application
    Filed: December 10, 2015
    Publication date: March 31, 2016
    Inventors: Thomas Johansson, Håkan Englund, Mats Näslund
  • Patent number: 9292712
    Abstract: An exemplary method of maintaining secure time in a computing device is disclosed in which one or more processors implements a Rich Execution Environment (REE), and a separate Trusted Execution Environment (TEE). The TEE maintains a real-time clock (RTC) that provides a RTC time to the REE. A RTC offset is stored in non-volatile memory, with the RTC offset indicating a difference between the RTC time and a protected reference (PR) time. Responsive to a request from the REE to read the RTC time, a current RTC time is returned to the REE. Responsive to a request from the REE to adjust the RTC time, the RTC time and the corresponding RTC offset are adjusted by a same amount, such that the PR time is not altered by the RTC adjustment. An exemplary computing device operable to implement the method is also disclosed.
    Type: Grant
    Filed: September 28, 2012
    Date of Patent: March 22, 2016
    Assignee: ST-Ericsson SA
    Inventors: Per Ståhl, Håkan Englund, Martin Hovang, Hervé Sibert
  • Patent number: 9226140
    Abstract: A Mobile Station (MS), a Base Station System (BSS) and a Mobile Switching Center (MSC) of a cellular network, such as GSM, are disclosed. According to one embodiment, the MS is arranged to carry out one or more security features in its communication with the network. For example, the MS may be arranged to: by means of information received in a signalling message (0) from the network, discover if the network supports one or more of said security features, exchange information with the network in order to enable the use of one or more of the above-mentioned supported security features in the communication, carry out at least one of the one or more of the supported security features in the communication with the network.
    Type: Grant
    Filed: September 28, 2009
    Date of Patent: December 29, 2015
    Assignee: Unwired Planet, LLC
    Inventors: Thomas Johansson, Håkan Englund, Mats Näslund
  • Publication number: 20140365769
    Abstract: A method, arrangement, and provisioning server in a Selected Home Operator (SHO) network for downloading a new Downloadable Universal Subscriber Identity Module (DLUSIM) to a communication device when the communication device changes from a first operator network to the SHO network. A manager of the communication device registers with the SHO network and transfers KAuth to the SHO network. The communication device then receives a bootstrapping message instructing the device to connect to the provisioning server. The bootstrapping message includes an address of the provisioning server and an authentication nonce. The SHO network validates the communication device when the communication device attempts to connect to the provisioning server. The SHO network then generates the new DLUSIM and encrypts the new DLUSIM with KProvision. The provisioning server then downloads the new DLUSIM as an encrypted blob to the communication device.
    Type: Application
    Filed: December 12, 2012
    Publication date: December 11, 2014
    Applicant: TELEFONAKTIEBOLAGET L M ERICSSON (PUBL)
    Inventors: Mattias Eld, Håkan Englund
  • Publication number: 20140250290
    Abstract: A temporary anti-rollback table—which is cryptographically signed, unique to a specific device, and includes a version number—is provided to an electronic device requiring a replacement anti-rollback table. The table is verified by the device, and loaded to memory following a reboot. The memory image of the table is used to perform anti-rollback verification of all trusted software components as they are loaded. After booting, the memory image of the table is written in a secure manner to non-volatile memory as a replacement anti-rollback table, and the temporary anti-rollback table is deleted. The minimum required table version number in OTP memory is incremented. The temporary anti-rollback table is created and signed using a private key at authorized service centers; a corresponding public key in the electronic device verifies its authenticity.
    Type: Application
    Filed: March 1, 2013
    Publication date: September 4, 2014
    Applicant: ST-ERICSSON SA
    Inventors: Per Ståhl, Håkan Englund, Hans Holmberg