Patents by Inventor Hervé Sibert

Hervé Sibert has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20190116619
    Abstract: A secure ranging system can use a secure processing system to deliver one or more ranging keys to a ranging radio on a device, and the ranging radio can derive locally at the system ranging codes based on the ranging keys. A deterministic random number generator can derive the ranging codes using the ranging key and one or more session parameters, and each device (e.g. a cellular telephone and another device) can independently derive the ranging codes and derive them contemporaneously with their use in ranging operations.
    Type: Application
    Filed: April 14, 2017
    Publication date: April 18, 2019
    Inventors: Jerrold V. HAUCK, Alejandro J. MARQUEZ, Timothy R. PAASKE, Indranil S. SEN, Herve SIBERT, Yannick L. SIERRA, Raman S. THIARA
  • Publication number: 20180225662
    Abstract: Techniques are disclosed relating to authenticating a user with a mobile device. In one embodiment, a computing device includes a short-range radio and a secure element. The computing device reads, via the short-range radio, a portion of credential information stored in a circuit embedded in an identification document issued by an authority to a user for establishing an identity of the user. The computing device issues, to the authority, a request to store the credential information, the request specifying the portion of the credential information. In response to an approval of the request, the computing device stores the credential information in the secure element, the credential information being usable to establish the identity of the user. In some embodiments, the identification document is a passport that includes a radio-frequency identification (RFID) circuit storing the credential information, and the request specifies a passport number read from the RFID circuit.
    Type: Application
    Filed: March 30, 2018
    Publication date: August 9, 2018
    Inventors: Herve Sibert, Onur E. Tackin, Matthias Lerch, Ahmer A. Khan, Franck Rakotomalala, Oren M. Elrad
  • Patent number: 10025726
    Abstract: A memory management unit (MMU) may manage address translations. The MMU may obtain a first intermediate physical address (IPA) based on a first virtual address (VA) relating to a first memory access request. The MMU may identify, based on the first IPA, a first memory page entry in a second address translation table. The MMU may store, in a second cache memory, a first IPA-to-PA translation based on the identified first memory page entry. The MMU may store, in the second cache memory and in response to the identification of the first memory page entry, one or more additional IPA-to-PA translations that are based on corresponding one or more additional memory page entries in the second address translation table. The one or more additional memory page entries may be contiguous to the first memory page entry.
    Type: Grant
    Filed: October 29, 2014
    Date of Patent: July 17, 2018
    Assignee: STMicroelectronics International N.V.
    Inventors: Herve Sibert, Loic Pallardy
  • Publication number: 20180089434
    Abstract: Systems, methods, and computer-readable media for preserving trust data during operating system updates of a secure element of an electronic device are provided.
    Type: Application
    Filed: September 21, 2017
    Publication date: March 29, 2018
    Inventors: Hervé Sibert, Matthias Lerch, Oren M. Elrad, Peng Liu, Rahul Narayan Singh
  • Publication number: 20180089691
    Abstract: Techniques are disclosed relating to secure data storage. In various embodiments, a mobile device includes a wireless interface, a secure element, and a secure circuit. The secure element is configured to store confidential information associated with a plurality of users and to receive a request to communicate the confidential information associated with a particular one of the plurality of users. The secure element is further configured to communicate, via the wireless interface, the confidential information associated with the particular user in response to an authentication of the particular user. The secure circuit is configured to perform the authentication of the particular user. In some embodiments, the mobile device also includes a biosensor configured to collect biometric information from a user of the mobile device. In such an embodiment, the secure circuit is configured to store biometric information collected from the plurality of users by the biosensor.
    Type: Application
    Filed: September 20, 2017
    Publication date: March 29, 2018
    Inventors: Herve Sibert, Oren M. Elrad, Jerrold V. Hauck, Onur E. Tackin, Zachary A. Rosen, Matthias Lerch
  • Publication number: 20170329941
    Abstract: A signal is protected against an attack by an enhancement process that checks the conformity of an actual state of the signal with respect to an expected state. A protective action is exercised on the signal if the actual state of the signal is not in conformity with the expected state, so as to neutralize or nullify said attack.
    Type: Application
    Filed: December 27, 2016
    Publication date: November 16, 2017
    Applicant: STMicroelectronics SA
    Inventors: Jocelyn Leheup, Herve Sibert
  • Publication number: 20170213211
    Abstract: Techniques are disclosed relating to authenticating a user with a mobile device. In one embodiment, a computing device includes a short-range radio and a secure element. The computing device reads, via the short-range radio, a portion of credential information stored in a circuit embedded in an identification document issued by an authority to a user for establishing an identity of the user. The computing device issues, to the authority, a request to store the credential information, the request specifying the portion of the credential information. In response to an approval of the request, the computing device stores the credential information in the secure element, the credential information being usable to establish the identity of the user. In some embodiments, the identification document is a passport that includes a radio-frequency identification (RFID) circuit storing the credential information, and the request specifies a passport number read from the RFID circuit.
    Type: Application
    Filed: January 25, 2017
    Publication date: July 27, 2017
    Inventors: Herve Sibert, Onur E. Tackin, Matthias Lerch, Ahmer A. Khan, Franck Rakotomalala, Oren M. Elrad
  • Patent number: 9563778
    Abstract: A method is provided for managing public and private data input by a device such as a mobile handset, a personal digital assistant, a personal computer and an electronic tablet. The method provides for separating public and private data such that public data can be operated on by an open operating system, and private data is encrypted while in the open operating environment but can be operated on and used when received by the secure operating environment.
    Type: Grant
    Filed: October 26, 2012
    Date of Patent: February 7, 2017
    Assignee: ST-Ericsson SA
    Inventors: Herve Sibert, Nicolas Anquet
  • Patent number: 9292712
    Abstract: An exemplary method of maintaining secure time in a computing device is disclosed in which one or more processors implements a Rich Execution Environment (REE), and a separate Trusted Execution Environment (TEE). The TEE maintains a real-time clock (RTC) that provides a RTC time to the REE. A RTC offset is stored in non-volatile memory, with the RTC offset indicating a difference between the RTC time and a protected reference (PR) time. Responsive to a request from the REE to read the RTC time, a current RTC time is returned to the REE. Responsive to a request from the REE to adjust the RTC time, the RTC time and the corresponding RTC offset are adjusted by a same amount, such that the PR time is not altered by the RTC adjustment. An exemplary computing device operable to implement the method is also disclosed.
    Type: Grant
    Filed: September 28, 2012
    Date of Patent: March 22, 2016
    Assignee: ST-Ericsson SA
    Inventors: Per Ståhl, Håkan Englund, Martin Hovang, Hervé Sibert
  • Publication number: 20150326402
    Abstract: A method of authenticating an agent to a secure environment of a device, in a challenge-response authentication system comprising the device, a remote authentication server and a connection path between the device and the remote authentication server, the method comprising: while the connection path is not established: obtaining a predictable challenge based on at least a current value of a counter; obtaining a response for the challenge; and authenticating the agent to the secure environment based on at least the response; and, wherein, upon successful authentication, the value of the counter is incremented. A challenge-response authentication system and an apparatus are also claimed.
    Type: Application
    Filed: January 3, 2014
    Publication date: November 12, 2015
    Inventors: Herve SIBERT, Per STAHL
  • Patent number: 9166956
    Abstract: Wireless communication apparatus (WAP) which comprises means of receiving data streams such as Access Stratum User Plane (AS UP), Access Stratum Control Plane (AS CP), and Non-Access Stratum Control Plane (NAS CP), each at least partly requiring a cryptographic processing operation, a cryptographic module comprising a cryptoprocessor, and management means configured to deliver at least some of the data streams to the crypto-processor according to an order of priority defined from the data types and cryptographic processing types assigned to each data stream.
    Type: Grant
    Filed: January 19, 2010
    Date of Patent: October 20, 2015
    Assignee: ST-Ericsson (France) SAS
    Inventors: Hervé Sibert, Sylviane Roullier
  • Patent number: 9158936
    Abstract: An electronic device for storing data content by storing at least a portion of the data content in a rewritable memory device by storing an n bit count value associated with the status of the data content in a one time programmable memory. The n bit count value is written to the secure memory device along with the corresponding data content. Then the n bit count value is incremented and stored in the one time programmable memory each time there is a modification of the data content in the rewritable memory device. The number of bits of the one time programmable memory may correspond to the number of potential modifications of the stored data content.
    Type: Grant
    Filed: December 17, 2010
    Date of Patent: October 13, 2015
    Assignees: ST-Ericsson SA, ST-Ericsson (France) SAS
    Inventor: Herve Sibert
  • Patent number: 9081724
    Abstract: A method of protecting digital data stored in a storage medium. The method comprises providing a first and a second addressable storage region in the storage medium, and selector means for selectively indicating one of the first and the second addressable storage regions as active; storing the digital data in the first addressable storage region of the storage medium, wherein the digital data stored in the first addressable storage region is stored encrypted with a first encryption key; and causing the selector means to indicate the first addressable storage region as being active; and, responsive to a trigger event, copying the digital data from the first to the second addressable storage region, wherein the digital data stored in the second addressable storage region is stored encrypted with a second encryption key; and causing the selector means to indicate the second addressable storage region as being active.
    Type: Grant
    Filed: April 6, 2011
    Date of Patent: July 14, 2015
    Assignee: ST-ERICSSON SA
    Inventors: Nicolas Anquet, Hervé Sibert
  • Publication number: 20150143072
    Abstract: A memory management unit (MMU) may manage address translations. The MMU may obtain a first intermediate physical address (IPA) based on a first virtual address (VA) relating to a first memory access request. The MMU may identify, based on the first IPA, a first memory page entry in a second address translation table. The MMU may store, in a second cache memory, a first IPA-to-PA translation based on the identified first memory page entry. The MMU may store, in the second cache memory and in response to the identification of the first memory page entry, one or more additional IPA-to-PA translations that are based on corresponding one or more additional memory page entries in the second address translation table. The one or more additional memory page entries may be contiguous to the first memory page entry.
    Type: Application
    Filed: October 29, 2014
    Publication date: May 21, 2015
    Applicant: STMicroelectronics International N.V.
    Inventors: Herve Sibert, Loic Pallardy
  • Patent number: 8913743
    Abstract: Method for decrypting, within a wireless communication device, a sequence of encrypted packets received via a wireless communication channel between the communication device and a cell assigned to this device, comprising for each packet the following steps: the computation of an encrypting sequence corresponding to the packet (21); and the decrypting of the packet with the aid of the said encrypting sequence (22). In this method, the encrypting sequences are computed before the reception of the packets while the reception quality is above a threshold (20, TH) and an indication of change of cell is not received (24).
    Type: Grant
    Filed: January 19, 2010
    Date of Patent: December 16, 2014
    Assignee: ST-Ericsson SA
    Inventors: Hervé Sibert, Sylviane Roullier
  • Publication number: 20140344941
    Abstract: A method is provided for managing public and private data input by a device such as a mobile handset, a personal digital assistant, a personal computer and an electronic tablet. The method provides for separating public and private data such that public data can be operated on by an open operating system, and private data is encrypted while in the open operating environment but can be operated on and used when received by the secure operating environment.
    Type: Application
    Filed: October 26, 2012
    Publication date: November 20, 2014
    Inventors: Herve SIBERT, Nicolas ANQUET
  • Publication number: 20140310535
    Abstract: Electronic device (1) comprising a chipset component (2) and a flash memory component (3), the said chipset component being associated with an identifier, the said chipset component comprising a monotonic counter (21) and being configured to: derive a key from the identifier and a current value of the monotonic counter, by using a cryptographic key derivation function; build a provisioning command related to the key; send the provisioning command to the flash memory component; and use the key to manage a secure storage area in the flash memory component.
    Type: Application
    Filed: March 7, 2012
    Publication date: October 16, 2014
    Applicant: ST-ERICSSON SA
    Inventor: Hervé Sibert
  • Patent number: 8812840
    Abstract: A method of pre-authentication of a first entity (10) by a second entity (1) communicating with each other via a wireless connection. The second entity (1) sends (23?) a challenge value (c). If the first entity (10) receives (23) a challenge value (c?), it applies to the received challenge value a predefined transformation (g) known to the second entity to obtain a first transformed value (r) and then sends (24) the first transformed value (r) obtained. If the second entity receives (24?) a transformed value (r?), it compares (25?) the received transformed value to a second transformed value (r?) obtained by applying the predefined transformation (g) to the challenge value sent and considers the pre-authentication to have succeeded if the result of comparing the second transformed value obtained and the transformed value received is below a predefined threshold (m).
    Type: Grant
    Filed: February 1, 2006
    Date of Patent: August 19, 2014
    Assignee: France Telecom
    Inventors: Herve Sibert, Marc Girault
  • Publication number: 20140095918
    Abstract: An exemplary method of maintaining secure time in a computing device is disclosed in which one or more processors implements a Rich Execution Environment (REE), and a separate Trusted Execution Environment (TEE). The TEE maintains a real-time clock (RTC) that provides a RTC time to the REE. A RTC offset is stored in non-volatile memory, with the RTC offset indicating a difference between the RTC time and a protected reference (PR) time. Responsive to a request from the REE to read the RTC time, a current RTC time is returned to the REE. Responsive to a request from the REE to adjust the RTC time, the RTC time and the corresponding RTC offset are adjusted by a same amount, such that the PR time is not altered by the RTC adjustment. An exemplary computing device operable to implement the method is also disclosed.
    Type: Application
    Filed: September 28, 2012
    Publication date: April 3, 2014
    Inventors: Per Ståhl, Håkan Englund, Martin Hovang, Hervé Sibert
  • Patent number: 8607068
    Abstract: In a method of storing data in a memory device, which data comprise content to be processed in a processing device in which the memory device is installed, the method comprises the steps of writing encrypted content (Enc_Krand(flash_content)) into the memory device before installing the memory device in the processing device, wherein the content was encrypted by use of a first key (Krand), and accessing the first key (Krand) and encrypting the first key (Krand) by the aid of a second key (KIC; Ke) that is dependent on the processing device after installation of the memory device in the processing device, and writing the encrypted first key (EncSym_KIC(Krand); EncAsym_Ke(Krand)) into the memory device.
    Type: Grant
    Filed: October 22, 2009
    Date of Patent: December 10, 2013
    Assignee: ST-Ericsson SA
    Inventors: Herve Sibert, Valere Delong