Patents by Inventor Ivan McLean

Ivan McLean has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20210124818
    Abstract: In illustrative examples described herein, a hardware-based mechanism is provided to prevent brute force attacks on user credentials. In some examples, a throttling policy is added to a hardware key manager to provide timer-based throttling using a secure hardware timer. A register or slot in hardware is used to maintain throttling policy attributes or parameters for tracking a throttle count and a timeout value to be enforced. During a cryptographic wrap operation, a user key is associated with, or bound to, the slot or register. During a subsequent unwrap operation, the hardware key manager then enforces any needed timeouts by throttling user access in response to any incorrect entries based on the throttling policy attributes or parameters maintained in the slot or register. Examples exploiting an always-on battery-backed processing island are also provided. In some examples, throttling is implemented without the use of any secure storage.
    Type: Application
    Filed: October 23, 2019
    Publication date: April 29, 2021
    Inventors: Baranidharan MUTHUKUMARAN, Satish ANAND, Mahadevamurty NEMANI, Ivan MCLEAN, Miguel BALLESTEROS
  • Patent number: 10678924
    Abstract: Various features relate to providing Software-Resilient User Privacy within smartphones or other devices by storing and processing all pertinent values needed for user privacy—such as security keys and access attempt counters—in hardware, such as within a System-on-a-Chip (SoC) processor formed on an integrated circuit (IC). For example, an on-die ephemeral Volatile Memory (eVM) device may be employed for storing access attempt counters or other parameters used to control malicious attack countermeasures. In one example, the eVM employs static random-access memory (SRAM) formed on the die and exploits capacitive remanence to recover stored counter values even if power is disconnected, then reconnected. On-chip NVM may be used for permanent storage of other privacy values, such as a device-unique secret key that is generated locally on the device and not known to the chip vendor, the device Original Equipment Manufacturer (OEM) or the owner/user of the device.
    Type: Grant
    Filed: August 10, 2016
    Date of Patent: June 9, 2020
    Assignee: Qualcomm Incorporated
    Inventors: Vincent Pierre Le Roy, Ivan McLean
  • Publication number: 20200082088
    Abstract: Various embodiments include methods and devices for implementing protection of data by preventing non-authorized firmware modification on a computing device. Embodiments may include measuring, by a software program, an image of a firmware update producing a measurement of the image of the firmware update, modifying a version identifier of a prior installed firmware producing a version identifier of the firmware update, applying a root key generation algorithm to the measurement of the image of the firmware update, the version identifier of the firmware update, and an enroll identity credential, generating an enroll encryption root key as an output of the root key generation algorithm, applying a seed key encryption algorithm to the enroll encryption root key and an enroll encryption seed key, and generating a sealed encryption seed key as an output of the seed key encryption algorithm.
    Type: Application
    Filed: September 11, 2018
    Publication date: March 12, 2020
    Inventors: Baranidharan MUTHUKUMARAN, Ivan MCLEAN, Bollapragada V.J. MANOHAR, Vincent Pierre LE ROY, Ashish GROVER
  • Patent number: 10534882
    Abstract: A method for configuring the features of an integrated circuit. In the method, the integrated circuit receives a feature vector message from a first party. The feature vector message is included in a response to a feature set request from the first party to a second party. The integrated circuit configures at least one feature of the integrated circuit based on a feature vector in the feature vector message. The integrated circuit generates an attestation result based on the at least one configured feature of the integrated circuit and using a key securely stored in the integrated circuit and known to the second party and not known to the first party. The integrated circuit forwards the attestation result to the first party.
    Type: Grant
    Filed: August 11, 2016
    Date of Patent: January 14, 2020
    Assignee: Qualcomm Incorporated
    Inventors: Ivan McLean, Stuart Moskovics, Bryan Campbell, Mark Dragicevich
  • Patent number: 9916453
    Abstract: Methods, apparatus, and computer program products for generating a derivative key for an execution environment (EE) are described. An example of a method includes obtaining a device key by a key derivation circuit, obtaining a context string by the key derivation circuit from a one-time writable bit register (OWBR), generating the derivative key for a current EE by the key derivation circuit based on the device key and on the context string from the OWBR.
    Type: Grant
    Filed: December 22, 2015
    Date of Patent: March 13, 2018
    Assignee: QUALCOMM Incorporated
    Inventors: Ivan McLean, Ashish Grover
  • Publication number: 20180046805
    Abstract: Various features relate to providing Software-Resilient User Privacy within smartphones or other devices by storing and processing all pertinent values needed for user privacy—such as security keys and access attempt counters—in hardware, such as within a System-on-a-Chip (SoC) processor formed on an integrated circuit (IC). For example, an on-die ephemeral Volatile Memory (eVM) device may be employed for storing access attempt counters or other parameters used to control malicious attack countermeasures. In one example, the eVM employs static random-access memory (SRAM) formed on the die and exploits capacitive remanence to recover stored counter values even if power is disconnected, then reconnected. On-chip NVM may be used for permanent storage of other privacy values, such as a device-unique secret key that is generated locally on the device and not known to the chip vendor, the device Original Equipment Manufacturer (OEM) or the owner/user of the device.
    Type: Application
    Filed: August 10, 2016
    Publication date: February 15, 2018
    Inventors: Vincent Pierre Le Roy, Ivan McLean
  • Publication number: 20170325088
    Abstract: Techniques for securing transactions on a mobile device are provided. An example method according to these techniques includes receiving an input of a code to authorize a transaction in a security sensitive application, authenticating the transaction responsive to the input of the code, monitoring sensor information indicative of a context change, and authorizing subsequent transactions responsive to the sensor information indicating that the context change has not occurred since receiving the input of the code.
    Type: Application
    Filed: June 6, 2016
    Publication date: November 9, 2017
    Inventors: Adam Edward NEWHAM, Osman KOYUNCU, Chandrasekhar GHANTA, Ivan McLean, Stuart MOSKOVICS, Rashid Ahmed Akbar Attar, Justin McGloin
  • Publication number: 20170286580
    Abstract: A method for configuring the features of an integrated circuit. In the method, the integrated circuit receives a feature vector message from a first party. The feature vector message is included in a response to a feature set request from the first party to a second party. The integrated circuit configures at least one feature of the integrated circuit based on a feature vector in the feature vector message. The integrated circuit generates an attestation result based on the at least one configured feature of the integrated circuit and using a key securely stored in the integrated circuit and known to the second party and not known to the first party. The integrated circuit forwards the attestation result to the first party.
    Type: Application
    Filed: August 11, 2016
    Publication date: October 5, 2017
    Inventors: Ivan McLean, Stuart Moskovics, Bryan Campbell, Mark Dragicevich
  • Publication number: 20170177872
    Abstract: Methods, apparatus, and computer program products for generating a derivative key for an execution environment (EE) are described. An example of a method includes obtaining a device key by a key derivation circuit, obtaining a context string by the key derivation circuit from a one-time writable bit register (OWBR), generating the derivative key for a current EE by the key derivation circuit based on the device key and on the context string from the OWBR.
    Type: Application
    Filed: December 22, 2015
    Publication date: June 22, 2017
    Inventors: Ivan McLean, Ashish Grover
  • Publication number: 20170163417
    Abstract: Aspects may relate to a device that comprises: a non-volatile storage medium (NVM) to store a signature and a device key, the device key based on a symmetric master key and an identifier; an interface; and a processor coupled to the interface and the NVM. The processor may be configured to: apply a key derivation function (KDF) to the device key to generate a derivative key; apply a key generation function to the derivative key to generate at least one public key; and command transmission of the signature and the at least one public key through the interface to a service provider.
    Type: Application
    Filed: February 10, 2016
    Publication date: June 8, 2017
    Inventors: Ivan McLean, David Tamagno, Stuart Moskovics, Manfred Von Willich
  • Patent number: 9607177
    Abstract: A method operational within a memory controller is provided for securing content stored in memory. The memory controller may allocate logical memory regions within a memory device to different domains. A different domain-specific key is obtained for each of the different domains, where each domain-specific key is a function of at least a master key and domain-specific information. During write operations, content/data is encrypted, at the memory controller, as it is written into each logical memory region using a domain-specific key corresponding to a domain providing the content and to which the logical memory region is allocated. Similarly, during read operations, content/data is decrypted, at the memory controller, as it is read from each memory region using a domain-specific key corresponding to a domain requesting the content and to which the logical memory region, where the content is stored, is allocated.
    Type: Grant
    Filed: September 30, 2013
    Date of Patent: March 28, 2017
    Assignee: QUALCOMM Incorporated
    Inventors: Ravindra R. Jejurikar, Ivan McLean
  • Patent number: 9141809
    Abstract: Disclosed is a method for deterring a timing-based glitch attack during a secure boot process of a device having a device-specific number. In the method, the device generates a pseudorandom number specific to a particular execution of a secure boot process. The device combines the device-specific number and the pseudorandom number to generate a diversity value. The device may change a timing of at least one process step of the secure boot process based on the diversity value. Also, the device may change an order of process steps of the secure boot process based on the diversity value.
    Type: Grant
    Filed: July 23, 2012
    Date of Patent: September 22, 2015
    Assignee: QUALCOMM Incorporated
    Inventor: Ivan McLean
  • Publication number: 20150095662
    Abstract: A method operational within a memory controller is provided for securing content stored in memory. The memory controller may allocate logical memory regions within a memory device to different domains. A different domain-specific key is obtained for each of the different domains, where each domain-specific key is a function of at least a master key and domain-specific information. During write operations, content/data is encrypted, at the memory controller, as it is written into each logical memory region using a domain-specific key corresponding to a domain providing the content and to which the logical memory region is allocated. Similarly, during read operations, content/data is decrypted, at the memory controller, as it is read from each memory region using a domain-specific key corresponding to a domain requesting the content and to which the logical memory region, where the content is stored, is allocated.
    Type: Application
    Filed: September 30, 2013
    Publication date: April 2, 2015
    Applicant: QUALCOMM Incorporated
    Inventors: Ravindra R. Jejurikar, Ivan McLean
  • Publication number: 20140025960
    Abstract: Disclosed is a method for deterring a timing-based glitch attack during a secure boot process of a device having a device-specific number. In the method, the device generates a pseudorandom number specific to a particular execution of a secure boot process. The device combines the device-specific number and the pseudorandom number to generate a diversity value. The device may change a timing of at least one process step of the secure boot process based on the diversity value. Also, the device may change an order of process steps of the secure boot process based on the diversity value.
    Type: Application
    Filed: July 23, 2012
    Publication date: January 23, 2014
    Applicant: Qualcomm Incorporated
    Inventor: Ivan McLEAN
  • Publication number: 20070207780
    Abstract: Apparatus and methods for providing an incentive-based system for the superdistribution of content, which include one or more communications devices transmitting one or more referral messages relating to the content. Further, the apparatus and methods include the communications devices ordering content from across the network based on the referral messages, where a reward is generated for one or more referring devices based on the one or more referral messages. Additionally, the application of privacy and authentication mechanisms protects the privacy and verifies the identities of the parties involved in the transaction.
    Type: Application
    Filed: February 23, 2006
    Publication date: September 6, 2007
    Inventor: Ivan McLean
  • Publication number: 20060206918
    Abstract: A system and method for inputting a password. The system and method operates to associate unique non-descriptive graphical features with unique text-based characters. The system and method operates to receive in sequence, a plurality of text-based characters. The system and method operates to display in sequence, in accordance with a sequence scheme, the non-descriptive graphical features associated with the plurality of text-based characters. The system and method also operates to process the plurality of text-based characters as the password. In addition, the system and method operates wherein the password, including text-based characters, may be deciphered from both the display of the non-descriptive graphical features associated with the plurality of text-based characters and the sequence scheme.
    Type: Application
    Filed: March 1, 2005
    Publication date: September 14, 2006
    Inventor: Ivan McLean
  • Publication number: 20060107323
    Abstract: A system and method for providing secure communications between client communication devices and servers. A server generates a random offset. The server alters a server communication device dynamic credential by applying the random offset to the server communication device dynamic credential. The server stores the server communication device dynamic credential. The server sends, via a network, a signal including the random offset. The server receives, via a network, a signal including a dynamic credential. The server determines a difference between the server communication device dynamic credential and the received dynamic credential. In addition, the server detects a presence of a cloned communications device based on the difference.
    Type: Application
    Filed: November 16, 2004
    Publication date: May 18, 2006
    Inventor: Ivan McLean
  • Publication number: 20060095957
    Abstract: A system and method for providing secure communications between remote computing devices and servers. A network device sends characteristics of a client computing device over the network. A network device receives characteristics of a client computing device over the network. A plurality of credentials are generated where at least one of the plurality of credentials is based on both the received characteristics of the client computing device and a unique client key, and at least one of the plurality of credentials is based on both the received characteristics of the client computing device and a generic key. A network device sends the plurality of credentials over the network. A network device receives the plurality of credentials via the network.
    Type: Application
    Filed: October 29, 2004
    Publication date: May 4, 2006
    Inventors: Laurence Lundblade, Ivan McLean, Gerald Horel
  • Publication number: 20050059352
    Abstract: Methods and apparatus for determining the integrity of a device. A method is provided for use in a server to provide a dynamic integrity check of a client device. The method includes selecting a selected integrity application from one or more integrity applications, wherein the selected integrity application operates to generate a unique preselected integrity response. The method also includes downloading the selected integrity application for execution on the client device, and receiving a response from the selected integrity application. The method also includes determining whether or not the response is the preselected integrity response.
    Type: Application
    Filed: September 10, 2003
    Publication date: March 17, 2005
    Inventor: Ivan McLean
  • Patent number: 6364052
    Abstract: Noise-reducing earplugs include a configuration and surface ornamentation to resemble a product other than earplugs, or a container for such a product. For example, such earplugs may have a generally cylindrical configuration and appropriate surface ornamentation to resemble can-type containers as are used for beverages (e.g., soft drinks or beer) and other liquid products (e.g., paints, oils, fuel additives, etc.).
    Type: Grant
    Filed: March 14, 2000
    Date of Patent: April 2, 2002
    Assignee: Ivan McLean, Inc.
    Inventor: Ivan McLean