Abstract: A method of post-manufacture generation of the device certificate 20 for verifying an electronic device 2 according to a public key infrastructure is provided. The method comprises obtaining, at a certificate generating apparatus 40, a first key 42 associated with the device 2. A second key 22 for the electronic device is derived from the first key 42. The device certificate 20 for the PKI is generated with the second key acting as the public key 22 associated with the device certificate 20. In a corresponding way a private key 24 for the PKI can be generated by the electronic device 2 based on a shared first key 42. This approach enables the manufacturing cost for manufacturing an electronic device to be reduced whilst still enabling use of a PKI for attesting to properties of the device 2.

Abstract: A device has an installed cryptographic program that performs cryptographic operations in dependence upon a received diversification value. The diversification value is generated by an obfuscated personalisation program installed in the device and is dependent upon a personalisation input to the personalisation program. The personalisation input is characteristic of the particular execution environment provided by the device, and may take the form of a proper subset selected from among variables characterising the device, such as hardware properties, static software configuration and results from processing dynamic variables to check that they have expected properties. The diversification value generated by the personalisation program is returned (in encrypted form) to a server which also has a copy of the cryptographic program. Thus, the server and the device may communicate using a secure channel provided by the combination of the cryptographic program and the diversification value.

Abstract: A method of post-manufacture generation of the device certificate 20 for verifying an electronic device 2 according to a public key infrastructure is provided. The method comprises obtaining, at a certificate generating apparatus 40, a first key 42 associated with the device 2. A second key 22 for the electronic device is derived from the first key 42. The device certificate 20 for the PKI is generated with the second key acting as the public key 22 associated with the device certificate 20. In a corresponding way a private key 24 for the PKI can be generated by the electronic device 2 based on a shared first key 42. This approach enables the manufacturing cost for manufacturing an electronic device to be reduced whilst still enabling use of a PKI for attesting to properties of the device 2.

Abstract: A method for establishing a new cryptographic identity for an electronic device comprises providing in the electronic device at least one device key for encryption or decryption of data or commands or for proving the identity of the electronic device according to the new cryptographic identity; and uploading, to a public ledger for tracking a chain of cryptographic identities established for said electronic device, information indicative of an identity of a stakeholder establishing the new cryptographic identity and an order in which the new cryptographic identity was established with respect to other cryptographic identities in said chain.

Abstract: A device has an installed cryptographic program that performs cryptographic operations in dependence upon a received diversification value. The diversification value is generated by an obfuscated personalisation program installed in the device and is dependent upon a personalisation input to the personalisation program. The personalisation input is characteristic of the particular execution environment provided by the device, and may take the form of a proper subset selected from among variables characterising the device, such as hardware properties, static software configuration and results from processing dynamic variables to check that they have expected properties. The diversification value generated by the personalisation program is returned (in encrypted form) to a server which also has a copy of the cryptographic program. Thus, the server and the device may communicate using a secure channel provided by the combination of the cryptographic program and the diversification value.

Abstract: Various methods for implementing address privacy in communications networks are provided. One method may include receiving a lower layer address block. The lower layer address block may include a random component and a lower layer solution component. The random component may include a random value and the lower layer solution component may be based at least in part on the random value and a shared key. The method may also include verifying the lower layer address block via the random value and the shared key. The method may further include receiving a higher layer address block. The higher layer address block may include a higher layer solution component. The higher layer solution component may be based at least in part on the random value and a shared key. The method may further include verifying the higher layer address block via the random value and the shared key. Similar apparatuses and computer program products are also provided.

Abstract: The invention relates to the implementation of an access service in a telecommunications network comprising an access network, a network providing services, and user-operated terminals which are connected to the access network. The access service is offered by connecting the user terminal to the network providing the services through interface elements which connect the access network and the network providing the services. As a response to the access service at least one charging record is generated. The record is transferred to billing means for billing the access service subscriber for the access service. So that it would be possible to combine the access service with reliable and versatile billing in a connectionless network, the terminal is used to generate charging messages which are provided with a subscriber-specific digital signature, and the signatures generated by the terminal are verified outside of the terminal.