Patents by Inventor Jason A. Pasion

Jason A. Pasion has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11962698
    Abstract: A system and method for receiving secure data in a client device. In one embodiment, the method comprises (a) receiving a token having a token ID and a digital certificate generated by a certificate authority (CA) having client device fingerprint data generated from client device parameters, (b) accepting a request in the client device to provide secure data to the client device, (c) regenerating the client device fingerprint data from the client device parameters, (d) determining, in the client device, differences between the client device fingerprint data of the digital certificate from the regenerated client device fingerprint data, and (e) transmitting a request to a secure data service to provide secure data based upon the determination.
    Type: Grant
    Filed: March 17, 2021
    Date of Patent: April 16, 2024
    Assignee: ARRIS Enterprises LLC
    Inventors: Jason A. Pasion, John Okimoto, Xin Qiu, Alexander Medvinsky, Ting Yao, Jinsong Zheng, Oscar Jiang
  • Patent number: 11882224
    Abstract: A method for signing data such as software images is provided that uses modules executable by a generic client to sign hashes of the software images rather than the images themselves. The method avoids both the requirement for new or updated client software and the uploading of full software images to the signing system. This approach uses a generic client that requests and downloads processing modules from the signing system to perform the pre-processing operations in signing software images, as well as optionally for post-processing operations.
    Type: Grant
    Filed: September 8, 2021
    Date of Patent: January 23, 2024
    Assignee: ARRIS Enterprises LLC
    Inventors: Tat Keung Chan, Ting Yao, Jason A. Pasion
  • Publication number: 20230370270
    Abstract: A method, apparatus, and system for providing device credentials to a plurality of devices are disclosed.
    Type: Application
    Filed: May 10, 2023
    Publication date: November 16, 2023
    Applicant: ARRIS Enterprises LLC
    Inventors: Alexander MEDVINSKY, Xin QIU, Ting YAO, Jason PASION, Oscar JIANG, Rafie SHAMSAASEF, Tat Keung CHAN
  • Patent number: 11803631
    Abstract: A system and method described below prevents exploitation of a client's PKI station using a token installed on other host (attackers') processors. This is accomplished by binding the token to the approved PKI client station (host) using a software development kit installed in the PKI client station. Once a token is bound to a PKI client station, the token can no longer be used on another station unless permitted by authorized personnel.
    Type: Grant
    Filed: May 5, 2021
    Date of Patent: October 31, 2023
    Assignee: ARRIS Enterprises LLC
    Inventors: Oscar Jiang, Ting Yao, Xin Qiu, Jason Pasion
  • Patent number: 11777732
    Abstract: A system and method for providing secure data to a client device having a token is disclosed. In one embodiment, the method comprises (a) binding the token to the client device according to first token binding information comprising a first token identifier (ID), first client device fingerprint data, and a first timestamp, (b) receiving a request to provide secure data to the client device in a secure data service, (c) determining if the request to provide the secure data to the client device was received within an acceptable temporal range of the stored timestamp, and (d) providing the requested secure data according to the determination.
    Type: Grant
    Filed: March 17, 2021
    Date of Patent: October 3, 2023
    Assignee: ARRIS Enterprises LLC
    Inventors: Jason A. Pasion, John Okimoto, Xin Qiu, Alexander Medvinsky, Ting Yao, Jinsong Zheng, Oscar Jiang
  • Patent number: 11757637
    Abstract: A system and method for providing secure data to a client device having a token is disclosed. In one embodiment, the method comprises: (a) binding the token to the client device according to first token binding information comprising a first token identifier (ID), first client device fingerprint data, and a first timestamp, (b) receiving a request to provide secure data to the client device in a service, the request comprising the signed first token binding information and timestamp, (c) determining if the request to provide the secure data to the client device was received within an acceptable temporal range of the stored timestamp; and (d) providing the requested secure data according to the determination.
    Type: Grant
    Filed: March 17, 2021
    Date of Patent: September 12, 2023
    Assignee: ARRIS Enterprises LLC
    Inventors: Jason A. Pasion, John Okimoto, Xin Qiu, Alexander Medvinsky, Ting Yao, Jinsong Zheng, Oscar Jiang
  • Publication number: 20230269099
    Abstract: A method and apparatus for revoking and replacing digital certificates issued by distributed servers is disclosed. An architecture in which issued certificates from distributed factory and field provisioning servers are gathered into a centrally managed certificate authority which manages the full certificate lifecycle. Revocation and rekey approvals are performed through this central certificate authority, while the resulting revocation status and rekey approvals are made available for consumption by those same distributed servers.
    Type: Application
    Filed: February 17, 2023
    Publication date: August 24, 2023
    Applicant: ARRIS Enterprises LLC
    Inventors: Alexander MEDVINSKY, Ting YAO, Tat Keung CHAN, Jason PASION, Jinsong ZHENG, Xin QIU
  • Patent number: 11677548
    Abstract: A system is provided for distribution of device key sets over a network in a protected software environment (PSE). In the system, a client device includes a connection interface for receiving a crypto hardware (CH) token belonging to a user, untrusted software, a quoting enclave, and a PSE for generating a provisioning request for a device key set. An attestation proxy server (APS) receives the provisioning message using a first network connection, and transmits the provisioning message to an online provisioning server (OPS) using a second network connection. The OPS constructs a provisioning response and an encrypted device key set, and delivers the provisioning response to the untrusted software using the first and second network connections. The PSE decrypts the encrypted device key set to obtain the device key set, re-encrypts the device key set with a local chip-specific key, and stores the re-encrypted device key set.
    Type: Grant
    Filed: June 23, 2021
    Date of Patent: June 13, 2023
    Assignee: ARRIS Enterprises LLC
    Inventors: Alexander Medvinsky, Jinsong Zheng, Jason A. Pasion, Xin Qiu, Tat Keung Chan, Eric Eugene Berry, Michael Ryan Pilquist, Douglas M. Petty
  • Patent number: 11626975
    Abstract: In a system comprising a customer providing a service to a plurality of client devices, a method and system for providing a customer-specific digital certificate to a client device of the plurality of client devices is disclosed. The method comprises receiving, in an intermediate certificate authority, a pre-generated digital certificate and an encrypted client device private key encrypted according to a private key encryption key PrKEK, receiving, from the client device, a request for the customer-specific digital certificate, the request comprising at least one of client device identifying information and information identifying the customer, the request signed according to a pre-provisioned client device digital certificate, and transmitting the customer-specific digital certificate and the encrypted client device private key to the client device.
    Type: Grant
    Filed: January 15, 2021
    Date of Patent: April 11, 2023
    Assignee: ARRIS Enterprises LLC
    Inventors: Alexander Medvinsky, Tat Keung Chan, Xin Qiu, Jason A. Pasion, Ting Yao, Shanthakumar Ramakrishnan
  • Patent number: 11444935
    Abstract: A method and system provide the ability to authenticate client services. A private key and a client certificate are created and delivered to a client. Based on the private key and the certificate, a client account is created for the client on a server. One or more signing or feature licensing configurations are created and authorized on the server for the client account. The client certificate and a request to perform a requested client service are received on the server from a client. The request includes configuration information for the requested client service. The server verifies the client certificate and determines whether the client is authorized to perform the requested client service. The determination is based on the configuration information and the one or more authorized client operations. Upon determining that the client is authorized to perform the requested client service, the request is processed and the authorization is sent to the client.
    Type: Grant
    Filed: December 11, 2020
    Date of Patent: September 13, 2022
    Assignee: ARRIS Enterprises LLC
    Inventors: Tat Keung Chan, Jinsong Zheng, Alexander Medvinsky, Ting Yao, Jason A. Pasion, Eric Brunnett-Lazarte, Cheng Li
  • Publication number: 20210409229
    Abstract: A method for signing data such as software images is provided that uses modules executable by a generic client to sign hashes of the software images rather than the images themselves. The method avoids both the requirement for new or updated client software and the uploading of full software images to the signing system. This approach uses a generic client that requests and downloads processing modules from the signing system to perform the pre-processing operations in signing software images, as well as optionally for post-processing operations.
    Type: Application
    Filed: September 8, 2021
    Publication date: December 30, 2021
    Inventors: Tat Keung Chan, Ting Yao, Jason A. Pasion
  • Publication number: 20210349986
    Abstract: A system and method described below prevents exploitation of a client's PKI station using a token installed on other host (attackers') processors. This is accomplished by binding the token to the approved PKI client station (host) using a software development kit installed in the PKI client station. Once a token is bound to a PKI client station, the token can no longer be used on another station unless permitted by authorized personnel.
    Type: Application
    Filed: May 5, 2021
    Publication date: November 11, 2021
    Applicant: ARRIS Enterprises LLC
    Inventors: Oscar Jiang, Ting Yao, Xin Qiu, Jason Pasion
  • Publication number: 20210320789
    Abstract: A system is provided for distribution of device key sets over a network in a protected software environment (PSE). In the system, a client device includes a connection interface for receiving a crypto hardware (CH) token belonging to a user, untrusted software, a quoting enclave, and a PSE for generating a provisioning request for a device key set. An attestation proxy server (APS) receives the provisioning message using a first network connection, and transmits the provisioning message to an online provisioning server (OPS) using a second network connection. The OPS constructs a provisioning response and an encrypted device key set, and delivers the provisioning response to the untrusted software using the first and second network connections. The PSE decrypts the encrypted device key set to obtain the device key set, re-encrypts the device key set with a local chip-specific key, and stores the re-encrypted device key set.
    Type: Application
    Filed: June 23, 2021
    Publication date: October 14, 2021
    Applicant: ARRIS Enterprises LLC
    Inventors: Alexander Medvinsky, Jinsong Zheng, Jason A. Pasion, Xin Qiu, Tat Keung Chan, Eric Eugene Berry, Michael Ryan Pilquist, Douglas M. Petty
  • Publication number: 20210306161
    Abstract: In a system comprising a customer providing a service to a plurality of client devices, a method and system for providing a customer-specific digital certificate to a client device of the plurality of client devices is disclosed. The method comprises receiving, in an intermediate certificate authority, a pre-generated digital certificate and an encrypted client device private key encrypted according to a private key encryption key PrKEK, receiving, from the client device, a request for the customer-specific digital certificate, the request comprising at least one of client device identifying information and information identifying the customer, the request signed according to a pre-provisioned client device digital certificate, and transmitting the customer-specific digital certificate and the encrypted client device private key to the client device.
    Type: Application
    Filed: January 15, 2021
    Publication date: September 30, 2021
    Applicant: ARRIS Enterprises LLC
    Inventors: Alexander Medvinsky, Tat Keung Chan, Xin Qiu, Jason A. Pasion, Ting Yao, Shanthakumar Ramakrishnan
  • Publication number: 20210297449
    Abstract: A system and method for providing secure data to a client device having a token is disclosed. In one embodiment, the method comprises (a) binding the token to the client device according to first token binding information comprising a first token identifier (ID), first client device fingerprint data, and a first timestamp, (b) receiving a request to provide secure data to the client device in a secure data service, (c) determining if the request to provide the secure data to the client device was received within an acceptable temporal range of the stored timestamp, and (d) providing the requested secure data according to the determination.
    Type: Application
    Filed: March 17, 2021
    Publication date: September 23, 2021
    Applicant: ARRIS Enterprises LLC
    Inventors: Jason A. Pasion, John Okimoto, Xin Qiu, Alexander Medvinsky, Ting Yao, Jinsong Zheng, Oscar Jiang
  • Publication number: 20210297269
    Abstract: A system and method for receiving secure data in a client device. In one embodiment, the method comprises (a) receiving a token having a token ID and a digital certificate generated by a certificate authority (CA) having client device fingerprint data generated from client device parameters, (b) accepting a request in the client device to provide secure data to the client device, (c) regenerating the client device fingerprint data from the client device parameters, (d) determining, in the client device, differences between the client device fingerprint data of the digital certificate from the regenerated client device fingerprint data, and (e) transmitting a request to a secure data service to provide secure data based upon the determination.
    Type: Application
    Filed: March 17, 2021
    Publication date: September 23, 2021
    Applicant: ARRIS Enterprises LLC
    Inventors: Jason A. Pasion, John Okimoto, Xin Qiu, Alexander Medvinsky, Ting Yao, Jinsong Zheng, Oscar Jiang
  • Publication number: 20210297254
    Abstract: A system and method for providing secure data to a client device having a token is disclosed. In one embodiment, the method comprises: (a) binding the token to the client device according to first token binding information comprising a first token identifier (ID), first client device fingerprint data, and a first timestamp, (b) receiving a request to provide secure data to the client device in a service, the request comprising the signed first token binding information and timestamp, (c) determining if the request to provide the secure data to the client device was received within an acceptable temporal range of the stored timestamp; and (d) providing the requested secure data according to the determination.
    Type: Application
    Filed: March 17, 2021
    Publication date: September 23, 2021
    Applicant: ARRIS Enterprises LLC
    Inventors: Jason A. Pasion, John Okimoto, Xin Qiu, Alexander Medvinsky, Ting Yao, Jinsong Zheng, Oscar Jiang
  • Publication number: 20210248259
    Abstract: A method is provided that permits a user to submit a password to the private key that is to be used to decrypt files either at the time of user account setup or at the time of submitting the files. The password is stored securely in the system, permanently or temporarily, and is used later to decrypt the files right before the system is ready to process the files.
    Type: Application
    Filed: April 27, 2021
    Publication date: August 12, 2021
    Inventors: Jinsong Zheng, Alexander Medvinsky, Tat Keung Chan, Ting Yao, Jason A. Pasion
  • Patent number: 11063753
    Abstract: A system is provided for distribution of device key sets over a network in a protected software environment (PSE). In the system, a client device includes a connection interface for receiving a crypto hardware (CH) token belonging to a user, untrusted software, a quoting enclave, and a PSE for generating a provisioning request for a device key set. An attestation proxy server (APS) receives the provisioning message using a first network connection, and transmits the provisioning message to an online provisioning server (OPS) using a second network connection. The OPS constructs a provisioning response and an encrypted device key set, and delivers the provisioning response to the untrusted software using the first and second network connections. The PSE decrypts the encrypted device key set to obtain the device key set, re-encrypts the device key set with a local chip-specific key, and stores the re-encrypted device key set.
    Type: Grant
    Filed: March 20, 2019
    Date of Patent: July 13, 2021
    Assignee: ARRIS Enterprises LLC
    Inventors: Alexander Medvinsky, Jinsong Zheng, Jason A. Pasion, Xin Qiu, Tat Keung Chan, Eric Eugene Berry, Michael Ryan Pilquist, Douglas M. Petty
  • Publication number: 20210194704
    Abstract: A method and system provide the ability to authenticate client services. A private key and a client certificate are created and delivered to a client. Based on the private key and the certificate, a client account is created for the client on a server. One or more signing or feature licensing configurations are created and authorized on the server for the client account. The client certificate and a request to perform a requested client service are received on the server from a client. The request includes configuration information for the requested client service. The server verifies the client certificate and determines whether the client is authorized to perform the requested client service. The determination is based on the configuration information and the one or more authorized client operations. Upon determining that the client is authorized to perform the requested client service, the request is processed and the authorization is sent to the client.
    Type: Application
    Filed: December 11, 2020
    Publication date: June 24, 2021
    Applicant: ARRIS Enterprises LLC
    Inventors: Tat Keung Chan, Jinsong Zheng, Alexander Medvinsky, Ting Yao, Jason A. Pasion, Eric Brunnett-Lazarte, Cheng Li