Abstract: A system and process for performing a touchless key provisioning operation for a communication device. In operation, a key management facility (KMF) imports a public key and a public key identifier uniquely identifying the public key of the communication device. The public key is associated with an asymmetric key pair generated at the communication device during its factory provisioning and configuration. The KMF registers the communication device and assigns a key encryption key (KEK) for the communication device. The KMF then provisions the communication device by deriving a symmetric touchless key provisioning (TKP) key based at least in part on the public key of the communication device, encrypting the KEK with the symmetric TKP key to generate a key wrapped KEK, and transmitting the key wrapped KEK to the communication device for decryption by the communication device.

Abstract: A system and process for performing a touchless key provisioning operation for a communication device. In operation, a key management facility (KMF) imports a public key and a public key identifier uniquely identifying the public key of the communication device. The public key is associated with an asymmetric key pair generated at the communication device during its factory provisioning and configuration. The KMF registers the communication device and assigns a key encryption key (KEK) for the communication device. The KMF then provisions the communication device by deriving a symmetric touchless key provisioning (TKP) key based at least in part on the public key of the communication device, encrypting the KEK with the symmetric TKP key to generate a key wrapped KEK, and transmitting the key wrapped KEK to the communication device for decryption by the communication device.

Abstract: Provisioning device certificates for electronic processors. One example method includes receiving a flashloader at the electronic processor. The method also includes validating the flashloader with the electronic processor. After validating the flashloader, the method includes receiving an encrypted provisioned key bundle at the electronic processor. The method also includes decrypting the encrypted provisioned key bundle with the electronic processor using a provisioning key to create a decrypted provisioned key bundle. The method further includes executing a provisioning process on the electronic processor using the decrypted provisioned key bundle.

Abstract: Provisioning device certificates for electronic processors. One example method includes receiving a flashloader at the electronic processor. The method also includes validating the flashloader with the electronic processor. After validating the flashloader, the method includes receiving an encrypted provisioned key bundle at the electronic processor. The method also includes decrypting the encrypted provisioned key bundle with the electronic processor using a provisioning key to create a decrypted provisioned key bundle. The method further includes executing a provisioning process on the electronic processor using the decrypted provisioned key bundle.

Abstract: At least one embodiment takes the form of a process carried out by a key-management infrastructure (KMI). The KMI receives first and second disassembly products of a high-security cryptographic key and provides the first and second disassembly products to a mobile radio for reassembly of the high-security cryptographic key. Providing the first disassembly product to the mobile radio includes providing the first disassembly product to the mobile radio over a local connection via a restricted-access key variable loader. Providing the second disassembly product to the mobile radio includes (i) generating a medium-security-encrypted second disassembly product at least in part by encrypting the second disassembly product based on at least one medium-security cryptographic key, and (ii) providing the medium-security-encrypted second disassembly product to the mobile radio over an air interface.

Abstract: Systems and methods for vetting data include receiving a notification at a second processor that a first processor has written first output data to an output data buffer in an output device. A hardware-implemented buffer access flag controls a permission for the first processor to write data to the output data buffer. The second processor sets the hardware-implemented buffer access flag to a first setting that prevents the first processor from writing additional output data to the output data buffer while the first output data in the output data buffer is being inspected. The second processor has a read-write permission to the hardware-implemented buffer access flag. The first processor has a read-only permission to the hardware-implemented buffer access flag.

Abstract: Methods of automatically populating a secure group list in a key variable loader and of providing keys to a secure group are presented. After a user selects a secure group and encryption algorithm using inputs of the loader, the loader provides a group identifier and corresponding key for the group. The group identifier, encryption algorithm, and key are transmitted to a portable communication device over a physical connection between the two while a device identifier of the communication device is transmitted concurrently to the loader. The key variable loader automatically populates a stored list of subscribers of the group with the device identifier. When it is desired to transmit a new key to all of or fewer than all of the subscribers, one of the subscribers is connected with the loader and used to wirelessly transmit a new key to the remaining subscribers.

Abstract: A system and method of providing secure communications is provided. Messages are encrypted or decrypted in protected memory of a processor. Outbound messages from a secure network are prepared for encryption by adding a header outside of the protected memory and then encrypted in the protected memory. The encryption is performed by retrieving a key from a key cache as designated by rules in the header. The encrypted message is sent to the unsecure network. An inbound message from an unsecure network that is received in unprotected memory is sent to a decryption module in protected memory. The inbound message is decrypted using a key designated in its header and retrieved from the key cache. The decrypted message is returned to the unprotected memory, where it is stripped of the encryption header and then sent to its destination within the secure network.

Abstract: A security module includes non-volatile memory, a key protection key generator, and volatile memory. The security module performs a method for protecting security parameters that includes: storing a secret key in the non-volatile memory, wherein the secret key is unique to the security module; applying a key split algorithm to a plurality of key split components to generate a key protection key, wherein the plurality of key split components includes the secret key; decrypting an encrypted first key using the key protection key; performing at least one of media encryption or media decryption using the decrypted first key; storing the key protection key and the decrypted first key in volatile memory.

Abstract: Systems and methods for vetting data include receiving a notification at a second processor that a first processor has written first output data to an output data buffer in an output device. A hardware-implemented buffer access flag controls a permission for the first processor to write data to the output data buffer. The second processor sets the hardware-implemented buffer access flag to a first setting that prevents the first processor from writing additional output data to the output data buffer while the first output data in the output data buffer is being inspected. The second processor has a read-write permission to the hardware-implemented buffer access flag. The first processor has a read-only permission to the hardware-implemented buffer access flag.

Abstract: A system and method of providing secure communications is provided. Messages are encrypted or decrypted in protected memory of a processor. Outbound messages from a secure network are prepared for encryption by adding a header outside of the protected memory and then encrypted in the protected memory. The encryption is performed by retrieving a key from a key cache as designated by rules in the header. The encrypted message is sent to the unsecure network. An inbound message from an unsecure network that is received in unprotected memory is sent to a decryption module in protected memory. The inbound message is decrypted using a key designated in its header and retrieved from the key cache. The decrypted message is returned to the unprotected memory, where it is stripped of the encryption header and then sent to its destination within the secure network.

Abstract: Methods of automatically populating a secure group list in a key variable loader and of providing keys to a secure group are presented. After a user selects a secure group and encryption algorithm using inputs of the loader, the loader provides a group identifier and corresponding key for the group. The group identifier, encryption algorithm, and key are transmitted to a portable communication device over a physical connection between the two while a device identifier of the communication device is transmitted concurrently to the loader. The key variable loader automatically populates a stored list of subscribers of the group with the device identifier. When it is desired to transmit a new key to all of or fewer than all of the subscribers, one of the subscribers is connected with the loader and used to wirelessly transmit a new key to the remaining subscribers.

Abstract: A single-chip integrated circuit comprising a first processor for executing a plurality of applications, a second processor for executing a plurality of applications, at least one of a) at least one embedded peripheral and b) at least one memory, and a bus monitor for allowing access to the at least one of a) the at least one embedded peripheral and b) the at least one memory, if the access is allowed, wherein the bus monitor comprises a mapping of access rights to the at least one of a) the at least one embedded peripheral and b) the at least one memory for the first processor and the second processor is disclosed.

Abstract: A squaring amplifier circuit (300) generates a substantially rectangular output signal from an a.c. input signal. An amplifier stage (303) is biased at a low quiescent current by a current source network (305) and a coupling network (306). Since the amplifier stage (303) current is a non-linear function of its input voltage, application of a low-level a.c. input signal (313), through an input signal coupling network (302), results in a substantially rectangular output signal having frequency and duty cycle that are substantially identical to the frequency and duty cycle of the input signal.