Patents by Inventor Lance W. Dover

Lance W. Dover has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20220131848
    Abstract: A server system stores data associating a secret of the memory device configured in an endpoint, a first identification, and device information of the endpoint. After receiving a request to bind a second identification to the endpoint, the server system can tie identity data of the endpoint to the second identification. For example, after receiving a validation request containing identity data generated by the memory device, the server system can verify a verification code in the identity data based at least in part on the secret of the memory device. The verification code is generated from a message presented in the identity data and a cryptographic key derived at least in part from the secret. Based on validating the identity data, the server system can provide a validation response to indicate that the identity data is generated by the endpoint having the second identification.
    Type: Application
    Filed: September 24, 2021
    Publication date: April 28, 2022
    Inventors: Jeffrey Charles Shiner, Lance W. Dover, Olivier Duval
  • Publication number: 20220131700
    Abstract: A system, method and apparatus to authenticate an endpoint having a secure memory device. For example, a card profile can be selected, configured, and/or stored into the secure memory device based on endpoint identity data representative of a component configuration of the endpoint, including the device identity representative of the memory device and other components. The card profile can be used by the endpoint to emulate a physical smart card and can be viewed as a virtual smart card, such as a virtual subscriber identification module (SIM) card for accessing a cellular connection.
    Type: Application
    Filed: September 24, 2021
    Publication date: April 28, 2022
    Inventors: Jeffrey Charles Shiner, Lance W. Dover, Olivier Duval
  • Publication number: 20220131846
    Abstract: An online service store to configure services for endpoints in connection with validating authenticity of the endpoints. For example, a service can be ordered for an endpoint prior to the use of the endpoint. After receiving a request having identity data generated by a memory device configured in the endpoint, a server system can determine, based on a secret of the memory device and other data stored about the endpoint, the validity of the identity data and thus the authenticity of the endpoint. Based on the service ordered for the endpoint, the server system causes the endpoint to be connected to a client server to receive the service. The server system can cause the firmware of the endpoint to be updated to enable the endpoint to receive the service from the client server.
    Type: Application
    Filed: September 24, 2021
    Publication date: April 28, 2022
    Inventors: Jeffrey Charles Shiner, Lance W. Dover, Olivier Duval
  • Publication number: 20220129390
    Abstract: A security server to manage integrity of packages stored in an endpoint based on identity authentication implemented using security features of a memory device configured in the endpoint. For example, the security server validates identity data generated by the memory device based at least in part on a secret of the memory device. The server can extract, from the identity data, health information of a package stored in the endpoint and determine, based at least in part on the health information, whether or not to update or repair the package currently stored in the endpoint.
    Type: Application
    Filed: September 24, 2021
    Publication date: April 28, 2022
    Inventors: Jeffrey Charles Shiner, Lance W. Dover, Olivier Duval
  • Publication number: 20220129391
    Abstract: A security server to implement security operations during validation of the identity of an endpoint based on activity data of the endpoint. For example, a server system stores data representative of preferences for the endpoint. After receiving a validation request containing identity data generated by a memory device configured in the endpoint, the server system can validate the identity data based at least in part on a secret of the memory device. If the identity data is valid, the server system can further determine whether an activity, as identified by the identity data and/or the validation request, satisfies a condition specified for the endpoint. If so, the server system can perform a security operation associated with the condition in providing a validation response in responding to the validation request.
    Type: Application
    Filed: September 24, 2021
    Publication date: April 28, 2022
    Inventors: Jeffrey Charles Shiner, Lance W. Dover, Olivier Duval
  • Publication number: 20220131847
    Abstract: A server system configured to allow a group of endpoints to share a subscription. For example, data can be stored to associate the endpoint group with at least one subscriber identifier. After receiving a validation request containing identity data generated by a memory device configured in an endpoint in the group, the server system can validate the identity data based at least in part on a secret of the memory device. In response to a determination that the identity data is valid, the system can determine that the subscriber identifier is not currently assigned to any endpoint in the group and thus assign, based on the data associating the endpoint group with the subscriber identifier, the subscriber identifier to the endpoint to cause a service offered to an account represented by the subscriber identifier to be provided to the endpoint.
    Type: Application
    Filed: September 24, 2021
    Publication date: April 28, 2022
    Inventors: Jeffrey Charles Shiner, Lance W. Dover, Olivier Duval
  • Publication number: 20220132298
    Abstract: A server system to onboard an endpoint having a host system connected to a host interface of a memory device for a cloud service without prior customization of the endpoint to identify an account for accessing the cloud service. For example, after receiving a request associated with the service and containing identity data generated by the memory device, the server system determines authenticity of the memory device and the endpoint based on a secret of the memory device and the identity data. In response to the request, the server system further identifies, based on the identity data, a subscriber among a plurality of subscribers based on ownership data of the endpoint. As a result of the identifying of the subscriber based on the identity data, the server system determines an account of the subscriber to provide the service to the endpoint based on the account.
    Type: Application
    Filed: September 24, 2021
    Publication date: April 28, 2022
    Inventors: Jeffrey Charles Shiner, Lance W. Dover, Olivier Duval
  • Publication number: 20220129389
    Abstract: A security server to provide security services over a computer network based on security features of memory devices connected to host systems. For example, the security features of a memory device can include a unique device secret, a cryptographic engine, and an access controller to implement access privileges represented by cryptographic keys. After receiving identity data that is generated by the memory device and represented by a cryptographic key, the security server can determine authenticity of the memory device based on its copy of the unique device secret of the memory device. The security server can generate a verification code for a command and cause the command and the verification code to be communicated to the memory device, where the access controller of the memory device validates the verification code in determining whether to block execution of the command in the memory device.
    Type: Application
    Filed: September 24, 2021
    Publication date: April 28, 2022
    Inventors: Jeffrey Charles Shiner, Lance W. Dover, Olivier Duval
  • Patent number: 11294582
    Abstract: The disclosed embodiments are related to securely updating a semiconductor device. In one embodiment, a method comprises receiving a command; generating, by the semiconductor device, a response code in response to the command; returning the response code to a processing device; receiving a command to replace a storage root key of the device; generating a replacement key based on the response code; and replacing an existing key with the replacement key.
    Type: Grant
    Filed: September 8, 2020
    Date of Patent: April 5, 2022
    Assignee: Micron Technology, Inc.
    Inventor: Lance W. Dover
  • Publication number: 20220078022
    Abstract: The disclosed embodiments are related to securely updating a semiconductor device and in particular to a key management system. In one embodiment, a method is disclosed comprising receiving a request for an activation code database from a remote computing device, the request including at least one parameter; retrieving at least one pair based on the at least one parameter, the pair including a unique ID (UID) and secret key; generating an activation code for the UID; and returning the activation code to the remote computing device.
    Type: Application
    Filed: September 8, 2020
    Publication date: March 10, 2022
    Inventor: Lance W. Dover
  • Publication number: 20220075537
    Abstract: The disclosed embodiments are related to securely updating a semiconductor device. In one embodiment, a method comprises receiving a command; generating, by the semiconductor device, a response code in response to the command; returning the response code to a processing device; receiving a command to replace a storage root key of the device; generating a replacement key based on the response code; and replacing an existing key with the replacement key.
    Type: Application
    Filed: September 8, 2020
    Publication date: March 10, 2022
    Inventor: Lance W. Dover
  • Publication number: 20220078018
    Abstract: The disclosed embodiments are related to securely updating a semiconductor device and in particular to a key management system. In one embodiment, a method is disclosed comprising storing a plurality of activation codes, each of the activation codes associated with a respective unique identifier (UID) of a semiconductor device; receiving, over a network, a request to generate a new storage root key (SRK), the request including a response code and a requested UID; identifying a selected activation code from the plurality of activation codes based on the requested UID; generating the SHRSRK value using the response code and the selected activation code; associating the SHRSRK value with the requested UID and storing the SHRSRK value; and returning an acknowledgement in response to the request.
    Type: Application
    Filed: September 8, 2020
    Publication date: March 10, 2022
    Inventor: Lance W. Dover
  • Publication number: 20220057945
    Abstract: Methods, systems, and devices for security techniques for low power state of memory device are described. A host device may initiate a low power state of a memory device. The host device may store a first value of a counter associated with the memory device operating in the low power state and transmit a command to the memory device to enter the low power state. The memory device may increment the counter based on receiving the command and increment the counter to a second value. The host device may validate the memory device based on a difference between the first value of the counter stored by the host device and the second value of the counter.
    Type: Application
    Filed: August 6, 2021
    Publication date: February 24, 2022
    Inventors: Aaron P. Boehm, Lance W. Dover, Steffen Buch
  • Publication number: 20220057960
    Abstract: Methods, systems, and devices for host verification for a memory device are described. A memory device may receive a first value from a host device that is associated with an identification of the host device after an event. The memory device may transmit a second value to the host device that is based on the first value and comprises a random set of bits. The memory device may receive from the host device data or a command that comprises an encrypted third value that is based at least in part on the second value and a secret shared between the host device and the memory device. The memory device may also enable a functionality of the memory device based on the encrypted third value.
    Type: Application
    Filed: August 6, 2021
    Publication date: February 24, 2022
    Inventors: Aaron P. Boehm, Steffen Buch, Lance W. Dover
  • Publication number: 20220058295
    Abstract: Methods, systems, and devices for safety and security for memory are described. In some examples, data associated with a memory device may be authenticated before an associated operation is executed. The data may be authenticated before it is executed at a volatile memory. The data may be associated with a hash (e.g., a first hash) and may be communicated from the memory device to a host device. At the host device, the data and the first hash may be written (e.g., stored) to temporary storage, such as a cache. Once stored to the cache, the host device may generate an additional hash (e.g., a second hash) related to the data using a key inaccessible to the memory device. If the first hash and second hash match, the data may be authenticated and one or more operations may be executed.
    Type: Application
    Filed: August 6, 2021
    Publication date: February 24, 2022
    Inventors: Aaron P. Boehm, Lance W. Dover, Steffen Buch
  • Publication number: 20220021544
    Abstract: A secure memory device is disclosed. In one embodiment, the memory device includes a controller configured to decode and execute commands issued by a host device; a cryptographic engine, the cryptographic engine configured to authenticate a subset of the commands, the subset of the commands each including a digital signature; and a first monotonic counter, the first monotonic counter being incremented after executing at least some of the subset of the commands, wherein a value of the first monotonic counter is used to generate the digital signature.
    Type: Application
    Filed: July 6, 2021
    Publication date: January 20, 2022
    Inventor: Lance W. Dover
  • Publication number: 20210350032
    Abstract: Various examples are directed to systems and methods for providing a digital fingerprint of a selected portion of a memory device to a host device. A host device executing at a host device may send to a driver a command to produce digital fingerprint data. The command may include an output pointer indicating a memory location of the local memory. The driver may generate a modified command that does not include the output pointer. The driver may send the modified command to a memory device. The driver may receive a reply comprising the digital fingerprint data and write the digital fingerprint data to a location at the memory location of local memory of the host device indicated by the output pointer.
    Type: Application
    Filed: December 27, 2019
    Publication date: November 11, 2021
    Inventors: Lance W. Dover, Olivier Duval
  • Publication number: 20210240869
    Abstract: A secure memory device for secure data storage and related method are provided. The device may include an accessible data storage area configured to store data, a start location register that points to a start of the accessible data storage area, and a size-related register that allows a size of the accessible data storage area to be determined. A secret area comprises a device secret that is a value unique to the device, and that is not accessible from external to the device, and is accessible under at least one predefined condition internal to the device, an access control element configured to prevent external access to the secret data. A generator generates a derived secret based on the storage data and the secret data that is usable to authenticate the storage data. The device may also include a memory bus over which the derived secret is communicated.
    Type: Application
    Filed: April 19, 2021
    Publication date: August 5, 2021
    Inventor: Lance W. Dover
  • Publication number: 20210200631
    Abstract: A storage device includes a memory storage region and a controller having a processor. The processor retrieves user data from the memory storage region using a physical block address corresponding to a logical block address (LBA), in response to a read command. The retrieved user data includes a first hash received through a host interface in a prior host data transmission. The processor further performs error correction on the user data to generate error-corrected user data. The processor further causes a cryptographic engine to produce a second hash of the error-corrected user data. The first hash is compared to the second hash associated with the error-corrected user data to determine a match result. A notification is generated in response to the match result.
    Type: Application
    Filed: September 8, 2020
    Publication date: July 1, 2021
    Inventors: David Aaron Palmer, Nadav Grosz, Lance W. Dover, Yoav Weinberg
  • Patent number: 10984136
    Abstract: A secure memory device for secure data storage and related method are provided. The device may include an accessible data storage area configured to store data, a start location register that points to a start of the accessible data storage area, and a size-related register that allows a size of the accessible data storage area to be determined. A secret area comprises a device secret that is a value unique to the device, and that is not accessible from external to the device, and is accessible under at least one predefined condition internal to the device, an access control element configured to prevent external access to the secret data. A generator generates a derived secret based on the storage data and the secret data that is usable to authenticate the storage data. The device may also include a memory bus over which the derived secret is communicated.
    Type: Grant
    Filed: August 31, 2017
    Date of Patent: April 20, 2021
    Assignee: Micron Technology, Inc.
    Inventor: Lance W. Dover