Patents by Inventor Mark Buer

Mark Buer has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20100254537
    Abstract: A method and system for secure and scalable key management for cryptographic processing of data is described herein. In the method, a General Purpose Cryptographic Engine (GPE) receives key material via a secure channel from a key server and stores the received key encryption keys (KEKs) and/or plaintext keys in a secure key cache. When a request is received from a host to cryptographically process a block of data, the requesting entity is authenticated using an authentication tag included in the request. The GPE retrieves a plaintext key or generates a plaintext key using a KEK if the authentication is successful, cryptographically processes the data using the plaintext key and transmits the processed data. The system includes a key server that securely provides encrypted keys and/or key handles to a host and key encryption keys and/or plaintext keys to the GPE.
    Type: Application
    Filed: April 6, 2009
    Publication date: October 7, 2010
    Applicant: Broadcom Corporation
    Inventors: Mark BUER, Zheng QI
  • Publication number: 20100241841
    Abstract: A system and method for the secure storage of executable code and the secure movement of such code from memory to a processor. The method includes the storage of an encrypted version of the code. The code is then decrypted and decompressed as necessary, before re-encryption in storage. The re-encrypted executable code is then written to external memory. As a cache line of executable code is required, a fetch is performed but intercepted. In the interception, the cache line is decrypted. The plain text cache line is then stored in an instruction cache associated with a processor.
    Type: Application
    Filed: June 1, 2010
    Publication date: September 23, 2010
    Applicant: Broadcom Corporation
    Inventor: Mark BUER
  • Patent number: 7775427
    Abstract: Systems and methods for binding a smartcard and a smartcard reader are provided. A smartcard is provisioned to store a first set of credentials for use in traditional transactions, such as at a brick and mortar retail store, and a second set of credentials for use when performing a transaction using a smartcard reader associated with a user, such as an on-line transaction. The user smartcard reader registers with a smartcard issuer server by cryptographically authenticating a secure processor associated with the smartcard reader. As a result of the registration, the secure processor obtains a set of private keys associated with the second set of credentials. When a request for authorizing a transaction via the user's smartcard reader is received, the smartcard reader cryptographically authenticates itself to the smartcard using a private key associated with a credential to be used to authorize the transaction.
    Type: Grant
    Filed: January 3, 2007
    Date of Patent: August 17, 2010
    Assignee: Broadcom Corporation
    Inventor: Mark Buer
  • Patent number: 7761654
    Abstract: One or more methods and/or systems of utilizing a memory external to an integrated circuit chip are presented. In one embodiment, the system comprises an integrated circuit containing logic circuitry, a one time programmable memory, a control processor, and a data interface. In one embodiment, a method of storing data into a memory comprises programming one or more bits of a one time programmable memory, generating an identifier from the integrated circuit chip, and using the identifier to store data within the memory.
    Type: Grant
    Filed: October 29, 2007
    Date of Patent: July 20, 2010
    Assignee: Broadcom Corporation
    Inventor: Mark Buer
  • Publication number: 20100176464
    Abstract: A sensor is implemented in an integrated circuit. The sensor includes one or more sensor pads that are provided at or near a surface of the integrated circuit. One or more integrated circuit components such as a sense amplifier are provided in the integrated circuit die adjacent the sensor pads. One or more other components are provided in the integrated circuit die adjacent the sensor pads.
    Type: Application
    Filed: March 26, 2010
    Publication date: July 15, 2010
    Applicant: Broadcom Corporation
    Inventor: Mark BUER
  • Patent number: 7734932
    Abstract: A system and method for the secure storage of executable code and the secure movement of such code from memory to a processor. The method includes the storage of an encrypted version of the code. The code is then decrypted and decompressed as necessary, before re-encryption in storage. The re-encrypted executable code is then written to external memory. As a cache line of executable code is required, a fetch is performed but intercepted. In the interception, the cache line is decrypted. The plain text cache line is then stored in an instruction cache associated with a processor.
    Type: Grant
    Filed: June 30, 2004
    Date of Patent: June 8, 2010
    Assignee: Broadcom Corporation
    Inventor: Mark Buer
  • Patent number: 7719074
    Abstract: A sensor is implemented in an integrated circuit. The sensor includes one or more sensor pads that are provided at or near a surface of the integrated circuit. One or more integrated circuit components such as a sense amplifier are provided in the integrated circuit die adjacent the sensor pads. One or more other components are provided in the integrated circuit die adjacent the sensor pads.
    Type: Grant
    Filed: June 21, 2005
    Date of Patent: May 18, 2010
    Assignee: Broadcom Corporation
    Inventor: Mark Buer
  • Publication number: 20100115291
    Abstract: Secure processing systems providing host-isolated security are provided. An exemplary secure processing system includes a host processor and a virtual machine instantiated on the host processor. A virtual unified security hub (USH) is instantiated on the virtual machine to provide security services to applications executing on the host processor. The virtual USH may further include an application programming interface (API) operable to expose the security services to the applications. A further exemplary secure processing system includes a host processor running, for example, a Windows operating system, a low power host processor, and a USH processor configured to provide secure services to both the host processor and the low power host processor, isolating the secure services from the host processor and the low power processor. The USH processor may also include an API to expose the security services to applications executing on the host processor and/or the low power host processor.
    Type: Application
    Filed: October 2, 2009
    Publication date: May 6, 2010
    Applicant: Broadcom Corporation
    Inventor: Mark BUER
  • Publication number: 20100088516
    Abstract: Methods and systems are provided that use smartcards, such as subscriber identity module (SIM) cards, to provide secure functions for a mobile client. One embodiment of the invention provides a mobile communication network system that includes a mobile network, a mobile terminal, a server coupled to the mobile terminal via the mobile network, and a subscriber identity module (SIM) card coupled to the mobile terminal. The SIM card includes a first key and a second key. The first key is used to authenticate an intended user of the mobile terminal to the mobile network. Upon successful authentication of the intended user to the mobile network, the mobile terminal downloads a function offered from the server through the mobile network. The second key is then used by the mobile terminal to authenticate the intended user to the downloaded function so that the intended user can utilize the function.
    Type: Application
    Filed: December 7, 2009
    Publication date: April 8, 2010
    Inventors: Edward H. Frank, Mark Buer, Jeyhan Karaoguz
  • Patent number: 7689760
    Abstract: Systems and methods that may program a non-volatile memory for use in configuring features of a device, such as a set top box, for example, are disclosed. One method may include the steps of beginning a programming cycle; programming mode control bits of the non-volatile memory that correspond to configurations of features of the device; if an interruption occurs during the programming cycle, then rendering the non-volatile memory invalid; and if no interruption occurs during the programming cycle, then rendering the non-volatile memory operational.
    Type: Grant
    Filed: July 20, 2004
    Date of Patent: March 30, 2010
    Assignee: Broadcom Corporation
    Inventors: Jeffrey Douglas Carr, Mark Buer
  • Patent number: 7644272
    Abstract: Methods and systems are provided that use smartcards, such as subscriber identity module (SIM) cards, to provide secure functions for a mobile client. One embodiment of the invention provides a mobile communication network system that includes a mobile network, a mobile terminal, a server coupled to the mobile terminal via the mobile network, and a subscriber identity module (SIM) card coupled to the mobile terminal. The SIM card includes a first key and a second key. The first key is used to authenticate an intended user of the mobile terminal to the mobile network. Upon successful authentication of the intended user to the mobile network, the mobile terminal downloads a function offered from the server through the mobile network. The second key is then used by the mobile terminal to authenticate the intended user to the downloaded function so that the intended user can utilize the function.
    Type: Grant
    Filed: August 30, 2005
    Date of Patent: January 5, 2010
    Assignee: Broadcom Corporation
    Inventors: Edward H. Frank, Mark Buer, Jeyhan Karaoguz
  • Publication number: 20090307751
    Abstract: According to one general aspect, a method of using a network device may include receiving, via an ingress port, a data packet that includes a payload portion, a source network address and a destination network address. In various embodiments, the method may also include determining if the data packet includes a security tag that includes a role based authentication tag. In some embodiments, the method may include, if the data packet includes a security tag that includes a role based authentication tag, transmitting, via an egress port, at least the payload portion and the role based authentication tag towards, in a topological sense, the destination network address.
    Type: Application
    Filed: May 8, 2009
    Publication date: December 10, 2009
    Applicant: Broadcom Corporation
    Inventors: Meg Lin, Mark Buer, Nicholas Ilyadis, Zheng Qi
  • Patent number: 7600122
    Abstract: Methods and apparatus are provided for an entity such as a CPU to efficiently call a cryptography accelerator to perform cryptographic operations. A function call causes the cryptography accelerator to execute multiple cryptographic operations in a manner tailored for specific processing steps, such as steps during a handshake phase of a secured session. The techniques provide efficient use of hardware processing resources, data interfaces, and memory interfaces.
    Type: Grant
    Filed: November 6, 2006
    Date of Patent: October 6, 2009
    Assignee: Broadcom Corporation
    Inventors: Joseph Tardo, Mark Buer, Jianjun Luo, Don Matthews, Zheng Qi, Ronald Squires
  • Publication number: 20090222383
    Abstract: Methods and systems are provided for secure transaction processing. A secure processor may include an integrated wireless card reader and optionally a secure memory. When a request for payment information associated with an on-line transaction is received, the integrated wireless card reader reads data from the payment card. The secure processor may retrieve a set of transaction identifiers from the payment card issuer or optionally a trusted third party. The secure processor transmits one of the retrieved transaction identifiers to the on-line merchant instead of payment card data. The on-line merchant communicates the transaction identifier to the payment card issuer or the trusted third party for validation. Alternatively, the secure processor may encrypt the read payment card data utilizing the payment card number as the shared secret required by the cryptographic algorithm. The secure processor then forwards the encrypted payment card data to the on-line merchant.
    Type: Application
    Filed: March 2, 2009
    Publication date: September 3, 2009
    Applicant: Broadcom Corporation
    Inventors: Charles TATO, Joseph Wallace, Gregory Youngblood, Mark Buer, Rex Kiang
  • Patent number: 7568110
    Abstract: Methods and apparatus are provided for decoupling a cryptography accelerator interface from cryptographic processing cores. A shared resource is provided at the cryptography accelerator interface having multiple input ports. References to data in the shared resource are provided to allow processing and ordering of data in preparation for processing by cryptographic processing cores without substantial numbers of separate buffers in the cryptographic processing data paths.
    Type: Grant
    Filed: January 23, 2003
    Date of Patent: July 28, 2009
    Assignee: Broadcom Corporation
    Inventors: Mark Buer, Donald P. Matthews
  • Publication number: 20090146270
    Abstract: Systems and methods for embedded tamper mesh protection are provided. The embedded tamper mesh includes a series of protection bond wires surrounding bond wires carrying sensitive signals. The protection bond wires are positioned to be vertically higher than the signal bond wires. The protection wires may be bonded to outer contacts on the substrate while the signal bond wires are bonded to inner contacts, thereby creating a bond wire cage around the signal wires. Methods and systems for providing package level protection are also provided. An exemplary secure package includes a substrate having multiple contacts surrounding a die disposed on an upper surface of the substrate. A mesh die including a series of mesh die pads is coupled to the upper surface of the die. Bond wires are coupled from the mesh die pads to contacts on the substrate thereby creating a bond wire cage surrounding the die.
    Type: Application
    Filed: December 8, 2008
    Publication date: June 11, 2009
    Applicant: Broadcom Corporation
    Inventors: Mark BUER, Matthew Kaufmann
  • Publication number: 20090085761
    Abstract: The present invention provides systems, methods, and computer program products for identifying possible attempts to tamper with a terminal using geographic position data. For a terminal, a geographic usage policy is defined that identifies an allowable geographic operational zone for the terminal. The geographic usage policy may also include corrective action or actions based on violations of the usage policy. The type of corrective action may vary based on the details associated with the violation (e.g., distance from the operational zone, time of day, etc.). A tamper identification module receives geographic position data from a global positioning system within the terminal. The tamper identification module then determines whether the received position data is within the allowable geographic operational zone for the terminal. If the position data is not within the allowable geographic operational zone, then the appropriate corrective action is performed.
    Type: Application
    Filed: September 26, 2008
    Publication date: April 2, 2009
    Applicant: Broadcom Corporation
    Inventor: Mark BUER
  • Publication number: 20090077669
    Abstract: A mesh grid protection system is provided. The protection system includes a plurality of grid lines forming a mesh grid proximate to operational logic. The protection system also includes tamper-detection logic coupled to the plurality of grid lines and configured to toggle a polarity of a signal on at least one grid line at each clock cycle and to detect attempts to access the operational logic by comparing a reference signal driving a first end of a grid line to a signal at the opposite end of the grid line.
    Type: Application
    Filed: September 12, 2008
    Publication date: March 19, 2009
    Applicant: Broadcom Corporation
    Inventor: Mark BUER
  • Patent number: 7502463
    Abstract: Methods and apparatus are provided for implementing a cryptography engine for cryptography processing. A variety of techniques are described. A cryptography engine such as a DES engine can be decoupled from surrounding logic by using asynchronous buffers. Bit-sliced design can be implemented by moving expansion and permutation logic out of the timing critical data path. An XOR function can be decomposed into functions that can be implemented more efficiently. A two-level multiplexer can be used to preserve a clock cycle during cryptography processing. Key scheduling can be pipelined to allow efficient round key generation.
    Type: Grant
    Filed: June 26, 2001
    Date of Patent: March 10, 2009
    Assignee: Broadcom Corporation
    Inventors: Zheng Qi, Mark Buer
  • Publication number: 20090064273
    Abstract: Methods and systems are provided for the secure entry and maintenance of data entered via a user input device. A computing device includes a secure processor coupled to one or more user devices. The user devices may be peripheral devices coupled to the secure processor via a wired connection such as a USB or PS/2 interface or via a wireless connection such as Bluetooth. A security boundary associated with the secure processor is established using hardware or cryptographic techniques. Input data received from the user device is stored within the security boundary. Additionally, the secure processor is configured to identify the user peripheral device coupled to the secure processor and to determine whether a request received to access the user peripheral device is allowable based on security policies defined for the user peripheral device.
    Type: Application
    Filed: August 31, 2007
    Publication date: March 5, 2009
    Applicant: Broadcom Corporation
    Inventor: Mark Buer