Patents by Inventor Niklas Lindskog

Niklas Lindskog has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20250016200
    Abstract: Systems and methods for enforcing a policy of a configuration and continuously monitoring the policy on a Reconfigurable Hardware Device (RHD) are provided. In some embodiments, the RHD comprises a loader component, a validator component, and at least one region of programmable logic. The loader component is configured to receive a configuration from an external entity. The validator component is configured to obtain a policy, perform an evaluation of the policy based on information about the RHD, and perform one or more actions based on a result of the evaluation of the policy. In this way, some embodiments herein can restrict what properties the RHD must comply with before the configuration is deployed and possibly sensitive data is exposed. Further, by adopting some embodiments, the RHD can be used to quickly change behavior of a vehicle when encountering a new location or environmental condition.
    Type: Application
    Filed: September 8, 2021
    Publication date: January 9, 2025
    Inventors: Niklas Lindskog, Håkan Englund, Henrik Normann, Lina Pålsson
  • Publication number: 20240333535
    Abstract: Systems and methods are disclosed herein for implementing a secure hardware component by dividing a single Physically Unclonable Function (PUF) into several PUF challenge space subsets and mapping each subset to each requesting entity. In one example of the secure hardware component, the controller divides a challenge space of the PUF into multiple challenge space subsets and performs a mapping of allowed requesting entities to the plurality of challenge space subsets, respectively. The secure hardware component receives a request for an output from the requesting entity, which comprises a set of parameters. The controller determines whether the request is a valid request based on the set of parameters and forwards the challenge to the response generation subsystem. The response generation subsystem generates the output based on the challenge and forwards it to the requesting entity.
    Type: Application
    Filed: April 23, 2021
    Publication date: October 3, 2024
    Inventors: Niklas Lindskog, Håkan Englund
  • Publication number: 20240273243
    Abstract: Systems and methods are disclosed herein for protecting data in a storage device by encrypting or decrypting the data with a Data Encryption Key (DEK). The storage device is communicatively coupled to a host. In one example, the storage device comprises at least one Physically Unclonable Function (PUF) configured to generate PUF responses based on challenges and an authentication output generation module configured to obtain a nonce from the host, obtain an input related to a first PUF response, generate an authentication output based on the input and the nonce using a One-Way Function (OWF), and provide the authentication output to the host. The storage device further comprises a DEK generation module configured to generate a DEK based on a second PUF response and a crypto module to perform encryption or decryption of data using the DEK.
    Type: Application
    Filed: June 7, 2021
    Publication date: August 15, 2024
    Inventors: Niklas Lindskog, Håkan Englund
  • Publication number: 20240275617
    Abstract: Systems and methods are disclosed herein for protecting data in a storage device by encrypting or decrypting the data with a Data Encryption Key (DEK). The storage device is communicatively coupled to a host. In one example, the storage device receives a credential from the host and authenticates the credential with a transformed credential. A Physically Unclonable Function (PUF) generates a PUF response based on a challenge, responsive to successful authentication of the credential from the host. Based on the PUF response, a DEK generation module in the storage device generates a DEK. A crypto module in the storage device uses the DEK and performs encryption of data to be stored in the storage device and/or decryption of data being assessed by the host.
    Type: Application
    Filed: June 7, 2021
    Publication date: August 15, 2024
    Inventors: Niklas Lindskog, Håkan Englund
  • Publication number: 20240214225
    Abstract: Systems and methods are disclosed herein for protecting data in a storage device by encrypting or decrypting the data with a Data Encryption Key (DEK). The storage device is communicatively coupled to a host and is locked with the host by secret sharing. In one example, the storage device comprises a Physically Unclonable Function (PUF) configured to, during a key generation phase of operation, generate a set of DEK responses based on a set of DEK challenges (chal_DEK) and an assembler configured to obtain a set of SED DEK secret shares (SS_SED) based on the first set of DEK responses, receive additional data, and assemble at least the set of SED DEK secret shares (SS_SED) and the additional data to create a DEK master secret. The storage device also comprises a crypto module configured to receive a DEK based on the master secret and perform encryption and/or decryption of data using the DEK.
    Type: Application
    Filed: June 7, 2021
    Publication date: June 27, 2024
    Inventors: Niklas Lindskog, Håkan Englund
  • Publication number: 20240195640
    Abstract: Solutions and methods are disclosed herein for generating a key from outputs of a Physically Unclonable Function (PUF) and using the key for a cryptographic algorithm. In one embodiment, a device generates the key, which comprises (i) receiving a request to generate a key comprising a defined number of bits for a particular cryptography algorithm and (ii) responsive to receiving the request, generating a valid key for the particular cryptography algorithm. The step of generating the valid key further comprises (a) generating one or more first challenges for a PUF, which is one or more of a plurality of challenges in a challenge space of the PUF, (b) generating a first potential key based on one or more first responses by the PUF responsive to the one or more first challenges, and (c) determining whether the first potential key satisfies one or more predefined criteria for the particular cryptography algorithm.
    Type: Application
    Filed: April 23, 2021
    Publication date: June 13, 2024
    Inventors: Niklas Lindskog, Håkan Englund
  • Publication number: 20240187222
    Abstract: Systems and methods are disclosed herein for providing a secure hardware component for protecting cryptographic keys used in relation to a client device by using a Physically Unclonable Function (PUF) and, in some embodiments, client device authorization. In one embodiment, the secure hardware component comprises an Input/Output (I/O) port, a key generation subsystem, and a cryptographic module. The key generation subsystem comprises the PUF and receives first data related to at least one cryptographic algorithm from the client device, via the I/O port, and generates a key for the at least one cryptographic algorithm in accordance with the first data using the PUF. The cryptographic module receives second data from the client device and generates third data based on the second data and the key, and provides the third data to the client device. Accordingly, the client device is better protected from external attacks.
    Type: Application
    Filed: April 23, 2021
    Publication date: June 6, 2024
    Inventors: Niklas Lindskog, Håkan Englund
  • Publication number: 20230351057
    Abstract: A security component (102, 202) for a device (200) is disclosed. The security component (102) comprises a Physically Unclonable Function (PUF) (150) having a plurality of sub functions (152), and a management module (110) that is configured to manage the PUF (150) in accordance with a policy. The management module (110) comprises a measurement module (112) configured to receive, from a device boot process, at least one of a measurement of a component on the device or a measurement of a hardware state of the device, and a rule module (114) configured to compare the received measurement to at least one rule that implements the policy, and to enter a policy state on the basis of the comparison. The management module further comprises a control module (116) configured to configure the PUF (150) in accordance with a policy state entered by the rule module. Also disclosed is a method (300) for operating a security component.
    Type: Application
    Filed: June 26, 2020
    Publication date: November 2, 2023
    Inventors: Niklas Lindskog, Håkan Englund
  • Publication number: 20230317187
    Abstract: There is provided a verifiable OTP memory device, the memory device including an MTP memory block and an OTP memory block for storing data, and a memory controller. The memory controller is configured to handle write requests and read requests. Each write request and read request pertains to writing data to, and reading data from, respectively, a requested position in either the MTP memory block or the OTP memory block. The memory controller is configured to, in response to the write requests, write the data to the requested position in either the MTP memory block or the OTP memory block. The memory controller is configured to, in response to the read requests, output data as combined from the requested position in the MTP memory block and the requested position in the OTP memory block, regardless if the read requests are for the MTP memory block or the OTP memory block.
    Type: Application
    Filed: August 26, 2020
    Publication date: October 5, 2023
    Inventors: Niklas Lindskog, Håkan Englund
  • Publication number: 20230281286
    Abstract: There are provided mechanisms for generating a cryptographic key for a user. The method is performed by a cryptographic key generator device. The method comprises authenticating the user using biometrics data read from the user using a biometrics reader. The method comprises obtaining, only when having authenticated the user, a PUF response from a PUF entity by providing a challenge based on biometrics response data to the PUF entity. The biometrics response data is a function of the biometrics data. The method comprises generating the cryptographic key using a cryptographic function and by seeding the cryptographic function with the PUF response.
    Type: Application
    Filed: August 26, 2020
    Publication date: September 7, 2023
    Inventors: Niklas Lindskog, Håkan Englund
  • Publication number: 20230261884
    Abstract: A security component (102, 202) for a device (200) is disclosed. The security component comprises a Physically Unclonable Function (PUF) (150) that is operable to accept a plurality of challenges and to generate a corresponding plurality of responses. The security component further comprises control logic (110) configured to generate a challenge for submission to the PUF on the basis of at least one of measurements of components booted on the device or a measurement of a hardware state of the device. The PUF comprises a plurality of sub functions (152), and the challenge determines how the sub functions are used by the PUF to generate a PUF response. Also disclosed is a method (300) for operating a security component.
    Type: Application
    Filed: June 26, 2020
    Publication date: August 17, 2023
    Inventors: Niklas Lindskog, Håkan Englund