Patents by Inventor Olivier DUVAL

Olivier DUVAL has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20220382916
    Abstract: A system, apparatus and method to provide vendor independent access to secure memory devices via an abstraction layer, which can be implemented via an operating system kernel and one or more utility programs. After receiving a request to perform a function, the abstraction layer uses parameters provided in the request to generate at least one first command in a format independent of a specification of the memory device. The at least one first command is provided to a device driver of the memory device identified in the request, causing the memory device to generate at least one second command to the memory device according to the specification of the memory device. The second command includes a signature generated using a portion of the second command; and the function is implemented by execution of the at least one second command in the memory device.
    Type: Application
    Filed: April 22, 2022
    Publication date: December 1, 2022
    Inventors: Olivier Duval, Shivamurthy Shastri
  • Patent number: 11508433
    Abstract: Methods, systems, and devices for a differential write operation are described. The operations described herein may be used to alter a portion of a program file from a first state to a second state. For example, a file (e.g., a patch file) that is associated with a signature may be received at a memory device. Based on an authentication process, the file may be used to alter the program file to the second state. In some examples, the program file may be altered to the second state using a buffer of the memory device. A host system may transmit a file that includes the difference between the first state and the second state. A signature may be associated with the file and may be used to authenticate the file.
    Type: Grant
    Filed: May 4, 2021
    Date of Patent: November 22, 2022
    Assignee: Micron Technology, Inc.
    Inventor: Olivier Duval
  • Publication number: 20220366054
    Abstract: Methods, systems, and devices for authenticating software images are described. Software images may include different portions (e.g., different versions, different users) that may be authenticated using hashes associated with an underlying data structure of the portion of the software image. In some examples, hashes (e.g., first hashes) associated with the software image may be generated and stored using a tree structure, such that a previous hash may be used when calculating a hash associated with a new portion of the software image. To authenticate a portion of the software image, a command may be issued, and a second hash may be calculated using the current data structure of the software image. The second hash may be compared to the associated first hash, and the software image may be authenticated based on the hashes matching.
    Type: Application
    Filed: July 22, 2022
    Publication date: November 17, 2022
    Inventor: Olivier Duval
  • Patent number: 11501027
    Abstract: A system, method and apparatus to record a file in a file system that is mounted in a secure section of a memory device. The memory device authenticates a requester to write data into the secure section based on whether the requester is in possession of a cryptographic key. Nonprivileged modules of the operating system can write into a nonsecure section of the memory device. Requests to write or change a file can be recorded by nonprivileged modules into the nonsecure section for subsequent committing into the file system. In response to a request to commit the file, a security manager having the cryptographic key is called to identify, based on the records in the nonsecure section, data eligible to be written into the secure section. The security manager can generate commands, signed using the cryptographic key, to write the content of the file into the secure memory section.
    Type: Grant
    Filed: February 8, 2021
    Date of Patent: November 15, 2022
    Assignee: Micron Technology, Inc.
    Inventor: Olivier Duval
  • Publication number: 20220350894
    Abstract: A system, method and apparatus to authenticate an endpoint having a secure memory device. For example, at boot time of the endpoint, a cryptographic hash value of the boot loader stored in the memory device is used to generate a device identifier of the memory device; and identification data of multiple components of the endpoint is used with the device identifier of the memory device to generate a first key pair key and a second key. A counter value is retrieved from a monotonic counter to generate a certificate signed using a private key in the first key pair. The certificate can be sent over the computer network to a remote server for authentication using a public key in the first key pair. The second key pair can be authenticated and used to establish encryption for a communication connection between the endpoint and the server.
    Type: Application
    Filed: July 15, 2022
    Publication date: November 3, 2022
    Inventor: Olivier Duval
  • Patent number: 11423154
    Abstract: A system, method and apparatus to authenticate an endpoint having a secure memory device. For example, at boot time of the endpoint, a cryptographic hash value of the boot loader stored in the memory device is used to generate a device identifier of the memory device; and identification data of multiple components of the endpoint is used with the device identifier of the memory device to generate a first key pair key and a second key. A counter value is retrieved from a monotonic counter to generate a certificate signed using a private key in the first key pair. The certificate can be sent over the computer network to a remote server for authentication using a public key in the first key pair. The second key pair can be authenticated and used to establish encryption for a communication connection between the endpoint and the server.
    Type: Grant
    Filed: October 26, 2020
    Date of Patent: August 23, 2022
    Assignee: Micron Technology, Inc.
    Inventor: Olivier Duval
  • Patent number: 11416621
    Abstract: Methods, systems, and devices for authenticating software images are described. Software images may include different portions (e.g., different versions, different users) that may be authenticated using hashes associated with an underlying data structure of the portion of the software image. In some examples, hashes (e.g., first hashes) associated with the software image may be generated and stored using a tree structure, such that a previous hash may be used when calculating a hash associated with a new portion of the software image. To authenticate a portion of the software image, a command may be issued, and a second hash may be calculated using the current data structure of the software image. The second hash may be compared to the associated first hash, and the software image may be authenticated based on the hashes matching.
    Type: Grant
    Filed: June 18, 2020
    Date of Patent: August 16, 2022
    Assignee: Micron Technology, Inc.
    Inventor: Olivier Duval
  • Patent number: 11416420
    Abstract: Various examples are directed to systems and methods for programming memory. A programming appliance may receive a command file comprising a first pre-generated digital signature. The first pre-generated digital signature may be associated with a memory system, with a first command and with a first memory system counter value. The programming appliance may send to a memory system a first command message. The first command system may comprise the first command and the first pre-generated digital signature.
    Type: Grant
    Filed: November 30, 2020
    Date of Patent: August 16, 2022
    Assignee: Micron Technology, Inc.
    Inventor: Olivier Duval
  • Patent number: 11418353
    Abstract: Methods, systems, and devices for security descriptor generation are described. An end device may be authenticated based on a certificate and a device key based on a security descriptor. The security descriptor may be generated based on publicly-available information such as time of day information, geographical information, or a default set of information. The security descriptor may be used for generation of a certificate accessible by a server used for authenticating the device and also may be used by an end device to generate a device key for verification by the server authenticating the device.
    Type: Grant
    Filed: August 26, 2019
    Date of Patent: August 16, 2022
    Assignee: Micron Technology, Inc.
    Inventor: Olivier Duval
  • Publication number: 20220253564
    Abstract: A system, method and apparatus to record a file in a file system that is mounted in a secure section of a memory device. The memory device authenticates a requester to write data into the secure section based on whether the requester is in possession of a cryptographic key. Nonprivileged modules of the operating system can write into a nonsecure section of the memory device. Requests to write or change a file can be recorded by nonprivileged modules into the nonsecure section for subsequent committing into the file system. In response to a request to commit the file, a security manager having the cryptographic key is called to identify, based on the records in the nonsecure section, data eligible to be written into the secure section. The security manager can generate commands, signed using the cryptographic key, to write the content of the file into the secure memory section.
    Type: Application
    Filed: February 8, 2021
    Publication date: August 11, 2022
    Inventor: Olivier Duval
  • Publication number: 20220245231
    Abstract: Methods, systems, and devices for authenticating a device using a remote host are described. In some systems, a management server may identify a software update for a device and transmit a notification that the software update is sent to the device. In some cases, the system may also include a field server. The field server may receive the notification and set a flag, in a memory, that indicates an association between the device and the software update. The field server may receive, from the device, a connection request that includes a certificate associated with a key for authenticating the device and accept the key as valid based on the flag indicating the update to the software.
    Type: Application
    Filed: April 21, 2022
    Publication date: August 4, 2022
    Inventor: Olivier Duval
  • Patent number: 11334655
    Abstract: Methods, systems, and devices for authenticating a device using a remote host are described. In some systems, a management server may identify a software update for a device and transmit a notification that the software update is sent to the device. In some cases, the system may also include a field server. The field server may receive the notification and set a flag, in a memory, that indicates an association between the device and the software update. The field server may receive, from the device, a connection request that includes a certificate associated with a key for authenticating the device and accept the key as valid based on the flag indicating the update to the software.
    Type: Grant
    Filed: November 19, 2019
    Date of Patent: May 17, 2022
    Assignee: Micron Technology, Inc.
    Inventor: Olivier Duval
  • Publication number: 20220129389
    Abstract: A security server to provide security services over a computer network based on security features of memory devices connected to host systems. For example, the security features of a memory device can include a unique device secret, a cryptographic engine, and an access controller to implement access privileges represented by cryptographic keys. After receiving identity data that is generated by the memory device and represented by a cryptographic key, the security server can determine authenticity of the memory device based on its copy of the unique device secret of the memory device. The security server can generate a verification code for a command and cause the command and the verification code to be communicated to the memory device, where the access controller of the memory device validates the verification code in determining whether to block execution of the command in the memory device.
    Type: Application
    Filed: September 24, 2021
    Publication date: April 28, 2022
    Inventors: Jeffrey Charles Shiner, Lance W. Dover, Olivier Duval
  • Publication number: 20220129559
    Abstract: A system, method and apparatus to authenticate an endpoint having a secure memory device. For example, at boot time of the endpoint, a cryptographic hash value of the boot loader stored in the memory device is used to generate a device identifier of the memory device; and identification data of multiple components of the endpoint is used with the device identifier of the memory device to generate a first key pair key and a second key. A counter value is retrieved from a monotonic counter to generate a certificate signed using a private key in the first key pair. The certificate can be sent over the computer network to a remote server for authentication using a public key in the first key pair. The second key pair can be authenticated and used to establish encryption for a communication connection between the endpoint and the server.
    Type: Application
    Filed: October 26, 2020
    Publication date: April 28, 2022
    Inventor: Olivier Duval
  • Publication number: 20220129259
    Abstract: A server system to customize firmware of an endpoint via an online firmware store in connection with validating authenticity of the endpoint. For example, a customized version of firmware can be ordered for the endpoint prior to the use of the endpoint. After receiving a request having identity data generated by a memory device configured in the endpoint, the server system can determine, based on a secret of the memory device, the authenticity of the endpoint having the current firmware. An update to firmware stored in the memory device and executed in the endpoint to generate the request is identified. The server system generates a verification code for a command executable in the memory device to perform the update. After receiving the command and the verification code, the memory device validates the verification code to determine whether to execute the command for firmware update.
    Type: Application
    Filed: September 24, 2021
    Publication date: April 28, 2022
    Inventors: Jeffrey Charles Shiner, Lance W. Dover, Olivier Duval
  • Publication number: 20220131848
    Abstract: A server system stores data associating a secret of the memory device configured in an endpoint, a first identification, and device information of the endpoint. After receiving a request to bind a second identification to the endpoint, the server system can tie identity data of the endpoint to the second identification. For example, after receiving a validation request containing identity data generated by the memory device, the server system can verify a verification code in the identity data based at least in part on the secret of the memory device. The verification code is generated from a message presented in the identity data and a cryptographic key derived at least in part from the secret. Based on validating the identity data, the server system can provide a validation response to indicate that the identity data is generated by the endpoint having the second identification.
    Type: Application
    Filed: September 24, 2021
    Publication date: April 28, 2022
    Inventors: Jeffrey Charles Shiner, Lance W. Dover, Olivier Duval
  • Publication number: 20220129391
    Abstract: A security server to implement security operations during validation of the identity of an endpoint based on activity data of the endpoint. For example, a server system stores data representative of preferences for the endpoint. After receiving a validation request containing identity data generated by a memory device configured in the endpoint, the server system can validate the identity data based at least in part on a secret of the memory device. If the identity data is valid, the server system can further determine whether an activity, as identified by the identity data and/or the validation request, satisfies a condition specified for the endpoint. If so, the server system can perform a security operation associated with the condition in providing a validation response in responding to the validation request.
    Type: Application
    Filed: September 24, 2021
    Publication date: April 28, 2022
    Inventors: Jeffrey Charles Shiner, Lance W. Dover, Olivier Duval
  • Publication number: 20220129390
    Abstract: A security server to manage integrity of packages stored in an endpoint based on identity authentication implemented using security features of a memory device configured in the endpoint. For example, the security server validates identity data generated by the memory device based at least in part on a secret of the memory device. The server can extract, from the identity data, health information of a package stored in the endpoint and determine, based at least in part on the health information, whether or not to update or repair the package currently stored in the endpoint.
    Type: Application
    Filed: September 24, 2021
    Publication date: April 28, 2022
    Inventors: Jeffrey Charles Shiner, Lance W. Dover, Olivier Duval
  • Publication number: 20220131847
    Abstract: A server system configured to allow a group of endpoints to share a subscription. For example, data can be stored to associate the endpoint group with at least one subscriber identifier. After receiving a validation request containing identity data generated by a memory device configured in an endpoint in the group, the server system can validate the identity data based at least in part on a secret of the memory device. In response to a determination that the identity data is valid, the system can determine that the subscriber identifier is not currently assigned to any endpoint in the group and thus assign, based on the data associating the endpoint group with the subscriber identifier, the subscriber identifier to the endpoint to cause a service offered to an account represented by the subscriber identifier to be provided to the endpoint.
    Type: Application
    Filed: September 24, 2021
    Publication date: April 28, 2022
    Inventors: Jeffrey Charles Shiner, Lance W. Dover, Olivier Duval
  • Publication number: 20220131700
    Abstract: A system, method and apparatus to authenticate an endpoint having a secure memory device. For example, a card profile can be selected, configured, and/or stored into the secure memory device based on endpoint identity data representative of a component configuration of the endpoint, including the device identity representative of the memory device and other components. The card profile can be used by the endpoint to emulate a physical smart card and can be viewed as a virtual smart card, such as a virtual subscriber identification module (SIM) card for accessing a cellular connection.
    Type: Application
    Filed: September 24, 2021
    Publication date: April 28, 2022
    Inventors: Jeffrey Charles Shiner, Lance W. Dover, Olivier Duval