Abstract: Embodiments of systems and methods disclosed herein include an embedded secret provisioning system that is based on a shared-derivative mechanism. Embodiments of this mechanism use a trusted third-party topology, but only a single instance of a public-private key exchange is required for initialization. Embodiments of the system and methods are secure and any of the derived secret keys are completely renewable in untrusted environments without any reliance on asymmetric cryptography. The derived secrets exhibit zero knowledge attributes and the associated zero knowledge proofs are open and available for review. Embodiments of systems and methods can be implemented in a wide range of previously-deployed devices as well as integrated into a variety of new designs using minimal roots-of-trust.

Abstract: Embodiments of systems and methods disclosed herein include an embedded secret provisioning system that is based on a shared-derivative mechanism. Embodiments of this mechanism use a trusted third-party topology, but only a single instance of a public-private key exchange is required for initialization. Embodiments of the system and methods are secure and any of the derived secret keys are completely renewable in untrusted environments without any reliance on asymmetric cryptography. The derived secrets exhibit zero knowledge attributes and the associated zero knowledge proofs are open and available for review. Embodiments of systems and methods can be implemented in a wide range of previously-deployed devices as well as integrated into a variety of new designs using minimal roots-of-trust.

Abstract: Symmetric key identification systems and methods are disclosed herein. An example system includes a distributed device service that distributes, to devices, dynamic portions of the keyed hashing function, the devices embedding static portions of the keyed hashing function and are each configured to create a secret key from pairs of the static portions and the dynamic portions, the secret key used to generate encrypted session keys that are utilized to facilitate secure sessions and trusted relationships between one or more of the devices, the secret key unknown to a processor of the device to which it belongs.

Abstract: Authorization using symmetric key systems and methods are disclosed herein. An example method includes authenticating nodes by verifying symmetric keys that comprise a static portion and a dynamic portion of a keyed-hashing function having been cryptographically processed, each of the nodes having one of the symmetric keys, comparing the symmetric keys to values stored by a rubicon identity service, exchanging symmetric keys between the nodes when authenticated, pre-provisioning an authorization policy to the nodes, and authorizing a node of the nodes to perform an action defined within the authorization policy.

Abstract: Embodiments as described herein provide systems and methods for sharing secrets between a device and another entity. The shared secret may be generated on the device as a derivative of a secret value contained on the device itself in a manner that will not expose the secret key on the device and may be sent to the entity. The shared secret may also be stored on the device such that it can be used in future secure operations on the device. In this manner, a device may be registered with an external service such that a variety of functionality may be securely accomplished, including, for example, the generation of authorization codes for the device by the external service based on the shared secret or the symmetric encryption of data between the external service and the device using the shared secret.

Abstract: Embodiments of systems and methods disclosed herein include an embedded secret provisioning system that is based on a shared-derivative mechanism. Embodiments of this mechanism use a trusted third-party topology, but only a single instance of a public-private key exchange is required for initialization. Embodiments of the system and methods are secure and any of the derived secret keys are completely renewable in untrusted environments without any reliance on asymmetric cryptography. The derived secrets exhibit zero knowledge attributes and the associated zero knowledge proofs are open and available for review. Embodiments of systems and methods can be implemented in a wide range of previously-deployed devices as well as integrated into a variety of new designs using minimal roots-of-trust.

Abstract: Embodiments as described herein provide systems and methods for sharing secrets between a device and another entity. The shared secret may be generated on the device as a derivative of a secret value contained on the device itself in a manner that will not expose the secret key on the device and may be sent to the entity. The shared secret may also be stored on the device such that it can be used in future secure operations on the device. In this manner, a device may be registered with an external service such that a variety of functionality may be securely accomplished, including, for example, the generation of authorization codes for the device by the external service based on the shared secret or the symmetric encryption of data between the external service and the device using the shared secret.

Abstract: Embodiments of systems and methods disclosed herein include a distributed device activation mechanism involving a group of external entities without using asymmetric cryptography. Systems and methods include techniques for deriving a device secret using a hardware secret and authenticated unique input data provided to the device by one or more external entities. A hardware hash function uses the hardware secret as a key and the authenticated unique input data as input data to output the derived device secret. The derived device secret is written to a security register of the device to enter a new security layer.

Abstract: A server receives a video content identifier and a video player identifier from a video player through a network. The video content identifier identifies video content. The video player identifier identifies a video player. Further, the video player identifier is provided to a hash generator to generate a hash of the video player. In addition, the plaintext of the video content is encrypted with the encryption key to generate ciphertext. The encryption key is encrypted with the hash to generate an encrypted encryption key.

Abstract: A video player sends a video content identifier and a video player identifier through a network to a server. The video content identifier identifies video content. The video player identifier identifies the video player. Further, a first subset of encrypted video content and an initialization vector are received from a server. In addition, a hash of the video player identifier is generated. The first subset of the encrypted video content is decrypted with a decryption key to generate a first result. Further, a first operation on the initialization vector and the hash is performed to generate a second result. In addition, a second operation is performed on the first result and the second result to generate a first subset of plaintext of video content.

Abstract: A server receives a video content identifier and a video player identifier from a video player through a network. The video content identifier identifies video content. The video player identifier identifies a video player. Further, the video player identifier is provided to a hash generator to generate a hash of the video player. In addition, the plaintext of the video content is encrypted with the encryption key to generate ciphertext. The encryption key is encrypted with the hash to generate an encrypted encryption key.

Abstract: A video player sends a video content identifier and a video player identifier through a network to a server. The video content identifier identifies video content. The video player identifier identifies the video player. Further, a first subset of encrypted video content and an initialization vector are received from a server. In addition, a hash of the video player identifier is generated. The first subset of the encrypted video content is decrypted with a decryption key to generate a first result. Further, a first operation on the initialization vector and the hash is performed to generate a second result. In addition, a second operation is performed on the first result and the second result to generate a first subset of plaintext of video content.