Abstract: Methods and systems are described that secure application data being maintained in transient data buffers that are located in a memory that is freely accessible to other components, regardless as to whether those components have permission to access the application data. The system includes an application processor, a memory having a portion configured as a transient data buffer, a hardware unit, and a secure processor. The hardware unit accesses the transient data buffer during execution of an application at the application processor. The secure processor is configured to manage encryption of the transient data buffer as part of giving the hardware unit access to the transient data buffer.

Abstract: A multi-purpose smartcard is disclosed. a computer-implemented method of controlling a smartcard. The smartcard can include a near-field communication (NFC) system. The NFC system can be configured to communicate with remote computing systems. The smartcard can include one or more computing chips embedded in the smartcard. The smartcard receives, from a provisioning computing system accessible to a user, a transaction type indicator and transaction data, the transaction type indicator indicating a particular transaction type from a plurality of potential transaction types. The smartcard stores, in the one or more computer-readable media of the one or more computing chips, the transaction data. The smartcard communicates, using the NFC communication system and in accordance with the transaction type, the transaction data to an authentication computing system.

Abstract: Methods and systems are described that secure application data being maintained in transient data buffers that are located in a memory that is freely accessible to other components, regardless as to whether those components have permission to access the application data. The system includes an application processor, a memory having a portion configured as a transient data buffer, a hardware unit, and a secure processor. The hardware unit accesses the transient data buffer during execution of an application at the application processor. The secure processor is configured to manage encryption of the transient data buffer as part of giving the hardware unit access to the transient data buffer.

Abstract: Methods and systems are described that secure application data being maintained in transient data buffers that are located in a memory that is freely accessible to other components, regardless as to whether those components have permission to access the application data. The system includes an application processor, a memory having a portion configured as a transient data buffer, a hardware unit, and a secure processor. The hardware unit accesses the transient data buffer during execution of an application at the application processor. The secure processor is configured to manage encryption of the transient data buffer as part of giving the hardware unit access to the transient data buffer.

Abstract: A system is described that secures application data being maintained in transient data buffers that are located in a memory that is freely accessible to other components of the system, regardless as to whether those components have permission to access the application data. The system includes an application processor, a memory having a portion configured as a transient data buffer, a hardware unit, and a secure processor. The hardware unit accesses the transient data buffer during execution of an application at the application processor. The secure processor is configured to manage encryption of the transient data buffer as part of giving the hardware unit access to the transient data buffer.

Abstract: A system is described that secures application data being maintained in transient data buffers that are located in a memory that is freely accessible to other components of the system, regardless as to whether those components have permission to access the application data. The system includes an application processor, a memory having a portion configured as a transient data buffer, a hardware unit, and a secure processor. The hardware unit accesses the transient data buffer during execution of an application at the application processor. The secure processor is configured to manage encryption of the transient data buffer as part of giving the hardware unit access to the transient data buffer.

Abstract: Aspects of the subject technology relate to systems and methods for remote storage security. An encryption key is generated based at least on data stored locally by a computing device. The encryption key is bound to a context of the computing device. Data is encrypted using the encryption key. The encrypted data and information associated with the binding of the encryption key are provided for transmission to another computing device.

Abstract: A device including a NAND-flash memory comprising a read-only portion storing boot code and a key, and a system on a chip (SoC) coupled to the NAND-flash memory is provided. The SoC includes a read-only memory (ROM) storing one or more instructions and a processor configured to execute, upon startup, the one or more instructions stored in the ROM to request from the NAND-flash memory the boot code and the key. The processor further configured to load and execute the boot code to perform a chain of trust verification process on subsequent code during a booting process using the key. A method for using the device is also presented.

Abstract: Techniques for peer to peer attestation are provided. An example method includes receiving, at a first device, a discovery message from a second device, based on the discovery message, establishing a communication channel between the first device and the second device, receiving, at the first device, identity information from the second device, the identity information including one or more of: a trusted platform module (TPM) endorsement key certificate, a public portion of an identity key, one or more platform control register (PCR) values or a quote of the PCR values with the identity key, verifying, at the first device, one or more of the PCR values, the quote or the endorsement key certificate and authenticating one or more of the communication channel or the identity information of the second device based on the verification of a signature received from the second device.

Abstract: A device including a NAND-flash memory comprising a read-only portion storing boot code and a key, and a system on a chip (SoC) coupled to the NAND-flash memory is provided. The SoC includes a read-only memory (ROM) storing one or more instructions and a processor configured to execute, upon startup, the one or more instructions stored in the ROM to request from the NAND-flash memory the boot code and the key. The processor further configured to load and execute the boot code to perform a chain of trust verification process on subsequent code during a booting process using the key. A method for using the device is also presented.

Abstract: Techniques for peer to peer attestation are provided. An example method includes receiving, at a first device, a discovery message from a second device, based on the discovery message, establishing a communication channel between the first device and the second device, receiving, at the first device, identity information from the second device, the identity information including one or more of: a trusted platform module (TPM) endorsement key certificate, a public portion of an identity key, one or more platform control register (PCR) values or a quote of the PCR values with the identity key, verifying, at the first device, one or more of the PCR values, the quote or the endorsement key certificate and authenticating one or more of the communication channel or the identity information of the second device based on the verification of a signature received from the second device.

Abstract: Systems and methods for updating operating system software are provided. In some aspects, an update for an operating system of a computing device is received, at a first time, at the computing device. A pre-reboot state of the computing device is stored at a second time. The pre-reboot state includes login information for logging into the computing device as a specified user of the computing device, the specified user of the computing device being logged into the computing device at the second time. The computing device is rebooted. Prior to or during rebooting of the computing device, the operating system of the computing device is updated according to the received update. After rebooting the computing device, user access is provided to the updated operating system according to the stored pre-reboot state of the computing device.

Abstract: A system to facilitate media content protection is provided. The system includes a partitioning component, a key derivation component and an output component. The partitioning component partitions encrypted media content associated with a master key into a plurality of media content segments. The key derivation component generates respective subkeys for the plurality of media content segments based at least in part on the master key and one or more parameters associated with one or more memory operations. The output component generates decrypted media content based at least in part on the respective subkeys.

Abstract: Systems and methods for installing policy settings on a client computing device are provided. In some aspects, the client computing device receives policy data and a public key from a server. The policy data are authenticated based on the public key. Policy settings based on the authenticated policy data are installed on the client computing device. Installing the policy settings based on the authenticated policy data on the client computing device includes storing information based on the policy data in a module on the client computing device. The module is secured by the public key from the server and a signature generated on the client computing device to prevent the stored information from being moved or copied by a user of the client computing device.

Abstract: Systems and methods for enterprise platform verification are provided. In some aspects, a computing device includes a trusted platform module (TPM). The TPM includes an endorsement key (EK) physically embedded in the TPM. The TPM includes an attestation identity key (AIK), the AIK being used to verify that at least one TPM-protected key different from the EK and different from the AIK is generated at the TPM and is non-migratable. The TPM includes an enterprise machine key (EMK), the EMK being certified by the AIK, the EMK being uniquely associated with the client computing device, and the EMK being generated during enrollment of the client computing device with an enterprise and remaining active until a factory reset of the client computing device.

Abstract: To provide a secure installation and execution software environment, locked version numbers are maintained. A locked version number associated with a software program may be stored. When a request is received to update the software program with an update package, a package number of the update package may be compared to the locked version number. The software program may be updated with the update package if the package number is at least as recent as the locked version number, and the updating of the software program with the update package may be restricted if the package number is earlier than the locked version number.

Abstract: A system to facilitate media content protection is provided. The system includes a partitioning component, a key derivation component and an output component. The partitioning component partitions encrypted media content associated with a master key into a plurality of media content segments. The key derivation component generates respective subkeys for the plurality of media content segments based at least in part on the master key and one or more parameters associated with one or more memory operations. The output component generates decrypted media content based at least in part on the respective subkeys.

Abstract: A method includes receiving a request for a device to replace a unique identifier associated with the device with a revocable identifier, generating a revocable identifier for the device, wherein the revocable identifier comprises at least a cryptographic representation of the unique identifier associated with the device and a counter value, checking the generated revocable identifier to determine that the generated revocable identifier has not previously been generated for the device and associating the generated revocable identifier with the device.

Abstract: A sandboxed application issues a request to enable content protection for audio and video content. The request is sent via an application programming interface to an unsandboxed application. The request is received from the unsandboxed application by an output device. After receiving the request, content protection is enabled and the output device employs a certificate to create a signed message indicating the content protection is enabled. The sandboxed application verifies the request has been fulfilled based on the signed message, and provides protected audio and video content.

Abstract: A system and a method for registering an electronic device are provided. An auto-enrollment status of an electronic device by an enterprise is determined based on hash information associated with an identifier for the electronic device. In a case where the auto-enrollment status of the electronic device is determined to require auto-enrollment of the electronic device by the enterprise, one or more configuration settings for the electronic device as designated by the enterprise are identified, and the electronic device is requested to adopt the one or more configuration settings as designated by the enterprise in response to providing the auto-enrollment login interface to the electronic device.