A system for rendering a content, the rendering of which is subject to conditional access security conditions. The system includes a host device and a detachable security device, the security device configured to decrypt the encrypted content, re-encrypt it under a local key and to deliver the re-encrypted content to the host device while ensuring that the host device applies or otherwise enforces any conditions associated with the rendering of the content.

The integrated circuit includes a CPU configured to operate according to a program, a PUF information output unit configured to output PUF information while power is being supplied, a key pair output unit configured to output a public key and a private key based on the PUF information while power is being supplied, a public key transmitter configured to transmit the public key output from the key pair output unit to the outside, and a shared encryption key decryption unit configured to decrypt encrypted information produced through encryption with the public key and received from the outside with the private key output from the key pair output unit.

A secure programming system and method for provisioning and programming a target payload into a programmable device mounted in a programmer. The programmable device can be authenticated before programming to verify the device is a valid device produced by a silicon vendor. The target payload can be programmed into the programmable device and linked with an authorized manufacturer. The programmable device can be verified after programming the target payload by verifying the silicon vendor and the authorized manufacturer.

An enhanced information assurance system may comprise an improved computer including a central processing unit (CPU) emulator configured to extend the available machine instruction set. The CPU emulator may be configured to emulate machine language instructions taken from a nonnative set of secure opcodes. The CPU emulator may ensure that instructions and data in random access memory (RAM) remain encrypted at all times when in RAM, for example by storing the instructions and data in CPU registers when decrypted on an as-needed basis.

Methods and apparatus provide for: establishing communications between a controller for operation by a user and a center device, wherein the center device is operable to execute at least one application program and to produce an output for display that is manipulated in accordance with inputs received by the center device from the controller device; measuring one or more pieces of biometric information of the user via a biometric sensor circuit of the controller; storing one or more pieces of predetermined user information, including authentication key information about the user in a memory element of the controller; and performing authentication of the user by comparing the measured biometric information with the predetermined authentication key information via a control circuit of the controller, where authentication is satisfied when the comparison indicates a predetermined threshold of concurrence between the measured biometric information and the predetermined authentication key information.

Systems and methods are provided for adding security to client data by maintaining keys providing access to the client data remotely from the client data. In some circumstances, the systems encrypt a cluster of data using an encryption key, associate the cluster of encrypted data with a unique identifier and send the unique identifier and the decryption key to a server for storage. The decryption key is then received from the server and is used to decrypt the cluster of encrypted data. A server can also perform policy checks or trigger additional authentication such as SMS, phone, or email notification before allowing access to a key. Furthermore, in some instances, the server can also prevent access to the stored keys in response to anomalies, such as decommissioning and other asset management events.

Systems and methods are provided for adding security to client data by maintaining decryption keys at a server that provide access to encrypted keys that are maintained at a client system with encrypted client data. A specialized protocol is utilized for accessing the decryption keys from the server. Once obtained, the decryption key is used to decrypt the encrypted key at the client and then the newly decrypted decryption key is used to decrypt the encrypted data. A server can also perform policy checks or trigger additional authentication such as SMS, phone, or email notification before allowing access to the server decryption key. Furthermore, in some instances, the server can also prevent access to the server decryption keys in response to anomalies, such as decommissioning and other asset management events.

An apparatus includes an arbiter circuit and a translation circuit. The arbiter circuit may be configured to generate a first address signal in a virtual memory space by arbitrating among a plurality of clients to access a physical memory space. The clients may be classified as either privileged clients or non-privileged clients. The physical memory space may comprise at least one secure space. The translation circuit may be configured to generate a second address signal by translating a page in the virtual memory space into the physical memory space based on the first address signal. The page may corresponds to a particular one of the clients that won the arbitration. The page may be translated (a) into the secure space if the particular client is one of the privileged clients and (b) outside the secure space otherwise.

A computing system for a secure and reliable firmware update through a verification process, dynamic validation and continuous monitoring for error or failure and speedy correction of Internet of Things (IoT) device operability. The invention uses a Trusted Execution Environment (TEE) for hardware-based isolation of the firmware update, validation and continuous monitoring services. The isolation is performed by hardware System on a Chip (SoC) Security Extensions such as ARM TrustZone or similar technologies on other hardware platforms. The invention therefore comprises Firmware Update Service (FUS), System Validation Service (SMS) and Continuous Monitoring Service (CMS) running in the TEE with dedicated memory and storage, thus providing a trusted configuration management functionality for the operating system (OS) code and applications on IoT devices.

Services running in the TEE use both direct (hardware level) and indirect (software agents inside main execution environment (MEE)) methods of control of the MEE. Embodiments of the invention apply all updates to a staging (new) execution environment (SEE) without changing of the MEE.

Systems and methods are provided for adding security to client data by maintaining keys providing access to the client data remotely from the client data. In some circumstances, the systems encrypt a cluster of data using an encryption key, associate the cluster of encrypted data with a unique identifier and send the unique identifier and the decryption key to a server for storage. The decryption key is then received from the server and is used to decrypt the cluster of encrypted data. A server can also perform policy checks or trigger additional authentication such as SMS, phone, or email notification before allowing access to a key. Furthermore, in some instances, the server can also prevent access to the stored keys in response to anomalies, such as decommissioning and other asset management events.