A system and method for authenticating and enabling an electronic device in an electronic system are disclosed. A particular embodiment includes: an electronic system comprising: a protected device; a requesting device node, executing on a computing system, the requesting device node including: a device query data packet generator to generate a device query packet including data representing one or more identifiers of the protected device and a particular paired system; and an authentication key retriever to obtain an authentication key based on the device query data packet from an authentication provisioning node using an external data communication; and an obfuscation state machine of the particular paired system configured with a pre-defined quantity of state elements, a pre-defined quantity of the state elements being functional state elements, the obfuscation state machine being programmed with the authentication key to cause the obfuscation state machine to transition the protected device from an initial obfuscation state to a functional state.

Systems and methods for implementing a Transport I/O system are described. Network encrypted content may be received by a device. The device may provide the network encrypted content to a secure processor, such as, for example, a smart card. The secure processor obtains a network control word that may be used to decrypt the network encrypted content. The secure processor may decrypt the network encrypted content to produce clear content. In embodiments, the secure processor may then use a local control word to generate locally encrypted content specific to the device. The device may then receive the locally encrypted content from the secure processor and proceed to decrypt the locally encrypted content using a shared local encryption key. The Transport I/O system ensures the protection of the network control word by maintaining the network control word on the secure processor.

The disclosure relates to a method and a device for authenticating an FPGA configuration. The method includes at least partly reading the configuration of a FPGA by the FPGA itself and calculating a first checksum using the read configuration. The method further includes providing an authentication response which confirms that the FPGA configuration is authentic when the first checksum matches a specified checksum, wherein the reading, calculating, and providing are carried out in an obfuscated manner. The authentication response confirming that the FPGA configuration is authentic is not provided or is only provided with a very low degree of probability when the first checksum and the specified checksum do not match. In this regard, an FPGA may check its own configuration.

A collation system 20, which is provided with a client 30 and a server 40, the client 30 includes: a random number generation unit 31 which generates a random number; a concealed information storage unit 32 which stores concealed information generated by concealing registered information and the generated random number using a concealment key; and a concealed index computation unit 33 which, on the basis of the collation information input for collation with the registered information and the concealed information, computes a concealed index, generated by concealing an index indicating closeness between the registered information and the collation information; the server 40 includes a determination unit 41 which uses a release key corresponding to the concealment key and the random number transmitted from the client 30 to determine whether or not the index can be acquired from the concealed index transmitted from the client 30.

An application code obfuscating apparatus includes a secret code divider, a secret code caller, a code converter and an obfuscating part. The secret code divider is configured to divide an application code having a first type into a secret code and a normal code. The secret code caller generating part is configured to generate a secret code caller to call the secret code. The code converter is configured to convert the secret code having the first type to a second type. The obfuscating part is configured to generate a first table and a second table. The first table includes an obfuscated signature of the secret code and a first random vector. The second table includes an offset of the secret code which corresponds to the obfuscated signature of the secret code and a second random vector which is liked with the first random vector.

A method of operation concealment for a cryptographic system includes randomly selecting which one of at least two cryptographic operation blocks receives a key to apply a valid operation to data and outputs a result that is used for subsequent operations. Noise can be added by operating the other of the at least two cryptographic operation blocks using a modified key. The modified key can be generated by mixing the key with a block-unique-identifier, a device secret, a slowly adjusting output of a counter, or a combination thereof. In some cases, noise can be added to a cryptographic system by transforming input data of the other cryptographic operation block(s) by mixing the input data with the block-unique-identifier, device secret, counter output, or a combination thereof. A cryptographic system with operation concealment can further include a distributed (across a chip) or interweaved arrangement of subblocks of the cryptographic operation blocks.

Described are various embodiments of a machine executable code deployment method and system. In one such embodiment, a machine executable code deployment method is described to comprise: compiling machine readable code in a secure digital processing environment to produce a unique ephemeral machine executable code instance representative thereof; deploying the unique ephemeral machine executable code instance to a distinct digital processing environment to be executed thereon for a predetermined runtime period, wherein execution of the unique ephemeral machine executable code instance is automatically terminated after the predetermined runtime period; and repeating the deploying for subsequent unique ephemeral machine executable code instances.

Various embodiments relate to a method of generating a shared secret for use in a symmetric cipher, including: receiving, by a processor, an encoded key Enc(K) and a white-box implementation of the symmetric cipher, where the encoded key Enc(K) is used in the white-box implementation; selecting, by the processor, homomorphic functions ⊙ and .Math. and the values c.sub.1 and c.sub.3 such that Enc(K)⊙c.sub.1=Enc(K.Math.c.sub.3); and transmitting, by the processor, .Math. and c.sub.3 to another device.

This disclosure relates to, among other things, electronic device security systems and methods. Certain embodiments disclosed herein provide for protection of cryptographic keys and/or associated operations using both an operating system security service and a software-based whitebox cryptographic security service executing on a device. Leveraging operating system security services and software-based whitebox cryptographic security services may provide enhanced security when compared to using either service alone to protect cryptographic keys and associated operations. In additional embodiments, server-side cryptographic security solutions may be further used to enhance device security implementations.

The present invention relates to a method to counter DCA attacks of order 2 and higher order applied on an encoded table-based (TCabi,j) implementation of block-cipher of a cryptographic algorithm to be applied to a message (m), said method comprising the steps of: —translating a cryptographic algorithm block-cipher to be applied on a message (m) into a series of look-up tables (Tabi,j),—applying secret invertible encodings to get a series of look-up tables (TCi,j),—computing message-dependent masking values, comprising the computation of at least two shares of masking value (mmask1, mmask2) for the input of the table network based on at least two different message derivation functions (F1, F2),—re-randomizing the tables (TCi,j) using the computed message-dependent masking values (mmask1, mmask2),—computing rounds to be applied on the message (m) based on the randomized network of tables (TCi,j).