Patent classifications
H04L2209/64
Securely operating a process using user-specific and device-specific security constraints
A method for enforcing secure processes between a user and a device involves determining that the user has initiated installation of a secure application, installing the RA part of the secure application, triggering a trusted UI session upon realization that the TA part of the secure application is not installed, receiving, via the trusted UI session, user credentials for authenticating the user and enforcing user-specific and device-specific security, cryptographically signing combined user credentials with a cryptographic signature to obtain an authentication object, passing the authentication object to a service provider associated with the secure application for extraction of the user credentials, and generating an authorization token permitting the installation of the TA part of the secure application upon verification of the cryptographically signed authentication object.
SYSTEMS AND METHODS FOR SECURE DETOKENIZATION
A method for requesting a credential associated with a token in a multiple token layer environment is disclosed. A tokenization certificate serves to validate the identity of a credential requestor and provide information about the requestor's authorization for de-tokenizing a token. Also, a public key in the tokenization certificate is used to encrypt the credential for secure transmission to the requestor.
Computerized system and method for deployment of management tunnels
Methods and systems for deploying management tunnels between managed and managing devices are provided. According to one embodiment, the use of PKI-authenticated serial numbers within network devices manufactured by a particular manufacturer enables one-step provisioning of one or more managed devices. A managed device is provisioned with the serial number of a management device manufactured by the particular manufacturer. When the managed device is installed within a network, the management device is located by the managed device with the assistance of a locator server and the managed device initiates establishment of an encrypted management tunnel with the management device. Prior to allowing the management device to use the management tunnel to perform management functionality in relation to the managed device, credentials of the management device are verified by the managed device by comparing the PKI-authenticated unique identifier of the management device to that which is stored within the managed device.
Certificate exchange mechanism for wireless networking
A wireless communications system comprises a sector controller that includes a wireless transmitter, and a mobile subscriber station that includes a wireless receiver and a memory. The wireless transmitter continuously transmits frames. Each frame comprises a control field, and the control field comprises a portion of an encryption certificate associated with the sector controller. The wireless receiver receives each frame, extracts the portion of the encryption certificate, and stores that portion in the memory. The mobile subscriber station combines the portions of the encryption certificate stored in the memory and verifies that a complete encryption certificate has been received. After this, the mobile subscriber station transmits its encryption certificate to the sector controller. The encryption certificates are based on an elliptic curve digital signature algorithm.
Digital certificate issuer-correlated digital signature verification
A message including a digital signature of a message originator is received at a processor. In response to determining that the message originator is authorized by a data protection policy to originate the message, a determination is made as to whether a specific authorized certificate issuer is configured for the message originator within a data protection policy. In response to determining that the specific authorized certificate issuer is configured for the message originator within the data protection policy, a determination is made as to whether a message originator certificate used to generate the digital signature of the message originator is issued by the specific authorized certificate issuer configured for the message originator within the data protection policy.
Secure boot devices, systems, and methods
A secure boot method includes: obtaining a certificate digest at a digest processor from a write-once, always-on memory; calculating a flash digest using the digest processor by cryptographically processing a sensitive information image; and comparing, using the digest processor, the flash digest with the certificate digest.
SECURING A COMPUTING DEVICE ACCESSORY
Various embodiments are disclosed that relate to security of a computer accessory device. For example, one non-limiting embodiment provides a host computing device configured to conduct an initial portion of a mutual authentication session with an accessory device, and send information regarding the host computing device and the accessory device to a remote pairing service via a computer network. The host computing device is further configured to, in response, receive a pairing certificate from the remote pairing service, the pairing certificate being encrypted via a private key of the remote pairing service, and complete the mutual authentication with the accessory device using the pairing certificate from the remote pairing service.
METHOD AND SYSTEM FOR DIGITAL RIGHTS MANAGEMENT OF DOCUMENTS
An improved method and system for digital rights management is described.
COMPUTERIZED SYSTEM AND METHOD FOR DEPLOYMENT OF MANAGEMENT TUNNELS
Methods and systems for deploying management tunnels between managed and managing devices are provided. According to one embodiment, the use of PKI-authenticated serial numbers within network devices manufactured by a particular manufacturer enables one-step provisioning of one or more managed devices. A managed device is provisioned with the serial number of a management device manufactured by the particular manufacturer. When the managed device is installed within a network, the management device is located by the managed device with the assistance of a locator server and the managed device initiates establishment of an encrypted management tunnel with the management device. Prior to allowing the management device to use the management tunnel to perform management functionality in relation to the managed device, credentials of the management device are verified by the managed device by comparing the PKI-authenticated unique identifier of the management device to that which is stored within the managed device.
Biometric PKI authentication
A mobile device obtains an encryption key pair, including a public key and a private key, and engages in a process that uses the private key for requesting a digital certificate from a Public Key Infrastructure (PKI) Certificate Authority. The mobile device receives a digital certificate signed by the PKI Certificate Authority, and obtains, via a biometric input unit device, biometric data related to an identity of a user of the device. The mobile device derives a password using the biometric data, and stores the public key, the private key, and the digital certificate in a secure key store, password-protecting them using the derived password.