Providing authorization and authentication in a cloud for a user of a storage array includes: receiving, by a storage array access module from a client-side array services module, a token representing authentication of user credentials and authorized access privileges defining one or more storage array services accessible by the user, where the token is generated by a cloud-based security module upon authentication of the user credentials and identification of authorized access privileges for the user; receiving, by the storage array access module from the user, a user access request to one or more storage array services; and determining, by the storage array access module, whether to grant the user access request in dependence upon the authorized access privileges represented by the token.

A virtual secure mode is enabled for a virtual machine operating in a computing environment that is associated with a plurality of different trust levels. First, a virtual secure mode image is loaded into one or more memory pages of a virtual memory space of the virtual machine. Then, the one or more memory pages of the virtual memory space are made inaccessible to one or more trust levels having a relatively lower trust level than a launching trust level that is used by a virtual secure mode loader to load the virtual secure mode image. A target virtual trust level is also enabled on a launching virtual processor for the virtual machine that is higher than the launching trust level.

A method for authenticating an object, comprising determining a physical dispersion pattern of a set of elements, determining a physical characteristic of the set of elements which is distinct from a physical characteristic producible by a transfer printing technology, determining a digital code associated with the object defining the physical dispersion pattern, and authenticating the object by verifying a correspondence of the digital code with the physical dispersion pattern, and verifying the physical characteristic.

Methods and systems are provided for power management and security for wireless modules in Machine-to-Machine communications. A wireless module operating in a wireless network and with access to the Internet can efficiently and securely communicate with a server. The wireless network can be a public land mobile network (PLMN) that supports wireless wide area network technology including 3.sup.rd generation (3G) and 4.sup.th generation (4G) networks, and future generations as well. The wireless module can (i) utilize sleep and active states to monitor a monitored unit with a sensor and (ii) communicate with wireless network by utilizing a radio. The wireless module can include power control steps to reduce the energy consumed after sending sensor data by minimizing a tail period of a radio resource control (RRC) connected state. Messages between the wireless module and server can be transmitted according to the UDP or UDP Lite protocol with channel coding in the datagram body for efficiency while providing robustness to bit errors. The wireless module and server can utilize public key infrastructure (PKI) such as public keys to encrypt messages. The wireless module and server can use private keys to generate digital signatures for datagrams sent and decrypt messages received. The communication system between the wireless module and the server can conserve battery life in the wireless module while providing a system that is secure, scalable, and robust.

The following description is directed to a logic repository service. In one example, a method of a logic repository service can include receiving a first request to generate configuration data for configurable hardware using a specification for application logic of the configurable hardware. The method can include generating the configuration data for the configurable hardware. The configuration data can include data for implementing the application logic. The method can include encrypting the configuration data to generate encrypted configuration data. The method can include signing the encrypted configuration data using a private key. The method can include transmitting the signed encrypted configuration data in response to the request.

A module with an embedded universal integrated circuit card (eUICC) can include a received eUICC profile and a set of cryptographic algorithms. The received eUICC profile can include an initial shared secret key for authentication with a wireless network. The module can receive a key K network token and send a key K module token to the wireless network. The module can use the key K network token, a derived module private key, and a key derivation function to derive a secret shared network key K that supports communication with the wireless network. The wireless network can use the received key K module token, a network private key, and the key derivation function in order to derive the same secret shared network key K derived by the module. The module and the wireless network can subsequently use the mutually derived key K to communicate using traditional wireless network standards.

Methods and systems are provided for efficient and secure Machine-to-Machine (M2M) between modules and servers. A module can communicate with a server by accessing the Internet, and the module can include a sensor and/or actuator. The module and server can utilize public key infrastructure (PKI) such as public keys to encrypt messages. The module and server can use private keys to generate digital signatures for datagrams sent and decrypt messages received. The module can internally derive pairs of private/public keys using cryptographic algorithms and a set of parameters. A server can use a shared secret key to authenticate the submission of derived public keys with an associated module identity. For the very first submission of a public key derived the module, the shared secret key can comprise a pre-shared secret key which can be loaded into the module using a pre-shared secret key code.

A host machine operated for a specific purpose can have restricted access to other components in a multi-tenant environment in order to provide for the security of the host machine. The access restriction can prevent the host machine from obtaining updates to critical system-level configurations, but such information can be obtained through a signed command received to an API for the host machine. The command can be signed by a quorum of operators, and the host machine can be configured to verify the signatures and the quorum before processing the command. The host machine can store the updates to ephemeral storage as well as persistent storage, such that upon a reboot or power cycle the host machine can operate with current configuration data.

A data-carrying device and methods of authenticating the same are disclosed. The data-carrying device is described as being capable of communicating via the Near Field Communications (NFC) protocol and may have one or more NFC Data Exchange Format (NDEF) records stored in its memory. The data-carrying device also comprises or has the ability to generate a signature that proves the data-carrying device is the authorized device for storing the one or more NDEF records. A data-carrying device that attempts to transmit an NDEF record without a valid signature may be identified as an unauthorized data-carrying device.

A method for authenticating an object, comprising determining a physical dispersion pattern of a set of elements, determining a physical characteristic of the set of elements which is distinct from a physical characteristic producible by a transfer printing technology, determining a digital code associated with the object defining the physical dispersion pattern, and authenticating the object by verifying a correspondence of the digital code with the physical dispersion pattern, and verifying the physical characteristic.