An elliptic curve random number generator avoids escrow keys by choosing a point Q on the elliptic curve as verifiably random. An arbitrary string is chosen and a hash of that string computed. The hash is then converted to a field element of the desired field, the field element regarded as the x-coordinate of a point Q on the elliptic curve and the x-coordinate is tested for validity on the desired elliptic curve. If valid, the x-coordinate is decompressed to the point Q, wherein the choice of which is the two points is also derived from the hash value. Intentional use of escrow keys can provide for back up functionality. The relationship between P and Q is used as an escrow key and stored by for a security domain. The administrator logs the output of the generator to reconstruct the random number with the escrow key.

A method for securely supplying data to be used in parameterizing a device for an industrial automation system includes a first party supplying a second party with a machine-readable standardized container for the exchange of device parameters in industrial automation systems, wherein the supplying comprises writing into the container an encrypted primary security credential to be used by the device for establishing trust with the industrial automation system. In another aspect, a method for securely obtaining data to be used in parameterizing a device for an industrial automation system includes obtaining, from a first party, by a second party, a machine-readable standardized container for the exchange of device parameters in industrial automation systems, the container comprising an encrypted primary security credential to be used by the device for establishing trust with the industrial automation system.

A method may include allocating a number of public keys, where each respective public key is allocated to a respective entity of a number of entities; storing a number of private keys, where each respective private corresponds to a respective public key; storing one or more decryption algorithms, where each respective decryption algorithm is configured to decrypt data previously encrypted using at least one encryption algorithm of the encryption algorithms. Each respective encryption algorithm may be configured to encrypt data using at least one public key. Each respective decryption algorithm may be configured to decrypt data using at least one private key. The method may include receiving encrypted data, where the encrypted data is encrypted using a first public key and a first encryption algorithm, and the encrypted data is provided over a network.

Secure computing environments are employed to effectuate execution of algorithms to process datasets. For this purpose a secure data pipeline is used in which trusted and isolated computing environments receive and process the algorithms and datasets. A trusted and isolated computing environment is a computing environment whose computer code is able to be attested by comparing a digest of the computing environment to a baseline digest of the computing environment that is available to third parties to thereby verify computing environment integrity while also being a computing environment in which only a specified maximum number of application processes and specified system processes implementing the computing environment are able to operate.

A system and method for an eSync bus protocol is provided. The eSync bus protocol uses a broker to route communications between electronic devices within an electronic environment, such as within a vehicle or the like. The electronic devices may first register with the broker, and thereafter send messages to the broker for routing to other registered electronic devices. In this way, the broker may act as an intermediary to route communications using the eSync bus protocol. A multi-client architecture is also provided in which multiple domains may be defined by the functions performed by electronic devices within a respective domain.

A method for managing a storage system includes initiating, by a hardware resource manager, a boot-up of a storage controller managing the storage system comprising a plurality of storage devices, making a determination, by the storage controller, that the storage controller is in a secured mode, based on the determination: identifying a security state of each of the plurality of storage devices, determining that a storage device of the plurality of storage devices is in an unsecured state, and based on the unsecured state, sending, by the storage controller, a security operation request for securing the storage device, obtaining a secure state response from the hardware resource manager corresponding to securing the storage device, and based on the secure state response, resuming operation of the storage controller based on the secure mode.

A method for protected communication is provided. The method comprises defining master keys for different service domains within the scope of influence of a vehicle manufacturer generating a master key reference for the vehicle within the range of influence of the vehicle manufacturer, securely introducing one or more of the cryptographic keys derived from at least one of the defined master keys and the associated master key reference into the vehicle, and transmitting to an external server a message signed with one of the derived cryptographic keys, which is additionally provided with the master key reference and the current status of the vehicle. The method further comprises deriving the at least one cryptographic key in the external server from the master key identified by the master key reference depending on the key status of the vehicle, and checking the authenticity of the signed message with the derived cryptographic key.

Systems, methods, and techniques to update a distributed data structure. In one example, a service provider provides a computer-implemented service accessible to users, in which, upon use of the service by a user, the service provider broadcasts an entry to a distributed data structure of behalf of the user to a network that manages the distributed data structure such that the user can use the service. The entry can relate to various entities associated with the service, such as other users of the service.

A method performed by one or more network node(s) of a wireless telecommunications network to dynamically manage encryption keys for multiple narrowband Internet of Things (NB-IoT) devices of the network. The network node(s) can maintain a database that stores a device profile for each of the NB-IoT devices and obtain multiple encryption keys for the multiple NB-IoT devices. The encryption keys are associated with different encryption strengths ranging from high to ultra-low encryption strengths. The network node(s) can allocate the encryption keys to the NB-IoT devices, detect a change in the condition of the network, capability or communications service of NB-IoT devices, and refresh the encryption keys accordingly to ensure that the network nodes properly balance encryption while providing efficient network performance.

An integrated circuit comprises an interface controller to receive a message, wherein at least a portion of the message is encrypted, a primary processor coupled to the interface controller and configured to process the received message, and a secondary secure processor coupled to the primary processor and to the interface controller. The secondary secure processor is configured to decrypt the portion of the message that is encrypted on behalf of the primary processor, analyze the decrypted portion of the message to determine whether the decrypted portion comprises information pertaining to sensitive data, and responsive to determining that the decrypted portion comprises information pertaining to sensitive data, process the information pertaining to the sensitive data and provide the sensitive data to the interface controller via a secure private bus not accessible by the primary processor.