Private delivery drones and methods are disclosed. An example drone includes a first communication interface to receive a first input from a sender representing a delivery area for a payload, a second communication interface to receive a second input from a recipient representing a visual marker of the recipient, the visual marker unknown to the sender, a drone controller to, when the drone reaches the delivery area, visually identify a location in the delivery area to deliver the payload based on the visual marker, and a carrier to deliver the payload to the location.

Systems and methods are disclosed to generate a persistent identifier for a device using a trusted platform module (TPM) of the device, so that the identifier is persistent during the lifetime of the TPM. In embodiments, during an initialization of the TPM, the system obtains an entropy value from the TPM used to generate the device's persistent identifier. The identifier is written to a non-volatile storage of the TPM so that it cannot be erased during the lifetime of the TPM. In embodiments, a persistent keys pair is generated based on the identifier, and also permanently written to the non-volatile storage. In embodiments, the persistent identifier may be measured and verified via TPM quotes. In embodiments, the persistent private key may be used to sign a nonce to prove the identity of the device.

According to various embodiments, a control device is described including an application core including a processor, a memory and a direct memory access controller and a security module coupled to the application core via a computer bus. The direct memory access controller is configured to read data from the memory, generate a hash value for the data and provide the hash value to the security module via the computer bus. The security module is configured to process the hash value.

Disclosed herein are methods, systems, and apparatus, for securely executing smart contract operations in a trusted execution environment (TEE). One of the methods includes establishing, by a key management (KM) TEE of a KM node, a trust relationship with a plurality of KM TEEs in a plurality of KM nodes based on performing mutual attestations with the plurality of KM TEEs; initiating a consensus process with the plurality of KM TEEs for reaching consensus on providing one or more encryption keys to a service TEE of the KM node; in response to reaching the consensus with the plurality of KM TEEs, initiating a local attestation process with a service TEE in the KM node; determining that the local attestation process is successful; and in response to determining that the local attestation process is successful, providing one or more encryption keys to the TEE executing on the computing device.

A method for operating an electronic device is provided. The method includes generating, by an authentication agent, a digital fingerprint of an application, transmitting, by an authentication agent, the generated digital fingerprint to a trusted application on a trusted execution environment (TEE), verifying, by the trusted application, the digital fingerprint, and permitting, by the trusted application, the application to access a secure storage, when the trusted application succeeds in verifying the digital fingerprint.

Trusted client security factor-based authorizations at a server. The techniques allow the server to authorize client requested operations to access a protected resource or service based on trusted client security factors that are obtained at client machines and provided to the server.

A method and apparatus prevents hacker code from infecting an application program by requiring decryption of the application program prior to running the application program on a computer. The method includes steps of: providing a storage device that is a separate unit from components necessary to operate the computer; storing a symmetric private key on the storage device; using the symmetric private key to produce an encrypted application program upon first installation; thereafter decrypting that part of the encrypted application program needed implement a command to run the application program; precluding the computer from running any part of the application program that has not been first encrypted with the symmetric private key; and, decrypting, on the fly, only those follow-on parts of the encrypted application program needed to perform functions called for during operation of the application program.

This specification discloses devices and methods for a security concept that includes an immobile hardware token (e.g., a wall token that is fixed within a wall) which ensures that the more sensitive actions of electronic banking (e.g., money transfers of large sums to foreign bank accounts) can only be done from the account owner's home, but not from a remote place. However, other less sensitive (and lower security risk) actions can still be done from anywhere else. In some embodiments, the hardware token includes sensors to ensure that the token is not moved or tampered with, interfaces to provide distance bounding, and a crypto-processor to provide secure authentication. The distance bounding can be used to determine if the authentication device is in close proximity to the hardware token, which can in turn ensure that the authentication device is within the account owner's home.

Provisioning a requesting device is provided using extended identity attestation for the requesting device. A provisioning request is received at a device provisioning system. The provisioning request includes a registration identifier provided by the requesting device. A plurality of extended attestation components is accessed in an enrollment datastore of the device provisioning system. Each extended attestation component identifies an external computing system. One of the extended attestation components in the enrollment datastore is selected based on the received registration identifier. Execution of the device attestation is initiated at the external computing system identified by the selected extended attestation component to yield an attestation result. Satisfaction of a validity condition by the attestation result is detected. The requesting device is provisioned from the device provisioning system, responsive to detection that the attestation result satisfies the validity condition.

One aspect of the present invention discloses a watermark insertion method. The method includes: segmenting target text into pieces of page content; obtaining a watermark variable comprising a line alternation value indicative of a watermark mode changed for each line of the segmented page content and a watermark mode setting value; and applying a flip-flop component insertion algorithm for inserting a watermark into each of the pieces of segmented page content based on the obtained watermark variable.