Example of secure monitoring of modular applications and associated edge devices are described herein. In an example, an accreditation request is initiated to accredit at least one of a modular application and an edge device hosting the modular application. The edge device may a device coupling an IoT device to a cloud server. Based on initiating, accreditation information corresponding to at least one of the modular application and the edge device may be received. The accreditation information are generated by a hardware encryption device associated with the edge device. Further, an accreditation status of the modular application may be monitored during execution of the modular application to ascertain whether the modular application and the edge device have been tampered. In case tampering is detected, a remedial action to address the tampering may be performed.

Example of secure metering of modular applications and associated edge devices are described herein. In an example, a request to secure one or more modular applications associated with one or more edge device may be received. The edge device may be a device authorized to couple an IoT device to a cloud server. A modular application may be a discrete application performing device specific functions or a part of a distributed application, the part being hosted on the IoT device. Further, the request may include a security policy. One or more secure enclaves for executing the modular applications may be generated, based on the security policy. Further, resource utilization in the secure enclaves may be determined based on a predefined unit of consumption using a distributed ledger. Based on the resource utilization, a resource utilization receipt indicative of financial units corresponding to the resource utilization may be generated.

The invention relates to a method for computer systems based on the ARM processor, for example mobile devices, wherein the ARM processor provides fully hardware isolated runtime environments for an operating system (OS) and Trusted Execution Environment (TEE) including an embedded trusted network security perimeter. The isolation is performed by hardware ARM Security Extensions added to ARMv6 processors and greater and controlled by TrustWall software. The invention therefore comprises an embedded network security perimeter running in TEE on one or more processor cores with dedicated memory and storage and used to secure all external network communications of the host device. The invention addresses network communications control and protection for Rich OS Execution Environments and describes minimal necessary and sufficient actions to prevent unauthorized access to or from external networks. The present invention uses hardware platform security capabilities which significantly increase protection of the embedded network security perimeter itself from targeted attacks, in contrast to existing, and representing an improvement of, end-point software firewalls. In addition, embodiments of the invention do not require any modification to the OS system code or network application software.

In one illustrative example, a network cybersecurity procedure may be employed with use of at least one unmanned aerial vehicle (UAV), where the UAV includes an intermediary pairing device for providing a temporary connection between a first network (e.g. a private LAN) and a second network (e.g. the Internet). The network cybersecurity procedure may involve deploying the UAV in proximity to the first network, such that the intermediary pairing device pairs with a first pairing device via a first transceiver and with a second pairing device via a second transceiver. A temporary connection is established between the first network connected via the first pairing device and the second network connected via the second pairing device. Data is communicated between a first device (e.g. IoT device) or server of the first network and a second device or server of the second network over the temporary connection. During this time, the intermediary pairing device executes a cybersecurity service function. Once completed, the UAV may be withdrawn out of proximity of the first network. One or more features of the cybersecurity service function may be updated and the UAV redeployed. Multimodal data fusion techniques with use of a plurality of network and device sensors may be employed for device verification and/or anomaly detection.

A method, system, and program product for remotely attesting to a state of computing system is provided. Specifically, the present invention allows a remote system to establish trust in the properties of the computer system. The properties to be trusted are expanded from the usual system software layers and related configuration files to novel types of data such as static data specific to the computer system, dynamic data determined at system startup, or dynamic data created as the computer system runs applications.

A method and system of enforcing a computer policy uses a central server to manage user profiles, policies and encryption keys. The server securely supplies the keys to client devices only after checking that the policy has been complied with. The checks include both the identity of the user and the machine identity of the client device. The keys are held in a secure environment of the client device, for example in a Trusted Platform Module (TPM), and remain inaccessible at all times to the end user. Theft or loss of a portable client device does not result in any encrypted data being compromised since the keys needed to decrypt that data are not extractable from the secure environment.

Embodiments of the invention provide enhanced security solutions which are enforced through the use of cryptographic techniques. It is suited for, but not limited to, use with blockchain technologies such as the Bitcoin blockchain. Methods and devices for generating an elliptic curve digital signature algorithm signature (r, w) are described. In one embodiment, a method includes: i) forming, by a node, a signing group with other nodes; ii) obtaining, by the node, based on a secure random number: a) a multiplicative inverse of the secure random number; and b) the first signature component, r, wherein the first signature component is determined based on the secure random number and an elliptic curve generator point; iii) determining, by the node, a partial signature based on a private secret share, the multiplicative inverse of the secure random number and the first signature component; iv) receiving, by the node, partial signatures from other nodes of the signing group; and v) generating, by the node, the second signature component, w, based on determined and received partial signatures.

This invention is directed to an encryption communication system for preventing leakage of a common key and improving the confidentiality of communication information. The encryption communication system uses a pair of a first private portion and a first public portion and a pair of a second private portion and a second public portion in a key predistribution system (KPS) The encryption communication system comprises a ciphertext generator that generates a ciphertext by generating, in a first security chip (TPM) of a first communication apparatus, a first common key by the first private portion held in the first security chip using the second public portion transmitted from a second communication apparatus as a communication partner, and encrypting a plaintext using the first common key in the first security chip, and a decryptor that generates a plaintext by generating, in a second security chip of the second communication apparatus, a second common key by the second private portion held in the second security chip using the first public portion transmitted from the first communication apparatus as a communication partner, and decrypting the ciphertext received from the first communication apparatus using the second common key in the second security chip.

One embodiment described herein provides a system and method for secure attestation. During operation, a Trusted Platform Module (TPM) of a trusted platform receives a request for an attestation key from an application module configured to run an application on the trusted platform. The request comprises a first nonce generated by the application module. The TPM computes an attestation public/private key pair based on the first nonce and a second nonce, which is generated by the TPM, computes TPM identity information based on a unique identifier of the TPM and attestation key, and transmits a public key of the attestation public/private key pair and the TPM identity information to the application module, thereby enabling the application module to verify the public key of the attestation public/private key pair based on the TPM identity information.

During booting of a computing device, multiple security boundaries are generated. A security boundary refers to a manner of operation of a computing device or a portion of the computing device, with a program executing in one security boundary being prohibited from accessing data and programs in another security boundary. As part of booting the computing device measurements of (e.g., hash values or other identifications of) various modules loaded and executed as part of booting the computing device are maintained by a boot measurement system of the computing device. Additionally, as part of booting the computing device, public/private key pairs of one of the security boundaries is generated or otherwise obtained. Private keys of the public/private key pairs are provided to the one security boundary, and the public keys of the public/private key pairs are provided to the boot measurement system.