Patent classifications
H04L2209/127
ELECTRONIC DEVICE FOR AUTHENTICATING APPLICATION AND OPERATING METHOD THEREOF
A method for operating an electronic device is provided. The method includes generating, by an authentication agent, a digital fingerprint of an application, transmitting, by the authentication agent, the generated digital fingerprint to a trusted application on a trusted execution environment (TEE), verifying, by the trusted application, the digital fingerprint, and permitting, by the trusted application, the application to access a secure storage, when the trusted application succeeds in verifying the digital fingerprint.
ROBUST STATE SYNCHRONIZATION FOR STATEFUL HASH-BASED SIGNATURES
In one example an apparatus comprises a computer readable memory, a signing facility comprising a plurality of hardware security modules, and a state synchronization manager comprising processing circuitry to select, from the plurality of hardware security modules, a set of hardware security modules to be assigned to a digital signature process, the set of hardware security modules comprising at least a first hardware security module and a second hardware module, and assign a set of unique state synchronization counter sequences to the respective set of hardware security modules, the set of state synchronization counter sequences comprising at least a first state synchronization counter sequence and a second state synchronization counter sequence. Other examples may be described.
SELF-CONTAINED CRYPTOGRAPHIC BOOT POLICY VALIDATION
A device-local key derivation scheme generates, during a first boot session for an electronic device, a sealing key that is derived at least in part from a device-generated random seed and an internal secret that is unique to the electronic device. After generating the sealing key, access to the internal secret is disabled for a remainder of the first boot session and until a second boot session is initiated. At runtime, the sealing key is used to sign a module manifest that describes the software that is authorized to access the sealing key, and the module manifest containing the sealing key is persisted in non-volatile memory of the electronic device. The module manifest can be used to validate software during a subsequent boot session and to authorize software updates on the electronic device without relying on an external entity or external information to protect on-device secrets.
METHOD AND APPARATUS FOR EMBEDDING AND EXTRACTING TEXT WATERMARK
One aspect of the present invention discloses a watermark insertion method. The method includes: segmenting target text into pieces of page content; obtaining a watermark variable comprising a line alternation value indicative of a watermark mode changed for each line of the segmented page content and a watermark mode setting value; and applying a flip-flop component insertion algorithm for inserting a watermark into each of the pieces of segmented page content based on the obtained watermark variable.
Vehicle information collection system, vehicle-mounted computer, vehicle information collection device, vehicle information collection method, and computer program
An in-vehicle computer generates a message authentication code about its own log using its own signature key and thereby transmits a log annotated with its message authentication code to a vehicle information collection device. The vehicle information collection device generates the signature key of the in-vehicle computer, verifies the message authentication code, which is included in the log annotated with its message authentication code received from the in-vehicle computer, using the generated signature key, and thereby stores the log relating to the successfully verified message authentication code on storage media.
SYSTEMS AND METHODS FOR MANAGING A TRUSTED APPLICATION IN A COMPUTER CHIP MODULE
Systems and methods for managing a trusted application in a computer chip module include generating a trusted application package (TAP), the TAP comprising an application and an activation code, wherein the TAP is encrypted with a passcode and wherein the activation code is stored in the memory of the computer; receiving from the computer chip module a public key, wherein the public key is part of a pair of asymmetrical transport keys generated by the computer chip module, and wherein the pair of asymmetrical transport keys further comprises a private key; encrypting the passcode with the public key; transmitting the encrypted passcode to the computer chip module, wherein the computer chip module is configured to decrypt the passcode using the private key; and transmitting the TAP to the computer chip module, wherein the TAP is stored in a dedicated folder on the computer chip module.
Trusted binary translation
In an example, a computing device may include a trusted execution environment (TEE) for executing signed and verified code. The device may receive a trusted binary object in a first form, but the object may need to be converted to a second format, either on-the-fly, or in advance. This may include, for example, a bytecode interpreter, script interpreter, runtime engine, compiler, just-in-time compiler, or other species of binary translator. The binary translator may be run from the TEE, and the output may then be signed by the TEE and treated as a new trusted binary.
ATTESTED END-TO-END ENCRYPTION FOR TRANSPORTING SENSITIVE DATA
Techniques are disclosed for enabling attested end-to-end encryption for transporting sensitive data between devices. In one example, an origination device receives and verifies, in a secure environment, a policy profile that includes an origination key of the origination device and a destination key of a destination device. The origination device generates and seals a data encryption key based on a characteristic of the secure environment. The origination device then encrypts the data encryption key with a public key of the destination device to form an encrypted data encryption key. The origination device then signs the encrypted data encryption key with a private attestation identity key of the origination device. The origination device encrypts the sensitive data with the sealed data encryption key to form encrypted data, and then transmits the signed encrypted data encryption key and the encrypted data to the destination device for subsequent decryption of the encrypted data.
IDENTITY BASED BEHAVIOR MEASUREMENT ARCHITECTURE
An Identity Based Behavior Measurement Architecture (such as the BMA) and related technologies are described herein. In an exemplary embodiment, the BMA can be derived from an IMA and use an identity model to express a deterministic measurement value for platform behavior.
TPM 2.0 PLATFORM HIERARCHY AUTHENTICATION AFTER UEFI POST
A method of accessing a trusted platform module in a computing device is disclosed. The method includes storing a platform authorization key in a memory of the computing device that includes the trusted platform module. The platform authorization key includes permitting access to the trusted platform module. The method includes obtaining a digital signature in response to the computing device requesting access to the trusted platform module. The digital signature is generated using at least a command for configuring the trusted platform module. The method includes verifying the digital signature and allowing retrieval of the platform authorization key from the memory of the computing device in order to access the trusted platform module in response to the digital signature being verified, and denying retrieval of the platform authorization key otherwise.