-
1.
Publication No.: WO2022256279A1
Publication Date: 2022-12-08
Application No.: PCT/US2022/031498
Application Date: 2022-05-31
Applicant: THALES DIS CPL USA, INC.
Inventor: ANUMULAPALLY, Ranga; MERIN, Ian; ROBERTS, Kathryn; WARDROP, Gerald; DECARMO, Linden; CHOUHAN, Raghvendra
Abstract: There is disclosed a payment HSM (200) hosted in a data center (201) and comprising a host interface (20) accessible by a remote end-user entity (110) running a payment application (120) using critical resources protected in the payment HSM, a second interface (10) for main, operational management of the payment HSM by the end-user entity, and an Out-Of-Band, OOB, management interface (30) being distinct and physically isolated from the communication channel of the second interface, and configured to allow secure access to the payment HSM by a third-party entity (130), distinct from the end-user entity. A resident, remotely configurable provisioning state-machine is implemented in the HSM for the management of the provisioning of the payment HSM for service to one or more end-user entities, under the control of the third-party entity over the OOB management interface.
-
2.
Publication No.: WO2020257156A1
Publication Date: 2020-12-24
Application No.: PCT/US2020/037874
Application Date: 2020-06-16
Applicant: THALES DIS CPL USA, INC.
Inventor: RIOU, Mikael; NGUYEN, Thinh
Abstract: The invention relates to a method (20) for authenticating to a device (12), comprising receiving (214), by the device, from a chip (14), data; retrieving (216), by the device, based on the received data, a predetermined encrypted credential; sending (218), by the device, to the chip, a decryption request for decrypting the encrypted credential including or being accompanied with the encrypted credential to be decrypted; retrieving (220), by the chip, a secret key; decrypting (222), by the chip, the encrypted credential by using the secret key; sending (224), by the chip, to the device, as a decryption request response, the credential; verifying (226), by the device, whether the credential is or is not valid; and authenticating (228), by the device, only if the credential is valid, the chip.
-
3.
Publication No.: WO2022169661A1
Publication Date: 2022-08-11
Application No.: PCT/US2022/014037
Application Date: 2022-01-27
Applicant: THALES DIS CPL USA, INC.
Inventor: WEBER, Andreas; LANGE, David Andreas; ZUNKE, Michael
Abstract: There is provided a method of protecting a first software application to generate a protected software application to be executed on an execution platform having a memory in which code of the protected software application is loaded for execution, the method comprising adding at least one check module to the first software application, wherein the check module, when being executed, checks at least a part of the code of the protected software application loaded in the memory and carries out a predefined tamper response in case the check module detects that the checked code was changed or ensures that the protected software application continues to function correctly in case the check module detects that the checked code was not changed, selecting a first code region of the first software application, said first code region provides a first functionality when being executed, amending the selected first code region of the first software application such that an amended first code region is generated to provide the protected software application, wherein the amended first code region, when being executed, still provides the first functionality but carries out an access to at least a part of the code of a protected software application loaded in the memory for providing the first functionality.
-
4.
Publication No.: WO2022159851A1
Publication Date: 2022-07-28
Application No.: PCT/US2022/013584
Application Date: 2022-01-25
Applicant: THALES DIS CPL USA, INC.
Inventor: ROHLEDER, Roman; GARBA, Peter
IPC: G06F21/14
Abstract: The invention relates to a computer-implemented method of obfuscating a software code, comprising adding a conditional branch instruction to the software code which, when executed, causes evaluating an opaque predicate (PT, PF, P?). The method comprises a step of generating the opaque predicate which includes performing a multiplication operation having as operands two mixed Boolean-arithmetic expressions.
-
Publication No.: WO2020236428A1
Publication Date: 2020-11-26
Application No.: PCT/US2020/031613
Application Date: 2020-05-06
Applicant: THALES DIS CPL USA, INC.
Inventor: HUTCHINSON, Michael; ALI, Asad
IPC: G06F21/45
Abstract: The invention method (20) for providing a user authentication credential comprises: - a) registering, in a device, at least one reference character, as a first user authentication credential; - b) submitting (22), by the user, to the device, at least one character, as a second user authentication credential; - c) retrieving (24), by the device, each of the at least one reference character comprised within the first user authentication credential along with a corresponding position within the first user authentication credential; - d) comparing (26), by the device, each of the just submitted character within the second user authentication credential to a corresponding reference character within the first user authentication credential at one and the same position within the second user authentication credential and the first user authentication credential; and - e) providing (210), by the device to the user, just after the character submission, only if the just submitted character does not match the corresponding reference character, at least one information item for prompting the user to correct the just submitted character.
-
Publication No.: WO2020159925A1
Publication Date: 2020-08-06
Application No.: PCT/US2020/015318
Application Date: 2020-01-28
Applicant: THALES DIS CPL USA, INC.
Inventor: RIYUMKIN, Dimitri; JOHNSON, Darren
Abstract: The invention is a method for handling data in a secure container comprising first and second private keys uniquely allocated to the secure container. The secure container is configured to use the first private key to handle said data in a first operating mode and to use the second private key to handle said data in a second operating mode. The secure container is configured to prevent the update of the first private key after its clearing. The method comprises the step of automatically clearing the first private key in response to a request for enabling a software module in the second operating mode and a step of automatically using the first operating mode by the secure container if the first private key has not been cleared and of automatically using the second operating mode by the secure container if the first private key has been cleared.
-
7.
Publication No.: WO2023028094A1
Publication Date: 2023-03-02
Application No.: PCT/US2022/041288
Application Date: 2022-08-24
Applicant: THALES DIS CPL USA, INC.
Inventor: DAS, Tirthankar; KOO, Kyoungbong; MIYATA, Leonard; PAN, Feng; SANTOS, José R.; SPATAR, Mihai; SUDARSAN, Sridharan; WONG, Carlos
IPC: H04L67/02, H04L67/1001, H04L9/40
Abstract: The present invention provides a system for providing dual endpoint access control of remote cloud-stored resources, comprising: - at least one end-user entity running at least one application, the at least one application being adapted to perform at least one operation to at least one cloud-stored resource; - a local host interface configured to control access to the remote cloud-stored resources over a communication network by the at least one end-user entity running the at least one application, wherein the local host interface comprises a first access policy relating a set of authorized operations with at least one access permission to one or more of the cloud-stored resources, and wherein the local host interface is configured to send an individualized access request over the communication network to at least one remote server storing the cloud-stored resources if an authorized user requests to perform at least one authorized operation to at least one authorized cloud-stored resource satisfying the access permission set on the first access policy; - the at least one remote server storing the cloud-stored resources; and - a cloud interface associated with the at least one remote server, the cloud interface comprising a second access policy consisting of: o at least one role policy that permits or denies performing at least one operation to at least one cloud-stored resources, and o an authenticable user account configured to assume at least one of the roles, wherein the user account is authenticable through the received individualized access request sent by the local host interface.
-
Publication No.: WO2021035000A1
Publication Date: 2021-02-25
Application No.: PCT/US2020/047099
Application Date: 2020-08-20
Applicant: THALES DIS CPL USA, INC.
Inventor: FAMECHON, Benoît; SIDDIQUI, Najam; MUZAMIL, Muein
Abstract: The invention is a method for registering a first device to a registration server, a second device being previously registered by the registration server, said first device generates a first dataset by collecting network signals whose sources are located in the vicinity of said first device, then sends said first dataset to the registering server. Said second device generates a second dataset by collecting network signals whose sources are located in the vicinity of said second device, then sends said second dataset to the registering server. The registering server performs a comparison of a subset of said first dataset with a subset of said second dataset and registers said first device only if the comparison is successful.
-
Publication No.: WO2023028282A1
Publication Date: 2023-03-02
Application No.: PCT/US2022/041616
Application Date: 2022-08-26
Applicant: THALES DIS CPL USA, INC.
Inventor: GUPTA, Rajesh; SCOTT, Peter; BROMBERGER, Jeff; NANDODE, Rohan
Abstract: The present invention provides a method for controlling access to a disk device (7) connected to an execution platform (1), the method comprising - reserving a first region (9) of the disk device (7) and storing a unique disk label (11) in said first region (9), wherein said first region (9) is not encrypted, - encrypting a second region (10) of the disk device (7), wherein the second region (10) includes user data and file information, said method further comprises providing a cipher agent (12) running on said execution platform (1) and carrying out the following steps in case an opening of the disk device (7) is requested, - reading the unique disk label (11) stored in the first region (9), - retrieving a protection policy for the disk device (7) based on the unique disk label (11) and - handling the further access to the disk device (7) based on the protection policy.
-
Publication No.: WO2022216508A1
Publication Date: 2022-10-13
Application No.: PCT/US2022/022696
Application Date: 2022-03-31
Applicant: THALES DIS CPL USA, INC.
Inventor: LEMIRE, Stephane
Abstract: The present invention provides a system for detecting access to a pre-defined area on a Printed Circuit Board, wherein the system comprises: · the Printed Circuit Board comprising, on at least one of its external surfaces, at least one pre-defined area comprising electrical components, · a potting material arranged over at least the pre-defined area, wherein the potting material comprises a first layer of transparent material configured to allow light to pass through, and a second layer of opaque material arranged so that it completely blocks light towards the first layer, wherein the first layer is arranged between the Printed Circuit Board and the second layer and extends at least over the pre-defined area, and at least one photo-sensor arranged within the first layer of transparent material and configured to generate a tamper signal upon detection of light in the first layer.