Secure installation of application keys

The invention claimed is: 1. A method of creating an application key for use in a remote device, the method comprising: transmitting a device public key to an application owner, wherein the device public key corresponds to a device private key stored on and specific to the remote device; receiving an encrypted application key for an application associated with the application owner, the encrypted application key encrypted with the device public key; and processing the received encrypted application key with a symmetric device key, wherein the symmetric device key is specific to and stored on the remote device, wherein the app key is created at a key management system. 2. The method according to claim 1 , wherein processing the received encrypted application key further comprises encrypting the encrypted application key with a symmetric device encryption key. 3. The method according to claim 1 , wherein the received encrypted application key further comprises adding or associating an application policy or identifier for the respective application to the encrypted application key. 4. The method according to claim 1 , wherein processing the received encrypted application key further comprises signing the encrypted application key with a symmetric device signature key. 5. The method according to claim 3 , further comprising sending a key seed for generating a transport key for installing a second application key on the remote device wherein the key seed is generated using an application policy or an application identifier for the second application. 6. The method according to claim 1 , further comprising: sending a key seed for generating a transport key for installation of a further application key on the remote device from the application owner, wherein the key seed is generated using an application policy or application identifier for a second application with a key derivation function stored at the key management system and remote device, wherein processing the received encrypted application key further comprises encrypting the encrypted application key with a symmetric device encryption key, adding or associating the application policy or identifier for the second application to the encrypted application key, and signing the encrypted application key with a symmetric device signature key, the symmetric device encryption key being different from the symmetric device signature key. 7. A method of installing an application key in a remote device, the method comprising: receiving a device public key from a key management system, the device public key corresponding to a device private key stored on and specific to the device; transmitting an encrypted application key associated with an application, the encrypted application key being encrypted with the device public key, to the key management system; receiving the encrypted application key from the key management system, wherein the encrypted application key has been processed by the key management system with a symmetric device key and includes an application policy and identifier of the application by the key management system, wherein the symmetric device key is specific to and stored on the remote device; and transmitting the encrypted application key to the remote device. 8. The method according to claim 7 , further comprising receiving from the key management system a key seed, wherein the key seed is generated based on an application policy associated with the application key and application identifier using a key derivation function; generating a transport key using a second key derivation function using the key seed and the application key, wherein the second key derivation function is also available at the remote device; encrypting a second application key with the transport key; and sending the encrypted application key to the remote device for installation. 9. A device for executing an application using one or more application keys, the device comprising: a memory storing a private device key of a device public, private key pair, and a symmetric device key; and a processor configured to: receive an encrypted application key of an application, process the received encrypted application key using the symmetric device key, and decrypt the processed encrypted application key using the private device key. 10. The device according to claim 9 , wherein the processor is further configured to decrypt the encrypted application key with a symmetric device encryption key. 11. The device according to claim 9 , wherein the processor is further configured to decrypt an encrypted application policy and identifier with a symmetric device encryption key for enabling execution of the application on the device based on the decrypted application policy. 12. The device according to claim 9 , wherein the processor is further configured to verify a signature of the encrypted application key with a symmetric device signature key. 13. The device according to claim 9 , wherein the processor is configured to receive a second application key encrypted with a transport key, compute the transport key using a key derivation function applied to the application key and the output of a second key derivation function, wherein the output of the second key derivation function is computed by applying the second key derivation function to an application policy and identifier associated with the application key, and decrypt the second application key with the transport key.