H04L2209/127

Modification of a memory of a secure microprocessor

A method includes receiving, by a first microprocessor, a request of modification of a content of a first memory of the first microprocessor, the first memory being accessible only by the first microprocessor. The method includes accessing, by the first microprocessor, first data associated with the request and a signature generated from the first data with an asymmetric cipher algorithm. The first data and the signature are available in a second memory of a second microprocessor, and the first data is representative of a modification to be applied to the content of the first memory. The modification is representative of a modification of a set of services exposed by the first microprocessor. The method includes verifying, by the first microprocessor, authenticity of the first data based on the signature; and modifying the content of the first memory according to the first data, the modifying being conditioned by the verifying.

Provisioning systems and methods

A method for registering and provisioning an electronic device is provided. The method includes a step of inserting a first keypair into a secure element of the electronic device. The first keypair includes a public key and a private key. The method further includes a step of requesting, from a server configured to register and provision connected devices, a provisioning of credentials of the electronic device. The method further includes a step of verifying, by the server, the electronic device credentials. The method further includes a step of registering, by the server, the electronic device. The method further includes a step of transmitting, from the server to the electronic device, a device certificate. The method further includes steps of installing the transmitted device certificate within the secure element of the electronic device, and provisioning the electronic device according to the installed device certificate.

Resource sharing for trusted execution environments

The technology disclosed herein enables resource sharing for trusted execution environments. An example method can include: establishing a first trusted execution environment (TEE) in a first computing device; establishing, by the first TEE, a set of shell TEEs, where each shell TEE is configured in view of one or more configuration parameters associated with the set of shell TEEs; receiving, by the first TEE, a request from a tenant computing device to establish a second TEE; determining, by the first TEE, whether the configuration parameters associated with the set of shell TEEs satisfy one or more request parameters for the second TEE; and responsive to determining that the configuration parameters associated with the set of shell TEEs satisfy the one or more request parameters for the second TEE, establishing, by the first TEE, the second TEE to satisfy the request, wherein the second TEE is selected from the set of shell TEEs, and causing, by the first TEE, the second TEE to communicate with the tenant computing device.

ATTESTATION OF TRUSTED EXECUTION ENVIRONMENTS
20220158856 · 2022-05-19

There are provided mechanisms for attesting a first TEE residing on a first node. A method is performed by a second TEE also residing on the first node. The method comprises obtaining a request from the first TEE to be attested. The method comprises, in response thereto, obtaining a shared key from a third TEE residing on a second node. The method comprises performing local attestation of the first TEE, whereby the first TEE is provided with the shared key from the second TEE.

SYSTEM FOR SIMPLIFYING EXECUTABLE INSTRUCTIONS FOR OPTIMISED VERIFIABLE COMPUTATION

The invention relates to distributed ledger technologies such as consensus-based blockchains. Computer-implemented methods for reducing arithmetic circuits derived from smart contracts are described. The invention is implemented using a blockchain network, which may be, for example, a Bitcoin blockchain. A set of conditions encoded in a first programming language is obtained. The set of conditions is converted into a programmatic set of conditions encoded in a second programming language. The programmatic set of conditions is precompiled into precompiled program code. The precompiled program code is transformed into an arithmetic circuit. The arithmetic circuit is reduced to form a reduced arithmetic circuit, and the reduced arithmetic circuit is stored.

EFFICIENT TRANSFER OF AUTHENTICATION CREDENTIALS BETWEEN CLIENT DEVICES

An authentication system facilitates a transfer of enrollment in authentication services between client devices. The authentication system enrolls a client device in authentication services to enable the client device to be used for authenticating requests to access one or more services. As part of enrolling the client device, the authentication system receives authentication enrollment information for the client device that is associated with one or more authentication credentials securely stored on the client device (e.g., a multi-factor authentication (MFA) certificate). The authentication system facilitates one or more processes for transferring the enrollment from an enrolled client device to a non-enrolled client device that limit the number and complexity of actions performed by the user. In particular, the authentication system facilitates transfer of enrollment based on receiving enrollment transfer requests authorized by the enrolled client device using one or more authentication credentials associated with the enrollment of the enrolled client device.

CENTRALIZED VOLUME ENCRYPTION KEY MANAGEMENT FOR EDGE DEVICES WITH TRUSTED PLATFORM MODULES

The present disclosure relates to centralized volume encryption key management for edge devices with trusted platform modules (TPMs). In some examples, a TPM measures platform configuration register (PCR) values during a gateway boot process of a gateway device, including a PCR value for an extractor PCR. The extractor PCR refers to a PCR for an extractor application of the gateway device. The extractor application unseals a volume encryption key using the PCR value for the extractor PCR and a sealing authorization policy. The extractor application itself is verified as a result of measuring and using the PCR value for the extractor PCR.

Secured computer system

There is provided a secured computer system, comprising a processing and memory unit (PMU) operatively connected to an input peripheral and an output peripheral. The PMU comprises a system memory comprising a protected memory and a shared memory, and a processor operatively coupled to the system memory, the processor including a set of instructions for enabling secure data storage and execution via the protected memory. The PMU further comprises an operating system and a group of modules executable by the operating system, each module in the group of modules having a designated secure region to be executed within the protected memory. The group of modules is configured to create authentication and share the input data securely via the shared memory accessible thereto using a composite key, the composite key being generated within the group using a data sharing mechanism between the designated secure regions enabled by the set of instructions.

Electronic apparatus
11726676 · 2023-08-15

A multifunction device includes: a non-volatile memory storing encrypted information, which is information that is encrypted; a TPM for decrypting the encrypted information; and a main board communicating with the non-volatile memory and the TPM. The non-volatile memory and the TPM are attachable to and removable from the main board, as a single body. More specifically, the multifunction device includes: a first sub board which has the non-volatile memory attached thereto and is attachable to and removable from the main board; and a chip board which has the TPM attached thereto and is attachable to and removable from the first sub board.

Hardware secure element, related processing system, integrated circuit, device and method

A hardware secure element is described. The hardware secure element includes a microprocessor and a memory, such as a non-volatile memory. The memory stores a plurality of software routines executable by the microprocessor. Each software routine starts at a respective memory start address. The hardware secure element also includes a receiver circuit and a hardware message handler module. The receiver circuit is configured to receive command data that includes a command. The hardware message handler module is configured to determine a software routine to be executed by the microprocessor as a function of the command, and also configured to provide address data to the microprocessor that indicates the software routine to be executed.