An ecosystem for managing a public key infrastructure (PKI) includes an electronic device having at least one silicon component, an ecosystem manager configured to create at least one PKI keypair, a root certificate, and a bootstrapping certificate, and a device manufacturer configured to integrate into the electronic device the at least one silicon component. The device manufacturer is further configured to integrate into the at least one silicon component a public key of the at least one PKI keypair and the bootstrapping certificate. The ecosystem further includes an ecosystem approved test lab (ATL) configured to test the electronic device having the integrated silicon component, the public key, and the bootstrapping certificate. The ecosystem ATL is further configured to confirm that the bootstrapping certificate complies with predetermined standards of the ecosystem.

Trusted client security factor-based authorizations at a server. The techniques allow the server to authorize client requested operations to access a protected resource or service based on trusted client security factors that are obtained at client machines and provided to the server.

A virtual cryptographic module is used to perform cryptographic operations. The virtual cryptographic module may include a fleet of cryptographic modules and a load balancer that determines when a cryptographic module should be added to or removed from the fleet. The fleet size may be adjusted based on detecting a set of conditions that includes the utilization level of the fleet. One or more cryptographic modules of the fleet may be used to fulfill requests to perform cryptographic operations. A cryptographic module may be a hardware security module (“HSM”).

In one example an apparatus comprises a computer readable memory, a signing facility comprising a plurality of hardware security modules, and a state synchronization manager comprising processing circuitry to select, from the plurality of hardware security modules, a set of hardware security modules to be assigned to a digital signature process, the set of hardware security modules comprising at least a first hardware security module and a second hardware module, and assign a set of unique state synchronization counter sequences to the respective set of hardware security modules, the set of state synchronization counter sequences comprising at least a first state synchronization counter sequence and a second state synchronization counter sequence. Other examples may be described.

The invention relates to distributed ledger technologies such as consensus-based blockchains. A blockchain transaction may include digital resources that are encumbered by a locking script that encodes a set of conditions that must be fulfilled before the encumbered resources may be used (e.g., transferring ownership/control of encumbered resources). A worker (e.g., a computer system) performs one or more computations to generate a proof, which is encoded as part of an unlocking script. A verification algorithm may utilize the proof, a verification key, and additional data such as a cryptographic material associated with the worker (e.g., a digital signature) to verify that digital assets of the transaction should be transferred. As a result of the validation of this transaction, any third party is able to check the contract was executed corrected rather than re-executing the contract, thus saving computational power.

Environment type validation can provide a tamper-resistant validation of the computing environment within which the environment type validation is being performed. Such information can then be utilized to perform policy management, which can include omitting verifications in order to facilitate the sharing of policy, such as application licenses, from a host computing environment into a container virtual computing environment. The environment type validation can perform multiple checks, including verification of the encryption infrastructure of the computing environment, verification of code integrity mechanisms of that computing environment, checks for the presence of functionality evidencing a hypervisor, checks for the presence or absence of predetermined system drivers, or other like operating system components or functionality, checks for the activation or deactivation of resource management stacks, and checks for the presence or absence of predetermined values in firmware.

This disclosure relates to systems and methods for enabling the use of secret digital or electronic information without exposing the sensitive information to unsecured applications. In certain embodiments, the methods may include invoking, by a client application executing in an open processing domain, a secure abstraction layer configured to interface with secret data protected by a secure processing domain. Secure operations may be securely performed on the secret data by the secure abstraction layer in the secure processing domain based on an invocation from a client application running in the open processing domain.

A method comprises generating, based on a data element, M data element shares, wherein M is an integer greater than 1; providing each of M encryption keys to a first data processing unit; the first data processing unit encrypting each of the M data element shares with an encryption key, respectively, and thus generating M encrypted data element shares, wherein each of the encryption keys corresponds to a decryption key, respectively.

A method and apparatus for a certificate authority system providing authentication to a plurality of devices associated with an organization are described. The method may include receiving, at the certificate authority system, a request from a device to sign authentication information of the device, wherein the device is associated with the organization. The method may also include sending a challenge to the device to perform an action with a system other than the certificate authority system, and receiving the response to the challenge from the device. Furthermore, the method may include verifying that the response was generated correctly based on the challenge, and signing the authentication information of the device with one or more keys of the certificate authority system as an authentication of an identity of the device.

An information handling system includes a memory and a processor. The memory stores an owner public key associated with an owner of the information handling system. The processor receives a cryptographically signed message including a chain of certificates that includes first and second certificates. The processor determines whether the first certificate within the chain of certificates delegates authority to a first user based on the owner public key. In response to the first certificate delegating authority to the first user, the processor determines whether the second certificate delegates authority from the first user to a second user. Based on the first and second certificates, the processor verifies the cryptographically signed message as an authoritative message. In response to the cryptographically signed message being verified as the authoritative message, the processor executes a request associated with the cryptographically signed message.