H04L2209/127

Enclave Interactions

Aspects of the disclosure provide various methods relating to enclaves. For instance, a method of authentication for an enclave entity with a second entity may include receiving, by one or more processors of a host computing device of the enclave entity, a request and an assertion of identity for the second entity, the assertion including identity information for the second entity; using an assertion verifier of the enclave entity to determine whether the assertion is valid; when the assertion is valid, extracting the identity information; authenticating the second entity using an access control list for the enclave entity to determine whether the identity information meets expectations of the access control list; and, when the identity information meets the expectations of the access control list, completing the request.

Computing device having two trusted platform modules

A computing device is provided including a motherboard including a control module, a first trusted platform module (TPM), and a second TPM. The control module directs security operations to the first TPM, wherein the control module is operable to detect whether or not the first TPM is damaged, and wherein the control module, in response to detecting that the first TPM is damaged, is operable to direct subsequent security operations to be performed by the second TPM. A computer program product is also provided including non-transitory computer readable storage media embodying program instructions executable by a processor to direct security operations to a first TPM coupled to a motherboard of the computing device, detect whether or not the first TPM is damaged, and, responsive to detecting that the first TPM is damaged, direct subsequent security operations to a second TPM coupled to the motherboard of the computing device.

Retrieving public data for blockchain networks using highly available trusted execution environments
10911244 · 2021-02-02

Methods, systems, and apparatus, including computer programs encoded on computer storage media, for enhancing blockchain network security. Implementations include receiving a request for data from the data source, transmitting the request to a relay system that is external to the blockchain network and that includes a multi-node cluster including a plurality of relay system nodes, receiving a result provided from a relay system node, the result being digitally signed using a private key of the relay system node, verifying that the relay system node is registered, verifying an integrity of the result based on a public key of the relay system node and a digital signature of the result in response to verifying that the relay system node is registered, and transmitting the result to a client in response to verifying the integrity of the result.

Addressing a trusted execution environment using encryption key
10897459 · 2021-01-19

Methods, systems, and devices are described herein for delivering protected data to a nested trusted execution environment (TrEE), including a trustlet running on top of secure kernel, associated with a potentially untrusted requestor. In one aspect, a targeting protocol head, or other intermediary between a requestor and a key management system or other store of protected data, may receive a request for protected data from a potentially untrusted requestor, and an attestation statement of the secure kernel. The targeting protocol head may encrypt a transfer encryption key with a second encryption key derived from the attestation statement. The targeting protocol head may retrieve the protected data, and encrypt the protected data with the transfer encryption key and an authentication tag, which binds the requestor with the trustlet ID. The targeting protocol head may provide the encrypted transfer encryption key, the encrypted protected data, and encrypted authentication tag to the requestor.

Method for authenticating software
10896251 · 2021-01-19

The present invention relates to a method for authenticating software. The method comprises defining a set of parameters to use for trace mapping the software, wherein the set of parameters represents the software functionality when executed. The method further comprises: a) creating a trusted fingerprint that is created by trace mapping the software using the set of parameters when executed in a trusted environment; b) creating an operating fingerprint that is created by trace mapping the software using the set of parameters when executed in an operating environment; c) comparing the operating fingerprint with the trusted fingerprint, and identifying any difference between the trusted fingerprint and the operating fingerprint; and d) when said operating fingerprint is non-identical with the trusted fingerprint, initiating predefined action(s) in response to the identified differences between the trusted fingerprint and the operating fingerprint.

VIRUS IMMUNE COMPUTER SYSTEM AND METHOD
20210004498 · 2021-01-07

A method and apparatus prevents hacker code from infecting an application program by requiring decryption of the application program prior to running the application program on a computer. The method includes steps of: providing a storage device that is a separate unit from components necessary to operate the computer; storing a symmetric private key on the storage device; using the symmetric private key to produce an encrypted application program upon first installation; thereafter decrypting that part of the encrypted application program needed to implement a command to run the application program; precluding the computer from running any part of the application program that has not been first encrypted with the symmetric private key; and decrypting, on the fly, only those follow-on parts of the encrypted application program needed to perform functions called for during operation of the application program.

ASSURED APPLICATION SERVICES

A computer implemented method to execute a software application in a network attached computing environment, the application being defined by a set of required software services to constitute the application, the required services being selected from services indicated in a component registry, the method including recording a block to a blockchain data structure, the new block identifying at least a subset of the set of required services; receiving one or more further blocks from the blockchain data structure, each of the further blocks referencing a service provider for providing one or more of the required services; and selecting one or more service providers identified in the blockchain and defining a specification for an application assembler component to assemble the software application, the specification identifying selected service providers.

MODIFICATION OF A MEMORY OF A SECURE MICROPROCESSOR
20200409572 · 2020-12-31

A method includes receiving, by a first microprocessor, a request of modification of a content of a first memory of the first microprocessor, the first memory being accessible only by the first microprocessor. The method includes accessing, by the first microprocessor, first data associated with the request and a signature generated from the first data with an asymmetric cipher algorithm. The first data and the signature are available in a second memory of a second microprocessor, and the first data is representative of a modification to be applied to the content of the first memory. The modification is representative of a modification of a set of services exposed by the first microprocessor. The method includes verifying, by the first microprocessor, authenticity of the first data based on the signature; and modifying the content of the first memory according to the first data, the modifying being conditioned by the verifying.

Flexible provisioning of attestation keys in secure enclaves

A computing platform implements one or more secure enclaves including a first provisioning enclave to interface with a first provisioning service to obtain a first attestation key from the first provisioning service, a second provisioning enclave to interface with a different, second provisioning service to obtain a second attestation key from the second provisioning service, and a provisioning certification enclave to sign first data from the first provisioning enclave and second data from the second provisioning enclave using a hardware-based provisioning attestation key. The signed first data is used by the first provisioning enclave to authenticate to the first provisioning service to obtain the first attestation key and the signed second data is used by the second provisioning enclave to authenticate to the second provisioning service to obtain the second attestation key.

Hardware secure element, related processing system, integrated circuit, device and method

A hardware secure element is described. The hardware secure element includes a microprocessor and a memory, such as a non-volatile memory. The memory stores a plurality of software routines executable by the microprocessor. Each software routine starts at a respective memory start address. The hardware secure element also includes a receiver circuit and a hardware message handler module. The receiver circuit is configured to receive command data that includes a command. The hardware message handler module is configured to determine a software routine to be executed by the microprocessor as a function of the command, and also configured to provide address data to the microprocessor that indicates the software routine to be executed.