A method for registering and provisioning an electronic device is provided. The method includes a step of inserting a first keypair into a secure element of the electronic device. The first keypair includes a public key and a private key. The method further includes a step of requesting, from a server configured to register and provision connected devices, a provisioning of credentials of the electronic device. The method further includes a step of verifying, by the server, the electronic device credentials. The method further includes a step of registering, by the server, the electronic device. The method further includes a step of transmitting, from the server to the electronic device, a device certificate. The method further includes steps of installing the transmitted device certificate within the secure element of the electronic device, and provisioning the electronic device according to the installed device certificate.

An HSM cluster includes a set of hardware security modules that maintain a set of cryptographic keys that are synchronized across the HSM cluster. Individual applications running on client computer systems access the HSM cluster using HSM cluster clients running on the client computer systems. The HSMs are accessed via a set of HSM cluster servers that monitor the synchronization of the cryptographic keys. Synchronization of the HSMs is maintained by the HSM cluster clients. The HSM cluster clients replicate key-addition and key-deletion operations across the HSM cluster. When a new key is created by a particular HSM, a prefix associated with the particular HSM is added to the identifier associated with the new key to avoid key-namespace collisions. If the set of cryptographic keys becomes unsynchronized across the HSM cluster, applications may continue read-only cryptographic operations while the HSM cluster is resynchronized by the HSM cluster clients.

This disclosure is directed to cryptographic protection for trusted operating systems. In general, a device may comprise for example, at least processing circuitry and memory circuitry. The device may be virtualized in that the processing circuitry may load virtual machines (VMs) and a virtual machine manager (VMM) into the memory circuitry during operation. At least one of the VMs may operate as a trusted execution environment (TEE) including a trusted operating system (TOS). The processing circuitry may comprise encryption circuitry to cryptographically protect the TOS. For example, the VMM may determine a first memory range in which the TOS will be loaded and store data regarding the first memory range in a register within the encryption circuitry. The register configures the encryption circuitry to cryptographically protect the TOS.

An information processing apparatus capable of connecting to an external apparatus via a network includes a first setting unit configured to enable a first function of transmitting an issuance request for a digital certificate to the external apparatus at a previously designated date and time or with a previously designated cycle and acquiring a digital certificate from the external apparatus in response to the issuance request, and a second setting unit configured to enable a second function of transmitting an issuance request for a digital certificate to the external apparatus in response to an instruction issued by a user for an issuance request for a digital certificate and acquiring a digital certificate from the external apparatus in response to the issuance request, wherein, in a case where the first function is currently enabled by the first setting unit, the second setting unit does not enable the second function.

Disclosed embodiments relate to encoded inline capabilities. In one example, a system includes a trusted execution environment (TEE) to partition an address space within a memory into a plurality of compartments each associated with code to execute a function, the TEE further to assign a message object in a heap to each compartment, receive a request from a first compartment to send a message block to a specified destination compartment, respond to the request by authenticating the request, generating a corresponding encoded capability, conveying the encoded capability to the destination compartment, and scheduling the destination compartment to respond to the request, and subsequently, respond to a check capability request from the destination compartment by checking the encoded capability and, when the check passes, providing a memory address to access the message block, and, otherwise, generating a fault, wherein each compartment is isolated from other compartments.

One aspect of the present invention discloses a client device for content security. The device includes: an application execution unit configured to control content in response to a content control command requested in a user level; a DRM agent configured to communicate with a DRM server and the application execution unit in the user level, to detect the content control command, to receive an encryption/decryption key and security policy for content from the DRM server, to provide the received encryption/decryption key and security policy to a client kernel module, and to transmit an encryption/decryption request; and the client kernel module configured to receive the encryption/decryption key and the security policy, to store the encryption/decryption key and security policy in a secure box of a kernel level, and to perform encryption or decryption on the content based on the encryption/decryption key and security policy in response to the encryption/decryption request.

Techniques are disclosed relating to relating to a public key infrastructure (PKI). In one embodiment, an integrated circuit is disclosed that includes at least one processor and a secure circuit isolated from access by the processor except through a mailbox mechanism. The secure circuit is configured to generate a key pair having a public key and a private key, and to issue, to a certificate authority (CA), a certificate signing request (CSR) for a certificate corresponding to the key pair. In some embodiments, the secure circuit may be configured to receive, via the mailbox mechanism, a first request from an application executing on the processor to issue a certificate to the application. The secure circuit may also be configured to perform, in response to a second request, a cryptographic operation using a public key circuit included in the secure circuit.

In accordance with embodiments of the present disclosure, a management controller configured to provide management-domain management of an information handling system may include a processor and a key management utility embodied in non-transitory computer-readable media. The key management utility may be configured to issue one or more commands to a cryptoprocessor for storing and sealing a key encryption key on the cryptoprocessor, wherein the key encryption key is for decrypting a media encryption key for encrypting and decrypting data stored to a storage resource of a host domain of the information handling system. The key management utility may also be configured to issue one or more commands to the cryptoprocessor for unsealing and retrieving the key encryption key from the cryptoprocessor.

An authentication system facilitates a transfer of enrollment in authentication services between client devices. The authentication system enrolls a client device in authentication services to enable the client device to be used for authenticating requests to access one or more services. As part of enrolling the client device, the authentication system receives authentication enrollment information for the client device that is associated with one or more authentication credentials securely stored on the client device (e.g., a multi-factor authentication (MFA) certificate). The authentication system facilitates one or more processes for transferring the enrollment from an enrolled client device to a non-enrolled client device that limit the number and complexity of actions performed by the user. In particular, the authentication system facilitates transfer of enrollment based on receiving enrollment transfer requests authorized by the enrolled client device using one or more authentication credentials associated with the enrollment of the enrolled client device.

Techniques are disclosed relating to relating to a public key infrastructure (PKI). In one embodiment, an integrated circuit is disclosed that includes at least one processor and a secure circuit isolated from access by the processor except through a mailbox mechanism. The secure circuit is configured to generate a key pair having a public key and a private key, and to issue, to a certificate authority (CA), a certificate signing request (CSR) for a certificate corresponding to the key pair. In some embodiments, the secure circuit may be configured to receive, via the mailbox mechanism, a first request from an application executing on the processor to issue a certificate to the application. The secure circuit may also be configured to perform, in response to a second request, a cryptographic operation using a public key circuit included in the secure circuit.