H04L2209/127

System and Method for Measuring and Reporting IoT Boot Integrity
20190363888 · 2019-11-28

Embodiments of the present invention are directed to an improved system and method of producing, recording and reporting boot integrity measurements of an Internet of Things (IoT) computing device to a resource (such as an on-chip software module, an external software module, a printer, a network router, or a server), so the resource can confirm that the IoT computing device can be trusted before access to the resource is granted. Embodiments provide a new and less expensive architecture for reliably collecting and relaying device state information to support trust-sensitive applications. Embodiments leverage crypto-acceleration modules found on many existing microprocessor- and microcontroller-based IoT devices, while introducing little additional overhead or additional circuitry. Embodiments provide a Root of Trust module comprising integrated internal control logic that functions as a secure on-chip wrapper for cryptographic primitive modules, which provide secure storage and reporting of the host's platform integrity measurements.

Method and system for distributing attestation key and certificate in trusted computing
10484185 · 2019-11-19

One embodiment described herein provides a system and method for secure attestation. During operation, a Trusted Platform Module (TPM) of a trusted platform receives a request for an attestation key from an application module configured to run an application on the trusted platform. The request comprises a first nonce generated by the application module. The TPM computes an attestation public/private key pair based on the first nonce and a second nonce, which is generated by the TPM, computes TPM identity information based on a unique identifier of the TPM and the attestation key, and transmits the public key of the attestation public/private key pair and the TPM identity information to the application module, thereby enabling the application module to verify the public key of the attestation public/private key pair based on the TPM identity information.

Secure circuit for encryption key generation

Techniques are disclosed relating to a public key infrastructure (PKI). In one embodiment, an integrated circuit is disclosed that includes at least one processor and a secure circuit isolated from access by the processor except through a mailbox mechanism. In some embodiments, the secure circuit is configured to generate a public key and a private key for an application, and to receive, from the application via an API, a request to perform a cryptographic operation using the private key. The secure circuit is further configured to perform the cryptographic operation in response to the request.

HARDWARE VALIDATION

A trusted co-processor can provide a hardware-based observation point into the operation of a host machine owned by a resource provider or other such entity. The co-processor can be installed via a peripheral card on a fast bus, such as a PCI bus, on the host machine. The provider can provide the customer with expected information that the customer can verify through a request to an application programming interface (API) of the card, and after the customer verifies the information the customer can take logical ownership of the card and lock out the provider. The card can then function as a trusted but limited environment that is programmable by the customer. The customer can subsequently submit verification requests to the API to ensure that the host has not been unexpectedly modified or is otherwise operating as expected.

Virtual environment type validation for policy enforcement

Environment type validation can provide a tamper-resistant validation of the computing environment within which the environment type validation is being performed. Such information can then be utilized to perform policy management, which can include omitting verifications in order to facilitate the sharing of policy, such as application licenses, from a host computing environment into a container virtual computing environment. The environment type validation can perform multiple checks, including verification of the encryption infrastructure of the computing environment, verification of code integrity mechanisms of that computing environment, checks for the presence of functionality evidencing a hypervisor, checks for the presence or absence of predetermined system drivers, or other like operating system components or functionality, checks for the activation or deactivation of resource management stacks, and checks for the presence or absence of predetermined values in firmware.

Enclave interactions

Aspects of the disclosure provide various methods relating to enclaves. For instance, a method of authentication for an enclave entity with a second entity may include: receiving, by one or more processors of a host computing device of the enclave entity, a request and an assertion of identity for the second entity, the assertion including identity information for the second entity; using an assertion verifier of the enclave entity to determine whether the assertion is valid; when the assertion is valid, extracting the identity information; authenticating the second entity using an access control list for the enclave entity to determine whether the identity information meets the expectations of the access control list; and, when the identity information meets the expectations of the access control list, completing the request.

Encryption Card, Electronic Device, and Encryption Service Method
20190334713 · 2019-10-31

An encryption card, an electronic device and an encryption service method are disclosed. The encryption card includes a trusted computing module; a programmable logic device that is connected to the trusted computing module through a conductive circuit, and communicates with the trusted computing module through the conductive circuit; and a communication interface that is connected to the trusted computing module and the programmable logic device, and is configured to provide an interface for connecting to an external device of the encryption card. The present disclosure solves the technical problems that the computing power and the storage capacity of encryption cards are insufficient, and the calculation security of information data cannot be effectively guaranteed in the existing technologies.

Multivariate signature method for resisting key recovery attack
10461923 · 2019-10-29

A multivariate signature method for resisting key recovery attacks, which establishes a new signature verification condition by adding an additional value to the signature. The verification condition implies verification of the internal information x and y, thereby effectively resisting the key recovery attack that arises from the existence of equivalent keys. Specifically, the method includes the three stages of data preprocessing, signature generation and signature verification. The invention is a signature authentication method based on polynomial equations in a plurality of variables over a finite field, which can effectively resist the key recovery attack, provide basic technical support for information security and the establishment of a trust system in the quantum computer era, and provide a secure digital signature option in the quantum era. The present invention is especially suitable for use under application conditions with limited storage and processing time, such as smart cards, wireless sensor networks and dynamic RFID tags.

OUTSOURCING PROCESSING OPERATIONS WITH HOMOMORPHIC ENCRYPTION
20190327077 · 2019-10-24

A method of outsourcing an operation with encryption is provided. The method may include encrypting data at a trusted execution environment (TEE) to generate a first ciphertext. The method may also include conveying the first ciphertext to a graphics processing unit (GPU). Further, the method may include performing, at the GPU, at least one somewhat homomorphic encryption (SHE) evaluation operation on the first ciphertext to generate a second ciphertext. Moreover, the method may include conveying the second ciphertext to the TEE. In addition, the method may include decrypting, at the TEE, the second ciphertext to generate a function.

CLOUD-IMPLEMENTED PHYSICAL TOKEN BASED SECURITY
20190327093 · 2019-10-24

Various systems and methods for implementing physical token based security in a networked environment with localized security state management (SSM). Illustrative embodiments include: a cryptoprocessor-based physical security token; a network interface that receives commands directed via a network to the cryptoprocessor from a remote computer; a memory or persistent storage device storing SSM software; and one or more CPUs coupled to the memory or persistent storage device to execute the SSM software. The SSM software causes the one or more CPUs to implement an SSM method that includes: accepting commands, thereby obtaining a received command sequence; applying security rules to the received command sequence to obtain a modified command sequence; directing the modified command sequence to the cryptoprocessor; receiving from the cryptoprocessor responses to commands in the modified command sequence; and providing replies to commands in the received command sequence based on the cryptoprocessor responses and on the security rules.