Patent classifications
H04L2209/127
Hardware validation
A trusted co-processor can provide a hardware-based observation point into the operation of a host machine owned by a resource provider or other such entity. The co-processor can be installed via a peripheral card on a fast bus, such as a PCI bus, on the host machine. The provider can provide the customer with expected information that the customer can verify through a request to an application programming interface (API) of the card, and after the customer verifies the information the customer can take logical ownership of the card and lock out the provider. The card can then function as a trusted but limited environment that is programmable by the customer. The customer can subsequently submit verification requests to the API to ensure that the host has not been unexpectedly modified or is otherwise operating as expected.
Secure hardware for cross-device trusted applications
Various technologies described herein pertain to a computing device that includes secure hardware (e.g., a TPM, a secure processor of a processing platform, protected memory that includes a software-based TPM, etc.). The secure hardware includes a shared secret, which is shared by the secure hardware and a server computing system. The shared secret is provisioned by the server computing system or a provisioning computing system of a party affiliated with the server computing system. The secure hardware further includes a cryptographic engine that can execute a cryptographic algorithm using the shared secret or a key generated from the shared secret. The cryptographic engine can execute the cryptographic algorithm to perform encryption, decryption, authentication, and/or attestation.
Systems and methods for providing authentication to a plurality of devices
A method and apparatus for a certificate authority system providing authentication to a plurality of devices associated with an organization are described. The method may include receiving, at the certificate authority system, a request from a device to sign authentication information of the device, wherein the device is associated with the organization. The method may also include sending a challenge to the device to perform an action with a system other than the certificate authority system, and receiving the response to the challenge from the device. Furthermore, the method may include verifying that the response was generated correctly based on the challenge, and signing the authentication information of the device with one or more keys of the certificate authority system as an authentication of an identity of the device.
SECURE POLICY INGESTION INTO TRUSTED EXECUTION ENVIRONMENTS
Before a composition is ingested into a runtime environment at a runtime device, the composition may be verified at an authoring trusted execution environment (TEE) operating on an authoring device. A user can operate an untrusted computing platform (e.g., a personal computer, laptop computer, tablet computer, etc.) to write code, generate data, or create some other composition. Since this composition is created on an untrusted device, the authoring TEE may output the composition on a trusted peripheral device to a user for review and approval. Responsive to receiving approval at the trusted peripheral device, the authoring TEE can sign the composition with a local key and forward the composition for execution by the runtime device. The signature can be utilized by the runtime device to prove that it was reviewed and verified by an authorized user operating the authoring device.
SECURITY SYSTEM AND TERMINAL CHIP
The disclosure describes a security system, including a security element and a clock randomization processing unit. The clock randomization processing unit is configured to: receive a clock signal, randomly change the arrangement of high-level steps or low-level steps in the clock signal, and provide the changed clock signal to the security element. In an embodiment of the present invention, the security system performs randomization processing on the clock signal before inputting it to the security element, so that the security element receives only the randomized clock signal. The randomized clock signal causes a module inside the security element to work irregularly. Therefore, analysis in a side-channel attack becomes much more difficult, and the security of the security element is improved.
Using a trusted execution environment as a trusted third party providing privacy for attestation
A method, apparatus, and computer-readable medium providing instructions to cause a computing device to establish a portion of a memory of the computing device as a trusted execution environment and execute a trusted third party application within the trusted execution environment. The trusted third party application is to receive a signed public key and an identifier for a verifier from a user client attestation application executing on a client platform. The signed public key is signed with an identifiable platform attestation private key for the client platform. The trusted third party application is further to verify the signed public key, determine a policy of the verifier, encode the policy into a trusted third party anonymous certificate for the signed public key, issue the trusted third party anonymous certificate without including identification information of the client platform, and send the trusted third party anonymous certificate to the user client attestation application.
METHODS AND SYSTEMS FOR AUTOMATIC REGISTRATION USING PREVIOUSLY USED CREDENTIALS
Today an individual attending an event must undertake a second registration and purchasing sequence in order to attend a subsequent occurrence of the event. However, by the time they remember to re-register, their interest may have waned or the event is sold out. In other instances, they forget even though the event does not sell out. Accordingly, it would be beneficial to provide registrants of an event with a means to re-register for the next occurrence of the event in a manner that is quick, simple, independent of executing the registration/purchase steps with a service provider, and independent of whether the service provider has completed its support for the next event. Further, it would be beneficial to reuse the credential issued to the registrant for the current event (in progress or just completed) when re-registering the registrant for the next event. It would be further beneficial for said method to leverage the technology and devices of portable electronic devices associated with the registrant.
Method for symbolic execution on constrained devices
A method of trust provisioning a device, including: receiving, by a hardware security module (HSM), a list of instructions configured to produce trust provisioning information; performing, by the HSM, a constraint check on the list of instructions, including performing a symbolic execution of the list of instructions; receiving confidential inputs; executing, by the HSM, the list of instructions on the confidential inputs when the list of instructions passes the constraint check; and outputting, by the HSM, the trust provisioning information.
Providing Data to be Protected in a Secured Execution Environment of a Data Processing System
Various embodiments include methods for providing data to be protected in a secure execution environment. An example includes: executing an enclave code in the environment; generating a key pair using the code with a public key and a private key; sending the public key to an insecure execution environment outside the secure execution environment; sending the public key and sending first encrypted data to an obfuscated program code, wherein the obfuscated program code is part of the insecure execution environment; verifying the public key by means of the obfuscated program code and, depending on results of the verification, converting the first encrypted data into second encrypted data, wherein the second encrypted data are encrypted with the public key; sending the second encrypted data to the enclave in the secure execution environment; and decrypting the second encrypted data into the data to be protected.
Enclave Interactions
Aspects of the disclosure provide various methods relating to enclaves. For instance, a method of authentication for an enclave entity with a second entity may include receiving, by one or more processors of a host computing device of the enclave entity, a request and an assertion of identity for the second entity, the assertion including identity information for the second entity; using an assertion verifier of the enclave entity to determine whether the assertion is valid; when the assertion is valid, extracting the identity information; authenticating the second entity using an access control list for the enclave entity to determine whether the identity information meets the expectations of the access control list; and, when the identity information meets the expectations of the access control list, completing the request.