A method and apparatus for a certificate authority system providing authentication to a plurality of devices associated with an organization are described. The method may include receiving, at the certificate authority system, a request from a device to sign authentication information of the device, wherein the device is associated with the organization. The method may also include sending a challenge to the device to perform an action with a system other than the certificate authority system, and receiving the response to the challenge from the device. Furthermore, the method may include verifying that the response was generated correctly based on the challenge, and signing the authentication information of the device with one or more keys of the certificate authority system as an authentication of an identity of the device.

In a method and system for responding to an unauthorized action on a mobile communications device, a cryptographic key is destroyed. The destruction of the cryptographic key is followed by initiating a boot sequence at the mobile communications device where the device is booted into a kernel that restricts operation of the mobile communications device to communications with a server.

Techniques are disclosed relating to relating to a public key infrastructure (PKI). In one embodiment, an integrated circuit is disclosed that includes at least one processor and a secure circuit isolated from access by the processor except through a mailbox mechanism. The secure circuit is configured to generate a key pair having a public key and a private key, and to issue, to a certificate authority (CA), a certificate signing request (CSR) for a certificate corresponding to the key pair. In some embodiments, the secure circuit may be configured to receive, via the mailbox mechanism, a first request from an application executing on the processor to issue a certificate to the application. The secure circuit may also be configured to perform, in response to a second request, a cryptographic operation using a public key circuit included in the secure circuit.

A virtual secure mode is enabled for a virtual machine operating in a computing environment that is associated with a plurality of different trust levels. First, a virtual secure mode image is loaded into one or more memory pages of a virtual memory space of the virtual machine. Then, the one or more memory pages of the virtual memory space are made inaccessible to one or more trust levels having a relatively lower trust level than a launching trust level that is used by a virtual secure mode loader to load the virtual secure mode image. A target virtual trust level is also enabled on a launching virtual processor for the virtual machine that is higher than the launching trust level.

Obtaining a sealed secret. The method includes decrypting one or more BLOBs at a computing system from among a plurality of different BLOBs. Each of the BLOBs in the plurality of BLOBs contains the secret. Each of the BLOBs in the plurality of BLOBs is sealed to a different condition from among a plurality of conditions. A given condition is a reflection of a system state where the system state is indicative of whether or not the system can be trusted to receive the secret. The method further includes evaluating one or more of the conditions to determine if at least one of the one or more conditions is met. The method further includes, if at least one of the one or more conditions is met, then providing the secret to an external entity.

Technologies for elliptic curve cryptography (ECC) include a computing device having an ECC engine that reads one or more parameters from a data port. The ECC engine performs operations using the parameters, such as an Elliptic Curve Digital Signature Algorithm (ECDSA). The ECDSA may be performed in a protected mode, in which the ECC engine will ignore inputs. The ECC engine may perform the ECDSA in a fixed amount of time in order to protect against timing side-channel attacks. The ECC engine may perform the ECDSA by consuming a uniform amount of power in order to protect against power side-channel attacks. The ECC engine may perform the ECDSA by emitting a uniform amount of electromagnetic radiation in order to protect against EM side-channel attacks. The ECC engine may perform the ECDSA verify with 384-bit output in order to protect against fault injection attacks.

An embodiment includes a processor coupled to memory to perform operations comprising: creating a first trusted execution environment (TXE), in protected non-privileged user address space of the memory, which makes a first measurement for at least one of first data and first executable code and which encrypts the first measurement with a persistent first hardware based encryption key while the first measurement is within the first TXE; creating a second TXE, in the non-privileged user address space, which makes a second measurement for at least one of second data and second executable code; creating a third TXE in the non-privileged user address space; creating a first secure communication channel between the first and third TXEs and a second secure communication channel between the second and third TXEs; and communicating the first measurement between the first and third TXEs via the first secure communication channel. Other embodiments are described herein.

A device is configured with a trusted platform module (TPM) executing in a trusted execution environment (TEE). Software/firmware updates, user data, applications, etc. are pushed to the device as a payload. The payloads contain a sealed container (e.g., the software/firmware update, user data, applications, etc.), one or more policies, and one or more provisioning code segments corresponding to the one or more policies. The policies are checked by the TPM of the device. If the measurement of the one or more provisioning code segments satisfy the one or more policies, then the sealed container is unsealed by the TPM and released to the device.

A hub device of a network receives a data model that includes a secure portion that is encrypted and one or more unsecure portions. The hub device deploys the one or more unsecure portions of the data model to respective edge devices of the network. The hub device decrypts the secure portion of the data model. The edge devices collect data (e.g., from sensors) and process the data using the unsecure portions of the data model. The edge devices send the processed data to the hub device. The hub device performs operations on the received processed data using the decrypted secure portion of the data model in a secure execution environment (e.g., a TPM or other secure module). The secure portion of the data model generates a result, which is then transmitted to an endpoint.

One embodiment described herein provides a system and method for secure attestation. During operation, a Trusted Platform Module (TPM) of a trusted platform receives a request for an attestation key from an application module configured to run an application on the trusted platform. The request comprises a first nonce generated by the application module. The TPM computes an attestation public/private key pair based on the first nonce and a second nonce, which is generated by the TPM, computes TPM identity information based on a unique identifier of the TPM and attestation key, and transmits a public key of the attestation public/private key pair and the TPM identity information to the application module, thereby enabling the application module to verify the public key of the attestation public/private key pair based on the TPM identity information.