H04L2209/127

SECURE CIRCUIT FOR ENCRYPTION KEY GENERATION

Techniques are disclosed relating to a public key infrastructure (PKI). In one embodiment, an integrated circuit is disclosed that includes at least one processor and a secure circuit isolated from access by the processor except through a mailbox mechanism. In some embodiments, the secure circuit is configured to generate a public key and a private key for an application, and receive, from the application via an API, a request to perform a cryptographic operation using the private key. The secure circuit is further configured to perform the cryptographic operation in response to the request.

SECURE KEY EXCHANGE USING KEY-ASSOCIATED ATTRIBUTES

A method for secure key exchange. The method comprises receiving a request to certify a key from a communication partner at an interface between an access and tamper resistant circuit block and exposed circuitry. Within the access and tamper resistant circuit block, a first random private key is generated. A corresponding public key of the first random private key is derived, and a cryptographic digest of the public key and attributes associated with the first random private key is generated. The generated cryptographic digest is signed using a second random private key that has been designated for signing by one or more associated attributes. The public key and the signature are then sent to the communication partner via the interface.

EFFICIENT TRANSFER OF AUTHENTICATION CREDENTIALS BETWEEN CLIENT DEVICES

An authentication system facilitates a transfer of enrollment in authentication services between client devices. The authentication system enrolls a client device in authentication services to enable the client device to be used for authenticating requests to access one or more services. As part of enrolling the client device, the authentication system receives authentication enrollment information for the client device that is associated with one or more authentication credentials securely stored on the client device (e.g., a multi-factor authentication (MFA) certificate). The authentication system facilitates one or more processes for transferring the enrollment from an enrolled client device to a non-enrolled client device that limit the number and complexity of actions performed by the user. In particular, the authentication system facilitates transfer of enrollment based on receiving enrollment transfer requests authorized by the enrolled client device using one or more authentication credentials associated with the enrollment of the enrolled client device.

Blockchain System with Nucleobase Sequencing as Proof of Work
20170359374 · 2017-12-14

A sequence mining platform (SMP) comprises a processor, at least one machine-accessible storage medium responsive to the processor, and a sequence manager in the machine-accessible storage medium. The sequence manager is configured to use processing resources to determine a sequence of nucleobases in a nucleic acid. The storage medium also comprises a blockchain manager to (a) collect transaction data for one or more transactions for a blockchain which requires a proof of work (POW) for each new block; and (b) include at least some of the transaction data in a new block for the blockchain. The storage medium also comprises a sequence mining module (SMM) to use the determined sequence of nucleobases from the sequence manager to create a POW for the new block. In one embodiment, the SMM enables an entity which controls the SMP to receive transaction rewards and sequencing rewards. Other embodiments are described and claimed.

Trusted IoT device configuration and onboarding

Various systems and methods for testing devices, issuing certificates, and managing certified devices, are discussed herein. A system is configured for using platform certificates to verify compliance and compatibility of a device when onboarding the device into an internet of things (IoT) network. The system may use an approved product list to verify compliance and compatibility for the device. When the device is certified, the system may use an onboarding tool to onboard the device into the IoT network.

System and method for measuring and reporting IoT boot integrity
11683178 · 2023-06-20

Embodiments of the present invention are directed to an improved system and method of producing, recording and reporting boot integrity measurements of an Internet of Things (“IoT”) computing device to a resource (such as an on-chip software module, an external software module, a printer, a network router, or a server), so the resource can confirm that the IoT computing device can be trusted before access to the resource is granted. Embodiments provide a new and less expensive architecture for reliably collecting and relaying device state information to support trust-sensitive applications. Embodiments leverage crypto-acceleration modules found on many existing microprocessors and microcontroller-based IoT devices, while introducing little additional overhead or additional circuitry. Embodiments provide a Root of Trust module comprising integrated internal control logic that functions as a secure on-chip wrapper for cryptographic primitive modules, which provide secure storage and reporting of the host's platform integrity measurements.

FLEXIBLE PROVISIONING OF ATTESTATION KEYS IN SECURE ENCLAVES

A computing platform implements one or more secure enclaves including a first provisioning enclave to interface with a first provisioning service to obtain a first attestation key from the first provisioning service, a second provisioning enclave to interface with a different, second provisioning service to obtain a second attestation key from the second provisioning service, and a provisioning certification enclave to sign first data from the first provisioning enclave and second data from the second provisioning enclave using a hardware-based provisioning attestation key. The signed first data is used by the first provisioning enclave to authenticate to the first provisioning service to obtain the first attestation key and the signed second data is used by the second provisioning enclave to authenticate to the second provisioning service to obtain the second attestation key.

Controlling Execution of Software by Combining Secure Boot and Trusted Boot Features
20170353313 · 2017-12-07

Controlling execution of software is provided. In response to receiving an input to execute a software module on a data processing system, a set of measurements are performed on the software module performing a process to prepare the software module for execution on the data processing system. In response to determining that the set of measurements meets a predetermined criterion, an authorization to proceed with the process of preparing the software module for execution on the data processing system is requested from a trusted third party computer. In response to receiving the authorization to proceed with the process of preparing the software module for execution on the data processing system from the trusted third party computer, the software module is executed.

AUTOMATED METHODS AND SYSTEMS FOR PERFORMING HOST ATTESTATION USING A SMART NETWORK INTERFACE CONTROLLER
20230188362 · 2023-06-15

This disclosure is directed to automated processes for attesting to trustworthiness of a host considered for connection to a data center network. The attestation process is performed in two attestation phases. In the first phase, attestation is performed on a smart network interface controller (“SNIC”) connected to an internal bus of the host using a first trusted platform module (“TPM”) of the SNIC. In the second phase, attestation is performed on the host by the SNIC using a second TPM connected to the internal bus of the host in response to a determination that the SNIC is trustworthy. The host is connected to the data center network in response to a determination by the SNIC that the host is trustworthy.

CRYPTOGRAPHIC OPERATIONS IN EDGE COMPUTING NETWORKS
20230188341 · 2023-06-15

An apparatus can include an interface coupled to processing circuitry and cryptographic circuitry coupled to the interface. The cryptographic circuitry can receive a request from the processing circuitry over the interface to perform a cryptographic operation using a remote hardware security module (HSM) key component. The cryptographic circuitry can further transmit a command to a remote component to retrieve the remote HSM key component. Subsequent to receiving the cryptographic key component, the cryptographic circuitry can construct a trusted execution environment (TEE) instance and store the remote HSM key component in the TEE instance. The cryptographic circuitry can use the remote HSM key component to perform the cryptographic operation and provide a result of the cryptographic operation to the processing circuitry over the interface.