A device includes a processor having a trusted security zone and trusted memory communicatively coupled to the trusted security zone to form a trusted execution environment (TEE) in which trusted applications operate. The trusted memory has a common repository. The device includes memory storing instructions that cause the processor to effectuate operations. The operations include receiving, from a first trusted application of the trusted applications, a first application data and storing the first application data in the common repository. The operations include determining that a second trusted application of the trusted applications has permission to access the first application data based on a policy module of the TEE and allowing the second trusted application to access the first application data.

A method, apparatus, and computer-readable medium providing instructions to cause a computing device to establish a portion of a memory of the computing device as a trusted execution environment and execute a trusted third party application within the trusted execution environment. The trusted third party application is to receive a signed public key and an identifier for a verifier from a user client attestation application executing on a client platform. The signed public key is signed with an identifiable platform attestation private key for the client platform. The trusted third party application is further to verify the signed public key, determine a policy of the verifier, encode the policy into a trusted third party anonymous certificate for the signed public key, issue the trusted third party anonymous certificate without including identification information of the client platform, and send the trusted third party anonymous certificate to the user client attestation application.

The invention relates to a method for generating an authentication key in a security module which stores a first root key (K_root_A) shared with a first network entity, the method including the following steps: sending a transfer request to a second network entity, receiving a first secret (S_b1) from the second network entity, generating a secret generation key (Kb1) from the first root key and from the first secret, receiving from the second network entity a second secret (S_b2) and an authentication message of the second secret calculated by means of the secret generation key transmitted to the second network entity by the first network entity, verifying the authentication message by means of the secret generation key, generating a second root key (K_root_B) if the verification is positive, said second root key being generated from the second secret (S_b2) and from the secret generation key (Kb1), and used to generate an authentication key to access a network of the second network entity.

The present invention relates to a system for protecting sensitive data including at least one enclosing layer, at least one tamper-detecting sensor, zeroization support logic, at least one memory module, and at least one Internal IPM Decoupler configured to provide a link between the anti-tamper system and at least one electronic component that is enclosed by at least one enclosing layer.

A method comprises generating, based on a data element, M data element shares, wherein M is an integer greater than 1; providing each of M encryption keys to a first data processing unit; the first data processing unit encrypting each of the M data element shares with an encryption key, respectively, and thus generating M encrypted data element shares, wherein each of the encryption keys corresponds to a decryption key, respectively.

The invention relates to distributed ledger technologies such as consensus-based blockchains. A blockchain transaction may include digital resources that are encumbered by a locking script that encodes a set of conditions that must be fulfilled before the encumbered resources may be used (e.g., transferring ownership/control of encumbered resources). A worker (e.g., a computer system) performs one or more computations to generate a proof, which is encoded as part of an unlocking script. A verification algorithm may utilize the proof, a verification key, and additional data such as a cryptographic material associated with the worker (e.g., a digital signature) to verify that digital assets of the transaction should be transferred. As a result of the validation of this transaction, any third party is able to check the contract was executed corrected rather than re-executing the contract, thus saving computational power.

One aspect of the present invention discloses a device for content security. The device includes: an application execution unit configured to generate and control content in response to a content control command requested by a user; and a DRM agent configured to communicate with the application execution unit, to detect the content control command generated by the application execution unit, and to perform control on the content, and the DRM agent comprises a tracing module configured to insert security information into the content in order to prevent and trace content leakage.

An information handling system includes a memory and a processor. The memory stores an owner public key associated with an owner of the information handling system. The processor receives a cryptographically signed message including a chain of certificates that includes first and second certificates. The processor determines whether the first certificate within the chain of certificates delegates authority to a first user based on the owner public key. In response to the first certificate delegating authority to the first user, the processor determines whether the second certificate delegates authority from the first user to a second user. Based on the first and second certificates, the processor verifies the cryptographically signed message as an authoritative message. In response to the cryptographically signed message being verified as the authoritative message, the processor executes a request associated with the cryptographically signed message.

A method and apparatus for a certificate authority system providing authentication to a plurality of devices associated with an organization are described. The method may include receiving, at the certificate authority system, a request from a device to sign authentication information of the device, wherein the device is associated with the organization. The method may also include sending a challenge to the device to perform an action with a system other than the certificate authority system, and receiving the response to the challenge from the device. Furthermore, the method may include verifying that the response was generated correctly based on the challenge, and signing the authentication information of the device with one or more keys of the certificate authority system as an authentication of an identity of the device.

Methods and systems for implementing DevID enrollment for hardware redundant Trust Platform Modules (TPMs), are described. A system can include hardware redundancy for management modules, and for TPMs that correspond to each management module. Accordingly, a product can have a dual-TPM configuration, where both modules are associated with the same product. Further, a process that particularly considers the presence of dual-TPMs for creating, issuing, and enrolling DevID certificates is described. The process issues and maintains DevID certificates for each TPM by synchronizing dual sessions that correspond to each TPM. Also, the process accounts for duplicate identification data, for example allowing the certificate authority (CA) to sign certificates for dual-TPMs linked to the same chassis number. The process can include performing validation checks, rendezvous points, and locks to ensure that DevID certificates are successfully issued for each of the dual-TPMs, respectively.