One embodiment described herein provides a system and method for secure attestation. During operation, a Trusted Platform Module (TPM) of a trusted platform receives a request for an attestation key from an application module configured to run an application on the trusted platform. The request comprises a first nonce generated by the application module. The TPM computes an attestation public/private key pair based on the first nonce and a second nonce, which is generated by the TPM, computes TPM identity information based on a unique identifier of the TPM and attestation key, and transmits a public key of the attestation public/private key pair and the TPM identity information to the application module, thereby enabling the application module to verify the public key of the attestation public/private key pair based on the TPM identity information.

The disclosed technology is generally directed to blockchain and other security technology. In one example of the technology, a pre-determined type of blockchain or other security protocol code is stored in a trusted execution environment (TEE) of the processor. TEE attestation is used to verify that the blockchain or other security protocol code stored in the TEE is the pre-determined type of blockchain or other security protocol code. A blockchain or other transaction is received and processed. Based on the processing of the transaction, an official state of the transaction on a consortium network is directly updated for the network. The updated official state of the processed transaction is broadcasted to the consortium network.

The disclosed technology is generally directed to blockchain and other authentication technology. In one example of the technology, a pre-determined type of blockchain or other authentication protocol code and a pre-determined type of consensus code are stored in a trusted execution environment (TEE) of a processor. In some examples, TEE attestation is used to verify that the blockchain or other authentication protocol code stored in the TEE is the pre-determined type of blockchain or other authentication protocol code, and to verify that the consensus code stored in the TEE is the pre-determined type of consensus code. A request to alter the pre-determined type of blockchain or other authentication protocol code may be received. A determination may be made as to whether to change the pre-determined type of blockchain or other authentication protocol code based on the pre-determined consensus code.

The disclosed technology is generally directed to blockchain and other security technology. In one example of the technology, a first node is endorsed. During endorsement of a first node, a pre-determined type of blockchain or other security protocol code to be authorized and a pre-determined membership list are stored in a trusted execution environment (TEE) of the first node. A determination is made as to whether the membership lists and pre-determined blockchain or other security protocol code to be authorized from the proposed members match. If so, TEE attestation is used to verify that nodes associated with prospective members of the consortium store the pre-determined type of blockchain or other security protocol code to be authorized. Upon TEE attestation being successful, a consortium network is bootstrapped such that the prospective members become members of the consortium network.

An information transmission method and a mobile device, where the method includes after receiving, in a first execution environment, plaintext information of a user, a first mobile device performs encryption processing in an advanced execution environment, and sends ciphertext information to a second mobile device. After receiving the ciphertext information, the second mobile device performs decryption in an advanced execution environment, and then presents the plaintext information to a user. The plaintext information is destroyed under a predetermined condition instead of being permanently stored, and a security and trust level of an advanced execution environment is higher than a security and trust level of the first execution environment. In this way, security of communications information can be improved.

Various embodiments are generally directed to pairing computing devices for collaborative interaction via a network through a centralized secure device pairing service. An apparatus comprises a controller processor circuit, and a controller storage communicatively coupled to the controller processor circuit to store an initial private key and to store instructions that when executed by the controller processor circuit cause the controller processor circuit to create a first signature using the initial private key, transmit the first signature to an issuing server via a network, receive a group public key and an associated member private key from the issuing server, create a second signature using the member private key, transmit the second signature to a member device via the network; receive a third signature from the member device; and authenticate the third signature using the group public key. Other embodiments are described and claimed herein.

Methods, systems, and devices are described herein for delivering protected data to a nested trusted execution environment (TrEE), including a trustlet running on top of secure kernel, associated with a potentially untrusted requestor. In one aspect, a targeting protocol head, or other intermediary between a requestor and a key management system or other store of protected data, may receive a request for protected data from a potentially untrusted requestor, and an attestation statement of the secure kernel. The targeting protocol head may encrypt a transfer encryption key with a second encryption key derived from the attestation statement. The targeting protocol head may retrieve the protected data, and encrypt the protected data with the transfer encryption key and an authentication tag, which binds the requestor with the trustlet ID. The targeting protocol head may provide the encrypted transfer encryption key, the encrypted protected data, and encrypted authentication tag to the requestor.

An apparatus and method for pairing a base and a detachable device. A query module queries a detachable device in response to the detachable device connecting to a base. The detachable device provides a display for the base if the detachable device and base are connected. A determination module determines if the detachable device is paired with the base. A credential module obtains a pairing credential for a pairing in response to the determination module determining that the detachable device is unpaired with the base.

A portable security device for a computing system includes a housing, an interface at least partially disposed within the housing, a trusted platform module within the housing that is coupled to the interface, and a controller within the housing that is coupled to the trusted platform module and the interface. The interface is configured to engage a plurality of different devices and provide communication between the portable security device and an individual device when engaged with the individual device. In some examples, the trusted platform module can receive power from the individual device via the interface when the portable security device is engaged with the individual device. The controller includes logic to detect when the portable security device is coupled to the individual device via the interface.

An embodiment includes a processor coupled to memory to perform operations comprising: creating a first trusted execution environment (TXE), in protected non-privileged user address space of the memory, which makes a first measurement for at least one of first data and first executable code and which encrypts the first measurement with a persistent first hardware based encryption key while the first measurement is within the first TXE; creating a second TXE, in the non-privileged user address space, which makes a second measurement for at least one of second data and second executable code; creating a third TXE in the non-privileged user address space; creating a first secure communication channel between the first and third TXEs and a second secure communication channel between the second and third TXEs; and communicating the first measurement between the first and third TXEs via the first secure communication channel. Other embodiments are described herein.