Patent classifications
H04L2209/127
DATA PROTECTION KEYS
One embodiment provides a client device. The client device includes a Trusted Platform Module (TPM). The TPM includes a secure controller to extend a secure hash digest with at least a portion of a data stream or a hash of the at least a portion of the data stream.
Another embodiment provides a server system. The server system includes verifier logic. The verifier logic is to verify that an attestation identity key (AIK) public key associated with a received Trusted Platform Module (TPM) quote corresponds to an authenticated client device.
Trusted platform module certification and attestation utilizing an anonymous key system
This application is directed to trusted platform module certification and attestation utilizing an anonymous key system. In general, TPM certification and TPM attestation may be supported in a device utilizing integrated TPM through the use of anonymous key system (AKS) certification. An example device may comprise at least combined AKS and TPM resources that load AKS and TPM firmware (FW) into a runtime environment that may further include at least an operating system (OS) encryption module, an AKS service module and a TPM Certification and Attestation (CA) module. For TPM certification, the CA module may interact with the other modules in the runtime environment to generate a TPM certificate, signed by an AKS certificate, that may be transmitted to a certification platform for validation. For TPM attestation, the CA module may cause TPM credentials to be provided to the attestation platform for validation along with the TPM and/or AKS certificates.
Privacy enhanced key management for a web service provider using a converged security engine
In an embodiment, a security engine of a processor includes identity provider logic to generate a first key pair of a key pairing that associates a system user with a service provider that provides a web service and has a second system coupled to the system via a network; to perform a secure communication with the second system to enable the second system to verify that the identity provider logic is executing in a trusted execution environment; and, responsive to the verification, to send a first key of the first key pair to the second system. This key may enable the second system to verify an assertion communicated by the identity provider logic that the user has been authenticated to the system according to a multi-factor authentication. Other embodiments are described and claimed.
TRUSTED AND CONFIDENTIAL REMOTE TPM INITIALIZATION
Techniques are provided to allow remote initialization of a Trusted Platform Module. The results may be trusted and confidential even if the target device has a malicious operating system or other malicious software running.
FIELD REPLACEABLE UNIT AUTHENTICATION SYSTEM
A field replaceable unit authentication system provides for a field replaceable unit device to be positioned in a chassis. A trusted platform module is included in the field replaceable unit device. A network operating system engine may be provided in the field replaceable unit device and coupled to the trusted platform module. The network operating system engine participates in a boot process with a booting subsystem to generate current boot metric data that is provided for storage in the trusted platform module. A platform management controller in the field replaceable unit device retrieves the current boot metric data from the trusted platform module, authenticates the trusted platform module, and compares the current boot metric data to previously stored boot metric data to determine whether to authenticate the network operating system engine. If authenticated, the network operating system engine then authenticates the platform management controller.
Establishing trust between supervisors in a network device
In general, embodiments relate to a method for establishing trust between supervisors in a network device, the method including obtaining, by a first supervisor, signed platform configuration register (PCR) values from a second supervisor, wherein the first supervisor and the second supervisor are located in the network device, comparing the signed PCR values with stored PCR values, where the stored PCR values were previously obtained by the first supervisor from the second supervisor, and establishing, based on the comparison, trust with the second supervisor.
Remote Attestation Method, Apparatus, and System, Storage Medium, and Computer Program Product
In a remote attestation procedure, an attestation report provided by a prover to a verifier includes measurement information of a target TA, where the measurement information is obtained by the prover measuring data of the target TA during running. In this way, the measurement information can indicate the status of the target TA during running. If the target TA is attacked by a malicious program during running, the measurement information may indicate that there is data related to the malicious program. In this case, after verifying the measurement information, the verifier may attest that the target TA is not running securely.
PASSWORD SECURITY HARDWARE MODULE
Establish a secure connection from a device to a server by, at the device: sending a shared secret request (SSRq) and an obfuscated secret value of the device to the server, wherein the SSRq is encrypted by a symmetric rolling key known to the device and to a trusted authority but not known to the server and the SSRq incorporates a symmetric key for decrypting the device's obfuscated secret value; receiving a shared secret response (SSRs) and an obfuscated secret value of the server, wherein the device's symmetric rolling key encrypts the SSRs and the SSRs incorporates a symmetric server obfuscation key for decrypting the server's obfuscated secret value; calculating a shared secret by hashing a concatenation of the device's secret value and the server's secret value; generating a symmetric session key based on the shared secret; and establishing the secure connection using the symmetric session key.
User-configurable cryptographic interface controller
Systems and methods for scalably provisioning cryptographic devices in a distributed computing environment are described. In some embodiments, a cryptographic interface controller capable of generating a plurality of hardware-emulated cryptographic devices in response to requests is implemented. In some embodiments, a cryptographic interface controller may present hardware-emulated cryptographic devices to computing entities, such as standalone computer systems or virtual computing systems, as standard cryptographic devices, such as through a Universal Serial Bus interface.