Patent classifications
H04L9/0877
Compiling a signature
A device is suggested including a cryptographic module, wherein the device is operable in a secure mode and in a non-secure mode, wherein the cryptographic module is configured in the secure mode by storing a secret key and a seed value in the cryptographic module, and wherein the device is operable in the non-secure mode to generate a signature based on input data utilizing the secret key and the seed value. Also, a method for operating such a device is provided.
METHOD AND DEVICE FOR SECURE COMMUNICATION
A method and device are provided for secure internet communication between a computing device and a server. The method employs non-extractable data stored within the device for the generation of a pair of master encryption keys, and the secure, non-internet transfer of one of the pair of keys to the server. Thereafter, communications between the device and the server are encrypted with one-time keys, the one-time keys being themselves encrypted with the master keys. At no time is either of the master keys transmitted over the internet, and at no time are the master keys stored together in a single device.
MULTIPLE DEVICE COLLABORATION AUTHENTICATION
An approach to multi-device collaboration authentication may be provided. The approach may include generating a password in response to a user requesting access to a service or application on a primary device. The approach may include dynamically determining whether secondary devices are located physically near a primary device. The generated password may be segmented into two or more parts, based on the number of secondary devices physically located near the primary device. A password segment can be sent to the primary device and another segment of the password can be sent to the secondary device determined to be physically near the primary device. The approach can include receiving the password segments in a prescribed manner to provide authentication and grant access to the requested application or service.
Support for increased number of concurrent keys within multi-key cryptographic engine
A server includes a processor core including system memory, and a cryptographic engine storing a key data structure. The data structure is to store multiple keys for multiple secure domains. The core receives a request to program a first secure domain into the cryptographic engine. The request includes first domain information within a first wrapped binary large object (blob). In response to a determination that there is no available entry in the data structure, the core selects a second secure domain within the data structure to de-schedule and issues a read key command to read second domain information from a target entry of the data structure. The core encrypts the second domain information to generate a second wrapped blob and stores the second wrapped blob in a determined region of the system memory, which frees up the target entry for use to program the first secure domain.
Binding secure objects of a security module to a secure guest
At least one secure object of a security module is bound to a secure guest. A trusted component determines whether metadata of the secure guest includes a confidential binding attribute for the security module. Based on determining that the metadata includes the confidential binding attribute, the trusted component configures the security module for the secure guest in a select mode. The select mode prevents certain operations from being intercepted by a hypervisor associated with the secure guest. The trusted component intercepts a security module communication and performs a cryptographic operation on one or more secure objects of the security module communication using the confidential binding attribute to provide a cryptographic result. An outcome of the security module communication, which includes the cryptographic result, is provided to a receiver.
Systems and methods for post-quantum cryptography on a smartcard
Systems, apparatuses, methods, and computer program products are disclosed for post-quantum cryptography (PQC). An example system includes a PQC smartcard. The smartcard may include a PQC cryptographic algorithm selection circuitry configured to select a PQC cryptographic technique from a set of PQC cryptographic techniques for encrypting the data. The smartcard may further include a PQC cryptographic circuitry configured to encrypt data based on a generated set of PQC encryption attributes and the PQC cryptographic technique.
Optically scannable representation of a hardware secured artifact
Methods and systems for device authentication based on generating and displaying an optically scannable visual representation of a public portion of a hardware secured encryption key (EK) are described herein. A client certificate is encrypted with the public portion of the EK based on a scan of the displayed visual representation. A connection may be established between a computing device and a server using the encrypted client certificate and a private portion of the EK to authenticate the computing device. In some implementations, a request is received from a second computing device to access a first computing device, and includes data encrypted using a public portion of an EK acquired from a displayed optically scannable visual representation of the public portion of the EK. The second computing device is provided access to the first computing device based on decryption of the encrypted data using a private portion of the EK.
Integrated circuit (IC) signatures with random number generator and one-time programmable device
Systems and methods of generating a security key for an integrated circuit device include generating a plurality of key bits with a physically unclonable function (PUF) device. The PUF can include a random number generator that can create random bits. The random bits may be stored in a nonvolatile memory. The number of random bits stored in the nonvolatile memory allows for a plurality of challenge and response interactions to obtain a plurality of security keys from the PUF.
BINDING WITH CRYPTOGRAPHIC KEY ATTESTATION
Generally discussed herein are devices, systems, and methods for binding with cryptographic key attestation. A method can include: generating, by hardware of a device, a device public key and a device private key; based on the device private key, signing a first attestation resulting in a signed first attestation, the first attestation claiming the device private key originated from the hardware; based on the device public key and the signed first attestation, registering the device with a trusted authority; generating, by the hardware, a first application private key and a first application public key; based on the device private key, signing a second attestation resulting in a signed second attestation, the second attestation claiming the first application private key originated from the hardware; and, based on the first application public key and the signed second attestation, registering a first application of the device to a first server.
SNAPSHOTTING HARDWARE SECURITY MODULES AND DISK METADATA STORES
The present disclosure relates to capturing snapshots of key management data and storing the snapshots for efficient re-creation of the key management data in the event of an outage at one or more nodes. A snapshot orchestrator can request snapshot instances from each of the series of nodes across one or more regions in a cloud infrastructure service. Each snapshot instance can provide a plurality of modifications to a plurality of client keys maintained by each of the series of nodes. The snapshot orchestrator can obtain the snapshot instances and corresponding metadata and verify the snapshot instances received from the series of nodes. The snapshot orchestrator can store the verified snapshot instance and corresponding metadata at a storage node. This can allow for subsequent retrieval of the snapshot instance and recreating the log record and modifications to the plurality of keys at any of the series of nodes.