H04L9/0877

CERTIFICATE-BASED MULTI-FACTOR AUTHENTICATION

Embodiments of the invention provide a computer-implemented method of executing multi-factor authentication (MFA). In embodiments of the invention, the computer-implemented method includes analyzing multiple categories of MFA factors, wherein a first category of the multiple categories of MFA factors includes a something-you-have MFA (SYH-MFA) factor. The SYH-MFA factor is analyzed by receiving, using a processor of an authenticating entity, an SYH certificate from a to-be-authenticated (TBA) entity; and determining, using the processor, that the SYH-MFA factor is satisfied by determining that the SYH certificate possessed by the TBA entity is valid.

CREDENTIAL BOOTSTRAPPING
20220385483 · 2022-12-01

A device can establish operational credentials for enabling the device to provide an attestation of the device's identity to another party, by performing a method comprising: obtaining bootstrap credentials from a hardware secure element or a trusted execution environment (TEE) of the device; using the bootstrap credentials to establish a secure session with an enrolment server; and via the secure session, establishing the operational credentials with the enrolment server.

BINDING AN ASIC TO A TRUST ANCHOR
20220385462 · 2022-12-01

According to certain embodiments, a method comprises receiving an encrypted value from a trust anchor. The encrypted value is received by a hardware component, and the encrypted value is associated with a posture assessment in which the trust anchor determines whether the hardware component is authorized to run on a product. The method further comprises obtaining a random value (K) based on decrypting the encrypted value. The decrypting uses a long-term key associated with the hardware component. The method further comprises communicating an encrypted response to the trust anchor. The encrypted response is encrypted using the random value (K). The encrypted response enables the trust anchor to determine whether the hardware component is authorized to run on the product.

TOKEN-BASED DEVICE TRACKING

Embodiments herein describe disconnecting, by an access node, a first device having a first media access control (MAC) address due to a network violation and receiving, by the access node, information about a second device having a second MAC address different from the first MAC address. In one embodiment, the information is generated by a certificate server based on a token generated by the second device. Further, when the access node determines, based on the information, that the second device is the first device, the access node denies a connection request from the second device.

Electronic subscriber identity module transfer credential wrapping
11516003 · 2022-11-29

Embodiments described herein relate to credential wrapping for secure transfer of electronic SIMs (eSIMs) between wireless devices. Transfer of an eSIM from a source device to a target device includes re-encryption of sensitive eSIM data, e.g., eSIM encryption keys, financial transaction credentials, transit authority credentials, and the like, using new encryption keys that include ephemeral elements applicable to a single, particular transfer session between the source device and the target device. The sensitive eSIM data encrypted with a symmetric key (K_s) is re-wrapped with a new header that includes a version of K_s encrypted with a new key encryption key (KEK) and information to derive KEK by the target device. The re-encrypted sensitive SIM data is formatted with additional eSIM data into a new bound profile package (BPP) to transfer the eSIM from the source device to the target device.

Offboard storage of non-sensitive objects for network-based hardware security modules

A hardware security module (HSM) client processes a request to store data in a set of HSMs. The HSM client determines a property of the data indicative of a sensitivity classification of the data. As a result of determining the data lacks a classification as sensitive, the HSM client transmits the data to a data store outside the set of HSMs and updates a database used by the HSM client to associate an identifier of the data with a reference to a location in the data store.

PUF KEY TRANSFER
20220376920 · 2022-11-24

An integrated-circuit device comprises a physical-unclonable-function (PUF) unit, a secure module, and an interconnect system communicatively coupled to the PUF unit and to the secure module. The device transfers a PUF key from the PUF unit to the secure module, over the interconnect system. In order to do this, the secure module generates a random value. The secure module then sends the random value to the PUF unit. The PUF unit then performs a bitwise XOR operation between the received random value and the PUF key, to generate a masked value. The PUF unit then transfers the masked value over the interconnect system to the secure module. The secure module then unmasks the PUF key by performing a bitwise XOR operation between the received masked value and the random value.

Methods and systems for automatic registration using previously used credentials
11507897 · 2022-11-22

Today an individual attending an event must undertake a second registration and purchasing sequence in order to attend a subsequent occurrence of the event. However, by the time they remember to re-register, their interest may have waned or the event is sold out. In other instances, they forget even though the event does not sell out. Accordingly, it would be beneficial to provide registrants of an event with a means to re-register for the next occurrence of the event in a manner that is quick, simple, independent of execution of the registration/purchase steps with a service provider, and independent of completion of service provider support for the next event. Further, it would be beneficial to leverage the credential provided to the registrant for the current event, in progress or just completed, in the re-registration of the registrant for the next event. It would be further beneficial for said method to leverage the technology and devices of portable electronic devices associated with the registrant.

Secure communication of network traffic
11595366 · 2023-02-28

Techniques are disclosed relating to securely communicating traffic. In some embodiments, an apparatus includes a secure circuit storing keys usable to encrypt data communications between devices over a network. The secure circuit is configured to store information that defines a set of usage criteria for the keys. The set of usage criteria specifies that a first key is dedicated to encrypting data being communicated from a first device to a second device. The secure circuit is configured to receive a request to encrypt a portion of a message with the first key, the request indicating that the message is being sent from the first device to the second device, and to encrypt the portion of the message with the first key in response to determining that the set of usage criteria permits encryption with the first key for a message being sent from the first device to the second device.

Secure key exchange using key-associated attributes

A method for secure key exchange. The method comprises receiving a request to certify a key from a communication partner at an interface between an access and tamper resistant circuit block and exposed circuitry. Within the access and tamper resistant circuit block, a first random private key is generated. A corresponding public key of the first random private key is derived, and a cryptographic digest of the public key and attributes associated with the first random private key is generated. The generated cryptographic digest is signed using a second random private key that has been designated for signing by one or more associated attributes. The public key and the signature are then sent to the communication partner via the interface.