An infrastructure delivery platform provides a proxy service as an enhancement to the TLS/SSL protocol to off-load to an external server the generation of a digital signature, the digital signature being generated using a private key that would otherwise have to be maintained on a terminating server. Using this service, instead of digitally signing (using the private key) “locally,” the terminating server proxies given public portions of ephemeral key exchange material to the external server and receives, in response, a signature validating the terminating server is authorized to continue with the key exchange. In this manner, a private key used to generate the digital signature (or, more generally, to facilitate the key exchange) does not need to be stored in association with the terminating server. Rather, that private key is stored only at the external server, and there is no requirement for the pre-master secret to travel (on the wire).

Computer-implemented methods, devices and computer programs are provided for integrity-preserving document processing. At a first layer, a first hash is generated over at least one first data object of a document and associated given random data. The first hash value is set as a leaf to an existing sparse hash tree (SHT). An updated root of the updated SHT is calculated. At a second layer, a current block is generated including a second hash value over at least the existing root of the existing SHT and at least one digital signature of the existing root of the existing SHT, at least one digital signature of at least the updated root of the updated SHT and the updated root of the updated SHT. A third hash value over current block is generated and, at a third layer, registered with a timestamp service or a blockchain.

A computing device in a trusted computing (TC) system and an attestation method thereof are provided. The computing device includes at least one processor configured to operate as instructed by program code, the program code including: transmission code configured to cause the at least one processor to transmit, to a master controller, a first identification (ID) for a first device selected among a plurality of devices included in the TC system, a second ID for a second device selected among the plurality of devices, and a nonce; and attestation code configured to cause the at least one processor to perform attestation for the first device and the second device based on an aggregated signature, wherein the aggregated signature is based on generation of a first signature, by the first device, by using the nonce, and generation of a second signature, by the second device, by using the first signature.

A variety of applications can include apparatus and/or methods of controlling a secure boot mode for a memory system. In an embodiment, a system includes a memory component and a processing device, where the processing device is configured to control a boot process for the system to operate the memory component and perform a cryptographic verification with a host to conduct an authentication of the host. The processing device can interact with the host, in response to the authentication, to receive a setting to control the boot process in a secure boot mode. The processing can interact with another processing device of the system to store the setting and to receive a secure boot signal from the other processing device, where the secure boot signal is a signal to assert or de-assert the secure boot mode depending on a value of the setting. Additional apparatus, systems, and methods are disclosed.

A system and method for signing data is presented. In one embodiment, the method comprises: generating a data signing key; transforming the data signing key into a first subkey and a second subkey; encrypting the first subkey according to a secret key of an ODSS; generating a signature verification public key; providing the signature verification public key, the encrypted first subkey, and the second subkey for storage in a client device; accepting a request to sign the data, the request having a representation of the data and the encrypted first subkey; generating a partially computed signature of the data according to the representation of the data and the encrypted first subkey; and providing the partially computed signature of the data to the client device.

Methods and systems are provided for supporting efficient and secure “Machine-to-Machine” (M2M) communications using a module, a server, and an application. A module can communicate with the server by accessing the Internet, and the module can include a sensor and/or an actuator. The module, server, and application can utilize public key infrastructure (PKI) such as public keys and private keys. The module can internally derive pairs of private/public keys using cryptographic algorithms and a first set of parameters. A server can authenticate the submission of derived public keys and an associated module identity. The server can use a first server private key and a second set of parameters to (i) send module data to the application and (ii) receive module instructions from the application. The server can use a second server private key and the first set of parameters to communicate with the module.

In one embodiment, a file comprising a disk image and a key blob is prepared. The file is attached to a virtual machine configuration. A virtual machine based on the virtual machine configuration is launched. A kernel is paired to the key blob by a kernel driver paired to the key blob reading secret comprising identity information into the kernel of the virtual machine. The identity information is registered with a kernel service. The attached file is ejected from the virtual machine configuration. The identity information is accessed by an application running on the virtual machine, wherein the identity information is used by the application when the kernel service requires identity information. Related hardware and systems are also described.

Techniques are disclosed relating to relating to a public key infrastructure (PKI). In one embodiment, an integrated circuit is disclosed that includes at least one processor and a secure circuit isolated from access by the processor except through a mailbox mechanism. In some embodiments, the secure circuit is configured to generate a public key and a private key for an application, and receive, from the application via an API, a request to perform a cryptographic operation using the private key. The secure circuit is further configured to perform the cryptographic operation in response to the request.

An information handling system may include a host information handling system that is configured to execute a host operating system (OS), a management controller configured to provide out-of-band management of the information handling system, and a cryptoprocessor. The information handling system may be configured to: generate, at the cryptoprocessor, a cryptographic key pair comprising a public key and a private key, wherein the private key is sealed based on platform measurements of the information handling system; transmit the public key from the cryptoprocessor to the management controller; access, by the host information handling system, the sealed private key; transmit an authorization from the host information handling system to the management controller, wherein the authorization is signed with the private key; and based on a verification of the authorization with the public key, grant access to the management controller from the host OS.

An apparatus for validating an identity of an individual based on biometrics includes a memory and a processor operatively coupled to a distributed database and the memory. The processor is configured to provide biometric data as an input to a predefined hash function to obtain a first biometric hash value. The processor is configured to obtain, using a first pointer to the distributed database, a signed second biometric hash value. The processor is configured to define a certification of the biometric data in response to verifying that a signature of the signed second biometric hash value is associated with the compute device and verifying that the first biometric hash value corresponds with the second biometric hash value. The processor is configured to digitally sign the certification using a private key associated with the processor to produce a signed biometric certification and store the signed biometric certification in the distributed database.