Techniques are described for securely managing computing resources in a computing environment comprising a computing service provider and a remote computing network. The remote computing network includes computing and network devices configured to extend computing resources of the computing service provider to remote users of the computing service provider. The network devices include a trusted network device that includes a root of trust. The trusted network device detects that a new device is communicatively coupled to a port on the trusted network device. The trusted network device determines that the new device is not authorized to access computing resources at the remote computing network. The port is isolated at the trusted network device.

A trusted execution environment obtains an attestation request. The attestation request includes at least an attestation key. Based on obtaining the attestation request, one or more integrity measurements are computed, and the computing uses at least the attestation key. The one or more integrity measurements are provided to an entity, and the one or more integrity measurements are to be used to verify that a secure guest has been started using a selected secure guest image and selected secure guest metadata.

Aspects of the present disclosure relate to an apparatus comprising first interface circuitry to communicate with relying party circuitry, the first interface circuitry being configured to receive, from the relying party circuitry, an attestation request in respect of a processing operation requested by attester circuitry to be performed by the relying party circuitry; second interface circuitry to communicate with the attester circuitry, the second interface circuitry being configured to: transmit the attestation request to the attester circuitry; and receive, from the attester circuitry, evidence data associated with the processing operation, and third interface circuitry to communicate with verifier circuitry, the third interface circuitry being configured to: transmit the evidence data to the verifier circuitry; and receive, from the verifier circuitry, attestation result data indicative of a verification of the evidence data, wherein the first interface circuitry is configured to transmit the attestation result data to the relying party circuitry.

An authentication system facilitates a transfer of enrollment in authentication services between client devices. The authentication system enrolls a client device in authentication services to enable the client device to be used for authenticating requests to access one or more services. As part of enrolling the client device, the authentication system receives authentication enrollment information for the client device that is associated with one or more authentication credentials securely stored on the client device (e.g., a multi-factor authentication (MFA) certificate). The authentication system facilitates one or more processes for transferring the enrollment from an enrolled client device to a non-enrolled client device that limit the number and complexity of actions performed by the user. In particular, the authentication system facilitates transfer of enrollment based on receiving enrollment transfer requests authorized by the enrolled client device using one or more authentication credentials associated with the enrollment of the enrolled client device.

A multivariate signature method for resisting key recovery attack, which establishes a new signature verification condition by adding additional value of signature. The verification condition implies verification of internal information x and y, thereby effectively resisting key recovery attack generated by the existence of equivalence key. Specifically, the method includes the three stages of data preprocessing, signature generation and signature verification. The invention is a signature authentication method based on polynomial equations of a plurality of variables in a finite field, which can effectively resist the key recovery attack, provide the basic technical support for the information security and the establishment of the trust system in the quantum computer era, and provide a secure digital signature option in the quantum era. The present invention is especially suitable for use under application condition which has limited storage and processing time, such as smart cards, wireless sensor networks and dynamic RFID tags.

According to some embodiments, an overall chain-of-trust may be established for an industrial control system. Secure hardware may be provided, including a hardware security module coupled to or integrated with a processor of the industrial control system to provide a hardware root-of-trust. Similarly, secure firmware associated with a secure boot mechanism such that the processor executes a trusted operating system, wherein the secure boot mechanism includes one or more of a measured boot, a trusted boot, and a protected boot. Objects may be accessed via secure data storage, and data may be exchanged via secure communications in accordance with information stored in the hardware security model.

A method and apparatus for a certificate authority system providing authentication to a plurality of devices associated with an organization are described. The method may include receiving, at the certificate authority system, a request from a device to sign authentication information of the device, wherein the device is associated with the organization. The method may also include sending a challenge to the device to perform an action with a system other than the certificate authority system, and receiving the response to the challenge from the device. Furthermore, the method may include verifying that the response was generated correctly based on the challenge, and signing the authentication information of the device with one or more keys of the certificate authority system as an authentication of an identity of the device.

Various systems and methods for configuring a pluggable computing device are described herein. A pluggable computing device may be configured to be compatible with a pluggable host system using a default communication channel to obtain configuration settings and configure a programmable logic device on the pluggable computing device. The pluggable computing device may perform chain of trust processing on the pluggable host system. The pluggable computing device may be disposed on a compute card, which may include a heat sink in a particular configuration.

Disclosed embodiments relate to encoded inline capabilities. In one example, a system includes a trusted execution environment (TEE) to partition an address space within a memory into a plurality of compartments each associated with code to execute a function, the TEE further to assign a message object in a heap to each compartment, receive a request from a first compartment to send a message block to a specified destination compartment, respond to the request by authenticating the request, generating a corresponding encoded capability, conveying the encoded capability to the destination compartment, and scheduling the destination compartment to respond to the request, and subsequently, respond to a check capability request from the destination compartment by checking the encoded capability and, when the check passes, providing a memory address to access the message block, and, otherwise, generating a fault, wherein each compartment is isolated from other compartments.

This disclosure relates to systems and methods for enabling the use of secret digital or electronic information without exposing the sensitive information to unsecured applications. In certain embodiments, the methods may include invoking, by a client application executing in an open processing domain, a secure abstraction layer configured to interface with secret data protected by a secure processing domain. Secure operations may be securely performed on the secret data by the secure abstraction layer in the secure processing domain based on an invocation from a client application running in the open processing domain.