Patents by Inventor Ernie Brickell

Ernie Brickell has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 7813507
    Abstract: A method and system for creating random cryptographic keys in hardware is described. One or more bits are generated via one or more random bit circuits. Each random bit circuit includes a sensing device coupled to a first device and a second device to compare the first device against the second device and to generate a random bit from a random state value. The generated bits from the random bit circuits are read, and a cryptographic key may then be computed based on the generated bits.
    Type: Grant
    Filed: April 21, 2005
    Date of Patent: October 12, 2010
    Assignee: Intel Corporation
    Inventors: Ernie Brickell, Rachael Parker
  • Publication number: 20100082973
    Abstract: A Direct Anonymous Attestation (DAA) scheme using elliptic curve cryptography (ECC) and bilinear maps. A trusted platform module (TPM) may maintain privacy of a portion of a private membership key from an issuer while joining a group. Moreover, the TPM can outsource most of the computation involved in generating a signature to a host computer.
    Type: Application
    Filed: September 29, 2008
    Publication date: April 1, 2010
    Inventors: Ernie Brickell, Jiangtao Li
  • Patent number: 7610448
    Abstract: For each memory location in a set of memory locations associated with a thread, setting an indication associated with the memory location to request a signal if data from the memory location is evicted from a cache; and in response to the signal, reloading the set of memory locations into the cache.
    Type: Grant
    Filed: December 27, 2006
    Date of Patent: October 27, 2009
    Assignee: Intel Corporation
    Inventors: Mark Buxton, Ernie Brickell, Quinn A. Jacobson, Hong Wang, Baiju Patel
  • Patent number: 7565492
    Abstract: A method for managing a cache is disclosed. A context switch is identified. It is determined whether an application running after the context switch requires protection. Upon determining that the application requires protection the cache is partitioned. According to an aspect of the present invention, a partitioned section of the cache is completely overwritten with data associated with the application. Other embodiments are described and claimed.
    Type: Grant
    Filed: August 31, 2006
    Date of Patent: July 21, 2009
    Assignee: Intel Corporation
    Inventors: Francis X. McKeen, Leena K. Puthiyedath, Ernie Brickell, James B. Crossland
  • Publication number: 20090172639
    Abstract: In some embodiments, the integrity of firmware stored in a non-volatile memory is verified prior to initiation of a firmware reset vector. Other embodiments are described and claimed.
    Type: Application
    Filed: December 27, 2007
    Publication date: July 2, 2009
    Inventors: Mahesh Natu, Sham Datta, Ernie Brickell
  • Patent number: 7526649
    Abstract: According to an embodiment of the invention, a method and apparatus for session key exchange are described. An embodiment of a method comprises requesting a service for a platform; certifying the use of the service for one or more acceptable configurations of the platform; and receiving a session key for a session of the service, the service being limited to the one or more acceptable configurations of the platform.
    Type: Grant
    Filed: December 30, 2003
    Date of Patent: April 28, 2009
    Assignee: Intel Corporation
    Inventors: Willard M. Wiseman, David W. Grawrock, Ernie Brickell, Matthew D. Wood, Joseph F. Cihula
  • Publication number: 20080162816
    Abstract: For each memory location in a set of memory locations associated with a thread, setting an indication associated with the memory location to request a signal if data from the memory location is evicted from a cache; and in response to the signal, reloading the set of memory locations into the cache.
    Type: Application
    Filed: December 27, 2006
    Publication date: July 3, 2008
    Inventors: Mark Buxton, Ernie Brickell, Quinn A. Jacobson, Hong Wang, Baiju Patel
  • Publication number: 20080163331
    Abstract: Apparatuses, methods, and systems for reconfiguring a secure system are disclosed. In one embodiment, an apparatus includes a configuration storage location, a lock, and lock override logic. The configuration storage location is to store information to configure the apparatus. The lock is to prevent writes to the configuration storage location. The lock override logic is to allow instructions executed from sub-operating mode code to override the lock.
    Type: Application
    Filed: December 29, 2006
    Publication date: July 3, 2008
    Inventors: Sham M. Datta, Mohan J. Kumar, James A. Sutton, Ernie Brickell, Ioannis T. Schoinas
  • Publication number: 20080059711
    Abstract: A method for managing a cache is disclosed. A context switch is identified. It is determined whether an application running after the context switch requires protection. Upon determining that the application requires protection the cache is partitioned. According to an aspect of the present invention, a partitioned section of the cache is completely overwritten with data associated with the application. Other embodiments are described and claimed.
    Type: Application
    Filed: August 31, 2006
    Publication date: March 6, 2008
    Inventors: Francis X. McKeen, Leena K. Puthiyedath, Ernie Brickell, James B. Crossland
  • Publication number: 20070226505
    Abstract: Verification of an encrypted blob of data passed to a sealed storage function in a trusted platform module (TPM) of a computing platform by a software component, may be accomplished by receiving the encrypted blob of data and a digital signature for each of a set of platform configuration register (PCR) indicators and PCR value pairs from the software component. The encrypted blob of data may be decrypted using a TPM key to form a decrypted blob of data, the decrypted blob of data including a secret and a verification key. For each received digital signature of the set of PCR identifier and PCR value pairs, it may be determined if each received digital signature verifies using the verification key and rejecting the decrypted blob of data when any signature is not verified.
    Type: Application
    Filed: March 27, 2006
    Publication date: September 27, 2007
    Inventor: Ernie Brickell
  • Publication number: 20070113077
    Abstract: One aspect of an embodiment of the invention provides a method, system, and device to prove to a challenger that a prover device has a signature from a device manufacturer without revealing the signature to the challenger. According to one implementation, a challenger is provided with the result of a one-way function of a secret held by a prover device. An interactive proof is employed, between the prover device and the challenger, to prove to the challenger that the secret used in the one-way function has been signed by a device signature without revealing the secret or the device signature or the prover device's identity to the challenger.
    Type: Application
    Filed: January 11, 2007
    Publication date: May 17, 2007
    Applicant: Intel Corporation
    Inventor: Ernie Brickell
  • Publication number: 20060245590
    Abstract: A key exchange protocol can be performed between components of a system, such as between a computer program being executed by the processor of a PC (or other computer system) and a peripheral. A peripheral with a user input capability and a very limited display capability, such as a keyboard or a mouse, may be used to confirm a key exchange between the system components in a way that requires the user to enter only small amounts of input data (e.g., keystrokes or mouse clicks). Security between components may be enhanced without having a negative impact on usability of the system. Embodiments of the present invention help to deter “man in the middle” attacks wherein an attacker gains control of a system component situated between certain communicating system components.
    Type: Application
    Filed: June 30, 2006
    Publication date: November 2, 2006
    Inventor: Ernie Brickell
  • Publication number: 20060239461
    Abstract: A method and system for creating random cryptographic keys in hardware is described. One or more bits are generated via one or more random bit circuits. Each random bit circuit includes a sensing device coupled to a first device and a second device to compare the first device against the second device and to generate a random bit from a random state value. The generated bits from the random bit circuits are read, and a cryptographic key may then be computed based on the generated bits.
    Type: Application
    Filed: April 21, 2005
    Publication date: October 26, 2006
    Inventors: Ernie Brickell, Rachael Parker
  • Publication number: 20060218649
    Abstract: Providing conditional access to a unique device identifier (ID) stored in a device in a processing system may be accomplished by determining if a platform state (such as firmware and/or data) is present in a non-volatile storage of the processing system; when the platform state is not present, loading the device ID into a volatile storage of the processing system, receiving a request from an external entity to obtain the device ID, sending the device ID to the external entity, and rejecting all subsequent requests to obtain the device ID; and when the platform state is present, rejecting all requests to obtain the device ID.
    Type: Application
    Filed: March 22, 2005
    Publication date: September 28, 2006
    Inventors: Ernie Brickell, Matthew Wood
  • Publication number: 20060136910
    Abstract: A method, apparatus and system for improving security on a virtual machines host is described. A shared file system on the host may include annotations usable by a service module to access files across VMs and to enforce security policies. The service module may additionally enable a unified user interface to improve usability of the host.
    Type: Application
    Filed: December 17, 2004
    Publication date: June 22, 2006
    Inventors: Ernie Brickell, Clifford Hall, Joseph Cihula, Richard Uhlig
  • Publication number: 20060126843
    Abstract: Encrypting data in a cascaded block cipher system may be accomplished by applying a first encryption algorithm using a secret shared between first and second parties as a key to generate a secret inner key; applying a second encryption algorithm for a predetermined number of rounds using the secret inner key to generate a plurality of blocks of ciphertext data from a plurality of blocks of plaintext data; and repeating the applying the first encryption algorithm and the applying the second encryption algorithm steps.
    Type: Application
    Filed: December 9, 2004
    Publication date: June 15, 2006
    Inventors: Ernie Brickell, Gary Graunke
  • Publication number: 20060021029
    Abstract: Improving security of a processing system may be accomplished by at least one of executing and accessing a suspect file in a sandbox virtual machine.
    Type: Application
    Filed: June 29, 2004
    Publication date: January 26, 2006
    Inventors: Ernie Brickell, Clifford Hall, Joseph Cihula, Richard Uhlig
  • Publication number: 20060013399
    Abstract: Delivering a Direct Proof private key to a device installed in a client computer system in the field may be accomplished in a secure manner without requiring significant non-volatile storage in the device. A unique pseudo-random value is generated and stored in the device at manufacturing time. The pseudo-random value is used to generate a symmetric key for encrypting a data structure holding a Direct Proof private key and a private key digest associated with the device. The resulting encrypted data structure is stored on a removable storage medium (such as a CD), and distributed to the owner of the client computer system. When the device is initialized on the client computer system, the system checks if a localized encrypted data structure is present in the system. If not, the system obtains the associated encrypted data structure from the removable storage medium.
    Type: Application
    Filed: July 14, 2004
    Publication date: January 19, 2006
    Inventors: Ernie Brickell, James Sutton, Clifford Hall, David Grawrock
  • Publication number: 20060015751
    Abstract: Secure storage and retrieval of a unique value associated with a device to/from a memory of a processing system. In at least one embodiment, the device needs to be able to access the unique value across processing system resets, and the device does not have sufficient non-volatile storage to store the unique value itself. Instead, the unique value is stored in the processing system memory in such a way that the stored unique value does not create a unique identifier for the processing system or the device. A pseudo-randomly or randomly generated initialization vector may be used to vary an encrypted data structure used to store the unique value in the memory.
    Type: Application
    Filed: July 14, 2004
    Publication date: January 19, 2006
    Inventors: Ernie Brickell, Alberto Martinez, David Grawrock, James Sutton, Clifford Hall
  • Publication number: 20060013400
    Abstract: Delivering a Direct Proof private key in a signed group of keys to a device installed in a client computer system in the field may be accomplished in a secure manner without requiring significant non-volatile storage in the device. A unique pseudo-random value is generated and stored along with a group number in the device at manufacturing time. The pseudo-random value is used to generate a symmetric key for encrypting a data structure holding a Direct Proof private key and a private key digest associated with the device. The resulting encrypted data structure is stored in a signed group of keys (e.g., a signed group record) on a removable storage medium (such as a CD or DVD), and distributed to the owner of the client computer system. When the device is initialized on the client computer system, the system checks if a localized encrypted data structure is present in the system.
    Type: Application
    Filed: July 14, 2004
    Publication date: January 19, 2006
    Inventors: James Sutton, Clifford Hall, Ernie Brickell, David Grawrock