Abstract: The technology disclosed herein enables a method to receive an indication of a change to an operating mode of a device from a first operating mode to a second operating mode, and identify a cryptographic item stored at a memory of the device, wherein the cryptographic item corresponds to an identification of the device signed with a digital signature, and wherein the digital signature is based on a private key that is inaccessible to the device. On response to receiving the indication of the change to the operating mode of the device, the method can modify the cryptographic item stored at the memory, and operate the device in the second operating mode based on the modified cryptographic item. The indication of the change to the operating mode of the device can correspond to a detection of a change in a function of the device.

Abstract: An application may perform operations within a first secure enclave of a processing device. The application may provide secure monitoring data, such as secure heartbeat information. The monitoring data and an application identity may be verified at a second secure enclave of the processing device using local attestation operations. A remote attestation signature may be generated at the second secure enclave based on the monitoring data, the application identity, and a node private key. A monitoring message signature may be generated at the first secure enclave based on an application private key and a message payload that includes the monitoring data, the application identity, and the remote attestation signature. A monitoring message that includes the payload and monitoring message signature may be sent from the first secure enclave to a monitoring system, which may verify the message to detect unauthorized changes to the monitoring data or the application identity.

Abstract: An encrypted file system key associated with a first secure enclave may be received. A request from a second secure enclave to access a file system associated with the encrypted file system key may be received. In response to receiving the request, the encrypted file system key may be decrypted with a cryptographic key associated with an enclave manager to obtain a file system key. The file system key may be encrypted based on another cryptographic key associated with the second secure enclave to generate a re-encrypted file system key. Furthermore, the re-encrypted file system key may be provided to the second secure enclave.

Abstract: A request to provide an application at a secure enclave of a server may be received. A hash value of the application may be generated. Application data that is to be used with the application at the secure enclave of the server may be identified. Another hash value of the application data that is to be used with the application at the secure enclave of the server may be generated. The hash value of the application and the other hash value of the application data may be signed where the signed hash value and other hash are being used to execute the application with the application data at the secure enclave of the server.

Abstract: An application may perform operations within a first secure enclave of a processing device. The application may provide secure monitoring data, such as secure heartbeat information. The monitoring data and an application identity may be verified at a second secure enclave of the processing device using local attestation operations. A remote attestation signature may be generated at the second secure enclave based on the monitoring data, the application identity, and a node private key. A monitoring message signature may be generated at the first secure enclave based on an application private key and a message payload that includes the monitoring data, the application identity, and the remote attestation signature. A monitoring message that includes the payload and monitoring message signature may be sent from the first secure enclave to a monitoring system, which may verify the message to detect unauthorized changes to the monitoring data or the application identity.

Abstract: A network service may be identified. One or more attributes of the network service may be determined. An attribute manifest for the network service may be generated based on the determined one or more attributes of the network service. Furthermore, the attribute manifest may be transmitted based on the determined one or more attributes to the network service.

Abstract: A request to provide an application at a secure enclave of a server may be received. A hash value of the application may be generated. Application data that is to be used with the application at the secure enclave of the server may be identified. Another hash value of the application data that is to be used with the application at the secure enclave of the server may be generated. The hash value of the application and the other hash value of the application data may be signed where the signed hash value and other hash are being used to execute the application with the application data at the secure enclave of the server.

Abstract: A request to issue a digital certificate may be received. A hash value corresponding to an application that has provided the request for the digital certificate may be identified. A determination may be made as to whether the hash value corresponding to the application matches with a known hash value. In response to determining that the hash value corresponding to the application matches with the known hash value the digital certificate may be issued to the application.

Abstract: The technology disclosed herein enables a method to receive an indication of a change to an operating mode of a device from a first operating mode to a second operating mode, and identify a cryptographic item stored at a memory of the device, wherein the cryptographic item corresponds to an identification of the device signed with a digital signature, and wherein the digital signature is based on a private key that is inaccessible to the device. On response to receiving the indication of the change to the operating mode of the device, the method can modify the cryptographic item stored at the memory, and operate the device in the second operating mode based on the modified cryptographic item. The indication of the change to the operating mode of the device can correspond to a detection of a change in a function of the device.

Abstract: An encrypted file system key associated with a first secure enclave may be received. A request from a second secure enclave to access a file system associated with the encrypted file system key may be received. In response to receiving the request, the encrypted file system key may be decrypted with a cryptographic key associated with an enclave manager to obtain a file system key. The file system key may be encrypted based on another cryptographic key associated with the second secure enclave to generate a re-encrypted file system key. Furthermore, the re-encrypted file system key may be provided to the second secure enclave.

Abstract: Authentication information at a first portion of encrypted data may be identified. A cryptographic key may be derived based on a combination of an identification of the first portion of the received encrypted data and a master key. Additional authentication information may be generated based on a combination of the derived cryptographic key and another portion of the received encrypted data. The encrypted data may be verified by comparing the authentication information at the first portion of the received encrypted data with the generated additional authentication information. In response to verifying the received encrypted data, a second cryptographic key may be derived based on a combination of an identification of the another portion of the encrypted data and the master key. The other portion of the received encrypted data may be decrypted by using the second cryptographic key.

Abstract: A payment reader and a POS terminal may communicate over a wireless connection. The methods and systems include receiving, from POS terminal, a request for establishing a network connection with the payment card reader. The server determines whether the payment card reader is associated with the POS terminal or a payment application thereon. If the payment card reader is not associated with the POS terminal or the payment application thereon, the server determines the probability of the request being fraudulent.

Abstract: An indication of a change to an operating mode of a device may be received. A cryptographic item stored at a memory of the device may be identified. In response to receiving the indication of the change to the operating mode of the device, the cryptographic item stored at the memory may be modified. The device may operate in the changed operating mode based on the modified cryptographic item.

Abstract: An input data may be received. Memory pages may be identified where each of the memory pages includes one or more cache lines. A first index table that includes cache lines may be generated from the memory pages based on the input data. Subsequently, an output data may be provided based on a particular cache line from the cache lines of the first index table.

Abstract: A payment reader and a POS terminal may communicate over a wireless connection. An original state of the payment reader can be used to determine a behavioral model, wherein the behavioral model defines an expected behavior of the payment entity. The system and method include detecting a change in the original state of the payment entity, wherein the change in the original state is triggered by another payment entity not authorized by the merchant; comparing the change of the original state with a threshold deviation defined by the behavioral model; and if the change of state is not within the threshold deviation, performing one or more actions to revert the payment entity to the original state.

Abstract: A network service may be identified. One or more attributes of the network service may be determined. An attribute manifest for the network service may be generated based on the determined one or more attributes of the network service. Furthermore, the attribute manifest may be transmitted based on the determined one or more attributes to the network service.

Abstract: A first connection between a first network server and a second network server may be established where the first connection is based on a connection key stored at a secure location of the first network server. A request for one or more cryptographic keys may be transmitted from the first network server to the second network server. The first network server may receive the one or more cryptographic keys from the second network server over the first connection. The one or more cryptographic keys from the second server may be stored at the secure location of the first network server that is storing the connection key used to establish the first connection.

Abstract: An indication of a change to an operating mode of a device may be received. A cryptographic item stored at a memory of the device may be identified. In response to receiving the indication of the change to the operating mode of the device, the cryptographic item stored at the memory may be modified. The device may operate in the changed operating mode based on the modified cryptographic item.

Abstract: A request to issue a digital certificate may be received. A hash value corresponding to an application that has provided the request for the digital certificate may be identified. A determination may be made as to whether the hash value corresponding to the application matches with a known hash value. In response to determining that the hash value corresponding to the application matches with the known hash value the digital certificate may be issued to the application.

Abstract: An input data may be received. Memory pages may be identified where each of the memory pages includes one or more cache lines. A first index table that includes cache lines may be generated from the memory pages based on the input data. Subsequently, an output data may be provided based on a particular cache line from the cache lines of the first index table.