US 12,081,678 B2
Secure authentication using attestation tokens and inviolable quotes to validate request origins
Richard Pakhang Ko, Kirkland, WA (US); and Eric Arnold Jenkins, Jr., Bellingham, WA (US)
Assigned to MICROSOFT TECHNOLOGY LICENSING, LLC, Redmond, WA (US)
Filed by Microsoft Technology Licensing, LLC, Redmond, WA (US)
Filed on Oct. 22, 2021, as Appl. No. 17/508,842.
Prior Publication US 2023/0131060 A1, Apr. 27, 2023
Int. Cl. H04L 9/32 (2006.01); G06F 9/451 (2018.01); H04L 9/40 (2022.01); H04L 29/06 (2006.01)
CPC H04L 9/3263 (2013.01) [G06F 9/451 (2018.02); H04L 9/3213 (2013.01); H04L 9/3247 (2013.01); H04L 63/0442 (2013.01); H04L 63/166 (2013.01)] 20 Claims
1. A system comprising:
a secure enclave that comprises an encrypted memory, a program memory storing program code, and a processing system comprising a processor circuit configured to receive the program code from the program memory and, in response to receiving the program code, to:
generate a signed digital certificate that comprises:
a public key from a key pair generated by the secure enclave, and
a secure quote generated in the encrypted memory and comprising an identifier of the secure enclave and a hash value of the public key;
receive an attestation token from a trusted token provider, the attestation token based on the hash value of the public key and signed with a signing certificate;
receive, from a requestor, a request for confidential data; and
place a first application programming interface (API) call to a data storage that persists the confidential data in a first encrypted state, the first API call comprising the signed digital certificate and the attestation token; and
the trusted token provider configured to:
receive an update request from the data storage based on the signing certificate of the attestation token in the API call being unrecognized by the data storage;
update the signing certificate; and
provide the updated signing certificate to the data storage.
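As an added illustration (not code from the patent or from Microsoft), the claimed exchange simulated in Python: the enclave presents a certificate binding its public key to a quote, the token provider issues a token over the key hash, and the data storage, on seeing a signing certificate it does not recognise, sends an update request to the provider before verifying. Certificate signatures are modelled with HMAC keys and all identifiers are constructed so the example runs offline.

```python
import hashlib
import hmac
import secrets

def sign(key: bytes, msg: bytes) -> str:
    # HMAC stands in for a certificate signature so the example runs offline
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class TokenProvider:  # trusted token provider with a rotatable signing certificate
    def __init__(self):
        self.cert_id, self.key = "signing-cert-1", secrets.token_bytes(32)
    def rotate(self):  # new signing certificate; data storage has not seen it yet
        n = int(self.cert_id.split("-")[-1]) + 1
        self.cert_id, self.key = f"signing-cert-{n}", secrets.token_bytes(32)
    def issue_token(self, pub_hash: str) -> dict:  # attestation token over the key hash
        return {"pub_hash": pub_hash, "cert_id": self.cert_id, "sig": sign(self.key, pub_hash.encode())}
    def current_cert(self):  # answers the data storage's update request
        return self.cert_id, self.key

def enclave_certificate(enclave_id: str, public_key: bytes) -> dict:
    # Signed digital certificate: public key plus the secure quote (enclave id + hash of key)
    pub_hash = hashlib.sha256(public_key).hexdigest()
    return {"public_key": public_key, "quote": {"enclave_id": enclave_id, "pub_hash": pub_hash}}

class DataStorage:
    def __init__(self, provider: TokenProvider, secret: bytes):
        self.provider, self.secret = provider, secret  # secret: placeholder for the stored data
        self.known_certs = dict([provider.current_cert()])
        self.update_requests = 0
    def read(self, certificate: dict, token: dict) -> bytes:  # the first API call
        pub_hash = hashlib.sha256(certificate["public_key"]).hexdigest()
        if certificate["quote"]["pub_hash"] != pub_hash or token["pub_hash"] != pub_hash:
            raise PermissionError("quote/token do not bind the presented public key")
        if token["cert_id"] not in self.known_certs:  # unrecognised signing certificate
            self.update_requests += 1
            cid, key = self.provider.current_cert()
            self.known_certs[cid] = key
        key = self.known_certs.get(token["cert_id"])
        if key is None or not hmac.compare_digest(sign(key, pub_hash.encode()), token["sig"]):
            raise PermissionError("attestation token signature invalid")
        return self.secret

def demo() -> tuple:
    provider = TokenProvider()
    storage = DataStorage(provider, b"confidential-data")
    cert = enclave_certificate("enclave-42", secrets.token_bytes(32))  # constructed enclave
    first = storage.read(cert, provider.issue_token(cert["quote"]["pub_hash"]))
    provider.rotate()  # signing certificate changes between the two calls
    second = storage.read(cert, provider.issue_token(cert["quote"]["pub_hash"]))
    return first, second, storage.update_requests
```

The second call succeeds only because the storage fetched the rotated certificate; a token whose signature does not verify under any known certificate is still refused.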