US 12,452,038 B2
Secure computing environments with key management for private communication over data networks
Michael Edmond Kaplan, Brooklyn, NY (US); and Bernard Wong, Waterloo (CA)
Assigned to Enclave Markets Inc., San Francisco, CA (US)
Filed by Enclave Markets Inc., San Francisco, CA (US)
Filed on Oct. 23, 2023, as Appl. No. 18/492,372.
Application 18/492,372 is a continuation of application No. 18/154,554, filed on Jan. 13, 2023, granted, now 11,831,760.
Prior Publication US 2024/0243905 A1, Jul. 18, 2024
Int. Cl. H04L 9/08 (2006.01); H04L 9/32 (2006.01)
CPC H04L 9/0825 (2013.01) [H04L 9/0866 (2013.01); H04L 9/3263 (2013.01)] 20 Claims
 
1. A system for providing secure data transfer with a trusted execution environment that executes secure-software, the system comprising:
a host server comprising one or more processors, computer memory, and a secure module configured to (i) provide the trusted execution environment within which processing is secure from observation and manipulation by other operations outside of the secure module, and (ii) load secure-software for processing in the trusted execution environment, the secure-software comprising instructions that, when executed in the trusted execution environment, cause the secure module to perform operations comprising:
generating a private key and a corresponding public key;
maintaining the private key in the trusted execution environment;
sending the public key and ownership metadata that pertains to the host server to a certifying server that is configured to (i) receive the public key, (ii) verify ownership of the host server by examining ownership records that correspond to the ownership metadata, (iii) in response to verifying ownership of the host server, generate a certificate for the host server using the public key, and (iv) serve the certificate to the host server;
in response to receiving an attestation request for a client device, processing the attestation request by (i) providing, to the client device, the certificate that has been served by the certifying server, and (ii) generating an attestation response using the private key, wherein the attestation response comprises an actual-fingerprint of the secure-software, and wherein the attestation response is used to perform a verification of whether the trusted execution environment is executing the secure-software by verifying whether the actual-fingerprint of the secure-software matches an expected-fingerprint of the secure-software, and to provide a result of the verification for the client device;
after the certificate has been provided to the client device and the result of the verification has been provided for the client device, receiving, from the client device, a request for an encrypted connection with the trusted execution environment; and
after receiving the request for the encrypted connection from the client device, (i) initiating the encrypted connection with the client device, and (ii) communicating with the client device over the encrypted connection.
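The certification and attestation flow of claim 1 (key pair generated in the TEE, certificate issued only after the certifying server checks an ownership record, attestation response signed with the enclave's private key, client comparing the actual fingerprint with the expected one) as an added example; this is not code from the patent or from Enclave Markets. The toy RSA primes, the `host_id`/`owner` metadata fields, the ownership-record table, the nonce and the "software" bytes are all constructed assumptions.

```python
import hashlib
import json

E = 17  # toy RSA exponent; primes below are constructed, far too small for real use

def keygen(p, q):
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))  # (public, private)

def h_int(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(priv, data: bytes) -> int:
    return pow(h_int(data, priv[0]), priv[1], priv[0])
def verify(pub, data: bytes, sig: int) -> bool:
    return pow(sig, pub[1], pub[0]) == h_int(data, pub[0])
def canon(obj) -> bytes:
    return json.dumps(obj, sort_keys=True).encode()
def fingerprint(software: bytes) -> str:
    return hashlib.sha256(software).hexdigest()

OWNERSHIP_RECORDS = {"host-42": "Example Owner LLC"}  # constructed ownership records

def certify(ca_priv, host_pub, metadata):
    # Certifying server: check the ownership record, then bind host_id to the TEE's public key.
    if OWNERSHIP_RECORDS.get(metadata["host_id"]) != metadata["owner"]:
        return None
    body = {"host_id": metadata["host_id"], "pub": list(host_pub)}
    return {"body": body, "sig": sign(ca_priv, canon(body))}

def attest(host_priv, software: bytes, nonce: str):
    # Inside the TEE: sign the actual fingerprint of the loaded software plus the client's nonce.
    body = {"fingerprint": fingerprint(software), "nonce": nonce}
    return {"body": body, "sig": sign(host_priv, canon(body))}

def client_verify(ca_pub, cert, resp, nonce, expected_fp) -> bool:
    # Client: certificate signature, then attestation signature, then fingerprint and nonce.
    if cert is None or not verify(ca_pub, canon(cert["body"]), cert["sig"]):
        return False
    if not verify(tuple(cert["body"]["pub"]), canon(resp["body"]), resp["sig"]):
        return False
    return resp["body"]["nonce"] == nonce and resp["body"]["fingerprint"] == expected_fp

def run_flow(software: bytes, expected_fp: str, owner="Example Owner LLC") -> bool:
    ca_pub, ca_priv = keygen(61, 53)      # certifying server's key pair
    host_pub, host_priv = keygen(67, 71)  # generated and kept inside the TEE
    cert = certify(ca_priv, host_pub, {"host_id": "host-42", "owner": owner})
    nonce = "c0ffee"  # constructed; a real client picks a fresh random nonce
    resp = attest(host_priv, software, nonce)
    return client_verify(ca_pub, cert, resp, nonce, expected_fp)  # True: proceed to encrypted connection
```

A `False` result at any of the three checks (certificate, attestation signature, fingerprint) means the client should not request the encrypted connection.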