Technology

Security at the edge. Before the cloud.

AegisEdge Node – secure edge identity device
AegisEdge Node – identity and keys anchored in hardware

What We Do

In high-assurance environments such as critical infrastructure, defense, and automotive, enterprise identity and cryptographic key management must be tamper-resistant, future-proof, and revocable. The AegisEdge Node is the on-device component of a system that delivers:

The Node performs local biometric verification, holds private keys in a secure, unclonable hardware enclave, and participates in a defined PQC key management and identity lifecycle with the AegisEdge Provisioning Service (acting as Certificate Authority). It is the secure, PQC-aware device that owns its identity and runs local biometric and security logic.

The Node at a Glance

The Node is a physical edge appliance or module that:

  1. Hosts a Hardware Root of Trust that generates the device’s long-lived identity key pair, stores it securely in tamper-resistant form, and never exports the private part.
  2. Stores and uses cryptographic keys for identity and for secure operations (device-to-device or device-to-service), all inside a secure enclave.
  3. Performs local multi-modal biometric verification (e.g., fingerprint, face, iris, cardiac rhythm) and AI-based liveness and matching. Biometric templates and verification stay on-device; no raw biometric data are sent to the cloud.
  4. Participates in provisioning and updates: it registers with the AegisEdge Provisioning Service, receives a PQC-signed identity certificate and an operational key pair, and accepts only PQC-signed over-the-air updates that are verified before installation.

After provisioning, the Node uses its credentials to authenticate to other Nodes or backend services and to protect those channels.

How It Works

The system has three main elements: the Hardware Root of Trust (on-device), the AegisEdge Node (the device), and the AegisEdge Provisioning Service (backend, acting as Certificate Authority). The Root of Trust generates a device-unique identity key pair and keeps the private key inside the enclave. The Node registers with the Provisioning Service, proves possession of that identity, and receives a PQC-signed identity certificate and an operational key pair.

Once provisioned, the Node can perform local biometric verification, authenticate to peers and services, and accept only PQC-signed over-the-air updates, which are verified against the Root of Trust before installation.

Revocation. When a key or device must be decommissioned (e.g., compromised, lost, or just end-of-life), the Provisioning Service revokes the corresponding credentials and maintains a signed revocation list. Revoked certificates and keys are no longer accepted. The system supports revocable keys end-to-end.

Edge Security Stack

The Node is built on an advanced edge security stack: a powerful edge processor with an integrated NPU for real-time AI, a hardware secure enclave for root-of-trust and key storage, and PQC acceleration for quantum-resistant identity and updates. The platform is designed with a path to certification for regulated sectors (e.g., ISO 26262, IEC 61508).

AegisEdge Node – edge security platform
Edge appliance with secure enclave and PQC

Key Features

Together, the Root of Trust, the Node, and the Provisioning Service form a quantum-resistant, hardware-anchored, revocable identity and key management system for high-assurance deployments at the edge.

Technical Brief

The AegisEdge Node Technical Overview summarizes the architecture, security model, and key lifecycle in a short document for technical evaluators and partners. It covers the Hardware Root of Trust, quantum-resistant identity and keys, local biometric verification, and revocable credentials.

Download Technical Brief (PDF, v1.3)