Patents Examined by Anthony DiLorenzo
  • Patent number: 6564319
    Abstract: A technique for compressing certificate information for use in portable credit instruments having limited storage capacity. An end user certificate typically actually comprises a chain of certificates, as SET transactions require not only the end user certificate and its parent certificates. Each certificate in the certificate chain is compared to a template for that certificate, and the differences are stored. Redundant differences within each certificate are deleted, as are differences which may be derived from differences stored for other certificates in the certificate chain. The remaining stored differences are then recorded on an end user credit instrument, such as a smart card. Preferably, the certificate chain is then recreated for verification purposes before the card is issued. PER encoding may also be employed to further compress the certificate information to be recorded on the credit instrument.
    Type: Grant
    Filed: December 29, 1997
    Date of Patent: May 13, 2003
    Assignee: International Business Machines Corporation
    Inventors: Mark E. Peters, Parley Avery Salmon
  • Patent number: 6550010
    Abstract: Methods and apparatus to provide for a unit that is locked against use for communications until the unit is unlocked and that may be activated on a selected network in conjunction with the unit being unlocked. A unit includes a memory for storing an unlock code specific to the unit. The unlock code is used to unlock the unit and is unbreakable without knowledge of a secret code and an algorithm. The unlock code is generated by using the algorithm with the secret code and an identifier unique to the unit. The unit also includes a control for receipt of an input code and a system identification number with the input code and the system identification number having originated from the selected network.
    Type: Grant
    Filed: February 3, 2000
    Date of Patent: April 15, 2003
    Assignee: BellSouth Intellectual Property Corp.
    Inventors: Charles M. Link, II, Donald Lee Batson, Jr.
  • Patent number: 6532540
    Abstract: Methods and apparatuses for providing cryptographic assurance based on ranges as to whether a particular data item is on a list. According to one computer-implemented method, the items on the list are sorted and ranges are derived from adjacent pairs of data items on the list. Next, cryptographically manipulated data is generated from the plurality of ranges. At least parts of the cryptographically manipulated data is transmitted onto a network for use in cryptographically demonstrating whether any given data item is on the list. According to another computer-implemented method, a request message is received requesting whether a given data item is on a list of data items. In response, a range is selected that is derived from the pair of data items on the list that define the smallest range that includes the given data item. A response message is transmitted that cryptographically demonstrates whether the first data item is on the list using cryptographically manipulated data derived from the range.
    Type: Grant
    Filed: June 23, 1998
    Date of Patent: March 11, 2003
    Assignee: ValiCert, Inc.
    Inventor: Paul Carl Kocher
  • Patent number: 6480608
    Abstract: In an Asynchronous Transfer Mode telecommunications network having a plurality of virtual paths or circuits, an encryption key used for data transmitted between a source and a receiver may be updated, the data being transmitted initially using a first encryption key by a first of the plurality of virtual paths or circuits, by a connection being established by a second of the plurality of virtual paths or circuits and sending a second encryption key by that connection from the source to the receiver and subsequently transmitting the data using the second encryption key by the second of the plurality of virtual paths or circuits.
    Type: Grant
    Filed: April 23, 1998
    Date of Patent: November 12, 2002
    Assignee: Marconi Communications Limited
    Inventor: Richard J Proctor
  • Patent number: 6466671
    Abstract: A smartcard for use with a receiver of encrypted broadcast signals comprises a microprocessor for enabling or controlling decryption of said signals. A memory is coupled to the microprocessor. The microprocessor is adapted to enable or control the individual decryption of a plurality of such signals from respective broadcast suppliers of such signals by means of respective dynamically created zones in the memory, the dynamically created zones each being arranged to store decryption data associated with a respective one of said broadcast suppliers.
    Type: Grant
    Filed: September 21, 1999
    Date of Patent: October 15, 2002
    Inventors: Michel Maillard, Christian Benardeau
  • Patent number: 6445794
    Abstract: A method for generating an identical electronic one-time pad at a first location and a second location, the method comprising the steps of: (a) providing a first electronic device at the first location and a second electronic device at the second location, each of the first and the second electronic devices having: (i) a non-volatile memory; (ii) a processor; (iii) at least one table of true random numbers being stored on the non-volatile memory, the table being identical for the first and the second electronic devices; and (iv) at least one software program for obtaining a true random number from the table, the software program being stored on the non-volatile memory and the at least one software program being operated by the processor; (b) providing a communication channel for communication between the first electronic device and the second electronic device; (c) selecting a selected true random number from the table at the first and the second electronic devices according to a selection procedure, the sele
    Type: Grant
    Filed: June 24, 1998
    Date of Patent: September 3, 2002
    Assignees: Worcop Investment Ltd.
    Inventor: Adam Shefi
  • Patent number: 6442692
    Abstract: A device for verifying the identity of an individual based on a typing characteristic token. The device having said device embedded in a keyboard, said keyboard in communication with a processing system to be secured, said device comprising: an input means for monitoring the time interval in which keys on the keyboard are depressed; a processing means in electrical communication with the input means for generating a first typing characteristic token based on the monitored time intervals; a memory means in data communication with the processing means for storing the first typing characteristic token, and wherein the processing system is adapted to compare the first typing characteristic token with a second typing characteristics token generated for a current user; and wherein the processing system denies access to the current user if the second typing characteristic does not match the stored first typing characteristic token.
    Type: Grant
    Filed: July 21, 1998
    Date of Patent: August 27, 2002
    Inventor: Arkady G. Zilberman
  • Patent number: 6442688
    Abstract: A method and apparatus for public key certificate updates is accomplished when a user of a secured communications system provides, from time to time, a public key certificate update subscription update to a server. The public key certificate update subscription information identifies at least one subscriber subject (i.e., another end-user) that the user desires to obtain real time public key updates when they occur. In response to the subscription information, the server monitors public key certificates of the at least one subscriber subject. When a change occurs to the public key certificate of the at least one subscriber, the server provides an indication of the change to the requesting user. As such, while the user is on-line with the secured communications system, the server can provide the user with real-time updates of subscriber subjects' encryption public key certificates and/or signature public key certificates.
    Type: Grant
    Filed: August 29, 1997
    Date of Patent: August 27, 2002
    Assignee: Entrust Technologies Limited
    Inventors: Timothy E. Moses, Sharon M. Boeyen
  • Patent number: 6442690
    Abstract: Apparatus and methods for remotely rekeying a cryptographic device are disclosed. A method according to the invention includes associating a preliminary certificate with the device, generating a device certificate associated with the device, determining whether a certificate stored in the device is the preliminary certificate associated with the device, and if the certificate stored in the device is the preliminary certificate associated with the device, then securely loading the device certificate into the device. Apparatus for remotely rekeying a cryptographic device includes a computer readable medium having stored thereon computer executable instructions for performing a method according to the invention.
    Type: Grant
    Filed: October 21, 1999
    Date of Patent: August 27, 2002
    Assignee: L3-Communications Corporation
    Inventors: James L. Howard, Jr., Pennington J. Hess, James A. MacStravic
  • Patent number: 6434701
    Abstract: A system enables encoding of a removable mark into digital data, and decoding of the mark from the digital data. The system comprises an encoder and a decoder. The encoder includes a target area locator for locating in the digital data a flat area having a flatness value n, and includes a marker for using the flatness value n to encode a mark into the flat area. The decoder attempts to extract a mark that includes a plateau and a core from digital data. The decoder includes a mark area locator for using a flatness value n to search digital data for a possible plateau, an unmarker coupled to the flat area locator for decoding a possible core upon locating a possible plateau and for using the flatness value n to replace the possible core with possible original data, and an authenticator coupled to the unmarker for examining the possible core for accuracy.
    Type: Grant
    Filed: April 6, 1999
    Date of Patent: August 13, 2002
    Assignee: Kwan Software Engineering, Inc.
    Inventor: John Man Kwong Kwan
  • Patent number: 6405315
    Abstract: A decentralized file system based on a network of remotely encrypted storage devices is disclosed. The file system includes a network to which a network client, a secure remotely encrypted storage device, a key manager, and a lock manager are attached. The system organizes data as files and directories. Files or directories are composed of one or more streams, which logically partition the data associated with the files or directories. The device serves as a repository of the system's data. The key manager controls data access keys while the lock manager handles consistency of the files. A network user may have read or write access to a file. Access is controlled using keys and access lists maintained by the key manager.
    Type: Grant
    Filed: September 11, 1997
    Date of Patent: June 11, 2002
    Assignee: International Business Machines Corporation
    Inventors: Randal Chilton Burns, Edward Gustav Chron, Darrell Long, Benjamin Clay Reed
  • Patent number: 6381695
    Abstract: An object of the invention is to provide an encryption system and method for inhibiting the decryption of encrypted data unless a decryption condition is satisfied. Thus, according to the present invention, in order to provide the encryption system for inhibiting the decryption of encrypted data unless a decryption condition is satisfied, decryption enabled time is designated as a decryption condition, and an encryption system incorporating time-dependent decryption is constituted by a time-key certificate and a time-key certificate manager. A time-key certificate is employed when a third party proves that a public encryption key added to the certificate satisfies the decryption condition. The time-key certificate manager issues a time-key certificate and then manages a decryption key.
    Type: Grant
    Filed: July 14, 1998
    Date of Patent: April 30, 2002
    Assignee: International Business Machines Corporation
    Inventors: Michiharu Kudo, Masayuki Numao, Hiroshi Kawazoe
  • Patent number: 6363151
    Abstract: Security parameters (SPAR) are provided by the mobile radiotelephone network (PLMN) for subscribers of another network (CN) via an interface (DSS1+) connecting the two networks, without carrying out subscriber entries in at least one subscriber database of the mobile radiotelephone network for these subscribers in the mobile radiotelephone network. The subscribers of the other network thereby identify themselves with a subscriber identity module (SIM) of their subscriber station (UPTS, DM), and are installed in a subscriber database (DB) of the other network. The security parameters for the subscribers installed in the private network are requested via the interface, are provided by an authentification center (AC) of the mobile radiotelephone network and are transmitted to the private network via the interface.
    Type: Grant
    Filed: July 31, 1997
    Date of Patent: March 26, 2002
    Assignee: Siemens Aktiengesellschaft
    Inventor: Hermann Linder
  • Patent number: 6351811
    Abstract: Systems and methods for controlling the transmission of data in a computer network; specifically, systems and methods related to preventing the transmission of compromised data. In one embodiment, a web server is configured to transmit requested data to a remote client through a computer network, such as the Internet. The web server includes a conventional computing system, including a processor and random access memory, and a non-volatile storage medium for storing the requested data. A software-defined process is executed by the computing system, whereby the software-defined process and the computing system cooperate to receive a request from a remote client for the requested data; determine whether the requested data has been compromised; and prevent the transmission of the requested data to the remote client if the data is compromised.
    Type: Grant
    Filed: April 22, 1999
    Date of Patent: February 26, 2002
    Assignee: Adapt Network Security, L.L.C.
    Inventors: Robert F. Groshon, L. Aaron Philipp, Jason C. Stone
  • Patent number: 6339827
    Abstract: The lightweight directory access protocol (LDAP) is extended to include client- and server-based controls for securing sensitive data in the directory service. The set of controls include a client control implemented on a client machine, and/or a server control implemented on a server machine. It is not required that both controls be implemented together, and a client machine may implement the client control irrespective of whether a server involved in the directory operation is running the server control.
    Type: Grant
    Filed: November 12, 1997
    Date of Patent: January 15, 2002
    Assignee: International Business Machines Corporation
    Inventors: Ellen Jean Stokes, Ivan Matthew Milman
  • Patent number: 6337912
    Abstract: In order to unambiguously allocate a data carrier to an object, key information is written into the data carrier. Before writing-in the key information, secret identification information and open identification information is written into the data carrier. Copies of the secret and open information are stored in a central station. In the central station, for a particular data carrier, the open and secret information is associated with each other. In addition thereto, in the central station, object information for the particular object, and key information for the object are associated with each other. From the data carrier, the open identification information is sent to the central station to access the associated stored open and secret identification information so as to retrieve the stored secret identification information. In addition thereto, object information is sent to the central station to access the associated stored object and key information so as to retrieve the stored key information.
    Type: Grant
    Filed: August 19, 1997
    Date of Patent: January 8, 2002
    Assignee: U.S. Philips Corporation
    Inventors: Wolfgang Buhr, Helmut Hörner
  • Patent number: 6327655
    Abstract: Methods and apparatus to provide for a unit that is locked against use for communications until the unit is unlocked and that may be activated on a selected network in conjunction with the unit being unlocked. A unit includes a memory for storing an unlock code specific to the unit. The unlock code is used to unlock the unit and is unbreakable without knowledge of a secret code and an algorithm. The unlock code is generated by using the algorithm with the secret code and an identifier unique to the unit. The unit also includes a control for receipt of an input code and a system identification number with the input code and the system identification number having originated from the selected network.
    Type: Grant
    Filed: February 3, 2000
    Date of Patent: December 4, 2001
    Assignee: BellSouth Intellectual Property Corporation
    Inventors: Charles M. Link, II, Donald Lee Batson, Jr.
  • Patent number: 6324286
    Abstract: A full duplex DES cipher processor (DCP) supports executing sixteen rounds of data encryption standard (DES) operation in four encryption modes and four decryption modes, namely: Electronic Code Book (ECB) mode, Cipher Block Chaining (CBC) mode, Cipher Feedback (CFB) mode, and Output Feedback (OFB) mode for both encryption and decryption. A DCP is composed of an I/O unit, an IV/key storage unit, a control unit, and an algorithm unit. The algorithm unit is used to encrypt/decrypt the incoming text message. The algorithm unit having a crypto engine allows encryption and decryption performed alternately, by sharing the same crypto engine. Since for crypto applications in communication services like T1, E1, V.35, the algorithm unit operation time is much shorter than the data I/O time; in other words, the algorithm unit is in the idle state mostly.
    Type: Grant
    Filed: October 5, 1998
    Date of Patent: November 27, 2001
    Assignee: Industrial Technology Research Institute
    Inventors: Yi-Sern Lai, I-Yao Chuang, Bor-Wen Chiou, Chin-Ning Yang
  • Patent number: 6317830
    Abstract: A device for authenticating subscribers to one or more exchanges of a digital communication network having at least one subscriber-side network terminator, to which at least one data terminal may be connected. It is a distinction of the invention that provision is made at every subscriber for at least one first authentication module capable of receiving a first identification carrier, and provision is made in the exchange for at least one second authentication module capable of receiving a second identification carrier, or that, alternatively, connected between the network terminators assigned to the exchange and the exchange is an additional device, in which is arranged a second authentication module capable of receiving a second identification carrier, the authentication modules being capable of encoding and/or decoding a piece of information with an individual, subscriber-specific key and of exchanging information with each other for unilateral and/or bilateral authentication.
    Type: Grant
    Filed: December 8, 1997
    Date of Patent: November 13, 2001
    Assignee: Deutsche Telekom AG
    Inventor: Helmut Stolz
  • Patent number: 6311271
    Abstract: A method of signing digital streams so that a receiver of the stream can authenticate and consume the stream at the same rate which the stream is being sent to the receiver. More specifically, this invention involves computing and verifying a single digital signature on at least a portion of the stream. The properties of this single signature will propagate to the rest of the stream through ancillary information embedded in the rest of the stream.
    Type: Grant
    Filed: October 20, 1999
    Date of Patent: October 30, 2001
    Assignee: International Business Machines Corporation
    Inventors: Rosario Gennaro, Pankaj Rohatgi