Abstract: System and method for enabling arbitrary components to control communications without having or requiring prior knowledge of each other. The system includes a first component that creates controller objects and provides the objects to other components. The controller objects include instructions which when executed by the other components enable the components to generate user interfaces for controlling the first component. Further, the controller objects are encrypted and are used to authenticate the senders or receivers of the objects.

Abstract: One embodiment of the present invention provides a system that facilitates access to encrypted data on a computing device based on a security-posture of the computing device. During operation, the system assesses the security-posture of the computing device upon which the encrypted data is stored. If the assessed security-posture meets specified criteria, the system provides the computing device with a key which enables the computing device to access the encrypted data.

Abstract: A method of accessing a data resource identifies the data resource, the data resource accessible through a first device and associated with a resource locator, the first device configured to provide access to the data resource responsive to possession of a whitelisted credential. The method includes receiving a second-device credential from a second device by a personal domain controller, the personal domain controller and the first device within a first trusted relationship and provides, by the personal domain controller, the second-device credential to the first device for whitelisting subject to the first trusted relationship. The method uses, by the second device, the second-device credential to access the data resource responsive to the resource locator.

Abstract: A method of accessing a data resource identifies, by a personal domain controller, the data resource accessible by a first device and determines if there is a pause point for the data resource stored in the personal domain controller.

Abstract: We present technology that allows layman computer users to simply create, provision, and maintain secured infrastructure—an instant PKI. This technology can be used in a wide variety of applications including wired and wireless networks, secure sensor networks (such as medical networks), emergency alert networks, as well as simply and automatically provisioning network devices whether secure or not.

Abstract: Authentication information is generated for a group where members within a group are able to communicate with each other, but a non-members is not able to participate in that communication. The authentication information provides the determination of whether the member belongs to the group.

Abstract: Users can create multiple different desktops for themselves and easily switch between these desktops. These multiple desktops are “walled off” from one another, limiting the ability of processes and other subjects in one desktop from accessing objects, such as data files or other processes, in another desktop. According to one aspect, each time a process is launched it is associated with the desktop that it is launched in. Similarly, objects, such as data files or resources, are associated with the same desktop as the process that created them. The operating system allows a process to access only those objects that are either associated with the same desktop as the process or associated with no desktop.

Abstract: One embodiment of the present invention provides a system for establishing temporary and permanent credentials for secure remote data access. The system includes a temporary smart card configured to provide a temporary credential for a first device, thereby providing the first device with temporary secure access to a remote data source when the temporary smart card is used with the first device. Additionally, the system includes an enrollment smart card configured to provide a permanent credential for a second device, thereby providing the second device with permanent secure access to the remote data source without presence of the enrollment smart card or the temporary smart card.

Abstract: Authentication information is generated for a group where members within a group are able to communicate with each other, but a non-members is not able to participate in that communication. The authentication information provides the determination of whether the member belongs to the group.

Abstract: A method for establishing a secondary communication channel between at least two computing devices over a network medium through use of a primary channel connects a first computing device with a first telephonic unit and a second computing device with a second telephonic unit. If the two telephonic units are in communication with each other over a primary channel, and communication channels are established between the computing devices and their respective telephonic units, then the first computing device transmits its location information to the second computing device over the primary channel. A connection is then established between the second computing device and the first computing device over a secondary communication channel.

Abstract: One embodiment of the present invention provides a system that uses a portable security token (PST) to facilitate cross-certification between a first certification authority (CA) and a second CA, wherein the first CA and associated subscriber devices constitute a first public-key infrastructure (PKI) domain, and wherein the second CA and associated subscriber devices constitute a second PKI domain. During operation, the system uses the PST to transfer certification information between the first CA and the second CA, wherein the PST communicates with the first CA and the second CA through a location-limited communication channel. Next, the system uses the certification information to issue a cross-certificate to the first CA. Note that the cross-certificate is signed by the second CA.

Abstract: Pre-authentication information of devices is used to securely authenticate arbitrary peer-to-peer ad-hoc interactions. In one embodiment, public key cryptography is used in the main wireless link with location-limited channels being initially used to pre-authenticate devices. Use of public keys in the pre-authentication data allows for the broadening of types of media suitable for use as location-limited channels to include, for example, audio and infrared. Also, it allows a range of key exchange protocols which can be authenticated in this manner to include most public-key-based protocols. As a result, a large range of devices, protocols can be used in various applications. Further, an eavesdropper is forced to mount an active attack on the location-limited channel itself in order to access an ad-hoc exchange. However, this results in the discovery of the eavesdropper.

Abstract: Systems and methods for establishing an authenticated and encrypted network connection in a boot protocol, and specifying the boot image to be loaded by a client, are disclosed. A hardware token or other portable medium, such as a USB drive or device, CD, mini-CD, or floppy diskette, is used to store authentication and/or identification information for a server. A client uses the information on the token to authenticate the network server upon initial connection to the network and request a boot image. Furthermore, the client and server may use the authentication information from the token to establish secure communications and mutually authenticate each other.

Abstract: When content publishers announce the availability of new content to one or more recipients, a content server automatically authorizes only those recipients of the announcement to have access to the new content. The authentication of clients is managed in an automated and user-friendly fashion. This may include instantaneous issuance of certificates, as well as quick revocation of certificates should they have been issued to the wrong individual. Quick revocation is facilitated by the fact that identities are associated with public keys in an online database where the association can quickly be undone, rather than in the certificates themselves as is traditionally the case.

Abstract: One embodiment of the present invention provides a system that uses a portable security token (PST) to facilitate cross-certification between a first certification authority (CA) and a second CA, wherein the first CA and associated subscriber devices constitute a first public-key infrastructure (PKI) domain, and wherein the second CA and associated subscriber devices constitute a second PKI domain. During operation, the system uses the PST to transfer certification information between the first CA and the second CA, wherein the PST communicates with the first CA and the second CA through a location-limited communication channel. Next, the system uses the certification information to issue a cross-certificate to the first CA. Note that the cross-certificate is signed by the second CA.

Abstract: One embodiment of the present invention provides a system that uses a portable security token to facilitate public key certification for a target device in a network. During system operation, the portable security token is located in close physical proximity to the target device to allow the portable security token to communicate with the target device through a location-limited communication channel. During this communication, the portable security token receives an authenticator for the target device, and forms a ticket by digitally signing the authenticator with a key previously agreed upon by the portable security token and a certification authority (CA). Next, the portable security token sends the ticket to the target device, whereby the target device can subsequently present the ticket to the CA to prove that the target device is authorized to receive a credential from the CA.

Abstract: We present technology that allows layman computer users to simply create, provision, and maintain secured infrastructure—an instant PKI. This technology can be used to quickly establish a secure credential infrastructure that can be used to secure ad-hoc and/or dynamic command and control operations such are needed for Incident Command Systems or other emergency response systems that require simplicity and rapid deployment among disparate responder teams.

Abstract: We present technology that allows layman computer users to simply create, provision, and maintain secured infrastructure—an instant PKI. This technology can be used in a wide variety of applications including enabling secure communications to components of a vehicle, and enabling secure communications between the vehicle and associated infrastructure.

Abstract: A location-limited channel is implemented using physical exchanges of physical tokens. The physical tokens are implemented using writeable or re-writeable storage media. Location-limited channels, when used to implement pre-authentication protocols, provide demonstrative identification and authenticity. A group originator loads pre-authentication information and a network location from a communication device onto the location-limited physical token channel. The location-limited physical token channel is passed to another participant, who copies the originator's pre-authentication information and location onto that participant's communication device. That participant then adds that participant's own pre-authentication information and network location onto the location-limited physical token channel. This is repeated until the last participant passes the location-limited physical token channel back to the group originator.

Abstract: System and method for enabling arbitrary components to control communications without having or requiring prior knowledge of each other. The system includes a first component that creates controller objects and provides the objects to other components. The controller objects include instructions which when executed by the other components enable the components to generate user interfaces for controlling the first component. Further, the controller objects are encrypted and are used to authenticate the senders or receivers of the objects.