Abstract: Various embodiments of a system and method for multipronged authentication are described. Embodiments may include a client system that implements a runtime component configured to consume content. The client system may be configured to implement a digital rights management component configured to perform one or more cryptographic operations and also authenticate the runtime component. The client system may receive encrypted content from a remote computer system and receive a given authentication component from a remote computer system; that authentication component may be configured to authenticate the runtime component. The client system may, based on authentication of the runtime component by both the digital rights management component and the given authentication component, decrypt at least a portion of the encrypted content.

Abstract: Embodiments may include generating an initial verifier for a first process, the initial verifier generated based on a trusted image of the first process. Embodiments may include, subsequent to generating an untransformed secret associated with the first process, using a reversible transform to transform the untransformed secret with the initial verifier to generate a transformed secret associated with the first process. Embodiments may also include, subsequent to the first process being launched outside of a secure domain, and dependent upon a second verifier generated from a current state of the first process being the same as the initial verifier: using the reversible transform to reverse transform the transformed secret with the second verifier to generate a de-transformed secret equal to the untransformed secret. Embodiments may include performing a secure communication protected with a cryptographic key generated based on the de-transformed secret.

Abstract: Various embodiments of a system and method for multipronged authentication are described. Embodiments may include a client system that implements a runtime component configured to consume content. The client system may be configured to implement a digital rights management component configured to perform one or more cryptographic operations and also authenticate the runtime component. The client system may receive encrypted content from a remote computer system and receive a given authentication component from a remote computer system; that authentication component may be configured to authenticate the runtime component. The client system may, based on authentication of the runtime component by both the digital rights management component and the given authentication component, decrypt at least a portion of the encrypted content.

Abstract: Various embodiments of a system and method for multipronged authentication are described. Embodiments may include a client system that implements a runtime component configured to consume content. The client system may be configured to implement a digital rights management component configured to perform one or more cryptographic operations and also authenticate the runtime component. The client system may receive encrypted content from a remote computer system and receive a given authentication component from a remote computer system; that authentication component may be configured to authenticate the runtime component. The client system may, based on authentication of the runtime component by both the digital rights management component and the given authentication component, decrypt at least a portion of the encrypted content.

Abstract: Method and apparatus are described wherein, in one example embodiment, a first entity shares a digital file such as a digital image with a second entity, and the first entity and the second entity each use the digital file as a seed to generate identical public/private key pairs using the same key generation procedure, such that both entities hold identical key pairs. The first and second entities may use the key pairs to encrypt, decrypt, or sign and authenticate communications between the entities.

Abstract: A system, for secure form delivery, may include a detector to detect a request to submit an electronic form that includes associated application data; an encryption module to respond to the request to submit the electronic form by automatically accessing an encryption key, determining destination information, and encrypting the associated application data, utilizing the encryption key; and a submit module to submit the electronic form to a destination, utilizing the destination information.

Abstract: Method and apparatus are described wherein, in one example embodiment, a first entity shares a digital file such as a digital image with a second entity, and the first entity and the second entity each use the digital file as a seed to generate identical public/private key pairs using the same key generation procedure, such that both entities hold identical key pairs. The first and second entities may use the key pairs to encrypt, decrypt, or sign and authenticate communications between the entities.

Abstract: A security component may be associated with a network-enabled application. The network-enabled application may request access to restricted content from a relying party (e.g., web site). The security component associated with the network-enabled application may receive authentication policy information from the relying party and send a user's authentication credentials to an assertion provider to authenticate the credentials. The relying party may trust the assertion provider to authenticate user credentials. Upon successful authentication, the assertion provider may return an assertion token to the security component and the security component may sign the assertion token as specified in the authentication policy information. Subsequently, the security token may forward the signed assertion token to the relying party and the relying party may grant access to the restricted content.

Abstract: Embodiments may include generating an initial verifier for a first process, the initial verifier generated based on a trusted image of the first process. Embodiments may include, subsequent to generating an untransformed secret associated with the first process, using a reversible transform to transform the untransformed secret with the initial verifier to generate a transformed secret associated with the first process. Embodiments may also include, subsequent to the first process being launched outside of a secure domain, and dependent upon a second verifier generated from a current state of the first process being the same as the initial verifier: using the reversible transform to reverse transform the transformed secret with the second verifier to generate a de-transformed secret equal to the untransformed secret. Embodiments may include performing a secure communication protected with a cryptographic key generated based on the de-transformed secret.

Abstract: A security component may be associated with a network-enabled application. The network-enabled application may request access to restricted content from a relying party (e.g., web site). The security component associated with the network-enabled application may receive authentication policy information from the relying party and send a user's authentication credentials to an assertion provider to authenticate the credentials. The relying party may trust the assertion provider to authenticate user credentials. Upon successful authentication, the assertion provider may return an assertion token to the security component and the security component may sign the assertion token as specified in the authentication policy information. Subsequently, the security token may forward the signed assertion token to the relying party and the relying party may grant access to the restricted content.

Abstract: Protected content that has been encrypted according to an encryption algorithm is individualized for a consumer according to pseudorandomly-generated individualization data values and individualization indexes. When different instances of individualized protected content are generated from the same protected content for different consumers, the different instances differ in content. To generate the individualized protected content, a packaging component is configured to identify pseudorandom intervals within the protected content using the individualization indexes, and for each given one of the intervals, to combine the protected content included within the given interval with a respective one of the individualization values according to a reversible data transform operation. The data transform operation is less computationally expensive than the given encryption algorithm.

Abstract: A security component may be associated with a network-enabled application. The security component may access a secure store, which may include customization information, which may include one or more graphical user interface customizations defined by a user, and one or more instances of card information. The card information may specify how to authenticate a user's credentials to access a relying party (e.g., web site). The security component may initiate the display of an embedded region of a window drawn by the network-enabled application. At least a part of the appearance of the embedded region of the window may be defined according to the customization information and not by the relying party. The embedded region may provide a user interface for determining user authentication credentials. The customization information and the one or more instances of card information may not be accessible to the relying party.

Abstract: A security component may be associated with a network-enabled application. The security component may initiate the display of an embedded region of a window drawn according to display information received from a relying party. The security component may define at least a portion of the appearance of the embedded region; the relying party may not define this portion. The embedded region may include customization information configured by a user, and “Card” information received from an assertion provider, indicating how to authenticate user credentials in order to gain access to relying party restricted content. The security component may request authentication of user credentials from the assertion provider, which may be trusted by the relying party. The security component may receive an assertion token from the assertion provider indicating the credentials are authentic. The security component may forward the assertion token to the relying party to gain access to the restricted content.

Abstract: Method and apparatus are described wherein, in one example embodiment, a first entity shares a digital file such as a digital image with a second entity, and the first entity and the second entity each use the digital file as a seed to generate identical public/private key pairs using the same key generation procedure, such that both entities hold identical key pairs. The first and second entities may use the key pairs to encrypt, decrypt or sign and authenticate communications between the entities.

Abstract: Methods and apparatus, including computer systems and program products, that relate to a security policy user interface. The methods feature a machine-implemented method that includes presenting labels of multiple security policies, receiving input specifying a selected security policy, and securing a first document according to the selected security policy. In that method, each security policy specifies criteria that governs use of an electronic document and has an associated security mechanism. Moreover, security mechanisms of a number of the multiple security policies distinctly enforce security of a document, and presenting labels of multiple security policies includes presenting at least two labels of two respective security policies such that a detailed description of a respective, associated security mechanism is left out. The security policies can be declarative security policies. At least one of the labels can include an abstract of a corresponding security mechanism.