Abstract: An identity provider (“IdP”) system maintains a framework of authentication methods and security targets that enables flexible authentication policy authoring and analysis of authentication performed by users of an organization. The IdP system generates authentication method profiles that include authentication factors and attributes, which may be further classified as required or optional. The IdP system also generates security target profiles that indicate security requirements needed to satisfy the corresponding security targets. The IdP system uses the generated profiles to determine relationships between authentication methods and security targets (e.g., a list of authentication methods that satisfy a given security target). Using these relationships, the IdP system may enable users to author policies and analyze how users' authentication behaviors comply with security targets.

Abstract: An identity provider (“IdP”) system maintains a framework of authentication methods and security targets that enables flexible authentication policy authoring and analysis of authentication performed by users of an organization. The IdP system generates authentication method profiles that include authentication factors and attributes, which may be further classified as required or optional. The IdP system also generates security target profiles that indicate security requirements needed to satisfy the corresponding security targets. The IdP system uses the generated profiles to determine relationships between authentication methods and security targets (e.g., a list of authentication methods that satisfy a given security target). Using these relationships, the IdP system may enable users to author policies and analyze how users' authentication behaviors comply with security targets.

Abstract: A system and method for generating an encryption key using physical characteristics of a biometric sample is described. In one embodiment, the biometric feature(s) from a sample are analyzed to generate a feature vector. After discretizing the feature(s), the resultant feature vector is translated into a bit vector. The bit vector is the secure biometric key that results from the biometric(s). The secure biometric key is used to generate at least one cryptographic key. A similar process is used to access the cryptographic key secured by the secure biometric key. If the access biometric key matches the secure biometric key, the cryptographic key is revealed and access is allowed. In another embodiment, if the access biometric key does not match the secure biometric key a camouflaging process is used to provide an unauthorized user a bogus secure biometric key indistinguishable from the correct secure biometric key.

Abstract: A system and method for generating an encryption key using physical characteristics of a biometric sample is described. In one embodiment, the biometric feature(s) from a sample are analyzed to generate a feature vector. After discretizing the feature(s), the resultant feature vector is translated into a bit vector. The bit vector is the secure biometric key that results from the biometric(s). The secure biometric key is used to generate at least one cryptographic key. A similar process is used to access the cryptographic key secured by the secure biometric key. If the access biometric key matches the secure biometric key, the cryptographic key is revealed and access is allowed. In another embodiment, if the access biometric key does not match the secure biometric key a camouflaging process is used to provide an unauthorized user a bogus secure biometric key indistinguishable from the correct secure biometric key.

Abstract: A trusted co-server, and a method of using a trusted co-server, for a service provider. The co-server executes a program such that: for multiple parties P0–Pn (where Po is said co-server), each party Pi may (optionally) provide input Ii, and then said co-server carries out N functions: Fi (io . . . In) describes what the co-server returns to party Pi. The preferred embodiment of the invention raises the trust level of the computation and data storage at the server. For instance, this invention may be witness to authenticity of certain data coming back to the client. This data can include assertions from the trusted co-server about the server content and configuration. The invention, also, can provide privacy of data going back to the server, by keeping it encrypted between the client and the co-server, and then re-encrypting it before inserting it into the server.