Revocation Or Expiration Patents (Class 713/158)
  • Publication number: 20130036303
    Abstract: Methods and apparatuses for validating the status of digital certificates include a relying party receiving at least one digital certificate and determining if the at least one digital certificate is to be validated against a private certificate status database. The relying party accesses the private certificate status database and cryptographically validates the authenticity of data in the private certificate status database. The relying party also validates the at least one digital certificate based on information in at least one of the private certificate status database and a public certificate status database.
    Type: Application
    Filed: August 3, 2011
    Publication date: February 7, 2013
    Applicant: MOTOROLA SOLUTIONS, INC.
    Inventors: ERWIN HIMAWAN, ANTHONY R. METKE, SHANTHI E. THOMAS
  • Patent number: 8370265
    Abstract: A transaction processing service operates as an intermediary between acquirers of financial transaction requests and issuing institutions that process the financial transaction requests. The intermediary service enables a customer to selectively change the status of an account associated with a payment instrument by activating or deactivating the account. The intermediary service may manage account status locally using a rules module. Alternatively, the issuing institution may manage account status, while the intermediary service provides an interface for customers. A customer communicates with the intermediary service to direct the service to change the account status. The intermediary service determines the account's issuing institution and provides an indication to the issuing institution of the current status of the account (or of the change in status).
    Type: Grant
    Filed: August 18, 2010
    Date of Patent: February 5, 2013
    Assignee: FonWallet Transaction Solutions, Inc.
    Inventors: Todd R. Coulter, Mordechai E. Kaplinsky, Christopher E. Lewis, Jeffery A. Warmington
  • Patent number: 8370266
    Abstract: An authentication-authorization system for a mobile communication terminal and a method therefor are provided. When a mobile communication terminal is in a connect state, code data randomly generated by a remote encoding terminal is continuously provided to the terminal and data management terminal. When an application service program on the mobile communication terminal or an application service terminal connected to the mobile communication terminal needs to execute an authentication-authorization, identification data of the mobile communication terminal and its card and code data can be offered to the data management terminal to carry out a bidirectional dynamic authentication-authorization, to determine whether to allow the application service program or the application service terminal to keep providing an application service or not.
    Type: Grant
    Filed: August 27, 2010
    Date of Patent: February 5, 2013
    Inventor: Min-Chieh Su
  • Publication number: 20130031363
    Abstract: A server computing system initiates a first sub-system to generate a certificate revocation list (CRL) using resources that are separate from resources of a second sub-system that performs certificate authority (CA) management functions other than generating a CRL. The first sub-system receives a command from the second sub-system to update revocation data in a cache that is coupled to the first sub-system and generates a CRL using the updated revocation data in the cache. The first sub-system provides the CRL to the second sub-system.
    Type: Application
    Filed: July 25, 2011
    Publication date: January 31, 2013
    Inventor: Andrew Wnuk
  • Patent number: 8365257
    Abstract: A web portal for issuing multiple digital certificates to users of an entity (e.g., a law-enforcement agency or corporation) is described herein. The digital certificates enable users to access confidential records—such as telecommunication records—by requesting the records through a web site. A master digital certificate is issued for the entity, and a user associated with the master digital certificate can request slave certificates to be issued to other employees or affiliates of the entity. A certificate provisioning server is configured to only issue slave certificates at the request of the user with the master digital certificate. Once issued, a slave certificate is communicated to an authentication server, which notifies the assignee of the slave certificate of its online location.
    Type: Grant
    Filed: June 1, 2007
    Date of Patent: January 29, 2013
    Assignee: Sprint Communications Company L.P.
    Inventors: Stanley Eugene Causey, Cuong Phat Duong, Bryan Scott Sowell
  • Publication number: 20130019093
    Abstract: A protocol for issuing and controlling digital certificates is described in which an identity management system is used to identify a user requesting a digital certificate and is also used to issue the digital certificate itself. Accordingly, an IDM-based PKI system is provided.
    Type: Application
    Filed: April 1, 2010
    Publication date: January 17, 2013
    Applicant: NOKIA SIEMENS NETWORKS OY
    Inventors: Robert Seidl, Norbert Goetze, Markus Bauer-Hermann
  • Patent number: 8356359
    Abstract: Various embodiments of the present invention relate to systems, methods, and computer-readable medium providing licensing rights for media content that follows a subscriber so that the subscriber may experience the media content on various content distribution platforms. In particular embodiments, the systems, methods, and computer-readable medium transfer licensing rights for a user for particular media content that is associated with a first device on a first distribution platform so that the rights are associated with a second device on a second distribution platform. As a result, in various embodiments, the user is able to experience the particular media content with the use of the second device on the second distribution platform.
    Type: Grant
    Filed: April 19, 2010
    Date of Patent: January 15, 2013
    Assignee: Ericsson Television, Inc.
    Inventors: Alan Rouse, Charles Dasher
  • Patent number: 8352374
    Abstract: Methods and systems for controlling the distribution of digital content are provided. A license holder acquires protected content and an original digital license to the protected content from a content provider system. The license holder in turn delegates all or part of the grants in that original license to other qualified devices or clients. The content remains in its original, protected or encrypted form while it is delivered from the license holder to the client along with a digital sublicense that the client receives from the original license holder, whereupon the content can then be rendered. The original digital license defines or governs the conditions under which such delegation occurs, and includes terms under which such delegation is permitted to continue in order to enforce the intent of the content provider.
    Type: Grant
    Filed: August 30, 2010
    Date of Patent: January 8, 2013
    Assignees: Sony Corporation, Sony Electronics Inc.
    Inventors: Eric John Swenson, Ryuji Ishiguro, Motohiko Nagano, Pierre Chavanne
  • Patent number: 8353049
    Abstract: In accordance with one or more aspects of the separating keys and policy for consuming content, content has a corresponding leaf license, and the leaf license has one or more associated root policy addenda. Each root policy addendum includes policy identifying when it is permissible to decrypt and consume the content, but excludes a content key to decrypt the content. The content can be decrypted and consumed only if the policy identifies that it is permissible to decrypt and consume the content.
    Type: Grant
    Filed: April 17, 2008
    Date of Patent: January 8, 2013
    Assignee: Microsoft Corporation
    Inventors: Dennis N. Bromley, Quintin S. Burns
  • Patent number: 8347081
    Abstract: A method, apparatus and system for employing a secure content protection system is disclosed. In one embodiment, a certificate having a unique device identification associated with a first device is received, and, at a second device, a revocation list having unauthorized device identifications is received. The unique device identification is incrementally compared with the unauthorized device identifications of the revocation list, and media content is transmitted from the second device to the first device, if the unique device identification is not matched with the unauthorized device identifications of the revocation list.
    Type: Grant
    Filed: December 10, 2008
    Date of Patent: January 1, 2013
    Assignee: Silicon Image, Inc.
    Inventors: Hoon Choi, Daekyeung Kim, Wooseung Yang
  • Patent number: 8347404
    Abstract: A method of checking revocation of a device and software, and transmitting data to a secure device and secure software whose keys have not been leaked is provided. The method includes receiving authentication information of a device requesting transmission of data, and authentication information of software accessing the data in the device; checking revocation of the device and the software, based on the received authentication information; and transmitting the data to the software of the device, when the device and the software are not revoked as a result of the checking. By doing so, during transmission of data, such as content or a license, it is possible to check security of a device and software being executed in the device, so that the data can be more safely transmitted.
    Type: Grant
    Filed: November 15, 2007
    Date of Patent: January 1, 2013
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Choong-hoon Lee, Yong-kuk You, Jun Yao
  • Patent number: 8347082
    Abstract: In response to a validation request that includes second information identifying the certificate authority, key information of the certificate authority at issuance of the public key certificate, and information identifying the public key certificate, if the second information identifying the certificate authority included in the validation request corresponds to the first information identifying the certificate authority included in the authority certificate, and the information identifying the public key certificate included in the validation request does not exist in the revocation information, the validation server creates a validation result indicating that the public key certificate corresponding to the information identifying the public key certificate included in the validation request is valid.
    Type: Grant
    Filed: August 18, 2009
    Date of Patent: January 1, 2013
    Assignee: Hitachi, Ltd.
    Inventors: Akane Sato, Yoko Hashimoto, Shingo Hane, Takahiro Fujishiro, Masahiko Furuya, Masami Uzawa
  • Patent number: 8341401
    Abstract: Techniques for interoperable cryptographic peer and server identities can include receiving a message, in a connection establishment transaction, from an endpoint, the message including an endpoint discriminator, selecting a certificate based on the endpoint discriminator, determining a cryptographic scheme based on the selected certificate, and establishing the requested connection with the endpoint using the determined cryptographic scheme. The techniques can also include accessing one or more hashes, each hash being a hash of at least a portion of a certificate, processing the endpoint discriminator for an identity object, and comparing the identity object with the one or more hashes to identify a matching hash. The selected certificate can correspond to the matching hash. These techniques can allow an endpoint to interoperate with other endpoints that use different or similar cryptographic schemes.
    Type: Grant
    Filed: May 13, 2008
    Date of Patent: December 25, 2012
    Assignee: Adobe Systems Incorporated
    Inventors: Matthew Kaufman, Michael Thornburgh
  • Patent number: 8341399
    Abstract: A system and method for retrieving certificates and/or verifying the revocation status of certificates. In one embodiment, when a user opens a digitally signed message, a certificate that is required to verify the digital signature on the message may be automatically retrieved if it is not stored on the user's computing device (e.g. a mobile device), eliminating the need for users to initiate the task manually. Verification of the digital signature may also be automatically performed by the application after the certificate is retrieved. Verification of the revocation status of a certificate may also be automatically performed if it is determined that the time that has elapsed since the status was last updated exceeds a pre-specified limit.
    Type: Grant
    Filed: December 30, 2010
    Date of Patent: December 25, 2012
    Assignee: Research In Motion Limited
    Inventors: Michael Stephen Brown, Herbert Anthony Little, Neil Patrick Adams, Michael Grant Kirkup, Michael Kenneth Brown
  • Publication number: 20120324218
    Abstract: A unique, strong, shared, symmetric network-wide key (or a limited number of group-wide keys) is generated by a central authority and initially provisioned to nodes in a network, which use it for ensuing traffic encryption. Nodes establish trust by sending each other authentication messages encrypted with the shared secret key, and thereupon adding each other to their respective trust lists. Also, an optional rekeying scheme whereby an existing shared secret key can be replaced by a new secret key that is introduced by the central authority and automatically propagated from node to node through the network.
    Type: Application
    Filed: June 17, 2011
    Publication date: December 20, 2012
    Inventors: Michael J. Duren, Rene E. Menard, III, Jeremy L. Rasmussen, Keith R. Thal
  • Patent number: 8336100
    Abstract: A computer-implemented method for using reputation data to detect packed malware may include: 1) identifying a file downloaded from a portal, 2) determining that the file has been packed, 3) obtaining community-based reputation data for the file, 4) determining, by analyzing the reputation data, that instances of the file have been encountered infrequently (or have never been encountered) within the community, and then 5) performing a security operation on the file (by, for example, quarantining or deleting the file).
    Type: Grant
    Filed: August 21, 2009
    Date of Patent: December 18, 2012
    Assignee: Symantec Corporation
    Inventors: Adam Glick, Nicholas Graf, Spencer Smith
  • Patent number: 8332323
    Abstract: Server device for performing a transaction in a system having a first entity, such as a POS, a second entity, such as a user having a mobile phone with a digital camera, and a remote server. The first entity generates a code having a transaction information and sends a first message to a server. The second entity, such as a buyer of a product or a user of a service captures the code and transmits a second message to the server having information on the transaction extracted from the code. The transaction is only authorized, when the server has determined that the first message and the second message match with each other. The transaction can be a payment transfer, a grant of an access to a service or a grant of an access to an internet portal.
    Type: Grant
    Filed: November 30, 2010
    Date of Patent: December 11, 2012
    Assignee: Mr. QR10 GmbH & Co. Kg.
    Inventors: Luc Stals, Martin Palzer, Martin Geldermann, Shinji Hirasawa
  • Publication number: 20120311323
    Abstract: Methods and systems for handling on an electronic device a secure message to be sent to a recipient. Data is accessed about a security key associated with the recipient. The received data is used to perform a validity check related to sending a secure message to the recipient. The validity check may uncover an issue that exists with sending a secure message to the recipient. A reason is determined for the validity check issue and is provided to the mobile device's user.
    Type: Application
    Filed: August 15, 2012
    Publication date: December 6, 2012
    Applicant: RESEARCH IN MOTION LIMITED
    Inventors: Michael K. Brown, Michael S. Brown, Herbert A. Little, Neil P. Adams
  • Patent number: 8327134
    Abstract: A system, method and program product for checking the revocation status of a biometric reference template. The method includes creating a revocation object for a reference template generated for an individual, where the revocation object contains first plaintext data providing a location for checking revocation status of the reference template and containing ciphertext data identifying the unique reference template identifier and a hash of the reference template. The method further includes providing the revocation object to a relying party requesting revocation status and sending a request to an issuer of the reference template for checking the revocation status of the reference template, without revealing identity of the individual. The method further includes returning results of the revocation status check to the relying party. In an embodiment, a random value is added to the ciphertext data for preserving privacy of the reference template holder.
    Type: Grant
    Filed: February 12, 2009
    Date of Patent: December 4, 2012
    Assignee: International Business Machines Corporation
    Inventor: Phillip H. Griffin
  • Patent number: 8327424
    Abstract: A certificate authority selection unit implements a method for selecting one of a plurality of certificate authorities servicing a plurality of administrative domains in a communication system. The method includes: receiving, from an end-entity via an interface, a certificate service request associated with an identifier; selecting, based on the identifier, one of the plurality of administrative domains in the communication system, wherein the plurality of administrative domains are serviced by a plurality of certificate authorities; retrieving a security profile for the end-entity; and selecting, based on the security profile for the end-entity, one of the plurality of certificate authorities to process the certificate service request.
    Type: Grant
    Filed: December 22, 2009
    Date of Patent: December 4, 2012
    Assignee: Motorola Solutions, Inc.
    Inventors: Ananth Ignaci, Adam C. Lewis, Anthony R. Metke
  • Patent number: 8327133
    Abstract: A communication device configured to perform communication with at least one external device via a network using a secret key and an electronic certificate that includes information on a public key corresponding to the secret key, includes a storing system configured to store the secret key and the electronic certificate, a receiving system configured to receive an instruction to delete at least one of the secret key and the electronic certificate stored in the storing system, a revocation instructing system configured to instruct, via the network, a management device that manages a list of revoked electronic certificates to register the electronic certificate stored in the storing system with the list in response to the received instruction, and a deleting system configured to delete the at least one of the secret key and the electronic certificate in response to the received instruction.
    Type: Grant
    Filed: March 29, 2007
    Date of Patent: December 4, 2012
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventor: Kiyotaka Ohara
  • Publication number: 20120303952
    Abstract: A manageability engine or adjunct processor on a computer platform may receive a request for activation and use of features embedded within that platform from a service provider authorized by the manageability engine's manufacturer. The manageability engine may initiate a request for authority through the service provider to a permit server. The permit server may provide, through the service provider, proof of the service provider's authority, together with a certificate identifying the service provider. Then the manageability engine may enable activation of the features on the platform coupled to the manageability engine, but only by the one particular service provider who has been authorized.
    Type: Application
    Filed: May 26, 2011
    Publication date: November 29, 2012
    Inventors: Ned M. Smith, Sanjay Bakshi, Suresh Sugumar
  • Patent number: 8321662
    Abstract: A method, system, and computer usable program product for certificate renewal using a secure handshake are provided in the illustrative embodiments. A determination is made, forming an expiration determination, whether a validity period associated with a certificate ends within a predetermined period from a time of receiving the certificate. If the expiration determination is true, a holder of the certificate is notified about the expiration. The holder may be an application executing in a data processing system or the data processing system itself. A new certificate is requested on behalf of the holder. The requested new certificate is received. The new certificate is sent to the holder of the certificate over a network.
    Type: Grant
    Filed: May 8, 2008
    Date of Patent: November 27, 2012
    Assignee: International Business Machines Corporation
    Inventors: Kristin Marie Hazlewood, Annemarie Rose Fitterer
  • Patent number: 8321664
    Abstract: Revocation of digital certificates in a public-key infrastructure is disclosed, particularly in the case when a certificate might need to be revoked prior to its expiration. For example, if an employee was terminated or switched roles, his current certificate should no longer be valid. Accordingly, novel methods, components and systems are presented for addressing this problem. A solution set forth herein is based on the construction of grounded dense hash trees. In addition, the grounded dense hash tree approach also provides a time-communication tradeoff compared to the basic chain-based version of NOVOMODO, and this tradeoff yields a direct improvement in computation time in practical situations.
    Type: Grant
    Filed: June 29, 2009
    Date of Patent: November 27, 2012
    Assignee: NTT DoCoMo, Inc.
    Inventors: Craig B. Gentry, Zulfikar Amin Ramzan
  • Patent number: 8321680
    Abstract: Embodiments describe a system and/or method for multiple party digital signatures. According to a first aspect a method comprises establishing a first validity range for a first key, establishing a first validity range for at least a second key, and determining if the validity range of the first key overlaps the first validity range of the at least a second key. A certificate is signed with the first validity range of the first key and the first validity range of the at least a second key if the validity ranges overlap. According to another embodiment, signage of the certificate is refused if the first validity range of the first key does not overlap with the first validity range of the at least a second key.
    Type: Grant
    Filed: December 9, 2010
    Date of Patent: November 27, 2012
    Assignee: QUALCOMM Incorporated
    Inventors: Alexander Gantman, Aram Perez, Gregory G. Rose, Laurence G. Lundblade, Matthew W. Hohfeld, Michael W. Paddon, Oliver Michaelis, Ricardo Jorge Lopez
  • Patent number: 8316230
    Abstract: A revocation determination service determines for a client whether a particular digital certificate as issued by a particular certificate authority (CA) has been revoked by such CA. In the service, an engine receives a query from the client, where the query identifies the particular certificate and the CA that issued the particular certificate. At least one provider is resident at the service, where each provider corresponds to a revocation information repository and represents the corresponding repository at the service, and connects to the corresponding repository. Each repository has revocation information from at least one CA. A configuration store includes a configuration information record corresponding to each provider resident at the service. Each configuration information record includes an identification of the provider and of each CA that the repository corresponding to such provider has revocation information for.
    Type: Grant
    Filed: November 14, 2005
    Date of Patent: November 20, 2012
    Assignee: Microsoft Corporation
    Inventors: Avi Ben-Menahem, Monica I. Ene-Pietrosanu, Vishal Agarwal
  • Patent number: 8312527
    Abstract: The present invention enables any authentication for a plurality of authentication methods with an authentication server for storing management data on a user. The present invention uses one of set information for logging in with an IC card and user input information from operation means in the case of logging in to a directory server; requests the directory server from a Kerberos authentication operation part for a service ticket; requests the directory server from an LDAP communication operation part for authentication with the service ticket obtained by the relevant request; and requests the directory server from the authentication processing functioning part for a search for granting use of the relevant MFP to a user with one of card information read by a card reader and a user name of user input information in the case where authentication to the directory server by the relevant request is successful.
    Type: Grant
    Filed: September 18, 2008
    Date of Patent: November 13, 2012
    Assignee: Canon Kabushiki Kaisha
    Inventor: Hiroshi Hashimoto
  • Patent number: 8312531
    Abstract: Systems (and corresponding methodologies) of deploying an enhanced access point (or an integrated router/access point) with embedded secure socket layer (SSL) tunneling capabilities are provided. The innovation enables users to initiate or prompt secure SSL tunnels between a wireless computer or device (and browser session) and the wireless gateway device (WGD). In particular, off-the-shelf web browser applications can be used to effect secure communication between a wireless mobile device and a SWAT-(Secure Wireless Application Tunnel-) equipped access point.
    Type: Grant
    Filed: January 9, 2009
    Date of Patent: November 13, 2012
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Edward Walter, Michael Raftelis
  • Patent number: 8311516
    Abstract: Disclosed is a system and a method for maintaining broadcasting chip information regardless of device replacement in a USIM unlock environment where broadcast information can be automatically modified in response to device replacement.
    Type: Grant
    Filed: January 15, 2008
    Date of Patent: November 13, 2012
    Assignee: SK Planet Co., Ltd
    Inventors: Jong Ho Kim, Kwang Young Kim, Chang Il Kim, Byung Seok Hwang, Min Seok Kim
  • Patent number: 8312526
    Abstract: A method and system to delegate an authority to access collaborative resources are provided. The system enables a participant to re-delegate the authority to another participant by an authorization certificate. A chain of the authorization certificate is established along with the re-delegation of the authority from one participant to another. The participant requesting access to the collaborative resources is requested to provide the owner with the chain of authorization certificate for verification. Therefore, the re-delegation process may be performed without the need to notify the owner and yet without compromising the security of the collaborative resources. In addition, the system provides for restricting the participant from accessing the collaborative resources. Consequently, though the participant may not have access to the collaborative resources, he is still able to re-delegate the authority to another participant.
    Type: Grant
    Filed: November 30, 2004
    Date of Patent: November 13, 2012
    Assignee: SAP Aktiengesellschaft
    Inventor: Yuecel Karabulut
  • Patent number: 8312264
    Abstract: A digital certificate associating a unique identifier for a computer-based appliance with an authentication key pair for that appliance is obtained from a certificate authority using a different, manufacturing key pair for the appliance. The manufacturing key pair may be generated by the appliance at or about its time of manufacture. The public key portion of the manufacturing key pair along with the unique identifier for the appliance may be provided via secure means to the certificate authority prior to the request for the digital certificate concerning the authentication key pair. Eventually, the digital certificate associated with the authentication key pair may be used by the appliance when joining a network, as part of a one-way or two-way authentication process.
    Type: Grant
    Filed: January 24, 2008
    Date of Patent: November 13, 2012
    Assignee: Blue Coat Systems, Inc.
    Inventors: Thomas J. Kelly, Ronald Frederick, Shrikrishna Karandikar, Wei Jen Yeh, Vineet Kumar
  • Patent number: 8307203
    Abstract: A local network traffic processor and an application are resident on a common computer system. The application is configured to trust a server certificate issued by a local network traffic processor, the local network traffic processor operatively being paired with a remote network traffic processor. A proxy server certificate, generated using identification information of a server associated with the remote network traffic processor and signed by the local certification authority, is used to establish a secure session between a local network traffic processor and the application.
    Type: Grant
    Filed: July 14, 2009
    Date of Patent: November 6, 2012
    Assignee: Riverbed Technology, Inc.
    Inventors: Charles Fraleigh, Nitin Gupta, Case Larsen, Shashidhar Merugu, Eric Ogren, Paras Shah, Oleg Smolsky
  • Patent number: 8307424
    Abstract: A password authentication apparatus and a password authentication method for preventing the leakage of password information from user's password input operations includes a memory device for storing a correct answer symbol and selection information for selecting at least one input symbol for each digit of a password; a display for displaying combinations of input symbol candidates based on user operation; a processor for selecting, for each digit of the password, one or more input symbols from the combinations of input symbol candidates displayed by the display based on the selection information corresponding to the digit to determine whether the correct answer symbol corresponding to the digit is included in the selected one or more input symbols; and an authentication board for authenticating that the password is entered correctly when the processor determines that correct answer symbols for all the digits of the password are included.
    Type: Grant
    Filed: January 15, 2009
    Date of Patent: November 6, 2012
    Assignee: Shibaura Institute of Technology
    Inventor: Yutaka Hirakawa
  • Patent number: 8307414
    Abstract: A method for controlling Internet access of a mobile device by using a communication system having a number of access points includes the steps of performing a certificate-based authentication between an authentication access point and a mobile device seeking access to the Internet; transmitting a certificate from the mobile device to the authentication access point; verifying the certificate by the authentication access point; determining whether the authenticating mobile device's certificate has been revoked prior to the expiration of its lifetime; and granting the authenticating mobile device access to the Internet, if the certificate has been verified successfully and not revoked prior to the expiration of its lifetime.
    Type: Grant
    Filed: September 5, 2008
    Date of Patent: November 6, 2012
    Assignees: Deutsche Telekom AG, Board of Trustees of the University of Illinois
    Inventors: Petros Zerfos, Jatinder Pal Singh, Marcin Solarski, Pablo Vidales, Nathanael Thompson, Haiyun Luo
  • Patent number: 8307447
    Abstract: A method and a terminal device for making multi-system constraint of a specified permission in a digital rights. A rights object related to content object is obtained by an executing device. The specific permission descriptions of the rights object include system constraint descriptions of a plurality of systems of the same type. The executing device obtains a corresponding system information in the device according to the system constraint descriptions and compares the system information in the device with the system information in the system constraint descriptions, so as to judge whether there is any system permitted in system constraint descriptions. If yes, it determines to permit executing the specific permission for the content object; otherwise, it determines not to permit executing said specific permission for the content object.
    Type: Grant
    Filed: August 15, 2006
    Date of Patent: November 6, 2012
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Yimin Li, Pei Dang
  • Patent number: 8301881
    Abstract: A method, apparatus, and system for proactive forced renewal of content protection implementations in devices. The method includes, on a first substantially periodic basis, automatically pushing a new content protection implementation to a device that contains an existing content protection implementation; wherein the existing content protection implementation comprises (a) existing software for presenting protected content and (b) an existing key to facilitate presentation of protected content; and wherein the new content protection implementation comprises a new key to supersede the existing key for facilitating presentation of protected content. On a second substantially periodic basis, the method includes automatically pushing revocation data to the device, the revocation data to identify a plurality of revoked keys, each revoked key of the plurality of revoked keys comprising a key that has been superseded by the new key of the new content protection implementation.
    Type: Grant
    Filed: May 11, 2011
    Date of Patent: October 30, 2012
    Assignee: Intel Corporation
    Inventors: C. Brendan S. Traw, Michael S. Ripley
  • Patent number: 8301877
    Abstract: A method and system for configuring a valid duration period for a digital certificate. The method includes assigning a positive numeric value for each certificate term. The positive numeric value assigned to each certificate term is representative of the valid duration period. The method continues by prompting a user of the client device to request one certificate term. The method may include transmitting the requested certificate term to a server. The certificate term requested is sent via a certificate request. The server is configured to convert the positive numeric value associated with the requested certificate term into a duration counter. The method may also include a certificate server receiving from the server, the certificate request including the duration counter. The certificate server is configured to digitally sign the certificate request.
    Type: Grant
    Filed: March 10, 2008
    Date of Patent: October 30, 2012
    Assignee: SecureAuth Corporation
    Inventors: Garret Grajek, Craig Lund, Steven Moore, Mark Lambiase
  • Patent number: 8291217
    Abstract: A management device configured to communicate with at least one second management device and at least one terminal device via a network includes an acquiring system configured to acquire first management information managed by the management device, a receiving system configured to receive second management information managed by each of the at least one second management device from each of the at least one second management device, a management information request receiving system configured to receive a management information request for the first management information and the second management information from the at least one terminal device, and a sending system configured to send, to the at least one terminal device, the first management information acquired by the acquiring system and the second management information received by the receiving system in response to the management information request being received by the management information request receiving system.
    Type: Grant
    Filed: March 29, 2007
    Date of Patent: October 16, 2012
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventor: Masafumi Miyazawa
  • Patent number: 8285985
    Abstract: A system and method can include comparing entities associated with public certificates and private keys in a keystore to detect compromised private keys. This increases security of systems implementing public key cryptography over a network. The comparison can be triggered by a trigger event in one embodiment. If a private key belonging to a certificate authority is detected, a notification can be generated. Alternatively or in addition, a revocation request can be generated for public certificates corresponding to the compromised private key.
    Type: Grant
    Filed: December 15, 2008
    Date of Patent: October 9, 2012
    Assignee: SAP AG
    Inventor: Udo Klein
  • Patent number: 8285996
    Abstract: A database management system (1) comprises up to fifty or more workstations (2), each for a user. The environment may, for example, be a hospital and the system manages medical records in a secure manner. Each user has a private key issued by a KGC (5). A database controller (3) updates a secure database (3) with data and associated signatures generated by the user workstations (2). Thus every record of the secure database (3) has a signature to provide full traceability and non-repudiation of data edits/updates. It is important for the system (1) that the signatures are verified on a regular basis, say every hour. Such a task would be extremely processor-intensive if the database (3) is large. However this is performed by a verification processor (4) of the system (1) in a much shorter time than heretofore, t1+n(Δ), where t1 is the time for one verification, n is the number of signatures, and Δ is a time value which is a very small proportion of t1 (less than 1%).
    Type: Grant
    Filed: September 28, 2006
    Date of Patent: October 9, 2012
    Assignee: Dublin City University
    Inventors: Noel McCullagh, Michael Scott, Neil Costigan
  • Publication number: 20120254610
    Abstract: The claimed subject matter provides a method for revoking licensed software in a computing environment. An exemplary method includes receiving a machine ID from a computer system. An application program and a license credential for the application program are sent to the computer system. Subsequently, upon theft or other loss of the computer system, a request to revoke the license credential is received. The request identifies the machine ID. When the computer system subsequently initiates a connection, the connection is detected based on the machine ID. An indication that the license credential for the application program is revoked is sent to the computer system. When the application program is later initiated, its operation is disabled because of the revocation of the license credential.
    Type: Application
    Filed: March 31, 2011
    Publication date: October 4, 2012
    Applicant: Microsoft Corporation
    Inventors: Ziquan Li, Sanjeev Dwivedi, Sunil S. Kadam, Alwin Vyhmeister, Ariye M. Cohen
  • Patent number: 8280020
    Abstract: Transparent caller name authentication is provided to authorized third parties by creating a Public Key Infrastructure (PKI) certificate chain. An owner of a registered caller name can authorize third parties to use the caller name by issuing a PKI sub-certificate to each authorized third party. An authenticated caller name displays the owner's name to the called party. Outsourcing and mobile employment is thereby facilitated, and called party confusion is reduced.
    Type: Grant
    Filed: February 6, 2007
    Date of Patent: October 2, 2012
    Assignee: Alcatel Lucent
    Inventors: Dmitri Vinokurov, Stanley TaiHai Chow, Vinod Kumar Choyi
  • Publication number: 20120246470
    Abstract: Techniques for protecting memory locations within a stakeholder's engine according to the Multi-Stakeholder Model, and a protocol for remote attestation to a device supporting the Multi-Stakeholder Model that provides extra evidence of the identity of the three actors.
    Type: Application
    Filed: January 27, 2011
    Publication date: September 27, 2012
    Inventors: Kenneth Alexander Nicolson, Hideki Matsushima, Manabu Maeda, Tomoyuki Haga
  • Publication number: 20120246469
    Abstract: A method and apparatus is provided that allows code signed by a master key to grant trust to an arbitrary second key, and also allows code, referred to as an antidote and also signed by the master key to revoke permanently the trust given to the second key.
    Type: Application
    Filed: April 27, 2012
    Publication date: September 27, 2012
    Inventor: James A. ROSKIND
  • Patent number: 8275998
    Abstract: A key distribution system distributes key data for using content to a second encryption device that has been legitimately outsourced processing by a first encryption device. The first encryption device acquires permission information indicating that the first encryption device has permission to use the content, generates certification information by making an irreversible alteration to the permission information, and transmits the permission information and the certification information to the second encryption device. The second encryption device receives the permission information and the certification information, sends them to a key distribution device, and acquires the key data from the key distribution device. The key distribution device receives the permission information and the certification information, judges whether or not the certification information was generated by the first encryption device, and if judging in the affirmative, transmits the key data to the second encryption device.
    Type: Grant
    Filed: November 24, 2010
    Date of Patent: September 25, 2012
    Assignee: Panasonic Corporation
    Inventors: Toshihisa Nakano, Hideshi Ishihara, Makoto Tatebayashi
  • Patent number: 8271782
    Abstract: Methods and systems for handling on an electronic device a secure message to be sent to a recipient. Data is accessed about a security key associated with the recipient. The received data is used to perform a validity check related to sending a secure message to the recipient. The validity check may uncover an issue that exists with sending a secure message to the recipient. A reason is determined for the validity check issue and is provided to the mobile device's user.
    Type: Grant
    Filed: May 24, 2010
    Date of Patent: September 18, 2012
    Assignee: Research In Motion Limited
    Inventors: Michael K. Brown, Michael S. Brown, Herbert A. Little, Neil P. Adams
  • Patent number: 8272032
    Abstract: A method is provided for controlling multiple access to a network service to prevent fraudulent use of the network service. The method includes identifying an account access counter for an account using identification information received from a user at a first device using a network, wherein the user is requesting access to a service provided at a second device, and further wherein the account access counter is the number of service access sessions active for the account; comparing the account access counter to a maximum account access number, wherein the maximum account access number defines a maximum number of service access sessions allowed for the account; and providing the user at the first device access to the service at the second device if the account access counter is less than the maximum account access number.
    Type: Grant
    Filed: November 10, 2004
    Date of Patent: September 18, 2012
    Assignee: MLB Advanced Media, L.P.
    Inventors: Joseph Francis Choti, Justin Alexander Shaffer, Christopher Sun, Elangovan Soundararajan, Shadeed S. Willis, Lincoln Hochberg, Sean Curtis
  • Publication number: 20120233458
    Abstract: An information processing apparatus and method that prior to using a digital certification considers a validity expiration date of the digital certificate as well as a usable deadline of an algorithm or a public key used in the digital certificate.
    Type: Application
    Filed: March 2, 2012
    Publication date: September 13, 2012
    Applicant: CANON KABUSHIKI KAISHA
    Inventor: Yasuharu Sugano
  • Patent number: 8266707
    Abstract: An apparatus and system provide a tamper-resistant scheme for portability of DRM-protected digital content. According to embodiments of the invention, a portable crypto unit may be utilized in conjunction with a VT integrity services (VIS) scheme as well as a Virtual Machine Manager (VMM) and a TPM to provide a secure scheme to protect digital content. Additionally, in one embodiment, the digital content may be partitioned into blocks comprising multiple segments to further enhance the security of the scheme.
    Type: Grant
    Filed: February 28, 2008
    Date of Patent: September 11, 2012
    Assignee: Intel Corporation
    Inventors: Uday Savagaonkar, Prashant Dewan, Men Long
  • Patent number: RE43934
    Abstract: A method includes determining whether a key is traceable to one of a set of keys associated with a trusted source and determining whether the key is identified in a list of compromised keys. If the key is not identified as compromised and is traceable to one of the keys in the set, the key is assigned a trusted status.
    Type: Grant
    Filed: December 10, 2010
    Date of Patent: January 15, 2013
    Assignee: Intel Corporation
    Inventor: Ned M. Smith