Revocation Or Expiration Patents (Class 713/158)
  • Publication number: 20120017083
    Abstract: The cryptographic scheme subdivides time into periods with an index j=0, 1, 2, etc. A public key indicates elements u and v of a first cyclic group G_1 of prime order p and, for each period j, an integer s_j between 0 and p−1 and elements g_{1,j} of the group G_1 and g_{2,j}, w_j and h_j of another cyclic group G_2 of order p. The private key of a member of the group indicates an integer x_i between 0 and p−1 and, for each period j, an element A_{i,j} of the group G_1 such that A_{i,n}=[A_{i,n-1}/g_{1,n-1}]^{1/(x_i−s_n)} for 1≤n≤j. To sign a message during a period j≥0, the member selects two integers ? and ? between 0 and p−1, calculates T_1=u?, T_2=A_{i,j}·v?, S_1=g_{2,j}? and S_2=e(A_{i,j}, h_j)? where e(., .) is a bilinear map of G_1×G_2 onto G_T, and determines according to the message the data that justify the fact that the elements T_1, T_2, S_1 and S_2 are correctly formed with knowledge of the private key of the member for the period with index j.
    Type: Application
    Filed: December 16, 2009
    Publication date: January 19, 2012
    Applicant: FRANCE TELECOM
    Inventors: Sébastien Canard, Cécile Delerablee
  • Patent number: 8099593
    Abstract: A system and method for searching and retrieving certificates, which may be used in the processing of encoded messages. In one embodiment, a certificate synchronization application is programmed to perform certificate searches by querying one or more certificate servers for all certificate authority (CA) certificates and cross-certificates on the certificate servers. In another embodiment, all certificates related to an identified certificate are retrieved from the certificate servers automatically by the certificate synchronization application, where the related certificates comprise at least one of one or more CA certificates and one or more cross-certificates. Embodiments of the invention facilitate at least partial automation of the downloading and establishment of certificate chains, thereby minimizing the need for users to manually search for individual certificates.
    Type: Grant
    Filed: December 7, 2009
    Date of Patent: January 17, 2012
    Assignee: Research In Motion Limited
    Inventors: Michael S. Brown, Michael K. Brown, Herbert A. Little, Neil P. Adams, Michael G. Kirkup
  • Patent number: 8099368
    Abstract: A transaction processing service operates as an intermediary between acquirers of financial transaction requests and issuing institutions that process the financial transaction requests. The intermediary service utilizes a customer's mobile device as an out-of-band communication channel to notify a customer of a received financial transaction request. To send the notification, the intermediary service retrieves stored customer information, including an address of the customer's mobile device and a list of payment instruments that can be used to pay for the transaction. Before continuing to process the received financial transaction request, the service may first require the customer to confirm the transaction via the mobile device. The intermediary service retrieves financial account information associated with the customer from issuing institutions, and, if the transaction is confirmed, provides the account information to acquirers in order to allow transactions to be processed.
    Type: Grant
    Filed: September 10, 2009
    Date of Patent: January 17, 2012
    Assignee: FonWallet Transaction Solutions, Inc.
    Inventors: Todd R. Coulter, Mordechai E. Kaplinsky, Christopher E. Lewis
  • Patent number: 8095518
    Abstract: Various embodiments provide a mapping layer to translate DRM system requirements from one DRM system, such as a source system, to another DRM system, such as a target system. In at least some embodiments, DRM system requirement translation is performed using a signed data structure that maps DRM system requirements from one DRM system to one or more other DRM systems. By mapping DRM system requirements from one system to another, licenses associated with DRM-protected content and associated content can be safely transferred between systems.
    Type: Grant
    Filed: June 4, 2008
    Date of Patent: January 10, 2012
    Assignee: Microsoft Corporation
    Inventors: Kedarnath A Dubhashi, Sumedh N Barde, Hany Farag
  • Patent number: 8095969
    Abstract: Security assertion revocation enables a revocation granularity in a security scheme down to the level of individual assertions. In an example implementation, a security token includes multiple respective assertions that are associated with multiple respective assertion identifiers. More specifically, each individual assertion is associated with at least one individual assertion identifier.
    Type: Grant
    Filed: September 8, 2006
    Date of Patent: January 10, 2012
    Assignee: Microsoft Corporation
    Inventors: Blair B. Dillaway, Moritz Y. Becker, Andrew D. Gordon, Cedric Fournet, Brian A. LaMacchia
  • Patent number: 8090949
    Abstract: A system and method for assigning certificates and reducing the size of the certificate revocation lists in a PKI based architecture for a vehicle wireless communications system that includes separating a country, or other area, into geographic regions and assigning region-specific certificates to the vehicles. Therefore, a vehicle need only process certificates and certificate revocation lists for the particular region that it is traveling in. Vehicles can be assigned multiple certificates corresponding to more than one region in the vehicle's vicinity as advance preparation for possible travel or transmission into nearby regions. Further, the expiration time of certificates assigned to vehicles corresponding to a given geographic region can be tailored to be inversely proportional to the distance from a registered home region of the vehicle. A scalable design for a back-end certifying authority with region-based certificates can also be provided.
    Type: Grant
    Filed: March 13, 2008
    Date of Patent: January 3, 2012
    Assignee: GM Global Technology Operations LLC
    Inventors: Bhargav Ramchandra Bellur, Anitha Varghese, Rajeev Shorey, Srinivasan Rajavelu, Aditya R. Karnik
  • Publication number: 20110320811
    Abstract: An information processing device includes: a data processing unit that executes a process of reproducing content recorded in a medium, wherein the data processing unit acquires a token from the medium, the token being management data corresponding to content recorded in the medium, compares a server ID recorded in the acquired token with a server ID recorded in a server certificate acquired from a server from which the management data is acquired, and halts reproduction of content when the two server IDs are not identical.
    Type: Application
    Filed: June 8, 2011
    Publication date: December 29, 2011
    Applicant: Sony Corporation
    Inventors: Kenjiro Ueda, Koji Yoshimura, Hiroshi Kuno, Takamichi Hayashi, Munetake Ebihara
  • Publication number: 20110320810
    Abstract: An information processing device includes: a data processing unit that executes a process of reproducing content recorded in a medium; and a memory storing a content revocation list in which an identifier (ID) of revoked content is recorded, wherein the data processing unit compares a minimum allowable version of a content revocation list recorded in a token which is management data corresponding to content recorded in the medium with a version of a content revocation list acquired from the memory, and when the version of the content revocation list acquired from the memory is an old version lower than the minimum allowable version of the content revocation list recorded in the token, the data processing unit halts determination on revocation of content based on the content revocation list acquired from the memory and reproduction of content.
    Type: Application
    Filed: June 2, 2011
    Publication date: December 29, 2011
    Applicant: Sony Corporation
    Inventors: Kenjiro Ueda, Koji Yoshimura, Hiroshi Kuno, Takamichi Hayashi, Munetake Ebihara
  • Publication number: 20110320809
    Abstract: A method and apparatus for key revocation in an attribute-based encryption scheme is provided herein. Prior to operation, a key management service performs a randomized setup algorithm resulting in the generation of public parameters and the key management service's master secret, MK. During operation, the key management service is provided with verified user attribute information. The key management service creates keys for users based on their list of attributes. The keys can then be used to decode appropriate ciphertext. During the key creation, each attribute is associated with a particular text string. As attributes are revoked, the text string is updated.
    Type: Application
    Filed: June 23, 2010
    Publication date: December 29, 2011
    Applicant: MOTOROLA, INC.
    Inventors: Raffaele G. Amendola, Matthew G. Pirretti
  • Patent number: 8082547
    Abstract: A method comprises recognizing a need for an additional resource to be made available to a target computer workload. A determination is made whether said target workload is licensed for additional resource. If the determination is positive, the resource is transferred to the target workload. If the determination is negative, a license is transferred from a source workload, and then the resource is transferred to the target workload.
    Type: Grant
    Filed: October 31, 2006
    Date of Patent: December 20, 2011
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Daniel Edward Herington, William H Blanding
  • Patent number: 8077867
    Abstract: The present invention relates to a confidential information processing device, a confidential information processing apparatus, and a confidential information processing method, and particularly to a confidential information processing device which performs multiple cryptographic computation for different target data included in a data stream. With this configuration, the context control unit outputs the stream on which the cryptographic computation is performed to an external device or other stream analysis unit. Thus, by setting the number of cryptographic computation on a correspondence table, the number of computation can be set to any number. Thus, the confidential information processing device according to the present invention can perform any number of cryptographic computations on one stream. Furthermore, without outputting the stream whenever a cryptographic computation is completed, multiple cryptographic computations can be performed with one stream input.
    Type: Grant
    Filed: January 8, 2008
    Date of Patent: December 13, 2011
    Assignee: Panasonic Corporation
    Inventors: Yusuke Nemoto, Yuishi Torisaki, Makoto Fujiwara, Satoru Kuriki, Masahiro Sano
  • Publication number: 20110302411
    Abstract: A method and system for updating and using a digital certificate, and the method comprises: a first terminal establishing a secure link with an access point and using the secure link to send a certificate updating request to the access point, where the certificate updating request includes a digital certificate to be updated which is currently used by the first terminal; and the access point sending the digital certificate to be updated to a local Authentication Service Unit which issues the certificate to be updated; and the local Authentication Service Unit which issues the digital certificate to be updated verifying the digital certificate to be updated, and after the digital certificate is verified to be valid, a local Authentication Service Unit corresponding to the access point generating a new digital certificate of the first terminal and sending the new digital certificate to the first terminal through the access point.
    Type: Application
    Filed: August 20, 2009
    Publication date: December 8, 2011
    Applicant: ZTE CORPORATION
    Inventors: Jiehui Liang, Yuanqing Shi, Wangxing Kang
  • Patent number: 8074264
    Abstract: A server may bridge between a wide area network, such as the Internet, and a local area network and may process authentication requests from clients on the wide area network. The server may filter the requests to enable specific types of requests to pass, and may forward the requests to a credential server within the local area network and pass any responses back to the client. The server may be configured with some or all of a set of domain services objects, but such objects may be stored in a read only format. The server may further contain a minimum of or no sensitive data such that, if compromised, an attacker may gain little advantage. The client may request evidence of authentication available to devices within the local area network and may use the evidence of authentication to access services made available to the wide area network.
    Type: Grant
    Filed: April 16, 2008
    Date of Patent: December 6, 2011
    Assignee: Microsoft Corporation
    Inventors: Daniel W. Hitchcock, Siddharth Bhai, Nathan D. Muggli, Brian W. Puhl, Lee F. Walker
  • Patent number: 8074067
    Abstract: It is an object of the present invention to enhance the security and reduce the data amount of data to be handled in a group signing system, in which when the group public key which includes: a description for four groups: group 1, group 2, group T, and group E of the same order number; a description of bilinear mapping from group 1 and group 2 to group T; each generator of group 1, group 2, group T, and group E; and a signature public key of a signature scheme using group 1, group 2, and group T, is input, the member secret key including an integer not larger than the order number, member evidence which is a value given by multiplying the generator of group E by the member secret key, and an element of group 1 or group 2 which is a value given by multiplying the generator of the group 1 or the group 2 by the member secret key are sent to the member-certificate issuing device, and thereafter upon receipt of a signature for the member secret key, which is verifiable by the signature public key, from the member
    Type: Grant
    Filed: January 16, 2006
    Date of Patent: December 6, 2011
    Assignee: NEC Corporation
    Inventor: Jun Furukawa
  • Patent number: 8065518
    Abstract: A fast authentication and access control method of authenticating a network access device to a communications network having an access point communicating with a remote authentication (home AAA) server for the network access device. The method includes the step of receiving an access request having an authentication credential from the network access device at the access point. The authentication credential includes a security certificate having a public key for the network access device and an expiration time. The security certificate is signed with a private key for the remote authentication server. The access point locally validates the authentication credential by accessing the public key of the remote authentication server from a local database, and checking the signature and expiration time of the security certificate.
    Type: Grant
    Filed: February 1, 2005
    Date of Patent: November 22, 2011
    Assignee: AT&T Intellectual Property II, L.P.
    Inventors: Paul Shala Henry, Zhimei Jiang, Hui Luo
  • Patent number: 8065519
    Abstract: A wireless communication system includes a plurality of terminals connected to at least one wireless network on the basis of authority of security configuration parameters shared by the plurality of terminals. Each of the plurality of terminals revokes security configuration parameters of the terminal itself or security configuration parameters of another terminal in accordance with an agreement with said another terminal.
    Type: Grant
    Filed: August 7, 2006
    Date of Patent: November 22, 2011
    Assignee: Sony Corporation
    Inventor: Hideyuki Suzuki
  • Patent number: 8060924
    Abstract: A system and method for controlling the execution of executable files. The executables are identified by either a cryptographic digest or a digital certificate. The cryptographic digest is computed from the binary image of the executable. An executable that is attempting to execute is intercepted by a protection module that consults a database of stored rules over a secure channel to determine whether or not the executable can be identified as a permitted executable and whether or not it has permission to execute on a particular computer system under certain specified conditions. If a stored permission is available, it is used to control the execution. Otherwise, the user is consulted for permission.
    Type: Grant
    Filed: April 18, 2005
    Date of Patent: November 15, 2011
    Assignee: Lumension Security, Inc.
    Inventor: Viacheslav Usov
  • Patent number: 8060746
    Abstract: In a method and a device for transferring an e-mail by a public key cryptography between an e-mail transmission device and an e-mail reception device, a trigger message to which user authentication data and a public key are added is received from a transmitting side client, and trust is assigned to the public key within the trigger message to be transmitted to a receiving side client when the user authentication data within the trigger message are authenticated. In response thereto, a response message to which user authentication data and a public key are added is received from the receiving side client, and trust is assigned to the public key within the response message to be transmitted to the transmitting side client when the user authentication data within the response message are authenticated.
    Type: Grant
    Filed: July 21, 2005
    Date of Patent: November 15, 2011
    Assignee: Fujitsu Limited
    Inventor: Yuji Kojima
  • Patent number: 8059818
    Abstract: The present invention relates to a method and a system of securely storing data on a network (100) for access by an authorized domain (101, 102, 103), which authorized domain includes at least two devices that share a confidential domain key (K), and an authorized domain management system for securely storing data on a network for access by an authorized domain. The present invention enables any member device to store protected data on the network such that any other member device can access the data in plaintext without having to communicate with the device that actually stored the data.
    Type: Grant
    Filed: February 11, 2005
    Date of Patent: November 15, 2011
    Assignee: Nokia Corporation
    Inventors: Nadarajah Asokan, Philip Ginsboorg, Seamus Moloney, Tapio Suihko
  • Patent number: 8060902
    Abstract: The system for receiving broadcast digital data (in particular pay television services) comprises a master digital terminal (1), and at least one slave digital terminal (2) connected to the master terminal by a link (3) and able to receive protected digital data. The slave digital terminal can access the protected data only if information necessary for accessing the data and received by the master digital terminal is sent by way of link (3) to the slave digital terminal within a predetermined deadline. This information is in particular access entitlements to television services or keys for descrambling the service.
    Type: Grant
    Filed: January 20, 2004
    Date of Patent: November 15, 2011
    Assignee: Thomson Licensing
    Inventors: Philippe Leyendecker, Jean-Maurice Cueff, Daniel Creusot
  • Patent number: 8055896
    Abstract: A tag generation method for generating tags used in data packets in a broadcast encryption system is provided. The method includes detecting at least one revoked leaf node; setting a node identification (node ID) assigned to at least one node among nodes assigned node IDs at a layer 0 and to which the at least one revoked leaf node is subordinate, to a node path identification (NPID) of the at least one revoked leaf node at the layer 0; generating a tag list in the layer 0 by combining the NPID of each of the at least one revoked leaf nodes at the layer 0 in order of increment of node IDs of the corresponding at least one revoked leaf nodes; and generating a tag list in a lowest layer by repeatedly performing the setting and generation operation down to the lowest layer.
    Type: Grant
    Filed: April 19, 2006
    Date of Patent: November 8, 2011
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Weon-il Jin, Maeng-hee Sung, Dae-youb Kim, Hwan-joon Kim
  • Patent number: 8051284
    Abstract: A system structured from a management device, a content key distribution device and a plurality of terminals suppresses the data volume of a terminal revocation list (TRL). The management device generates and transmits a TRL formed from data that expresses terminal IDs of all terminals to be invalidated, by only a value and a position of a common bit string in the IDs, to the content key distribution device. Each terminal holds a terminal ID that includes a manufacturer ID and a serial number, and requests the distribution of a content key by sending the terminal ID to the content key distribution device. The content key distribution device refers to the TRL, judges whether the terminal ID transmitted from the terminal is that of an invalidated terminal, and if negative, encrypts and transmits the content key to the terminal.
    Type: Grant
    Filed: June 19, 2008
    Date of Patent: November 1, 2011
    Assignee: Panasonic Corporation
    Inventors: Toshihisa Nakano, Motoji Omori, Makoto Tatebayashi
  • Publication number: 20110264585
    Abstract: A system is provided for managing email and eliminating spam wherein an email client (112) is configured to receive digitally signed email (117), identify spam email, and allow a user to report digitally signed spam to a certificate authority (115) issuing the attached digital certificate.
    Type: Application
    Filed: September 5, 2007
    Publication date: October 27, 2011
    Inventor: Melih Abdulhayoglu
  • Publication number: 20110264911
    Abstract: A memory device includes: a storage section configured to store public key information of a certificate authority for verifying a certificate and revocation information for revoking illegal devices and to include a secret area for storing data of which the confidentiality is to be guaranteed; and a control section configured to have a function of communicating with an external device and to control access to the secret area of the storage section at least in accordance with the revocation information.
    Type: Application
    Filed: March 23, 2011
    Publication date: October 27, 2011
    Applicant: SONY CORPORATION
    Inventors: Takamichi Hayashi, Hiroshi Kuno
  • Publication number: 20110258435
    Abstract: A method is provided for obtaining a certificate revocation list (CRL) for a vehicle in a vehicle-to-vehicle communication system. A portable security unit is provided to access secured operations for the vehicle. The portable security unit is linked to a device having access to a communication network. The communication network is in communication with a certificate authority for issuing an updated CRL. The updated CRL is downloaded from the certificate authority to the portable security unit. At a later time, when a user enters the vehicle, a communication link is established between the portable security unit and a vehicle processor unit. Mutual authentication is exchanged between the portable security unit and the vehicle processing unit. The updated CRL stored in the portable security unit is downloaded to a memory of the vehicle communication system in response to a successful mutual authentication.
    Type: Application
    Filed: April 19, 2010
    Publication date: October 20, 2011
    Applicant: GM GLOBAL TECHNOLOGY OPERATIONS, INC.
    Inventors: Bhargav R. Bellur, Debojyoti Bhattacharya, Aravind V. Iyer
  • Patent number: 8041944
    Abstract: In a group signature system of the present invention, user device 400 registered in the group, when receiving an issuing device public key of a set that includes order N of a cyclic group and its elements a_0, a_1 and a_2, determines such primes e and e′ that e′ is a prime that is obtained by subtracting a fixed number smaller than the prime e from the prime e, generates a user device secret key of a set including such numbers x and r that the product between a_0 and the result obtained by performing modular exponentiation of a_1 by number x, multiplied by the result obtained by performing modular exponentiation of a_2 by number r is equal to the result obtained by performing element A of the first cyclic group raised to the e-th power, based on order N as a modulus, and a user device public key of a set including prime e, prime e′ and element A, transmits prime e′ to revocation manager 300, receives B calculated based on prime e′ from revocation manager 300 to obtain a message, generates a signature statemen
    Type: Grant
    Filed: March 14, 2007
    Date of Patent: October 18, 2011
    Assignee: NEC Corporation
    Inventor: Isamu Teranishi
  • Patent number: 8041943
    Abstract: A method for enforcing use of certificate revocation lists in validating certificates, the lists being associated with a series of list generation indices such that each list is assigned one index which advances according to a time of generation of the list, the lists and the indices being cryptographically signed, the method including receiving one of the lists and an associated index as an identifier of the one list, checking the certificates against the list, associating each of the certificates, which have been checked against the list, with the index, receiving an enforcement generation index (EGI) associated with a latest list in use, storing the EGI as a last known EGI, and refusing performance of an action associated with a certificate if the one index of the one certificate is earlier in the series than the last known EGI. Related apparatus and methods are also included.
    Type: Grant
    Filed: October 3, 2006
    Date of Patent: October 18, 2011
    Assignee: NDS Limited
    Inventors: Chaim Shen-Orr, Yaacov (Jordan) Levy, Yaacov Belenky
  • Patent number: 8037300
    Abstract: An information processing apparatus includes a verification unit for verifying validity of a certificate that certifies a communication party and a transmission unit for externally transmitting information for identifying the information processing apparatus and a result of verification of the certificate.
    Type: Grant
    Filed: June 7, 2005
    Date of Patent: October 11, 2011
    Assignee: Canon Kabushiki Kaisha
    Inventor: Takeshi Kaneda
  • Publication number: 20110246765
    Abstract: An Identity Ecosystem Cloud (IEC) provides global, scalable, cloud-based, cryptographic identity services as an identity assurance mechanism for other services, such as data storage, web services, and electronic commerce engines. The IEC complements these other services by providing enhanced identity protection and authentication. An IEC performs identity services using surrogate digital certificates having encryption keys that are never exposed to the public. An individual requesting other services must meet an identity challenge before access to these other services is granted. Service requests to the IEC, and responses from the IEC, are securely encrypted. An IEC integrates smoothly into existing services by layering on top of, or being used in conjunction with, existing security measures. Identity transactions may be logged in a manner that complies with strict medical and financial privacy laws.
    Type: Application
    Filed: April 4, 2011
    Publication date: October 6, 2011
    Applicant: SURIDX, INC
    Inventor: Norman Schibuk
  • Patent number: 8032744
    Abstract: A method for proving the validity of a digital document digitally signed using a digital key that corresponds to a digital certificate in a chain of digital certificates issued by certification authorities within a hierarchy of certification authorities. At least one secure digital time stamp is applied to at least one record comprising the digital document, the digital signature, certificate chain data, and information relating to the revocation of certificates by certification authorities within the certificate chain. If, at some later time, one or more digital certificates either expire or are revoked, the timestamp serves as evidence of the integrity of the signed digital document.
    Type: Grant
    Filed: March 20, 2006
    Date of Patent: October 4, 2011
    Assignee: Addison Fischer
    Inventors: Wesley Doonan, Albert J. Wettlaufer, Rone H. Lewis
  • Patent number: 8032937
    Abstract: A worm is a malicious process that autonomously spreads itself from one host to another. To infect a host, a worm must somehow copy itself to the host. The method in which a worm transmits a copy of itself produces network traffic patterns that can be generalized as a traffic behavior. As a worm spreads itself across the network, the propagation of the traffic behavior can be witnessed as hosts are infected, one after another. By monitoring the network traffic for propagations of traffic behaviors, a presence of a worm can be detected.
    Type: Grant
    Filed: October 26, 2004
    Date of Patent: October 4, 2011
    Assignee: The Mitre Corporation
    Inventor: Daniel R. Ellis
  • Patent number: 8028333
    Abstract: A method and system of authenticating a public key certificate for a relying party (RP). A Certificate Authority (CA), who issued the certificate, is a member of a Public Key Infrastructure (PKI) having a Certificate Policy (CP). First quality levels required of the CA by the RP are accessed by a certificate classification service (CCS) and corresponding second quality levels possessed by the CA are ascertained by the CCS. At least one quality characteristic pertaining to the second quality levels relates to at least one element of the CP. The ascertained second quality levels are compared by the CCS with the corresponding accessed first quality levels. A result of the comparing, communicated by the CCS to the RP, is that the certificate is authenticated if the comparing has determined that each first quality level is not less than each corresponding second quality level.
    Type: Grant
    Filed: August 23, 2007
    Date of Patent: September 27, 2011
    Assignee: International Business Machines Corporation
    Inventors: Konrad Falch, Trond Lemberg, Hakon Liberg, Anund Lie, Per Myrseth, Jon Olnes
  • Patent number: 8028167
    Abstract: A method and an electronic apparatus for rolling over from a first to second trusted certificate in the electronic apparatus. Information containing identification data for identifying the second trusted certificate is acquired in the electronic apparatus. Also, the second trusted certificate, which is preinstalled in the electronic apparatus, is activated based on said identification data.
    Type: Grant
    Filed: June 2, 2006
    Date of Patent: September 27, 2011
    Assignee: Sony Ericsson Mobile Communications AB
    Inventors: Stefan Andersson, Janne Karppinen
  • Patent number: 8024562
    Abstract: In the setup phase, the certification authority (CA 120) generates validation proof data structures for greater time than the maximum validity period of any digital certificate. Therefore, new certificates can be added to the existing data structures after the setup phase.
    Type: Grant
    Filed: June 26, 2009
    Date of Patent: September 20, 2011
    Assignee: NTT DOCOMO, Inc.
    Inventors: Craig B. Gentry, Zulfikar Amin Ramzan, Bernhard Bruhn
  • Publication number: 20110225420
    Abstract: A module building system, hosted by a server, receives a user script to be run to monitor software on a client using an introspection tool. The server adds safety constraints to the user script and generates a client kernel module using the user script which includes the safety constraints. The server signs the client kernel module and sends the signed client kernel module to the client. The signed client kernel module allows a user to use the introspection tool to load and execute the client module on the client for monitoring the software on the client.
    Type: Application
    Filed: March 10, 2010
    Publication date: September 15, 2011
    Inventors: Frank Ch. Eigler, Dave Brolley
  • Patent number: 8020197
    Abstract: Systems and methods for performing explicit delegation with strong authentication are described herein. Systems can include one or more clients, one or more end servers, and one or more gateways intermediate or between the client and the end server. The client may include an explicit strong delegation component that is adapted to strongly authenticate the client to the gateway. The explicit strong delegation component may also explicitly delegate to the gateway a right to authenticate on behalf of the client, and to define a period of time over which the explicit delegation is valid. The system may be viewed as being self-contained, in the sense that the system need not access third-party certificate or key distribution authorities. Finally, the client controls the gateways or end servers to which the gateway may authenticate on the client's behalf.
    Type: Grant
    Filed: February 15, 2006
    Date of Patent: September 13, 2011
    Assignee: Microsoft Corporation
    Inventors: Tomer Shiran, Sara Bitan, Nir Nice, Jeroen de Borst, Dave Field, Shai Herzog
  • Publication number: 20110219227
    Abstract: A certificate management system provides automated management of certificate lifecycles and certificate distribution. Rather than depend upon an administrator to manually distribute and manage certificates, the system self-generates certificates, distributes the certificates to appropriate servers or other parties, and transitions from old certificates to new certificates in a well-defined manner that avoids breaking functionality. After generating one or more certificates, the system securely shares certificates in a way that parties that use them can find the new certificates without an administrator manually distributing the certificates. When it is time to update certificates, the system generates new certificates and shares the new certificates in a similar way. During a transition period, the system provides a protocol by which both old and new certificates can be used to perform authenticated access to resources, so that the transition from an old to a new certificate does not break services.
    Type: Application
    Filed: March 8, 2010
    Publication date: September 8, 2011
    Applicant: Microsoft Corporation
    Inventors: Tariq Sharif, Colin H. Brace, Nakul Garg
  • Patent number: 8015400
    Abstract: A method and system for Certificate management and transfer between messaging clients are disclosed. When communications are established between a first messaging client and a second messaging client, one or more Certificates stored on the first messaging client may be selected and transferred to the second messaging client. Messaging clients may thereby share Certificates. Certificate management functions such as Certificate deletions, Certificate updates and Certificate status checks may also be provided.
    Type: Grant
    Filed: June 9, 2009
    Date of Patent: September 6, 2011
    Assignee: Research In Motion Limited
    Inventors: Herbert A. Little, Neil P. Adams, David F. Tapuska, Michael S. Brown, Michael G. Kirkup, James A. Godfrey
  • Patent number: 8015595
    Abstract: A gaming system may include a gaming security arbiter, and first and second network gaming devices, each including a processor and a memory operatively coupled to the processor. The arbiter controller may be programmed to receive a request from the first network gaming device for a communication session between the first network gaming device and the second network gaming device, to provide a first encryption key to the first network gaming device and to provide a second encryption key to a second network gaming device. The first controller may transmit the request to the gaming security arbiter, receive the first encryption key, encrypt a message using the first encryption key and transmit the encrypted message to the second network gaming device. The second controller may be programmed to receive the second encryption key, receive the encrypted message and decrypt the encrypted message using the second encryption key.
    Type: Grant
    Filed: September 23, 2004
    Date of Patent: September 6, 2011
    Assignee: IGT
    Inventor: Jamal Benbrahim
  • Patent number: 8015404
    Abstract: A system and method for authenticating the source and ensuring the integrity of traffic data collected from probe vehicles while maintaining the privacy of the data's source. This is accomplished by dividing the traffic analysis functionality into two distinct responsibilities: data collection, including authentication and verification, and data processing, and assigning each responsibility to a different entity, such that the first entity has access to authentication information which identifies the data's source but not to traffic information such as the source's location, and the second entity has access to the traffic information but not to the authentication information which identifies the data's source.
    Type: Grant
    Filed: September 16, 2005
    Date of Patent: September 6, 2011
    Assignee: GM Global Technology Operations, LLC
    Inventor: Ansaf I. Alrabady
  • Patent number: 8015401
    Abstract: A method of authenticating data transmitted in a digital transmission system, in which the method comprises the steps, prior to transmission, of determining at least two encrypted values for at least some of the data, each encrypted value being determined using a key of a respective encryption algorithm, and outputting said at least two encrypted values with said data.
    Type: Grant
    Filed: June 17, 2008
    Date of Patent: September 6, 2011
    Assignee: Thomson Licensing S.A.
    Inventors: Jean-Bernard Gerard Maurice Beuque, Philippe Poulain
  • Patent number: 8015399
    Abstract: A communication apparatus includes an authentication part for authenticating another communication apparatus with a first digital certificate, and a certificate transmission part for transmitting a second digital certificate when the authentication part succeeds in authenticating the other communication apparatus with the first digital certificate.
    Type: Grant
    Filed: September 29, 2004
    Date of Patent: September 6, 2011
    Assignee: Ricoh Company, Ltd.
    Inventor: Tatsuya Imai
  • Patent number: 8015597
    Abstract: Issuing and disseminating data about a credential includes having an entity issue authenticated data indicating that the credential has been revoked, causing the authenticated data to be stored in a first card of a first user, utilizing the first card for transferring the authenticated data to a first door, having the first door store information about the authenticated data, and having the first door rely on information about the authenticated data to deny access to the credential. The authenticated data may be authenticated by a digital signature and the first door may verify the digital signature. The digital signature may be a public-key digital signature. The public key for the digital signature may be associated with the credential. The digital signature may be a private-key digital signature. The credential and the first card may both belong to the first user.
    Type: Grant
    Filed: July 16, 2004
    Date of Patent: September 6, 2011
    Assignee: CoreStreet, Ltd.
    Inventors: Phil Libin, Silvio Micali, David Engberg, Alex Sinelnikov
  • Patent number: 8015600
    Abstract: An Identity System manages certificate related actions for organization members and affiliates. Examples of certificate related actions include certificate enrollment, renewal, and revocation. The Identity System maintains and employs different certificate related workflows for different organization members and affiliates. After receiving a request for a certificate related action, the Identity System retrieves a workflow for responding to the request. The Identity System selects the workflow from a plurality of workflows for responding to the type of certificate related action being requested. Each workflow in the plurality corresponds to a different set of user characteristics. The Identity System selects the workflow that corresponds to the requested certificate related action, as well as the type of user for which the request is made.
    Type: Grant
    Filed: November 30, 2001
    Date of Patent: September 6, 2011
    Assignee: Oracle International Corporation
    Inventors: Richard P. Sinn, Joan C. Teng, Thomas B. Remahl
  • Publication number: 20110213963
    Abstract: A certificate revocation list (CRL) distribution system receives a request from a client pertaining to a status of a certificate and determines whether the client is an online certificate status protocol (OCSP) compliant client. The certificate status distribution system sends the certificate status to the client using OCSP in response to a determination that the client is an OCSP compliant client and sends a certificate revocation list to the client in response to a determination that the client is not an OCSP compliant client.
    Type: Application
    Filed: February 26, 2010
    Publication date: September 1, 2011
    Inventor: Andrew Wnuk
  • Publication number: 20110213964
    Abstract: A certificate revocation list (CRL) deployment system loads a portion of test data that represents revoked certificates into a cache at periodic intervals and generates a CRL for a corresponding periodic interval using the test data that is loaded in the cache at that corresponding periodic interval. The CRL deployment system determines a CRL size that the server computing system is capable to support using the generated CRLs and notifies a user of the CRL size that the server computing system is capable to support.
    Type: Application
    Filed: February 26, 2010
    Publication date: September 1, 2011
    Inventor: Andrew Wnuk
  • Publication number: 20110213967
    Abstract: A method and system for pre-encoding a cached CRL is described.
    Type: Application
    Filed: February 26, 2010
    Publication date: September 1, 2011
    Inventor: Andrew Wnuk
  • Publication number: 20110213969
    Abstract: A method of authentication and authorization over a communication system is provided. The method performs a first authentication of a device based on a set of device identity and credentials. The first authentication includes creation of a first set of keying material. The method also includes performing a second authentication of a subscriber based on a set of subscriber identity and credentials. The second authentication includes creation of a second set of keying material. A set of compound key material is created with a key derivation mechanism that uses the first set of keying material and the second set of keying material. A binding token is created by cryptographically signing at least the device identity authenticated in the first authentication and the subscriber identity authenticated in the second authentication using the set of compound keying material. The signed binding token is exchanged for verification with an authenticating and authorizing party.
    Type: Application
    Filed: February 28, 2011
    Publication date: September 1, 2011
    Applicant: GENERAL INSTRUMENT CORPORATION
    Inventors: Madjid F. Nakhjiri, Katrin Hoeper, Alexander Medvinsky
  • Publication number: 20110213970
    Abstract: A method, apparatus, and system for proactive forced renewal of content protection implementations in devices. The method includes, on a first substantially periodic basis, automatically pushing a new content protection implementation to a device that contains an existing content protection implementation; wherein the existing content protection implementation comprises (a) existing software for presenting protected content and (b) an existing key to facilitate presentation of protected content; and wherein the new content protection implementation comprises a new key to supersede the existing key for facilitating presentation of protected content. On a second substantially periodic basis, the method includes automatically pushing revocation data to the device, the revocation data to identify a plurality of revoked keys, each revoked key of the plurality of revoked keys comprising a key that has been superseded by the new key of the new content protection implementation.
    Type: Application
    Filed: May 11, 2011
    Publication date: September 1, 2011
    Inventors: C. Brendan S. Traw, Michael S. Ripley
  • Publication number: 20110213965
    Abstract: A method and system for identity management certificate operations is described.
    Type: Application
    Filed: February 26, 2010
    Publication date: September 1, 2011
    Inventors: Christina Fu, Andrew Wnuk