Revocation Or Expiration Patents (Class 713/158)
  • Patent number: 8984283
    Abstract: Methods and apparatuses for validating the status of digital certificates include a relying party receiving at least one digital certificate and determining if the at least one digital certificate is to be validated against a private certificate status database. The relying party accesses the private certificate status database and cryptographically validates the authenticity of data in the private certificate status database. The relying party also validates the at least one digital certificate based on information in at least one of the private certificate status database and a public certificate status database.
    Type: Grant
    Filed: August 3, 2011
    Date of Patent: March 17, 2015
    Assignee: Motorola Solutions, Inc.
    Inventors: Erwin Himawan, Anthony R. Metke, Shanthi E. Thomas
  • Patent number: 8977235
    Abstract: An exemplary method and apparatus are provided for establishing a communication between a first communication terminal and a second communication terminal over a network. A server dynamically generates a first single-use key and a second single-use key respectively associated with the first and second communication terminals as a function of time data related to at least one previous communication between the first communication terminal and the second communication terminal, during a request to establish a call from the first communication terminal to the second communication terminal. The server compares the first and second keys that were generated, and authorizes the establishment of the communication if the compared keys are identical.
    Type: Grant
    Filed: August 30, 2010
    Date of Patent: March 10, 2015
    Assignee: Alcatel Lucent
    Inventors: Daniel Ferrero, Yann Pitiot
  • Patent number: 8978148
    Abstract: A communication apparatus may include a reception portion, a decision portion, and a transmission portion. The reception portion may receive a first data request transmitted through a first security level communication, and a second data request transmitted through a second security level communication, the second security level being more secure than the first security level. The decision portion may decide whether a specific data request is the first data request or the second data request. The transmission portion may transmit a specific data to an apparatus that is a transmission source of the specific data request if the specific data request is the second data request, and may transmit different data to the apparatus if the specific data request is the first data request. The different data contains display information for causing the apparatus to retransmit the specific data request through the second security level communication.
    Type: Grant
    Filed: March 1, 2012
    Date of Patent: March 10, 2015
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventors: Munehisa Matsuda, Yohei Maekawa, Takeshi Miyake, Yuki Yada
  • Patent number: 8972735
    Abstract: Methods and apparatus to certify digital signatures are disclosed. An example method includes retrieving, from a first database, a first geographical location associated with an identification number associated with a network device and identified in a request to certify a digital signature, comparing the first geographical location associated with the identification number to a second geographical location to verify the second geographical location, determining that the first geographical location matches the second geographical location, and certifying the digital signature to indicate an authenticity of the digital signature based on the verification of the second geographical location and a comparison of (a) biometric information associated with a user associated with the request and (b) stored biometric information.
    Type: Grant
    Filed: April 3, 2014
    Date of Patent: March 3, 2015
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Brian M. Novack, David L. Dunmire, Daniel L. Madsen, Michael D. Cheaney, Timothy R. Thompson
  • Patent number: 8966246
    Abstract: A method for handling digital certificate status requests between a client system and a proxy system is provided. The method includes the steps of receiving at the proxy system digital certificate status request data transmitted from the client system and generating query data for the digital certificate status in response to receiving the digital certificate status request data. The query data is transmitted to a status provider system, and status data from the status provider system in response to the query data is received at the proxy system. Digital certificate status data based on the status data received is generated and transmitted to the client system.
    Type: Grant
    Filed: December 21, 2011
    Date of Patent: February 24, 2015
    Assignee: BlackBerry Limited
    Inventors: Herbert A. Little, Stefan E. Janhunen
  • Patent number: 8964974
    Abstract: Techniques for injecting encryption keys into a meter as a part of a manufacturing process are discussed. Since various encryption keys injected into meters may be specific to each individual meter, a utility company customer may require a copy of the injected encryption keys associated with each individual meter. The techniques may include providing a copy of keys injected into each meter to a utility company customer. In some instances, the meter manufacturer may not store or persist various encryption keys that are injected into the meters during the manufacturing process.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: February 24, 2015
    Assignee: Itron, Inc.
    Inventor: Bret Gregory Holmdahl
  • Patent number: 8966659
    Abstract: A computing device analyzes digital certificates received from various different sites (e.g., accessed via the Internet or other network) in order to automatically detect fraudulent digital certificates. The computing device maintains a record of the digital certificates it receives from these various different sites. A certificate screening service operating remotely from the computing device also accesses these various different sites and maintains a record of the digital certificates that the service receives from these sites. In response to a request to access a target site the computing device receives a current digital certificate from the target site. The computing device determines whether the current digital certificate is genuine or fraudulent based on one or more of previously received digital certificates for the target site, confirmation certificates received from the certificate screening service, and additional characteristics of the digital certificates and/or the target site.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: February 24, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Muhammad Umar Janjua, Yogesh A. Mehta, Maarten Van Horenbeeck, Anooshiravan Saboori, Nelly Porter, Vassil D. Bakalov, Bryston Nitta
  • Patent number: 8959337
    Abstract: A message including a digital signature is received at a processor. It is determined whether a specific authorized certificate issuer is configured for a message originator within a data protection policy. In response to determining that the specific authorized certificate issuer is configured for the message originator within the data protection policy, it is determined whether a message originator certificate used to generate the digital signature is issued by the configured specific authorized certificate issuer.
    Type: Grant
    Filed: June 25, 2012
    Date of Patent: February 17, 2015
    Assignee: International Business Machines Corporation
    Inventors: Bret W. Dixon, Jonathan L. Rumsey
  • Patent number: 8959645
    Abstract: A distributed operation is performed using at least one first and second computer-based object, wherein control information is used to influence or determine a property, a function of the first and/or second computer-based objects. The control information includes details of a parameter identifier, a value associated with the parameter identifier, a range of validity and a remote access attribute. The control information is provided in a retrievable manner, according to the included range of validity, in a memory organized according to ranges of validity and is associated with the first computer-based object. During a function or service call for performing the distributed operation, which is sent from the first computer-based object to the second, the control information is transmitted to the second computer-based object, provided in a retrievable manner in the memory organized according to the ranges of validity and associated with the second computer-based object.
    Type: Grant
    Filed: September 2, 2009
    Date of Patent: February 17, 2015
    Assignee: Siemens Aktiengesellschaft
    Inventors: Harald Herberth, Ulrich Kröger, Allan Sobihard
  • Patent number: 8955084
    Abstract: A token used when a first device authenticates itself to a third device may be associated with a token issue timestamp. Upon receipt of an indication that all previously issued tokens are to be revoked, a second device may store a revocation timestamp. Upon receiving, from the second device, a request for establishing conditions for a file transfer, from the first device, and an indication of a token issue timestamp associated with the request, the second device may compare the token issue timestamp to the revocation timestamp. Responsive to determining, based on the comparing, that the token issue timestamp precedes the revocation timestamp, the second device may deny the request.
    Type: Grant
    Filed: November 10, 2011
    Date of Patent: February 10, 2015
    Assignee: BlackBerry Limited
    Inventors: Tu Dien Do, Scott Peter Gammon, John Andrew McGregor
  • Patent number: 8954733
    Abstract: A computer uses the information included within a digital certificate to obtain a current date and time value from a trusted extrinsic source and the computer compares the obtained current date and time value to a validity period included in the digital certificate to determine if the digital certificate is expired. The information included within the digital certificate specifying an extrinsic source for the current date and time value can be included in an extension of the digital certificate, and the information can specify a plurality of extrinsic sources.
    Type: Grant
    Filed: March 23, 2012
    Date of Patent: February 10, 2015
    Assignee: International Business Machines Corporation
    Inventors: Andrew D. Akehurst, David J. McKechan, Stuart J. Reece
  • Patent number: 8955080
    Abstract: The disclosure generally describes computer-implemented methods, software, and systems for cloud-based single sign-on (SSO) capabilities. A computer-implemented method includes operations for identifying a first system for single sign-on capabilities, identifying a second system disparate from the first system for providing a single sign-on capability with the first system through a cloud-based SSO configuration manager, automatically accessing metadata associated with the sign-on information of the second system, the set of metadata identifying sign-on-related information for sharing at least one credential/certificate for logging in to the second system, using the metadata to obtain an authorization for a single sign-on between the first and second systems, receiving a request from the first system for authorization at the second system, and, in response to the request, providing the authorization and creating a cloud-based SSO system that includes the first and second systems.
    Type: Grant
    Filed: December 7, 2012
    Date of Patent: February 10, 2015
    Assignee: SAP SE
    Inventors: Frank Brunswig, Peter Dell, Klaus Herter, Bare Said
  • Patent number: 8949609
    Abstract: The user device includes: a recording unit which stores system parameters as respective parameters given in advance, a disclosure public key, a user public key, a user private key, a member certificate, and an attribute certificate; an input/output unit which receives input of the document from the user and an attribute the user intends to disclose; a cryptograph generating module which generates a cryptograph based on the inputted document, the attribute to be disclosed, and each of the parameters; a signature text generating module which generates a zero-knowledge signature text from the generated cryptograph; and a signature output module which outputs the cryptograph and the zero-knowledge signature text as the signature data. The user public key and the attribute certificate are generated by using a same power.
    Type: Grant
    Filed: July 6, 2010
    Date of Patent: February 3, 2015
    Assignee: NEC Corporation
    Inventor: Isamu Teranishi
  • Patent number: 8949599
    Abstract: According to an embodiment, provided is a device management apparatus that issues a digital certificate to a device. The device management apparatus includes: a storage unit that stores therein device identification information unique to the device in advance; a device-data obtaining unit that, when receiving a connection request from the device, obtains the device identification information contained in the connection request; and a certificate issuing unit that, when the device identification information that is obtained matches up with the device identification information that is stored, issues the digital certificate to the device.
    Type: Grant
    Filed: February 26, 2013
    Date of Patent: February 3, 2015
    Assignee: Ricoh Company, Limited
    Inventor: Masato Nakajima
  • Patent number: 8943323
    Abstract: A method is provided for provisioning a device certificate. A device certificate request is transmitted from a communication device to a server in a communication network using an established communications channel between the communication device and the server. The device certificate request comprises at least a user identifier and a device identifier. The server provides to the communication device a device certificate that includes the user identifier and the device identifier and that is signed by a private key of a certificate authority.
    Type: Grant
    Filed: May 1, 2012
    Date of Patent: January 27, 2015
    Assignee: BlackBerry Limited
    Inventors: Michael K. Brown, Michael S. Brown, Michael Kirkup
  • Patent number: 8943558
    Abstract: A method and a system for monitoring a threat are described. The system has a gateway, a web server, and a client device. The gateway detects, identifies, and tracks a threat at a location associated with the gateway. The gateway is coupled to a security device. The web server has a management application configured to communicate with the gateway. The client device communicates with the gateway identified by the web server. The gateway aggregates monitoring data from the security device and from other security devices respectively coupled to other gateways correlated with the gateway. The client device receives the aggregated monitoring data and controls the security device coupled to the respective gateway from a web-based user interface at the client device.
    Type: Grant
    Filed: March 8, 2013
    Date of Patent: January 27, 2015
    Assignee: Next Level Security Systems, Inc.
    Inventors: Peter A. Jankowski, Chen-Lan Yen, Rand D. Anderson
  • Patent number: 8943551
    Abstract: Device information for each of multiple devices associated with a user account is maintained by a cloud service. The device information can include credential information allowing the device to be accessed by other ones of the multiple devices, remote access information indicating how the device can be accessed by other ones of the multiple devices on other networks, and property information including settings and/or device drivers for the device. The device information for each of the multiple devices is made available to other ones of the multiple devices, and can be used by the multiple devices to access one another and provide a consistent user experience across the multiple devices.
    Type: Grant
    Filed: May 23, 2011
    Date of Patent: January 27, 2015
    Assignee: Microsoft Corporation
    Inventors: Narayanan Ganapathy, Esaias E. Greeff
  • Patent number: 8930696
    Abstract: A system and method for exchanging secure information between Secure Removable Media (SRM) devices. An initialization operation is performed between the SRM devices. After a mutual authentication operation is performed between the SRM devices, a secret key is exchanged for secure information exchange. An installation setup operation is then performed to establish an environment for moving rights between the SRM devices, and the rights information can be directly exchanged between the SRM devices by performing a rights installation operation between the SRM devices.
    Type: Grant
    Filed: May 22, 2009
    Date of Patent: January 6, 2015
    Assignee: Samsung Electronics Co., Ltd
    Inventor: Jung-Hun Park
  • Patent number: 8924717
    Abstract: An information processing apparatus and method that, prior to using a digital certificate, considers a validity expiration date of the digital certificate as well as a usable deadline of an algorithm or a public key used in the digital certificate.
    Type: Grant
    Filed: March 2, 2012
    Date of Patent: December 30, 2014
    Assignee: Canon Kabushiki Kaisha
    Inventor: Yasuharu Sugano
  • Publication number: 20140380042
    Abstract: A computer network for data transmission between network nodes, the network nodes being authenticatable to one another by authentication information of a public key infrastructure, with a root certificate authority configured to generate the authentication information for the public key infrastructure. The root certificate authority is arranged separate from the computer network and is not linked to the computer network. A network node of the computer network comprises an authentication information storage, a processor, a network communication device and an initialization device having an initialization communication device and a temporary authentication information storage that can be read out by the processor.
    Type: Application
    Filed: June 18, 2014
    Publication date: December 25, 2014
    Inventor: Oliver HANKA
  • Patent number: 8918640
    Abstract: An apparatus and a method for using a Secure Removable Media (SRM) in Digital Rights Management (DRM) are provided. The method for using the SRM in Digital Rights Management (DRM) includes determining, at a plurality of content service providers, an SRM usage rule and providing the determination to a trust authority using an eXtensible Markup Language (XML); receiving messages comprising the SRM usage rule from the content service providers and sending the messages to an apparatus together with an electronic signature; and receiving the messages comprising the SRM usage rule and changing an operation of the apparatus according to requirements of at least one content service provider. Thus, various content business models can be realized.
    Type: Grant
    Filed: August 18, 2009
    Date of Patent: December 23, 2014
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Yun-Sang Oh
  • Patent number: 8918641
    Abstract: A manageability engine or adjunct processor on a computer platform may receive a request for activation and use of features embedded within that platform from a service provider authorized by the manageability engine's manufacturer. The manageability engine may initiate a request for authority through the service provider to a permit server. The permit server may provide, through the service provider, proof of the service provider's authority, together with a certificate identifying the service provider. Then the manageability engine may enable activation of the features on the platform coupled to the manageability engine, but only by the one particular service provider who has been authorized.
    Type: Grant
    Filed: May 26, 2011
    Date of Patent: December 23, 2014
    Assignee: Intel Corporation
    Inventors: Ned M. Smith, Sanjay Bakshi, Suresh Sugumar
  • Patent number: 8918848
    Abstract: Methods and systems for third party client authentication of a client. A method includes displaying a user interface on a display of the client, the user interface including an option to select a supported credential type of a third party authentication server, receiving a command selecting the supported credential type, and sending credential information and the selected supported credential type to an authentication server for third party authentication by the third party authentication server. The third party authentication server may support a token-based authentication protocol for implementing single sign on (SSO).
    Type: Grant
    Filed: April 26, 2010
    Date of Patent: December 23, 2014
    Assignee: BlackBerry Limited
    Inventors: Girish Kumar Sharma, Lenny Kwok-Ming Hon, Joseph Daniel Burjoski, Kenneth Cyril Schneider
  • Patent number: 8914630
    Abstract: Systems and methods for handling electronic messages. An electronic message that is associated with a digital certificate is to be processed. A decision whether to check the validity of the digital certificate is based upon digital certificate checking criterion. An IT administrator may provide to one or more devices configuration data that establishes the digital certificate checking criterion.
    Type: Grant
    Filed: February 27, 2013
    Date of Patent: December 16, 2014
    Assignee: BlackBerry Limited
    Inventors: Ian Robertson, Michael Grant Kirkup, Herbert Anthony Little
  • Patent number: 8914859
    Abstract: Obfuscating a message, in one aspect, may include detecting sensitive information in a message to be broadcast into public or quasi-public computer network environment; replacing the sensitive information in the message with a representation that preserves general aspects of the sensitive information and a user interface element, the user interface element for enabling a viewer of the message to request access to details of the sensitive information; and transmitting the replaced message for broadcasting into the public or quasi-public computer network environment. De-obfuscating the message, in one aspect, may include authenticating one or more viewers or receivers of the message and based on the authentication, presenting details associated with the sensitive information.
    Type: Grant
    Filed: November 7, 2011
    Date of Patent: December 16, 2014
    Assignee: International Business Machines Corporation
    Inventors: Thomas D. Erickson, David W. Levine
  • Publication number: 20140351581
    Abstract: In one implementation, a public key infrastructure utilizes a two stage revocation process for a set of data. One stage authenticates or revokes the set of data based on the status of the digital signature and another stage authenticates or revokes the set of data based on the status of an individual signature by the digital certificate. For example, a digital certificate is assigned a certificate number. A serial number is assigned for a signature for the set of data as signed by the digital certificate. A data transmission, data packet, or install package includes the set of data, the certificate number and the serial number. Therefore, individual instances of the signature may be revoked according to serial number.
    Type: Application
    Filed: May 21, 2013
    Publication date: November 27, 2014
    Applicant: Cisco Technology, Inc.
    Inventor: Max Pritikin
  • Patent number: 8898738
    Abstract: The present invention discloses an apparatus, system and method for accessing an internet webpage. The system includes a user terminal and a proxy server. The user terminal is configured to initiate an access request to the proxy server, the access request including URL information of a target webpage which carries an identifier of requiring security authentication, and receive and display target webpage information outputted from the proxy server. The proxy server is configured to receive the access request, perform security authentication on the URL information of the target webpage which carries the identifier of requiring security authentication according to pre-stored webpage security database information; if the security authentication is passed, obtain the target webpage information and output the target webpage information to the user terminal. By applying the present invention, network delay overload for accessing the internet webpage can be reduced, and user experience can be improved.
    Type: Grant
    Filed: December 12, 2011
    Date of Patent: November 25, 2014
    Assignee: Tencent Technology (Shenzhen) Company Limited
    Inventors: Peng Hu, Zijun Zhang, Wenbing Ge
  • Patent number: 8898739
    Abstract: Data storage and management systems can be interconnected as clustered systems to distribute data and operational loading. Further, independent clustered storage systems can be associated to form peered clusters. Provided herein are methods and systems for creating and managing intercluster relationships between independent clustered storage systems, allowing the respective independent clustered storage systems to exchange data and distribute management operations between each other while mitigating administrator involvement. Cluster introduction information is provided on a network interface of one or more nodes in a cluster, and intercluster relationships are created between peer clusters. A relationship can be created by initiating contact with a peer using a logical interface, and respective peers retrieving the introduction information provided on the network interface.
    Type: Grant
    Filed: November 22, 2013
    Date of Patent: November 25, 2014
    Assignee: NetApp, Inc.
    Inventor: Steven M. Ewing
  • Publication number: 20140344567
    Abstract: Methods for managing digital certificates, including issuance, validation, and revocation are disclosed. Various embodiments involve querying a directory service with entries that correspond to a particular client identity and have attributes including certificate issuance limits and certificate validity time values. The validity time values are adjustable to revoke selectively the certificates based upon time intervals set forth in validity identifiers included therein.
    Type: Application
    Filed: April 18, 2014
    Publication date: November 20, 2014
    Applicant: SecureAuth Corporation
    Inventors: Garret Florian Grajek, Jeffrey Chiwai Lo, Mark V. Lambiase
  • Patent number: 8880878
    Abstract: A content distribution storage system includes: a first transmission unit configured to transmit a special content including certificate revocation list information indicating a list of at least an invalid electronic certificate to a first node group; a second transmission unit configured to transmit identification information for identifying the special content to a second node group; and a first node device.
    Type: Grant
    Filed: October 27, 2009
    Date of Patent: November 4, 2014
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventor: Takafumi Mori
  • Patent number: 8881259
    Abstract: Methods, devices, and storage media storing instructions to obtain logs from a security device and one or multiple service-providing devices, wherein the logs include information pertaining to traffic flow activity at an application layer associated with a service; store rules that identify behavior ranging from unintentional through intentional for one or multiple communication layers including an application layer; interpret the logs based on the rules; determine whether a violation exists based on the interpreting; and generate a notification that indicates the violation exists in response to a determination that the violation exists.
    Type: Grant
    Filed: December 18, 2012
    Date of Patent: November 4, 2014
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Shawn Ferdinand, Jeffrey Allen Haltom, Rachel Lee Scarbrough, Mark A. Nicholson
  • Publication number: 20140325210
    Abstract: A method that incorporates teachings of the subject disclosure may include, for example, storing, by a universal integrated circuit card including at least one processor, a digital root certificate locking a communication device to a network provider, and disabling an activation of the communication device responsive to receiving an indication of a revocation of the stored digital root certificate from a certificate authority, wherein the indication of the revocation of the stored digital root certificate is associated with a revocation of permission for an identity authority to issue a security activation information to the communication device on behalf of the network provider. Other embodiments are disclosed.
    Type: Application
    Filed: July 14, 2014
    Publication date: October 30, 2014
    Inventors: Patrick McCanna, Inderpreet Singh Ahluwalia, John Crockett, David Harber, Aubryn Lewis, Liane F. Rulifson
  • Publication number: 20140325209
    Abstract: Provided is a system and method for managing network access based on a history of a Certificate. The system includes an Authentication System structured and arranged to receive from a User a request for network access, the request including a Certificate and at least one associated Characteristic distinct from the Certificate. A Validation System is in communication with the Authentication System and structured and arranged to receive a request for validation of the Certificate, the Validation System evaluating the at least one Characteristic against a History for the Certificate to provide a positive or negative evaluation. The Validation System updates the History for the Certificate to include the request for validation of the Certificate. In response to a positive evaluation validating the Certificate, the Authentication System permits network access to the user. In response to a negative evaluation, the Authentication System blocks network access to the user and the Certificate is restricted.
    Type: Application
    Filed: April 30, 2013
    Publication date: October 30, 2014
    Applicant: Cloudpath Networks, Inc.
    Inventors: Kevin Lee Koster, Roger Lynn Haney
  • Patent number: 8875269
    Abstract: A method for single sign-on with established federation includes triggering a single sign-on operation from a first service to a second service, retrieving, by the first service, an associated federation key and pseudo identification for a user agent, generating, by the first service, a token signed with a federation key for the user agent based on the pseudo identification, redirecting, by the first service, the user agent to the second service, wherein the user agent transfers the token to the second service, verifying, by the second service, the token and determining an associated identification in the second service, and returning, by the second service, a resource to the user agent.
    Type: Grant
    Filed: February 23, 2011
    Date of Patent: October 28, 2014
    Assignee: International Business Machines Corporation
    Inventors: Paula K. Austel, He Yuan Huang, Michael McIntosh, Bin Wang, Jing Min Xu
  • Patent number: 8874910
    Abstract: The present invention provides an encryption method in which the encryption device stores data to be encrypted received via the input/output interface in its own memory, converts the data to be encrypted in the memory into a format required by the output device and transmits the converted data to the output device via the management interface, and the output device outputs the received information. The present invention also provides an encryption device for implementing the above method. The encryption device determines whether confirmation information has been received from a management interface, encrypts the data to be encrypted in the memory if the answer is positive, while performs no encryption or prompting to input correct confirmation information if the answer is negative. With the present invention, the user is allowed to view the contents to be actually encrypted, thereby avoiding such a case as signature counterfeiting or tampering.
    Type: Grant
    Filed: December 8, 2005
    Date of Patent: October 28, 2014
    Assignees: Legend Holdings Ltd., Lenovo (Beijing) Limited
    Inventor: Yonghua Liu
  • Patent number: 8868904
    Abstract: A configuration is provided wherein usage restrictions of an application are determined in accordance with timestamps. A certificate revocation list (CRL) in which the revocation information of a content owner who is a providing entity of an application program recorded in a disc is recorded is referred to in order to verify whether or not a content owner identifier recorded in an application certificate is included in the CRL, and in the case that the content owner identifier is included in the CRL, comparison between a timestamp stored in a content certificate and a CRL timestamp is executed, and in the case that the content certificate timestamp has date data equal to or later than the CRL timestamp, utilization processing of the application program is prohibited or restricted. According to the present configuration, a configuration is realized wherein an unrevoked application is not subjected to utilization restriction, and only a revoked application is subjected to utilization restriction.
    Type: Grant
    Filed: January 20, 2009
    Date of Patent: October 21, 2014
    Assignee: Sony Corporation
    Inventors: Kenjiro Ueda, Tateo Oishi, Katsumi Muramatsu, Motoki Kato, Yoshiyuki Kobayashi
  • Patent number: 8862874
    Abstract: A method, system, and computer usable program product for certificate distribution using a secure handshake are provided in the illustrative embodiments. A client sends an indication in a request, the request being a part of a secure data communication with a server. The indication indicates an ability of the client to accept a certificate as a part of a response from the server. The server retrieves a new certificate. The server sends as a result of the indication, a new certificate in the response corresponding to the request. The client receives as a result of the indication, the new certificate in a response that corresponds to the request. The client separates the new certificate from the response and uses the new certificate in the secure data communication with the server. The server uses the new certificate in the secure data communication with the client.
    Type: Grant
    Filed: May 9, 2008
    Date of Patent: October 14, 2014
    Assignee: International Business Machines Corporation
    Inventors: Kristin Marie Hazlewood, Annemarie Rose Fitterer
  • Patent number: 8862873
    Abstract: A shortcut management device capable of improving user-friendliness of a portal application. The shortcut management device is capable of executing shortcuts which use functions of an electronic apparatus, and manages at least part of the functions used by the shortcuts. A storage unit registers shortcuts. An invalidation detecting unit detects that the license is invalidated. A retrieval unit retrieves a shortcut made inexecutable in association with the license of which the invalidation is detected. An invalidation unit invalidates the retrieved shortcut.
    Type: Grant
    Filed: February 17, 2010
    Date of Patent: October 14, 2014
    Assignee: Canon Kabushiki Kaisha
    Inventor: Hideo Asahara
  • Patent number: 8856640
    Abstract: Aspects of the present disclosure are directed to methods and systems for applying electronic signatures to an electronically stored document wherein the electronic signatures are associated with a specific revision of that electronically stored document (revision specific electronic signatures).
    Type: Grant
    Filed: February 14, 2012
    Date of Patent: October 7, 2014
    Assignee: Google Inc.
    Inventors: John Mathias Barr, Geon Hyuk Park, Somit Gupta
  • Patent number: 8856509
    Abstract: A method of authentication and authorization over a communications system is provided. Disclosed herein are systems and methods for creating cryptographic evidence, called authentication/authorization evidence, AE, when a successful authentication/authorization between a client and an authentication server is complete. There are a variety of methods for generating AE. For instance, the AE can be data that is exchanged during the authentication signaling or data that results from it. A distinctive point is that AE results from the authentication process and is used as prior state for the following TLS exchange. An example of the creation of AE is as follows: EAP authentications typically result in an Extended Master Session Key (EMSK). The EMSK can be used to create an Evidence Master Key (EMK) that can then be used to create AE for a variety of servers.
    Type: Grant
    Filed: August 10, 2011
    Date of Patent: October 7, 2014
    Assignee: Motorola Mobility LLC
    Inventors: Madjid F. Nakhjiri, Tat Keung Chan, Alexander Medvinsky
  • Patent number: 8856516
    Abstract: A communication system includes a plurality of nodes, the communication system being arranged to assign each of the plurality of nodes a certificate by means of which it can authenticate itself to other nodes in the communication system and periodically distribute to the plurality of nodes an update formed by compressing a data set representing the validity of the certificates assigned to the plurality of nodes. The update is such that a node may not be able to unambiguously determine from the update whether or not a particular certificate is valid. The system further provides the plurality of nodes with a source of information about the validity of the plurality of certificates that is different from the update and by means of which a node may resolve an ambiguity in the update regarding a particular certificate's validity.
    Type: Grant
    Filed: September 17, 2010
    Date of Patent: October 7, 2014
    Assignee: Skype
    Inventors: Eric Rescorla, Theo Zourzouvillys
  • Publication number: 20140298010
    Abstract: Methods and systems for public-key certificate management comprise storing digital certificates in data structures that allow the manager to provide a verifiable proof about the validity status of a certificate. The certificates are stored in two data structures in a database. One data structure stores items in chronological order and is queried to establish a proof that a later snapshot of the database is an extension of an earlier snapshot of the database. Another data structure is ordered by user identifier and is queried to establish a proof that a given digital certificate is currently valid.
    Type: Application
    Filed: March 26, 2014
    Publication date: October 2, 2014
    Applicant: CloudTomo Limited
    Inventor: Mark Ryan
  • Patent number: 8850186
    Abstract: An information processing apparatus that communicates using an electronic certificate is provided. When identification information is configured that identifies the information processing apparatus on a network, the configured identification information is stored in a storage unit. A request for issue of an electronic certificate containing the identification information stored in the storage unit is issued to a certificate authority. Once the request for issue is issued, a determination is made as to whether or not the identification information contained in the request for issue matches the identification information stored in the storage unit prior to obtaining the electronic certificate that is issued by the certificate authority in response to the request for issue. If it is determined that a mismatch exists, the user is notified to that effect.
    Type: Grant
    Filed: January 5, 2007
    Date of Patent: September 30, 2014
    Assignee: Canon Kabushiki Kaisha
    Inventor: Hisayuki Yamauchi
  • Patent number: 8850191
    Abstract: Example embodiments provide various techniques for securing communications within a group of entities. In one example method, a request from an entity to join the group is received and a signed, digital certificate associated with the entity is accessed. Here, the signed, digital certificate is signed with a group private key that is associated with a certification authority for the group. The signed, digital certificate is added to a group roster, and this addition is to admit the entity into the group. The group roster with the signed, digital certificate is itself signed with the group private key and distributed to the group, which includes the entity that transmitted the request. Communication to the entity is then encrypted using the signed, digital certificate included in the group roster.
    Type: Grant
    Filed: April 28, 2011
    Date of Patent: September 30, 2014
    Assignee: NetApp, Inc.
    Inventors: Craig Fulmer Everhart, David Slik
  • Patent number: 8848919
    Abstract: Providing revocation status of at least one associated credential includes providing a primary credential that is at least initially independent of the associated credential, binding the at least one associated credential to the primary credential, and deeming the at least one associated credential to be revoked if the primary credential is revoked. Providing revocation status of at least one associated credential may also include deeming the at least one associated credential to be not revoked if the primary credential is not revoked. Binding may be independent of the contents of the credentials and may be independent of whether any of the credentials authenticate any other ones of the credentials. The at least one associated credential may be provided on an integrated circuit card (ICC). The ICC may be part of a mobile phone or a smart card.
    Type: Grant
    Filed: June 18, 2012
    Date of Patent: September 30, 2014
    Assignee: Assa Abloy AB
    Inventors: Eric F. Le Saint, Robert S. Dulude
  • Patent number: 8850185
    Abstract: Technologies are described herein for post attack man-in-the-middle detection. A first computer receives and stores public key certificates when connections are established. The first computer also uploads the stored public key certificates associated with a domain to a second computer each time a connection is established with the domain. The second computer receives the public key certificates from the first computer. The second computer then determines whether any of the public key certificates provided by the first computer are fraudulent certificates by comparing the received certificates to known valid certificates. If the second computer determines that the first computer has received one or more fraudulent certificates, the second computer may cause action to be taken with regard to the fraudulent certificates.
    Type: Grant
    Filed: June 28, 2013
    Date of Patent: September 30, 2014
    Assignee: Amazon Technologies, Inc.
    Inventor: Charles P. Vaughn
  • Publication number: 20140289512
    Abstract: Embodiments of the present invention are directed to methods and systems for generating and revoking, as well as validating, certificates used to protect communications within networks while maintaining privacy protection. In the context of a method, certificate generation and revocation with privacy preservation comprises determining a secret value to be used by a certificate authority and an entity; constructing a key tree based on the secret value, wherein the leaves of the key tree represent derived keys for the certificates for the entity; and generating certificates for the entity based in part on the key tree leaves. The method further comprises determining that one or more of the certificates should be revoked; determining a minimum key node set that covers the certificates to be revoked; adding the minimum key node set to a certificate revocation list; and providing the certificate revocation list to one or more entities. Corresponding apparatuses and computer program products are also provided.
    Type: Application
    Filed: March 20, 2013
    Publication date: September 25, 2014
    Applicant: INDUSTRIAL TECHNOLOGY RESEARCH INSTITUTE
    Inventor: INDUSTRIAL TECHNOLOGY RESEARCH INSTITUTE
  • Publication number: 20140281505
    Abstract: An apparatus comprising a memory, a processor coupled to the memory, wherein the memory contains instructions that when executed by the processor cause the apparatus to receive an information centric network (ICN) name prefix announcement message comprising a message prefix specific to a publisher, a public key certificate specific to the content publisher, and a signature specific to the content publisher, verify the signature with a name registration service (NRS), and update internal data indicating that the content publisher is a trusted publisher, wherein the internal data comprises the prefix, the public key, and the signature.
    Type: Application
    Filed: August 20, 2013
    Publication date: September 18, 2014
    Applicant: Futurewei Technologies, Inc.
    Inventors: Xinwen Zhang, Haiyong Xie, Ravishankar Ravindran, Guo Qiang Wang
  • Publication number: 20140281503
    Abstract: A certificate grant list is provided. The certificate grant list may be stored in a memory, at the network device. The certificate grant list may store information associated with a client-device certificate, where the client-device certificate permits the client-device access to a secure service.
    Type: Application
    Filed: May 16, 2013
    Publication date: September 18, 2014
    Applicant: HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P.
    Inventors: Craig Joseph Mills, Kaushik Datta
  • Publication number: 20140281504
    Abstract: Methods, apparatuses, and computer program products for authorizing use of a test key signed build are provided. Embodiments include transmitting to an update provider system, unique data associated with a target system; receiving from the update provider system, a signed update capsule file; determining, by the target system, that a signature within the signed update capsule file is valid; in response to determining that the signature is valid, determining that the validation data within the signed update capsule file matches the unique data associated with the target system; and in response to determining that the validation data matches the unique data, determining that the target system is authorized to use a test key signed build to update the firmware of the target system.
    Type: Application
    Filed: March 18, 2013
    Publication date: September 18, 2014
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: INTERNATIONAL BUSINESS MACHINES CORPORATION