Revocation Or Expiration Patents (Class 713/158)
  • Patent number: 8719907
    Abstract: A computerized authorization system configured to authorize electronically-made requests to an electronic entity. The computerized authorization system comprises a store configured to store an indication of at least one predetermined electronic authorization device configured to authorize each electronically-made request. The computerized authorization system is further configured such that: in response to receiving an electronically-made request to the electronic entity, an indication of the request is output to the at least one predetermined electronic authorization device configured to authorize the request as indicated in the store; and in response to receiving an indication of authorization from the at least one predetermined electronic authorization device, an indication of authorization of the request is output to the electronic entity.
    Type: Grant
    Filed: May 11, 2012
    Date of Patent: May 6, 2014
    Inventor: Gary Martin Shannon
  • Publication number: 20140122873
    Abstract: In accordance with embodiments disclosed herein, there are provided systems, apparatuses, and methods for implementing cryptographic enforcement based on mutual attestation for cloud services.
    Type: Application
    Filed: October 31, 2012
    Publication date: May 1, 2014
    Inventors: Steven W. DEUTSCH, Abhilasha BHARGAV-SPANTZEL
  • Patent number: 8707416
    Abstract: The preferred embodiments involve a mechanism to bootstrap Kerberos from EAP in which EAP is used for initial network access authentication and Kerberos is used for provisioning session keys to multiple different protocols. The preferred embodiments make use of an EAP extension method (EAP-EXT) to realize the mechanism.
    Type: Grant
    Filed: November 24, 2007
    Date of Patent: April 22, 2014
    Assignees: Toshiba America Research, Inc., Telcordia Technologies, Inc.
    Inventors: Yoshihiro Oba, Subir Das
  • Patent number: 8707031
    Abstract: Methods for managing digital certificates, including issuance, validation, and revocation are disclosed. Various embodiments involve querying a directory service with entries that correspond to a particular client identity and have attributes including certificate issuance limits and certificate validity time values. The validity time values are adjustable to revoke selectively the certificates based upon time intervals set forth in validity identifiers included therein.
    Type: Grant
    Filed: April 7, 2009
    Date of Patent: April 22, 2014
    Assignee: SecureAuth Corporation
    Inventors: Garrett F. Grajek, Jeff C. Lo, Mark V. Lambiase
  • Patent number: 8706642
    Abstract: An apparatus, system, and method are disclosed for securely authorizing changes to a transaction restriction. A security module securely stores encryption keys for a payment instrument. The payment instrument electronically transacts payments and includes a transaction restriction. An authentication module receives an authentication from a user of the payment instrument. The security module validates the authentication with a first encryption key. In addition, the security module authorizes a change to the transaction restriction using a second encryption key if the authentication is valid. The security module resides on a computer that the user designates as authorized to validate the authentication.
    Type: Grant
    Filed: December 12, 2006
    Date of Patent: April 22, 2014
    Assignee: Lenovo (Singapore) Pte. Ltd.
    Inventors: Stacy John Cannady, David Carroll Challener, Daryl Cromer, Mark Charles Davis, David Rivera, Randall Scott Springfield, Rod D. Waltermann
  • Patent number: 8707032
    Abstract: A system includes a controller and a certificate authority. The controller is configured to control a process. The certificate authority (CA) is configured to issue and to revoke certificates, wherein the controller is configured to use the CA to mutually authenticate a user to enter into a secure mode of operation.
    Type: Grant
    Filed: April 30, 2012
    Date of Patent: April 22, 2014
    Assignee: General Electric Company
    Inventors: David Richard Socky, Robert James Boring, Roy Leguire Jackson, Timothy David Rian, William Robert Pettigrew
  • Patent number: 8707390
    Abstract: Secure access to a wireless network can be provided in a system where wireless devices access a wireless network through a wireless access point (WAP). For example, a plurality of pre-shared keys (PSKs) may be generated and distributed to the WAP and the wireless device. The wireless device may automatically rotate an active one of the plurality of PSKs, while the WAP receives one or more rotation signals identifying the active one of the plurality of PSKs. The wireless device and the WAP may encrypt information relating to the active one of the PSKs within communications between them, thus securing the communications.
    Type: Grant
    Filed: July 26, 2007
    Date of Patent: April 22, 2014
    Assignee: CA, Inc.
    Inventor: Joannes G. Van De Groenendaal
  • Patent number: 8700920
    Abstract: Systems and methods for handling user interface field data. A system and method can be configured to receive input which indicates that the mobile device is to enter into a protected mode. Data associated with fields displayed on a user interface are stored in a secure form on the mobile device. After the mobile device leaves the protected mode, the stored user interface field data is accessed and used to populate one or more user interface fields with the accessed user interface field data for display to a user.
    Type: Grant
    Filed: May 28, 2012
    Date of Patent: April 15, 2014
    Assignee: BlackBerry Limited
    Inventors: Neil Patrick Adams, Herbert Anthony Little
  • Patent number: 8700902
    Abstract: Methods and apparatus to certify digital signatures are disclosed. An example method includes receiving a request to certify a digital signature from a user, receiving information about a physical characteristic of the user, comparing the information about the physical characteristic to stored physical characteristic information, and based on the comparison, at least one of certifying the digital signature based on the comparison or requesting certification of the digital signature based on the comparison.
    Type: Grant
    Filed: February 13, 2006
    Date of Patent: April 15, 2014
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Brian M. Novack, David L. Dunmire, Daniel L. Madsen, Michael D. Cheaney, Timothy R. Thompson
  • Publication number: 20140101442
    Abstract: Network security administrators are enabled to revoke certificates with their customizable certificate authority reputation policy store which is informed by an independent certificate authority reputation server when a CA is deprecated or has fraudulent certificate generation. The custom policy store overrides trusted root certificate stores accessible to an operating system web networking layer or to a third party browser. Importing revocation lists or updating browsers or operating system is made redundant. The apparatus protects an endpoint from a man-in-the-middle attack when a certificate authority has lost control over certificates used in TLS.
    Type: Application
    Filed: December 11, 2013
    Publication date: April 10, 2014
    Applicant: BARRACUDA NETWORKS, INC.
    Inventors: Stephen Pao, Fleming Shi
  • Patent number: 8689300
    Abstract: A method and system for authenticating the identity of a client device that is calling a remotely located server over a network. A client device inputs information pertaining to a hardware characteristic and a network address thereof into a cryptographic hash function stored on the client device. The hash function computes a unique registration ID hash code and presents it to the system server during a registration process. The system server then generates a digital certificate having a system-side key (i.e., public key). A client-side key (i.e., private key) is provided to the client device. For all future calls to the system server, the client device re-computes its registration ID hash code and then digitally signs it using its client-side key. The system server then uses its system-side key to examine the digitally signed registration ID hash code to authenticate the identity of the client device.
    Type: Grant
    Filed: January 30, 2007
    Date of Patent: April 1, 2014
    Assignee: The Boeing Company
    Inventors: John B. Sims, Jeffrey W. Calog
  • Patent number: 8683197
    Abstract: Video data files are provided to a user for playback. Once playback begins, the methods and apparatus of the present invention enable a user to interrupt the video playback function and quickly resume playback prior to reloading the selected video file. The techniques of the present invention can store video data in a cache memory and, upon interruption, capture a frame of video data at approximately the time of the interruption. The captured frame and cache data can be used to provide the user with a unique menu option for resumption of the video playback at the moment of interruption.
    Type: Grant
    Filed: March 10, 2008
    Date of Patent: March 25, 2014
    Assignee: Apple Inc.
    Inventors: William Bull, Kourtny Minh Hicks, Aram Lindahl
  • Patent number: 8683580
    Abstract: An image forming apparatus includes: an authentication unit that can execute a login process and a logout process; an operation unit that receives an instruction for the logout process from the user; a user attribute storage unit that stores the identification information of a non-logged-out user; a determination unit that determines whether a logged-in user, who is a user for whom the login process is executed by the authentication unit, is the non-logged-out user, based on the identification information stored in the user attribute storage unit; and a forced logout processing unit that, in a case in which the logged-in user is determined to be the non-logged-out user by the determination unit, instructs the authentication unit to execute the logout process when a predefined particular process among the plurality of processes is executed and completed by the processing unit.
    Type: Grant
    Filed: August 18, 2011
    Date of Patent: March 25, 2014
    Assignee: Kyocera Document Solutions Inc.
    Inventor: Takeo Shimizu
  • Patent number: 8683198
    Abstract: A method and apparatus is provided that allows code signed by a master key to grant trust to an arbitrary second key, and also allows code, referred to as an antidote and also signed by the master key to revoke permanently the trust given to the second key.
    Type: Grant
    Filed: April 27, 2012
    Date of Patent: March 25, 2014
    Assignee: Facebook, Inc.
    Inventor: James A. Roskind
  • Publication number: 20140082353
    Abstract: Example embodiments provide various techniques for securing communications within a group of entities. In one example method, a request from an entity to join the group is received and a signed, digital certificate associated with the entity is accessed. Here, the signed, digital certificate is signed with a group private key that is associated with a certification authority for the group. The signed, digital certificate is added to a group roster, and this addition is to admit the entity into the group. The group roster with the signed, digital certificate is itself signed with the group private key and distributed to the group, which includes the entity that transmitted the request. Communication to the entity is then encrypted using the signed, digital certificate included in the group roster.
    Type: Application
    Filed: April 28, 2011
    Publication date: March 20, 2014
    Applicant: NetApp, Inc.
    Inventors: Craig Fulmer Everhart, David Slik
  • Patent number: 8671274
    Abstract: Systems and methods for authenticating a media device or other information handling system so as to be able to receive content from one or more media content providers. Authenticating the device includes determining what authentication information the media content providers require for access and then generating and providing to the media device an authentication token that includes the required information. In some embodiments this may be accomplished by a service center, which removes the need for additional authentication steps to be performed by the media device or the media content providers. In addition, the service center may also determine when changes are made to the authentication information and may then ensure that the authentication token is changed or updated to reflect these changes. This ensures that the media device is at least partially immune to changes to authentication.
    Type: Grant
    Filed: October 28, 2008
    Date of Patent: March 11, 2014
    Assignee: Dell Products L.P.
    Inventors: Mark Andrew Ross, Timothy Bucher
  • Publication number: 20140068251
    Abstract: A method and device is provided for dynamically maintaining and updating public key infrastructure (PKI) certificate path data across remote trusted domains to enable relying parties to efficiently authenticate other nodes in an autonomous ad-hoc network. A certificate path management unit (CPMU) monitors a list of sources for an occurrence of a life cycle event capable of altering an existing PKI certificate path data. Upon determining that the life cycle event has occurred, the CPMU calculates a new PKI certificate path data to account for the occurrence of the life cycle event and provides the new PKI certificate path data to at least one of a relying party in a local domain or a remote CPMU in a remote domain.
    Type: Application
    Filed: August 31, 2012
    Publication date: March 6, 2014
    Applicant: MOTOROLA SOLUTIONS, INC.
    Inventors: Ananth Ignaci, Erwin Himawan, Anthony R. Metke, Shanthi E. Thomas
  • Patent number: 8656156
    Abstract: A digital Rights Management (DRM), and particularly an apparatus and method of authentication between DRM agents for moving Rights Object (RO) is provided, whereby RO and contents can be moved between DRM agents after a simple authentication therebetween using specific authentication information received from a Rights Issuer (RI), in a case where the RO is moved in a user domain or among a plurality of DRM agents.
    Type: Grant
    Filed: October 31, 2012
    Date of Patent: February 18, 2014
    Assignee: LG Electronics Inc.
    Inventor: Seung-Jae Lee
  • Patent number: 8656155
    Abstract: Digital certificate public information is extracted using a processor from at least one digital certificate stored within at least one digital certificate storage repository. The extracted digital certificate public information is stored to at least one dynamically-created certificate public information directory. At least a portion of the digital certificate public information stored within the at least one dynamically-created certificate public information directory is provided in response to a digital certificate public information request.
    Type: Grant
    Filed: February 10, 2012
    Date of Patent: February 18, 2014
    Assignee: International Business Machines Corporation
    Inventors: Bret W. Dixon, Scot W. Dixon
  • Publication number: 20140040611
    Abstract: Systems and methods are presented for distributed validation of a digitally signed electronic document. A computing device accesses both a representation of the electronic document and a digital signature for the electronic document that includes a digest generated by the digital signature's creator by applying a one-way function to the electronic document. The computing device applies the same one-way function to the accessed representation of the electronic document to generate a new digest, and includes both the digital signature and the new digest in a request sent to a separate validation server. The request does not include the electronic document. The validation server generates validation results that depend on comparing the digest from the digital signature with the new digest, and that do not depend on having the electronic document available to the validation server. The computing device receives the validation results from the separate validation server.
    Type: Application
    Filed: July 31, 2012
    Publication date: February 6, 2014
    Inventors: Isak Tenenboym, Philip G. Levy, Marc T. Kaufman, John T. Landwehr
  • Patent number: 8645690
    Abstract: Disclosed herein is a method of verifying key validity and a server for performing the method. The method is configured such that a service provision server verifies key validity in an anonymous service for providing local linkability. The service provision server receives a revocation list. A local revocation list is generated using the received revocation list and a secret key. A virtual index of a service user required to verify key validity is calculated. Whether a key of the service user is valid is verified, based on whether the virtual index is included in the local revocation list.
    Type: Grant
    Filed: December 15, 2011
    Date of Patent: February 4, 2014
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Sok-Joon Lee, Jung-Yeon Hwang, Gun-Tae Bae, Byung-Ho Chung, Sin-Hyo Kim, Hye-Ran Mun, Sang-Woo Lee, Yun-Kyung Lee, Hyun-Sook Cho
  • Patent number: 8646091
    Abstract: A digital software licensing system includes one or more subsystems to issue an order for one or more software licenses to a software vendor, receive from the vendor a wrapped license file, decrypt the wrapped license file using a manufacturer private key and verify authenticity of wrapped license file using a vendor public key. The wrapped license file includes a list of license keys which are signed using a vendor private key and encrypted using the manufacturer public key.
    Type: Grant
    Filed: May 22, 2008
    Date of Patent: February 4, 2014
    Assignee: Dell Products L.P.
    Inventors: Clint O'Connor, Douglas G. Macnair, Jr.
  • Patent number: 8646102
    Abstract: One embodiment of the present invention provides a system that facilitates issuing rights in a digital rights management system. The system operates by sending a request to perform an operation on an item of content from a client to a rights-management server, wherein the request includes a usage parameter which specifies constraints involved in performing the operation. Next, the system receives a response from the rights-management server, wherein the response indicates whether or not the client has rights to perform the operation in accordance with the constraints specified by the usage parameter. Note that the response may also include a hint that facilitates generating subsequent requests to perform the operation. Finally, if the client has rights to perform the operation, the system performs the operation on the item of content.
    Type: Grant
    Filed: September 15, 2006
    Date of Patent: February 4, 2014
    Assignee: Oracle America, Inc.
    Inventors: Gerard M. Fernando, Viswanathan Swaminathan, Thomas W. Jacobs, William J. Keenan
  • Patent number: 8639931
    Abstract: The generation of a shared secret key K in the implementation of a key agreement protocol, for example MQV, may be optimized for accelerated computation by selecting the ephemeral public key and the long-term public key of a correspondent to be identical. One correspondent determines whether the pair of public keys of the other correspondent are identical. If it is, a simplified representation of the shared key K is used which reduces the number of scalar multiplication operations for an additive group or exponentiation operations for a multiplicative group. Further optimization may be obtained by performing simultaneous scalar multiplication or simultaneous exponentiation in the computation of K.
    Type: Grant
    Filed: December 16, 2009
    Date of Patent: January 28, 2014
    Assignee: Certicom Corp.
    Inventor: Daniel R. L. Brown
  • Patent number: 8635449
    Abstract: In response to a validation request that includes second information identifying the certificate authority, key information of the certificate authority at issuance of the public key certificate, and information identifying the public key certificate, if the second information identifying the certificate authority included in the validation request corresponds to the first information identifying the certificate authority included in the authority certificate, and the information identifying the public key certificate included in the validation request does not exist in the revocation information, the validation server creates a validation result indicating that the public key certificate corresponding to the information identifying the public key certificate included in the validation request is valid.
    Type: Grant
    Filed: November 1, 2012
    Date of Patent: January 21, 2014
    Assignee: Hitachi, Ltd.
    Inventors: Akane Sato, Yoko Hashimoto, Shingo Hane, Takahiro Fujishiro, Masahiko Furuya, Masami Uzawa
  • Patent number: 8635442
    Abstract: Various embodiments of a system and method for long-term digital signature verification utilizing light weight digital signatures are described. Embodiments may include a verifying entity system that receives digitally signed data including a portion of data, signing time, and digital signature. The verifying entity system may receive a digital certificate that includes information for verifying the digital signature and an expiration time for the certificate. The verifying entity system may receive a CRL that persists revocation information corresponding to ones of the revoked digital certificates that have already expired. The verifying entity system may utilize the CRL to determine that the digital signature is valid subsequent to its expiration time. The verifying entity system may evaluate the CRL to determine that the digital certificate was not revoked at the signing time. The verifying entity system may determine the digital signature is a valid digital signature and generate a corresponding result.
    Type: Grant
    Filed: April 28, 2009
    Date of Patent: January 21, 2014
    Assignee: Adobe Systems Incorporated
    Inventor: Sunil C. Agrawal
  • Patent number: 8635599
    Abstract: A checklist process system and method for measuring adherence to a process defined in accordance with a standardized model, such as CMMI®—Capability Maturity Model Integration. A system is provided that includes: a database of checklists, wherein each checklist includes a set of requirements defined in accordance with the process; a weight assignment system for assigning a weight to each requirement in each checklist; an evaluation system for evaluating a checklist, wherein the evaluation system awards the weight associated with each requirement if the requirement has been met; and an adherence value generation system that calculates an adherence value for the checklist based on all the weights awarded in the checklist.
    Type: Grant
    Filed: August 18, 2006
    Date of Patent: January 21, 2014
    Assignee: International Business Machines Corporation
    Inventors: Samantha Pineda Velarde, Dejanira Alatriste Gutiérrez, Leticia Cruz Ruiz, Salvador Hernández Mancilla, Jesus E. Pelayo Peña
  • Patent number: 8630955
    Abstract: Disclosed herein is a financial card system. The system includes a communications device on which a non-contact integrated circuit chip is installed; and an authentication terminal having a reader/writer allowing reading/writing information on the communications device and capable of transmission and reception of information with the communications device through the reader/writer. The communications device has a storage block, a common area information transmission block, and an individual area information transmission block. The reader/writer of the authentication terminal has a storage block, a common area information reception block, and an individual area information reception block.
    Type: Grant
    Filed: December 14, 2010
    Date of Patent: January 14, 2014
    Assignee: Felica Networks, Inc.
    Inventors: Toshiya Kurasaki, Hideaki Kihara
  • Publication number: 20140013111
    Abstract: One exemplary embodiment involves receiving a request for a document key for accessing a document on a client device. The request comprises a user identity identifying a requester requesting access to the document. The request also comprises information about the document. The exemplary embodiment further involves determining, at the server, whether access to the document by the requester is permitted. And, the exemplary embodiment further involves, if access to the document is permitted computing, at the server, the document key using the user identity and using the information about the document. The document key is document specific and, prior to the computing of the document key, the document key is not stored for access by the server. The exemplary embodiment further involves responding to the request by providing the document key for use in accessing the document on the client device.
    Type: Application
    Filed: January 25, 2011
    Publication date: January 9, 2014
    Applicant: Adobe Systems Incorporated
    Inventors: Jonathan Herbach, Dharmendra Kumar
  • Patent number: 8627424
    Abstract: A method, system, and computer product for use in generating one time passcodes (OTPs) in a security environment, the security environment comprising an OTP generator and an OTP validator, the method comprising generating, at the OTP generator, an OTP according to a function, wherein the function includes as an input a device id, validating the OTP at the OTP validator, whereby the validation comprises generating, at the OTP validator, a second OTP according to the function, and determining whether the OTP is valid based on a comparison of the OTP with the second OTP generated at the OTP validator.
    Type: Grant
    Filed: June 30, 2010
    Date of Patent: January 7, 2014
    Assignee: EMC Corporation
    Inventors: Michael J. O'Malley, Robert S. Philpott
  • Patent number: 8627063
    Abstract: The present invention is directed towards systems and methods for batching OCSP requests and caching corresponding responses. An intermediary between a plurality of clients and one or more servers receives a first client certificate during a first SSL handshake with a first client and a second client certificate during a second SSL handshake with a second client. The intermediary may identify that the statuses of the client certificates are not in a cache of the intermediary. An OCSP responder of the intermediary may transmit a single request to an OCSP server to determine the statuses. The intermediary may determine, from a single response received from the OCSP server, whether to establish SSL connections with the clients based on the statuses. The intermediary may store the statuses to the cache for determining whether to establish an SSL connection in response to receiving a client certificate from the first client.
    Type: Grant
    Filed: December 23, 2009
    Date of Patent: January 7, 2014
    Assignee: Citrix Systems, Inc.
    Inventors: Christofer Edstrom, Tushar Kanekar
  • Patent number: 8627410
    Abstract: A system includes a remote authentication dial in user service (RADIUS) server in communication with a network access server. The network access server provides an authentication request to the RADIUS server. The authentication request includes at least a user identifier and a device identifier. The RADIUS server determines an authentication format utilized by the network access server based on the received authentication request. The system may also determine an authorization level to provide with an authentication response.
    Type: Grant
    Filed: December 19, 2007
    Date of Patent: January 7, 2014
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Jeffrey W. Hughes, Andrew L. Bates, Jared M. Allison
  • Publication number: 20140006777
    Abstract: A network traversal module in a branch node enables the establishment of secure communication between networks. The module allows devices on otherwise disconnected networks to communicate collected data to a root node for storage and analysis. The network traversal module supports auto configuration, and includes both a client-side functionality of accessing open ports or services, and server-side functionality of providing open ports or services. Each branch node is responsible for collecting data from client devices on its network or sub-network, and transmitting that data to the higher nodes. Each branch node is also responsible for retransmitting data received from lower nodes to higher nodes. In one embodiment, the network traversal module includes components to allow it to support authentication and revocation of certificates. A root node generates certificates. Each branch node is assigned a certificate, and uses that certificate to access and authenticate itself to other branch nodes.
    Type: Application
    Filed: June 28, 2013
    Publication date: January 2, 2014
    Inventor: Dariush M. Amiri
  • Patent number: 8621577
    Abstract: A method and apparatus for performing a multiple Pre-Shared Key (PSK) based authentication in a single procedure is described, where the multiple PSK based authentication generates a combined credential in a terminal by using a plurality of credentials including a user identifier and the PSK, and authenticates the terminal in an authentication server by using the combined credential.
    Type: Grant
    Filed: August 10, 2006
    Date of Patent: December 31, 2013
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Jin-Hyeock Choi, Emin Yegin Alper, Jun-Hyuk Song, Ji-Cheol Lee
  • Patent number: 8621204
    Abstract: The present invention is directed towards systems and methods for determining a status of a client certificate from a plurality of responses for an Online Certificate Status Protocol (OCSP) request. An intermediary device between a plurality of clients and one or more servers identifies a plurality of OCSP responders for determining a status of a client certificate responsive to receiving the client certificate from a client during a Secure Socket Layer (SSL) handshake. Each of the plurality of OCSP responders may transmit a request for the status of the client certificate to a uniform resource locator corresponding to each OCSP responder. The intermediary device may determine a single status for the client certificate from a plurality of statuses of the client certificate received via responses from each uniform resource locator.
    Type: Grant
    Filed: December 23, 2009
    Date of Patent: December 31, 2013
    Assignee: Citrix Systems, Inc.
    Inventors: Christofer Edstrom, Tushar Kanekar
  • Patent number: 8621569
    Abstract: Data storage and management systems can be interconnected as clustered systems to distribute data and operational loading. Further, independent clustered storage systems can be associated to form peered clusters. As provided herein, methods and systems for creating and managing intercluster relationships between independent clustered storage systems, allowing the respective independent clustered storage systems to exchange data and distribute management operations between each other while mitigating administrator involvement. Cluster introduction information is provided on a network interface of one or more nodes in a cluster, and intercluster relationships are created between peer clusters. A relationship can be created by initiating contact with a peer using a logical interface, and respective peers retrieving the introduction information provided on the network interface.
    Type: Grant
    Filed: April 1, 2009
    Date of Patent: December 31, 2013
    Assignee: NetApp Inc.
    Inventor: Steven M. Ewing
  • Patent number: 8621093
    Abstract: A system, apparatus, and method are directed towards managing entitlement/right revocation and delivery to be performed within a non-addressable media network. Such networks may include for example a client device behind a network address translation (NAT) device, employs non-addressable satellite components, or so forth. A server notifies clients that entitlements, revocations, or the like are available by sending a request for communications with the client. The client initiates a connection to receive the entitlements, or the like, and then disconnects from the server. If the client fails to initiate a connection, the server may continue to send a request for a connection, or even change encryption keys to the content to prevent access by the client. In one embodiment, failure to receive an acknowledgement response from the server of a connection with the client, or from the client, may result in invocation of a revocation failure action.
    Type: Grant
    Filed: May 21, 2008
    Date of Patent: December 31, 2013
    Assignee: Google Inc.
    Inventors: Jeffrey Lee Tinker, Charles Duncan MacLean, Hamid Shaheed Ali, Edward Charles Hiar, Michael Rutman, Glenn A. Morten
  • Publication number: 20130346746
    Abstract: Systems and methods are disclosed for generating and using multiple pre-signed cryptographic responses. In one implementation, the method includes generating multiple cryptographic datasets. Each cryptographic dataset has a different validity period. The method further includes upon a user request, identifying one or more cryptographic datasets that are still valid among the multiple cryptographic datasets. The method further includes identifying a cryptographic dataset having the shortest validity period among the one or more cryptographic datasets that are still valid. The method also includes providing the identified cryptographic dataset to the user.
    Type: Application
    Filed: June 22, 2012
    Publication date: December 26, 2013
    Inventor: Dipankar GHOSH
  • Publication number: 20130346747
    Abstract: The systems, methods and apparatuses described herein provide a computing environment that manages root certificates. An apparatus according to the present disclosure may comprise a non-volatile storage storing a plurality of root certificates and a supervisor. The supervisor may be configured to receive a message identifying one of the plurality of root certificates stored in the non-volatile storage to be revoked, verify the message being signed by at least two private keys corresponding to two root certificates stored in the non-volatile storage and revoke the root certificate identified in the message.
    Type: Application
    Filed: June 21, 2013
    Publication date: December 26, 2013
    Inventors: Sergey IGNATCHENKO, Dmytro IVANCHYKHIN
  • Patent number: 8613064
    Abstract: A method and apparatus for providing a secure authentication process is described. In one embodiment, a method for providing a secure authentication process includes monitoring login activity of at least one authentication process associated with a computer resource and analyzing the login activity to identify suspicious login activity associated with user credentials.
    Type: Grant
    Filed: September 30, 2008
    Date of Patent: December 17, 2013
    Assignee: Symantec Corporation
    Inventor: Jayanta Roy
  • Patent number: 8613046
    Abstract: The present invention relates to a far-end control method with a security mechanism including a host transmitting an identification code through the PSTN (Public switched telephone network) to the I/O control device of the far-end. The I/O control device has a CPU to receive the identification code and judge whether the identification code matches with the predetermined value stored therein; if the identification code matches with the predetermined value, the mobile internet connection between the host and the I/O control device is activated to enable the host to mutually transmit information or signals with a far-end control device from the I/O control device through the mobile internet, and the connection will be disabled after the information or signal transmission is completed.
    Type: Grant
    Filed: December 29, 2008
    Date of Patent: December 17, 2013
    Assignee: Moxa Inc.
    Inventor: Hsu-Cheng Wang
  • Patent number: 8612745
    Abstract: An authentication ticket processing apparatus includes a temporary data storage unit configured to keep user information upon receiving the user information from a user management database for managing user information, the temporary data storage unit allowing access thereto to be performed at higher speed than access to the user management database. The authentication ticket processing apparatus is configured such that, when there is a need to acquire user information in response to a decoding request from a server, a check is made whether user information corresponding to the decoding request is present in the temporary data storage unit, and the corresponding user information is acquired from the temporary data storage unit if the corresponding user information is present in the temporary data storage unit.
    Type: Grant
    Filed: November 17, 2006
    Date of Patent: December 17, 2013
    Assignee: Ricoh Company, Ltd.
    Inventors: Futoshi Oseto, Kensaku Yamamoto, Jun Kawada
  • Patent number: 8613102
    Abstract: Techniques for utilizing security criteria to implement document retention for electronic documents are disclosed. The security criteria can also limit when, how and where access to the electronic documents is permitted. The security criteria can pertain to keys (or ciphers) used to secure (e.g., encrypt) electronic files (namely, electronic documents), or to unsecure (e.g., decrypt) electronic files already secured. At least a portion of the security criteria can be used to implement document retention, namely, a document retention policy. After a secured electronic document has been retained for the duration of the document retention policy, the associated security criteria becomes no longer available, thus preventing subsequent access to the secured electronic document. In other words, access restrictions on electronic documents can be used to prevent access to electronic documents which are no longer to be retained.
    Type: Grant
    Filed: March 30, 2004
    Date of Patent: December 17, 2013
    Assignee: Intellectual Ventures I LLC
    Inventor: Satyajit Nath
  • Patent number: 8612749
    Abstract: The embodiments provide systems and methods for a medical device rights and recall management system. A digital IP rights and recall management device activates a central key server to authenticate software contents and services operated on microprocessor-based medical devices through a coding key that may be embedded in a medical device or in a service provider server or in an end user computer. The recall management server unlocks the software content transmitted from or to a value-added service provider and selectively recalls the value-added software component without requiring any physical recall of the medical device. The system maintains a virtual device master record which enables quality control and recall capability for software elements independent of any physical hardware recall.
    Type: Grant
    Filed: May 8, 2008
    Date of Patent: December 17, 2013
    Assignee: Health Hero Network, Inc.
    Inventor: Stephen J. Brown
  • Patent number: 8613057
    Abstract: A method and apparatus to prove user assertions. A client request to authenticate a user assertion pertaining to user personal data may be received. The requested authentication may be generated for the client, the authentication proving the user assertion without revealing other information about the user. The requested authentication may be sent to the client.
    Type: Grant
    Filed: November 27, 2006
    Date of Patent: December 17, 2013
    Assignee: Red Hat, Inc.
    Inventor: Peter A. Rowley
  • Patent number: 8601283
    Abstract: In some applications, it may be more convenient to the user to be able to log in to the memory system using one application, and then be able to use different applications to access protected content without having to log in again. In such event, all of the content that the user wishes to access in this manner may be associated with a first account, so that all such content can be accessed via different applications (e.g. music player, email, cellular communication etc.) without having to log in multiple times. A different set of authentication information may then be used for logging in to access protected content that is in an account different from the first account, even where the different accounts are for the same user or entity.
    Type: Grant
    Filed: December 20, 2005
    Date of Patent: December 3, 2013
    Assignee: SanDisk Technologies Inc.
    Inventors: Fabrice Jogand-Coulomb, Michael Holtzman, Bahman Qawami, Ron Barzilai
  • Publication number: 20130318344
    Abstract: A system and method are provided for pre-processing encrypted and/or signed messages at a host system before the message is transmitted to a wireless mobile communication device. The message is received at the host system from a message sender. There is a determination as to whether any of the message receivers has a corresponding wireless mobile communication device. For each message receiver that has a corresponding wireless mobile communication device, the message is processed so as to modify the message with respect to one or more encryption and/or authentication aspects. The processed message is transmitted to a wireless mobile communication device that corresponds to the first message receiver. The system and method may include post-processing messages sent from a wireless mobile communications device to a host system. Authentication and/or encryption message processing is performed upon the message. The processed message may then be sent through the host system to one or more receivers.
    Type: Application
    Filed: August 2, 2013
    Publication date: November 28, 2013
    Applicant: Blackberry Limited
    Inventors: Michael Stephen Brown, Neil Patrick Adams, Michael Kenneth Brown, Michael Grant Kirkup, Herbert Anthony Little
  • Patent number: 8595483
    Abstract: In one embodiment, the present invention includes a method for creating an instance of a virtual trusted platform module (TPM) in a central platform and associating the instance with a managed platform coupled to the central platform. Multiple such vTPM's may be instantiated, each associated with a different managed platform coupled to the central platform. The instances may all be maintained on the central platform, improving security. Other embodiments are described and claimed.
    Type: Grant
    Filed: December 19, 2011
    Date of Patent: November 26, 2013
    Assignee: Intel Corporation
    Inventor: Carlos V. Rozas
  • Patent number: 8595815
    Abstract: The present invention relates to a system and method for granting access to digital content delivered via a computer network wherein a suitable digital certificate provides a means for providing authorization to access the requested digital content.
    Type: Grant
    Filed: July 26, 2007
    Date of Patent: November 26, 2013
    Inventors: Gregory Alan Bolcer, Clay H. Cover
  • Patent number: 8595492
    Abstract: On-demand protection and authorization of playback of media assets includes receiving digital media at a server computer, storing intermediary data in a data store, and receiving a request from a client for the digital media. The method also includes generating a protected copy of the digital media from the digital media and the intermediary data. The method also includes storing a description of the protected copy in a database and sending the protected copy to the client. The method also includes receiving a request from the client to access the digital media and reading the description from the database based on information in the request. The method also includes sending a response to the client, the response indicating whether the client is authorized to access the digital media, and the response including cryptographic data to decrypt the protected digital media if the client is authorized to access the digital media.
    Type: Grant
    Filed: August 19, 2009
    Date of Patent: November 26, 2013
    Assignee: Pix System, LLC
    Inventors: Paul McReynolds, Eric B. Dachs, Erik Bielefeldt, Craig Wood