Abstract: A system and method is disclosed for placing an electronic apparatus into a protected state in response to environmental data. The method discloses: receiving a set of environmental data applicable to an electronic apparatus; generating an environmental status applicable to the electronic apparatus based-on the environmental data; and placing the electronic apparatus into a protected state based-on the environmental status. The system discloses an environment characterization module which receives a set of environmental data applicable to an electronic apparatus, and generates an environmental status applicable to the electronic apparatus based-on the environmental data; and an apparatus protection module which places the electronic apparatus into a protected state based-on the environmental status.

Abstract: A method and system for supply of data, including generating a first digital certificate referred (empowerment certificate) signed with a first signing entity's electronic signature. The empowerment certificate includes attributes of the described entity, information identifying the first signing entity, indication of data relating to the described entity, indication of a source of the data, and identification of a relying entity to which the data can be supplied. The relying entity forwards the empowerment certificate to a source supplying the data indicated in the empowerment certificate. The data may be supplied to the relying entity by a second digital certificate (custom certificate), signed with a second signing entity's electronic signature. Custom certificates may appear in custom certificate revocation lists. A system and method for transfer of ownership of electronic property from a first entity to a second entity, and a method and system for electronic voting are also provided.

Abstract: Systems and methods of securely updating BIOS are disclosed. One such system comprises a reprogrammable memory, a first and a second register, and comparison logic. The reprogrammable memory comprises a first portion and a protect input. The protect input is configured to disallow writes to at least the first portion when the memory protect input is at a first level, and to allow writes to at least the first portion when the protect input is at a second level; The comparison logic is configured to drive a comparison output to a third level responsive to the first and second registers having equal values, and to drive the comparison output to a fourth level responsive to the first and second registers having different values. The comparison output is electrically coupled to the memory protect input.

Abstract: Systems and methods are disclosed for authenticating electronic messages. A data structure is generated by a computer server which allows for the authentication of the contents and computer server identity of a received electronic message and provides a trusted stamp to authenticate when the message was sent. Data which can authenticate the message, the computer server identity, and the time the message was sent is included into a data structure which is called an Electronic PostMark (EPM).

Abstract: A mobile node and its home system generate synchronized time-based codes at periodic time intervals. Each time-based code is valid for a predetermined time period. To facilitate anonymous operation when roaming, the mobile node identifies itself with a coded identifier instead of a public identifier. The coded identifier used at a given time includes the time-based code that is valid for that given time. To authenticate the mobile node, a serving system receives authentication information from the mobile node and forwards the authentication information to a home system. The authentication information includes the current time-based code and a timestamp. The home system identifies the mobile node from the current time-based code and the timestamp. The home system then uses the authentication information to authenticate the mobile node.

Abstract: Embodiments are directed to the providing a cloud keying and signing service and to securing software package distribution on the cloud. In an embodiment, a computer system instantiates a signing service configured to sign software packages. The computer system receives a signing request from a computer user requesting that a selected software package be signed. The signing request includes a computed hash of the selected software package. The computer system generates a private and public key pair on behalf of the computer user and stores the private key of the generated key pair in a secure data store.

Abstract: Enhancing locality in a security co-processor module of a computing system may be achieved by including one or more additional attributes such as geographic location, trusted time, a hardware vendor string, and one or more environmental factors into an access control space for machine mode measurement of a computing system.

Abstract: A method and system for creating and authenticating a document are disclosed. According to the method, a user of a document creation system is registered to ensure the creation of an authentic document. A document is then created having a user discernable portion and an encoded portion. The encoded portion includes identification data identifying the registered user of the document creation system; as well as contents data corresponding to at least part of the user discernable portion of the document, and authentication data. A central record of the document is created, the record comprising data which corresponds at least partially to the data in the encoded portion of the document. To authenticate the document subsequently, an image of the encoded portion of the document is acquired, for example using fax machine or a camera of a mobile telephone and transmitted to an authentication center.

Abstract: Various embodiments of a system and method for a single request-single response protocol with mutual replay attack protection are described. Embodiments include a system that receives multiple single request messages, each of which include a respective nonce, timestamp, and digital signature. The system may create a record of previously received nonces that, at any given time, may include multiple message nonces received within a valid period of time prior to that given time. To validate a given single request message, the system verifies the digital signature of the message, determines that the timestamp of the message indicates a time within the valid period of time prior to the current time, and determines that the nonce of the message is not present within the record of previously received nonces. The system sends a single response message that includes the same nonce as the validated message.

Abstract: An archival storage cluster of preferably symmetric nodes includes a data privacy scheme that implements key management through secret sharing. In one embodiment, the protection scheme is implemented at install time. At install, an encryption key is generated, split, and the constituent pieces written to respective archive nodes. The key is not written to a drive to ensure that it cannot be stolen or otherwise compromised. Due to the secret sharing scheme, any t of the n nodes must be present before the cluster can mount the drives. Thus, to un-share the secret, a process runs before the cluster comes up. It contacts as many nodes as possible to attempt to reach a sufficient t value. Once it does, the process un-shares the secret and mounts the drives locally. Given bidirectional communication, this mount occurs more or less at the same time on all t nodes. Once the drives are mounted, the cluster can continue to boot as normal.

Abstract: A system verifies an identity of a content sender by receiving content purporting to originate from a content sender, and performing a validation of the content to determine a purported identity of the content sender. The system prepares and transfers verification data to an address associated with the purported identity of the content sender. In response to transferring the verification data, the system receives a verification response to the verification data, and performs a validation of the verification response to verify the purported identity of the content sender.

Abstract: Various embodiments of a system and method for long-term digital signature verification utilizing light weight digital signatures are described. Embodiments may include a verifying entity system that receives digitally signed data including a portion of data, signing time, and digital signature. The verifying entity system may receive a digital certificate that includes information for verifying the digital signature and an expiration time for the certificate. The verifying entity system may receive CRL that persists revocation information corresponding to ones of the revoked digital certificates that have already expired. The verifying entity system may utilize the CRL to determine that the digital signature is valid subsequent to its expiration time. The verifying entity system may evaluate the CRL to determine that the digital certificate was not revoked at the signing time. The verifying entity system may determine the digital signature is a valid digital signature and generate a corresponding result.

Abstract: A signing method, apparatus, and system, which relate to the information security field. The present invention overcomes the problem of signature counterfeit in prior art. The client host generates a transaction message and determines the key information of the message after receiving transaction information entered by a user, forms a data packet for signing, and transmits the data packet to the USB key, which will then extract the key information and output it for confirmation by the user, and if a confirmation is received, the USB key signs the data packet and transmits a signature to the client host; after receiving the signature and the transaction message from the client host, the server extracts the key information from the transaction message to form a data packet for signing and verifies the signature against the data packet. The embodiments of the present invention are mainly applicable to the field of information security.

Abstract: A system and method for performing a security check may include using at least one processor to periodically check a status of a flag, generate and store a baseline representation of modules stored on the device where the flag is determined to be set to a first state, and, where the flag is determined to be set to a second state, generate an active representation of modules stored on the first device, compare the active representation of modules to the baseline representation of modules, and, responsive to a determination in the comparing step of a difference between the baseline and active representations of modules, output an alert. The flag status may depend on an association of the device with one of a plurality of authorization policies, each mapped to one of the two states. Results of the comparison may be appended to an activity log of the device.

Abstract: A presence attribute information server and manager application, and corresponding method is provided for managing access to presence attribute information. In addition to the presence attribute information entries, access authorization entries associated with at least some of the presence attribute information entries are provided which define conditions in which access to the presence attribute information is authorized. Generally, the defined conditions can include temporal and/or spatial requirements associated with either the user requesting the presence attribute information or the person/item associated with the presence attribute information, for purposes of establishing authorization to access the presence attribute information.

Abstract: In a portable electronic device, a method of authenticating a document associated with a geographical location is disclosed. A document is provided in the form of digital data, and a hash value is generated from the digital data of said document. Raw GPS data are received from at least one GPS satellite, and then digitally signed by a first private key of the portable electronic device. From the raw GPS data, exact GPS coordinates are calculated. A request for an authentic location stamp is sent to a certification unit, the request containing at least the hash value of the document, the raw GPS data and the exact GPS coordinates, wherein said request is digitally signed by a private key of the portable electronic device. In response to said location stamp request, a nonce value from the certification unit is received, said nonce value being digitally signed by a private key of the certification unit.

Abstract: An information processing apparatus according to the present application includes a first application allowed to access the IC chip, including an IC chip in which predetermined data is recorded, an IC chip reading unit that reads the data recorded in the IC chip, and a signature data generation unit that generates signature data by performing encryption processing on the recorded data read by the IC chip reading unit and a second application not allowed to access the IC chip, including a server access unit that requests acquisition of content from an information providing server by receiving the signature data and the recorded data from the first application and transmitting the signature data and the recorded data to the information providing server that provides predetermined content.

Abstract: A system is comprised of a user and a group, wherein the group is comprised of a group leader and a group of M members where M is equal to or greater than one. The group leader generates a group public key and a group leader “master” private key. The group leader creates a personalized watermarked or decryption key, also referred to as an individual private key, for each group member. The individual private key uniquely identifies each group member. The group leader distributes the individual private keys to each of the group members. Each group member receives from a user a message encrypted using the group public key. Each of the group members uses its individual private key to decrypt the encrypted message sent by the user to the group.

Abstract: In some embodiments, techniques for computer security comprise displaying an electronic document, detecting a request to traverse a link, such as a hyperlink or a form submission, wherein the link is associated with an element of the document, evaluating an attribute, wherein the attribute is associated with the element of the document, and determining whether to perform the action based on the evaluation. Applications of these techniques include mitigating the effect of an attempt to modify web pages for fraudulent purposes, such as by a “phishing” attack incorporating malicious scripting.

Abstract: An authentication method of an electronic device is disclosed. A plurality of key inputs is received from a user via activation of input keys. At least one key input from the key inputs is validated based on a predefined criterion to obtain a password. The password is compared to a registered password to obtain an authenticated password.

Abstract: This invention is time stamping subsystem of an electronic apparatus. A time stamp generator generates a multibit time stamp value including a predetermined number of least significant bits overlapping a predetermined number of most significant bits. Each client receives the least significant bits. Each client associates captured data with a corresponding set of the least significant bits in a message. A central scheduling unit associates most significant bits of the time stamp value with the least significant bits of the message. This associating compares overlap bits of the most significant bits and least significant bits. The most significant bits are decremented until the overlap bits are equal.

Abstract: A method and apparatus for creating and/or using trustworthy timestamps and certifiable clocks using logs linked by cryptographic hashes. In one embodiment, the method comprises maintaining a first, chained-hash log; associating a first clock with the chained-hash log, and entangling the first log; with a second by adding a time-stamped synchronization entry to the chained-hash log, where the synchronization entry has a second time indication associated with the second log and a hash of one or more entries in the first log.

Abstract: At each of a plurality of transit readers of a transit system, for each of a plurality of riders, where each rider seeks to conduct an access transaction with the transit system for access into the transit facility by using a payment device issued by an issuer in a payment system, data is read from the payment device. The data includes an encryption code that uniquely corresponds to the payment device and was created by the issuer using one or more encryption keys and a predetermined algorithm. A check will be performed, remotely and/or locally, of one or more lists of other encryption codes to determine if the encryption code is on the list. On the basis of whether the encryption code is on the list, the rider is permitted access to the facility of the transit system. The payment device need not be changed for the rider's fare. Decryption of the encryption code read from the payment device is not required to complete the access transaction.

Abstract: A method for secure communication and printing, comprising: user entering user and destination information to host; authentication server producing, saving encryption key for the job, user, and destination information into database, and sending to host; host encrypting the job using encryption key and sending job to destination; user entering user and destination information to device; authentication server retrieving encryption key from database, and sending to device; and device decrypting the job using encryption key and releasing job. Authentication at both host and MFP sides disables unauthorized, malicious attack to a user's mailbox, and results in jobs to a mailbox having different dynamic encryption keys, and no password or mailbox PIN trafficking on network. Furthermore, host and MFP can be at different domains. Methods also include secrecy encrypting encryption key; hashing key generator using SHA1, MD5, etc.

Abstract: The current invention describes a method for long term archiving of qualifiedly signed data in accordance with the current invention, which comprises the steps of hashing the data, encrypting the data through a cryptography algorithm, hashing the encrypted data, signing the hashed data with an advanced time stamp, generating a hash tree over the whole data file or the subgroups thereof and signing the hash tree(s) with a qualified time stamp. Furthermore, a computer system for conducting the method is disclosed.

Abstract: A method and system which provides communication between a first portable device and a second portable device. The first portable device stores a first sequence number and a first key, and the second portable device stores a second sequence number and a second key. Verification is performed using the first and second keys. The first sequence number is compared to the second sequence number. If the second sequence number is newer than the first sequence number, the first sequence number is set to have a value of the second sequence number if the verification succeeds. If the first sequence number is newer than the second sequence number, the second sequence number is set to have a value of the first sequence number if verification succeeds.

Abstract: A system and method for dynamically and automatically updating the appropriate fields on the message application screen of an electronic message to show which of the appropriate service book, security encoding or security properties are acceptable or allowed for the message being composed. This updating occurs automatically based on the contents of the fields that are modified during composition of the message, such as, for example, modifications to classification of the message, recipients, keywords, or the like. Thus, the properties in place for a given message is reflected in a dynamic options list provided to the user based on the contents of various fields of the electronic message and the system policies resident on the system. The dynamic updating may provide an updated list of options to the user, or may optionally automatically apply minimum level settings based on security policy and contents of the message.

Abstract: Various embodiments of a system and method for a single request—single response protocol with mutual replay attack protection are described. Embodiments may include a system that receives multiple single request messages, each of which may include a respective nonce, timestamp, and digital signature. The system may create a record of previously received nonces that, at any given time, may include multiple message nonces received within a valid period of time prior to that given time. To validate a given single request message the system may verify the digital signature of the that message, determine that the timestamp of that message indicates a time within the valid period of time prior to the current time, and determine the nonce of the that message is not present within the record of previously received nonces. The system may send a single response message that includes the same nonce as the validated message.

Abstract: A mobile communication device operates in a wireless communication network with use of a communication service provided by a service provider (e.g. a wireless carrier for voice telephony, or data service provider for data synchronization). An application server receives, via the wireless network, a message from the mobile device. The message has a field for inclusion of a token having a digital signature corresponding to the service provider. The application server performs token validation of the message, which includes a verification step for verifying the digital signature of the token with a public key corresponding to the service provider. The application server then grants or denies access to an application service depending on the outcome of the token validation. In one embodiment, the application service is an e-commerce transaction service, wherein a proof-of-work (POW) test (e.g. a Captcha test) otherwise utilized for the service is bypassed or excluded.

Abstract: There is described a method for transmitting synchronization messages, for example PTP messages of the IEEE 1588 standard, the PTP message being inserted into a data packet in line with the Internet Protocol, the data packet having an IP header, and the data packet having a UDP header. In this case, for the encrypted transmission on the PTP message, the data packet is addressed to a UDP port that is reserved for encrypted PTP messages, the data packet is provided with an additional S-PTP header that is provided for encryption, the PTP message is extended with a pseudo random number, and the PTP message is encrypted together with the pseudo random number.

Abstract: Methods and systems for robust watermark insertion and extraction for digital set-top boxes are disclosed and may include descrambling, detecting watermarking messages in a received video signal utilizing a watermark message parser, and immediately watermarking the descrambled video signal utilizing an embedded CPU. The embedded CPU may utilize code that may be signed by an authorized key, encrypted externally to the chip, decrypted, and stored in memory in a region off-limits to other processors. The video signal may be watermarked in a decompressed domain. The enabling of the watermarking may be verified utilizing a watchdog timer. The descriptors corresponding to the watermarking may be stored in memory that may be inaccessible by the main CPU. The watermark may comprise unique identifier data specific to the chip and a time stamp, and may be encrypted utilizing an on-chip combinatorial function.

Abstract: The present application is directed towards systems and methods for generating and maintaining cookie consistency for security protection across a plurality of cores in a multi-core system. A packet processing engine executing on one core designated as a primary packet processing engine generates and maintains a global random seed. The global random seed may be used as an initial seed for creation of cookie signatures by each of a plurality of packet processing engines executing on a plurality of cores of the multi-core system using a deterministic pseudo-random number generation function such that each core creates an identical set of cookie signatures.

Abstract: Determination is executed as to whether an electronic document has been edited after addition of a second signature added after addition of a first signature. When it is determined that editing is made after the addition of the second signature, a verification result of the electronic document is output without determining whether editing is made after the addition of the first signature. If it is determined that editing is not made after the addition of the second signature, determination is executed as to whether editing is made after the addition of the first signature and the verification result of the electronic document is output based on an obtained determination result.

Abstract: Techniques are disclosed for sharing information in a wide variety of contexts. An information sharing system is described that allows both an explicit capture process and an implicit capture process to add information items to a staging area. Further, the information sharing system supports both implicit and explicit consumption of information items that are stored in said staging area. A rules engine is provided to allow users to create and register rules that customize the behavior of the capture processes, the consuming processes, and propagation processes that propagate information from the staging areas to designated destinations. Techniques are also described for achieving exactly-once handling of sequence of items, where the items are maintained in volatile memory. Techniques are also provided for recording DDL operations, and for asynchronously performing operations based on the previously-performed DDL operations.

Abstract: A first user (110) requests a service provider (130) to create (200,400) a record of a transaction. The service provider (130) creates (230,430) a digital receipt (300,700,900), which includes a description (310,710,720,910,1020) of the transaction understandable by humans, tamper-proof evidence (320) of the transaction, and a verification prompt (330,740,940,1030). A second user (120) who desires to verify the transaction displays (265,465) the digital receipt (300,700,900) and activates (270,470) the verification prompt (330,740,940,1030). Upon activation, the tamper-proof evidence (320) is verified without requiring further human interaction to identify the tamper-proof evidence.

Abstract: A document management system includes a document. One or more of a plurality of map-files of the document correspond(s) with a step of a multi-step workflow associated with the document. A random nonce is generated for each of the steps of the multi-step workflow except for an initial step of the multi-step workflow. Each of the random nonces i) is incorporated as a map-file entry into a respective one of the plurality of map-files corresponding with a step of the multi-step workflow that directly precedes the step of the multi-step workflow for which the random nonce is generated and ii) is used to perform a nonce-based initiating operation a respective one of the plurality of map-files corresponding with the step of the multi-step workflow for which the random nonce is generated.

Abstract: The present invention provides a system and a method for generating digital signatures. The system comprises a first formula which generates the signature as selected series from at least two, but preferably more digitized biometric features of a user. The signature comprises a different selected series per unit of time of for instance 10 seconds. The invention comprises a second formula which assigns a numerical value to a data file. The second formula can also use the numerical value to define another time interval, on the basis of which another signature can be generated. The invention further provides a number of examples for application of the generated signature during the sending of data files.

Abstract: A random number generating device includes: a random number generator configured to have a plurality of random number generating elements that generate a random number in response to supply of a spin-injection current; and a temperature controller.

Abstract: A method and system facilitating the development and distribution of software is provided. The system includes a database provided on a computing device, the computing device configured to enable users to provide an update to an element of the database, wherein the element is associated with an object. The system further includes time stamp tracking software configured to enable revisions to elements of the database by establishing time stamps for each stored element changed at a specified time and an assembler configured to enable a user to assemble elements for execution based on time stamping.

Abstract: A system is provided to monitor a user's interaction with a computer. The system may comprise a random reference data generator to generate a random reference string, an image generator to create an image including the random reference string, a modification module to iteratively modify the image until a distortion criterion is satisfied, and a communications module to communicate the image to a client computer for display to a user. The random reference string comprises a plurality of alphanumeric characters.

Abstract: The conventional data transmitting/receiving system has problems: that a correct measurement cannot be performed because a measurement result is an addition of a verification processing time and a transmission time; that an authentication processing which is necessary for a transmission time measurement processing needs to be separately required; and that an unnecessary key exchange processing is executed.

Abstract: A computer-implemented method for using reputation data to detect packed malware may include: 1) identifying a file downloaded from a portal, 2) determining that the file has been packed, 3) obtaining community-based reputation data for the file, 4) determining, by analyzing the reputation data, that instances of the file have been encountered infrequently (or have never been encountered) within the community, and then 5) performing a security operation on the file (by, for example, quarantining or deleting the file).

Abstract: A method of securing transmission of streaming media by encrypting each packet in the stream with a packet key using a fast encryption algorithm. The packet key is a hash of the packet tag value and a closed key which is unique for each stream. The closed key is itself encrypted by the sender and passed to the recipient using a public key encryption system. The encrypted closed key (open key) may conveniently be inserted into the stream header. All of the packets in the stream are encrypted, but only the data pay load of each packet is encrypted. It is computationally infeasible, without knowing the recipient's private key to calculate the closed key based upon knowledge of publicly accessible information such as the recipient's public key, the open key, the encrypted stream data or the packet tag values.

Abstract: To create signature data which certifies the time when information existed and add it to the information more efficiently than before. A time certification system for certifying the time when information existed, comprising: an identity certification data acquisition section for acquiring identity certification data generated based on the information to certify the identity of the information; a time certification data generation section for observing a target object changing with time elapse from the outside and generating time certification data based on observation data obtained as a result of the observation, in response to an instruction received from a user; a signature data generation section for generating signature data indicating that the information existed at the time when the target object was observed, based on combination of the identity certification data and the time certification data; and an information recording section for recording the signature data in association with the information.

Abstract: Long-term signature data is formed at a server side while a private key and the like are held at a client side. The long-term signature data is configured by arranging ES, STS, verification information, ATS (1st), and ATS (2nd) in a predetermined long-term signature format. Among these elements, those for which processing using the private key and original data are necessary are ES and ATS. Due to processing where the original data and the private key is necessary being performed by a client terminal 3 and processing where the long-term signature data is analyzed and generated being performed by a long-term signature server 2, the long-term signature data is generated in the long-term signature server 2 while the original data and the private key are held in an inner portion of the client terminal 3.

Abstract: Embodiments describe a system and/or method for multiple party digital signatures. According to a first aspect a method comprises establishing a first validity range for a first key, establishing a first validity range for at least a second key, and determining if the validity range of the first key overlaps the first validity range of the at least a second key. A certificate is signed with the first validity range of the first key and the first validity range of the at least a second key if the validity ranges overlap. According to another embodiment, signage of the certificate is refused if the first validity range of the first key does not overlap with the first validity range of the at least a second key.

Abstract: An evidence collection system for reliably collecting and preserving web-based evidence. An end-user's computing device browser accesses an evidence collection web site and identifies a web resource to be collected. An evidence collection station communicates with the target web server(s) and collects the body of evidence requested. Multiple representations of the information are collected to support the defensibility of the capture. Digital signature and digital time stamp methodologies are used to enhance the forensic soundness of the captured evidence. Capture results are conveyed to the end-user along with a report that describes the evidence captured in a manner which may be utilized as evidence comprehensible to a lay judge and jury.

Abstract: This invention relates to creating a verifiable timestamp for a data object, such as a digital photograph. The verifiable timestamp includes a first and second timestamp and a data object. The verifiable timestamp enveloped with several different tiers of digital signatures that together authenticate that the data object was created at a time after the first timestamp, but before the second timestamp.

Abstract: Electronic documents corresponding to executed paper documents are certified. A certifying agent receives an electronic document and a corresponding paper document that had been executed pursuant to some transaction. The certifying agent compares the information contained in the paper to that in the electronic mortgage document. If the paper adequately corresponds to the electronic document and is otherwise sufficient, then the certifying agent certifies the electronic document so that other parties can reliably engage in transactions involving the electronic document without having to possess or otherwise inspect the executed paper document. Certification involves application of some form of indicia of certification to the electronic document, such as updating the value of a field corresponding to certification in the electronic document and/or applying a digital or electronic signature corresponding to the certifying agent to the electronic document.

Abstract: An apparatus for managing access to a computing resource, comprises a clock configured to associate a datum arrival time with an authentication datum. The clock is further configured to calculate a datum elapsed time between a first datum arrival time associated with a first authentication datum and a second datum arrival time associated with a second authentication datum. The apparatus also comprises an authentication module configured to receive at least the first authentication datum and the second authentication datum; compare the datum elapsed time with a threshold elapsed time; and selectively provide access to a computing resource based at least in part upon successfully matching the received first authentication datum with a stored first authentication datum, successfully matching the received second authentication datum with a stored second authentication datum, and determining that the datum elapsed time exceeds the datum threshold time.