Patents Assigned to Entrust Limited
  • Patent number: 7685421
    Abstract: A method and apparatus for initializing operation for information security operation for an entity utilizes shared information, such as shared secret information, that may be shared between the entity and other applications or operations within a system to initialize an entity. Prestored shared information that can be used as entity identification data (RV) and authentication data (IAK) that is associated with the entity identification data is encrypted and the resulting ciphertext is sent over an unprotected (clear-text) channel to an initialization authentication unit, such as a server or other processing unit. The initialization authentication unit requests stored shared data from another processing unit that maintains a database. The other processing system then responds to the request by providing prestored shared data that can be used to, for example, decrypt the encrypted information received over the unprotected channel to determine whether an entity is a proper user of the information security operation.
    Type: Grant
    Filed: December 6, 2005
    Date of Patent: March 23, 2010
    Assignee: Entrust Limited
    Inventors: Robert Zuccherato, Adrian Mancini
  • Patent number: 7548152
    Abstract: Methods, systems and devices for providing RFID system security are provided that involve cryptographically encrypting data on a transponder and managing the release of the decryption information, decryption keys, or the data itself to a transceiver having a transaction with the transponder.
    Type: Grant
    Filed: October 8, 2004
    Date of Patent: June 16, 2009
    Assignee: Entrust Limited
    Inventor: Stephen Hillier
  • Patent number: 7373512
    Abstract: A method and apparatus utilizes a digital signature verification map containing a plurality of acceptable message header identifiers associated with a public key certificate identifier. In one embodiment, a method includes determining a digital signature verification error based on a received message header, such as transport header identifier associated with a public key certificate identifier, such as the subject field of the certificate. The method includes generating a signature verification map or updating a signature verification map containing a plurality of acceptable message header identifiers associated with the common public key certificate identifier in response to determining the digital signature verification error. Accordingly, a link is provided between a transport header and a digitally signed message. A digital signature verification map is continually updated to accommodate aliases to a common subject associated with the certificate.
    Type: Grant
    Filed: March 27, 2000
    Date of Patent: May 13, 2008
    Assignee: Entrust Limited
    Inventor: Michael K. Just
  • Patent number: 7328457
    Abstract: A method and apparatus facilitates the prevention of interception of incoming data, such as keystroke data in the form of a message to an application, by inserting application generated random insertion data into a message stream. The random insertion data is related to actual data that is being generated for a software application so that it is difficult for an attacker to distinguish between actual message data and inserted message data. The system and method then reads incoming data typically in the form of messages, and filters out the messages that it determines were knowingly inserted. The remaining received messages are determined to be actual data from the data source, such as a keyboard, voice input or other suitable data source. In one embodiment, the system effectively hides actual input data such as actual keystrokes in a stream of randomly generated fake keystrokes.
    Type: Grant
    Filed: June 30, 1999
    Date of Patent: February 5, 2008
    Assignee: Entrust Limited
    Inventor: Serge Jean Maurice Mister
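The decoy-keystroke scheme in the abstract above, as an added illustration that is not Entrust's code. It assumes details the abstract does not give: input events carry an integer id, the application keeps a private ledger of the ids it injected, and decoys are drawn from the same character class as the real keystroke so an observer cannot separate them by shape.

```python
"""Added example (not from the patent): hide real keystrokes among application-generated
decoys, then filter the decoys back out using a private ledger of injected event ids.
Event ids, the ledger and the character-class matching are assumptions for illustration."""
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyEvent:
    event_id: int
    char: str


class DecoyFilter:
    """Injects decoy key events and strips them back out of the observed stream."""

    def __init__(self, decoys_per_real: int = 3):
        self._next_id = 0
        self._injected = set()  # private ledger: ids this application inserted
        self._decoys_per_real = decoys_per_real

    def _new_id(self) -> int:
        self._next_id += 1
        return self._next_id

    @staticmethod
    def _decoy_for(real_char: str) -> str:
        # Keep decoys in the same character class so they look like plausible input.
        if real_char.isdigit():
            pool = string.digits
        elif real_char.isalpha():
            pool = string.ascii_letters
        else:
            pool = string.punctuation + " "
        return secrets.choice(pool)

    def interleave(self, real_chars: str) -> list:
        """Build the message stream a hook on the input queue would observe."""
        stream = []
        for ch in real_chars:
            # The real event sits at a random slot among its decoys.
            slot = secrets.randbelow(self._decoys_per_real + 1)
            for i in range(self._decoys_per_real + 1):
                if i == slot:
                    stream.append(KeyEvent(self._new_id(), ch))
                else:
                    eid = self._new_id()
                    self._injected.add(eid)
                    stream.append(KeyEvent(eid, self._decoy_for(ch)))
        return stream

    def recover(self, stream: list) -> str:
        """What the application reads: drop every event whose id is in the ledger."""
        out = []
        for ev in stream:
            if ev.event_id in self._injected:
                self._injected.discard(ev.event_id)  # each decoy id is consumed once
            else:
                out.append(ev.char)
        return "".join(out)


def keylogger_view(stream: list) -> str:
    """What a hook on the input queue sees: real and decoy characters, undistinguished."""
    return "".join(ev.char for ev in stream)


if __name__ == "__main__":
    f = DecoyFilter(decoys_per_real=3)
    s = f.interleave("Passw0rd!")
    print("hook sees :", keylogger_view(s))
    print("app reads :", f.recover(s))
```

The protection only holds for an observer positioned before the filter (a hook on the raw input queue) and only while the ledger stays private; a hook placed inside the application after `recover` sees the real data, and an observer who can read the ledger can drop the decoys just as the application does.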
  • Patent number: 7321969
    Abstract: A method and apparatus for facilitating instant messaging utilizes a secure instant message group policy certificate issued by an instant messaging public key infrastructure policy certificate issuing unit. The secure instant messaging group policy certificate is received, such as through a local instant messaging secure public key infrastructure proxy, and contains data defining the group members, references to other groups, security controls and relevant data such as allowed algorithms. The secure instant messaging group policy certificate defines a plurality of different instant messaging groups, each identified by an instant messaging group identifier. Each instant messaging group identifier is associated with a plurality of instant message group number identifiers.
    Type: Grant
    Filed: April 26, 2002
    Date of Patent: January 22, 2008
    Assignee: Entrust Limited
    Inventors: Isadore Schoen, Michael Boberski
  • Patent number: 7290133
    Abstract: An apparatus and method collects, for a community of interest, at least one cross certificate associated with an anchor certificate issuing unit, and obtains at least one certificate issuing unit public key and an associated unique identifier for a cross-certified certificate issuing unit identified by the at least one cross certificate. For example, a certificate issuing unit, client unit, or other suitable unit, searches for one or up to all certification authorities or certificate issuing units that it can trust based on cross certificate chains. This is done, for example, from a given trust anchor. The apparatus selects those obtained certificates that satisfy, for example, some search criteria, such as what policy must be enforced in each certificate, for example, the allowed path length or depth that the apparatus is allowed to evaluate, and creates a signed certificate set, such as a list of all trusted certificate issuing units from the perspective of a given trust anchor.
    Type: Grant
    Filed: November 17, 2000
    Date of Patent: October 30, 2007
    Assignee: Entrust Limited
    Inventor: David Montgomery
  • Patent number: 7174563
    Abstract: A computer network security system and method utilizes digitally signed and centrally assigned policy data, such as password length rules, that is unilaterally enforced at network nodes by node policy enforcement engines. The policy data may be variable on a per client or network node basis through a centralized authority, such as a certification authority. The computer network security system provides variable security policy rule data for distribution to at least one network node through a central security policy rule data distribution source, such as the certification authority. The central security policy rule data distribution source associates a digital signature to the variable security policy rule data to ensure the integrity of the policies in the system. Each network node uses a policy rule data engine and policy rule table to decode policy rule data and enforce the policy rules as selectively determined through the central authority.
    Type: Grant
    Filed: November 1, 2000
    Date of Patent: February 6, 2007
    Assignee: Entrust, Limited
    Inventors: Michael Brownlie, Stephen Hillier, Paul C. Van Oorschot
  • Publication number: 20070005967
    Abstract: A method, apparatus and/or system generates a challenge for user authentication, having a challenge data element from a stored pool of challenge data elements. The challenge is based on rule data and stored usage data associated with at least some of the challenge data elements in the stored pool of challenge data elements. The generated challenge is sent for use in an authentication of a user to a sender. A method, apparatus and/or system also generates sender authentication and corresponding location information, having a data element from a stored pool of challenge data elements. Selection of the data elements is based on rule data and stored usage data associated with at least some of the data elements in the stored pool of data elements.
    Type: Application
    Filed: December 13, 2005
    Publication date: January 4, 2007
    Applicant: Entrust Limited
    Inventors: Serge Mister, Steve Neville, Robert Zuccherato, Chris Voice, Michael Morgan
  • Patent number: 7142676
    Abstract: A method and apparatus for securely communicating data employs a third-party to facilitate decryption by the recipient. It is necessary for the recipient to interact with the third-party to decrypt received encrypted data. The third-party is unable to decrypt or read the encrypted data and records whether the recipient requested a decryption key generated by the third-party. The third party logs the recipient's (second party's) request for the decryption key. The originator may then obtain the delivery status of the data from the third party to facilitate proof of submission, proof of delivery, or any other suitable information.
    Type: Grant
    Filed: June 8, 1999
    Date of Patent: November 28, 2006
    Assignee: Entrust Limited
    Inventors: Stephen William Hillier, Dineshbhai Solanki, Eric C. Jacksch
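One way to realize the logged-key-release exchange described above, as an added example that is not Entrust's code. The abstract does not say how the key is split, so this assumes a two-share construction: the message key is derived from one share the originator sends with the ciphertext and one share the third party generates and holds, so the third party never has enough to read the message. The SHA-256 counter keystream with an HMAC tag stands in for a real AEAD such as AES-GCM only to keep the example standard-library-only.

```python
"""Added example (not from the patent): proof of delivery via a third party that releases
a key share the recipient needs but that cannot itself decrypt the message. The two-share
key derivation and the toy cipher are assumptions for illustration."""
import hashlib
import hmac
import secrets
import time


def _kdf(label: bytes, *shares: bytes) -> bytes:
    return hashlib.sha256(label + b"".join(shares)).digest()


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    # Toy counter-mode keystream; stand-in for a real cipher, not for production use.
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under keys derived from the message key."""
    ct = _keystream_xor(_kdf(b"enc", key), plaintext)
    return ct + hmac.new(_kdf(b"mac", key), ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(_kdf(b"mac", key), ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return _keystream_xor(_kdf(b"enc", key), ct)


class ThirdParty:
    """Holds one share per message id, releases it on request, and logs every release.
    It never sees the originator's share or the ciphertext, so it cannot read the data."""

    def __init__(self):
        self._shares = {}
        self._log = {}

    def register(self, msg_id: str) -> bytes:
        share = secrets.token_bytes(32)
        self._shares[msg_id] = share
        return share  # returned to the originator, who already knows the plaintext

    def request_key(self, msg_id: str, recipient: str, now=None) -> bytes:
        stamp = now if now is not None else time.time()
        self._log.setdefault(msg_id, []).append((recipient, stamp))  # the logged event
        return self._shares[msg_id]

    def delivery_status(self, msg_id: str) -> list:
        return list(self._log.get(msg_id, []))


def originator_send(tp: ThirdParty, msg_id: str, plaintext: bytes) -> dict:
    share_o = secrets.token_bytes(32)
    share_t = tp.register(msg_id)
    key = _kdf(b"msg", share_o, share_t)
    return {"msg_id": msg_id, "share_o": share_o, "blob": seal(key, plaintext)}


def recipient_read(tp: ThirdParty, packet: dict, recipient: str, now=None) -> bytes:
    share_t = tp.request_key(packet["msg_id"], recipient, now)  # creates the receipt
    key = _kdf(b"msg", packet["share_o"], share_t)
    return unseal(key, packet["blob"])


if __name__ == "__main__":
    tp = ThirdParty()
    pkt = originator_send(tp, "m1", b"wire transfer approved")
    print("before read:", tp.delivery_status("m1"))
    print(recipient_read(tp, pkt, "bob"))
    print("after read :", tp.delivery_status("m1"))
```

Two caveats a practitioner would add: the log proves that an authenticated party fetched the share, not that anyone read the message, so the third party must authenticate the recipient before releasing it; and `share_o` travels with the ciphertext here, so in a deployment it would itself be protected for the recipient (for instance encrypted to the recipient's public key), otherwise anyone who obtains both the packet and the third party's share can decrypt.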
  • Publication number: 20060259873
    Abstract: A method and apparatus for protecting communication of information through a graphical user interface displays a graphical user interface that includes a trusted interaction window. In one example, the method includes continuously determining whether information has been overlayed on top of at least a portion of the displayed trusted interaction window and then disabling an operation being requested when an overlay condition has been determined. In one example, the trusted interaction window is maintained to be the top most window when it is called by an application, for example, during an online transaction, or any other suitable action. The trusted interaction window may be generated via a browser, or operating system, or any other suitable application. As such, the trusted interaction window detects when another window is overlayed on top of it, such as a chromeless window, thereby preventing an unscrupulous party from tricking the user or obtaining sensitive information.
    Type: Application
    Filed: May 13, 2005
    Publication date: November 16, 2006
    Applicant: Entrust Limited
    Inventor: Serge Mister
  • Publication number: 20060156385
    Abstract: A method and apparatus provides first or second factor authentication by providing selectability of a plurality of second factor authentication policies associated with a second factor authentication article. The first or second factor authentication article includes authentication information, such as a plurality of data elements in different cells or locations on the authentication article, which can be located by using corresponding location information. The method and apparatus provides second factor authentication based on the first or second factor authentication article by enforcing at least one of the plurality of selected authentication policies.
    Type: Application
    Filed: December 12, 2005
    Publication date: July 13, 2006
    Applicant: Entrust Limited
    Inventors: Michael Chiviendacz, Steve Neville, Chris Voice, Michael Morgan
  • Patent number: 7073057
    Abstract: A method and apparatus for public key certificate updates is accomplished when a user of a secured communications system provides, from time to time, a public key certificate update subscription update to a server. The public key certificate update subscription information identifies at least one subscriber subject (i.e., another end-user) that the user desires to obtain real time public key updates when they occur. In response to the subscription information, the server monitors public key certificates of the at least one subscriber subject. When a change occurs to the public key certificate of the at least one subscriber, the server provides an indication of the change to the requesting user. As such, while the user is on-line with the secured communications system, the server can provide the user with real-time updates of subscriber subjects' encryption public key certificates and/or signature public key certificates.
    Type: Grant
    Filed: December 4, 2001
    Date of Patent: July 4, 2006
    Assignee: Entrust Limited
    Inventors: Timothy E. Moses, Sharon M. Boeyen
  • Patent number: 7010582
    Abstract: Methods and systems are provided which convey access control information from a first server to a second server through an end user device, for example in a system in which these servers and devices are all connected to the Internet. The method starts after the first server receives a message from the end user device. The first server in response to this message from the end user device sends a response message to the end user device containing the access control information to be conveyed to the second server, optionally after performing authentication. The response message also contains an instruction for the end user device to post a second message to the second server containing the information. The information is preferably contained in a content portion of the message. A hidden form may be used in the response message to contain the information. Optionally, the end user may be presented with an option to post the second message or not.
    Type: Grant
    Filed: June 26, 2000
    Date of Patent: March 7, 2006
    Assignee: Entrust Limited
    Inventors: Ray C. H. Cheng, Paul C. Van Oorschot, Stephen William Hillier
  • Publication number: 20060015725
    Abstract: A method for providing authentication of a user of a recipient unit when the recipient unit is off-line includes storing one or a plurality of challenge-reply sets associated with an article based on an on-line communication with a sender unit. Each of the challenge-reply sets includes at least a challenge-reply pair for use in off-line authentication of the user for a particular resource available through the recipient unit. When the user is offline, the method includes selecting at least one of the plurality of stored challenge-reply sets for off-line authentication of the user for the particular resource available through the recipient unit.
    Type: Application
    Filed: September 30, 2005
    Publication date: January 19, 2006
    Applicant: Entrust Limited
    Inventors: Chris Voice, Marc Smith, Murray McCulligh, Robert Zuccherato
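An added example, not Entrust's code, covering the three authentication applications above: challenge selection from a pool driven by rule data and usage data (publication 20070005967), an authentication article whose data elements are addressed by location (20060156385), and pre-issued challenge-reply sets for authenticating the user while off-line (20060015725). Assumptions the abstracts do not state: a 5x5 card addressed by row letter and column number, a reply formed by concatenating the selected cells, a policy that avoids re-asking recently used cells, and off-line sets that hold a salted PBKDF2 digest of the reply rather than the reply itself.

```python
"""Added example (not from the patents): grid-card challenges chosen per policy and usage
data, on-line verification, and single-use off-line challenge-reply sets. Card layout,
reply format, policy and digest choice are assumptions for illustration."""
import hashlib
import hmac
import secrets
import string
from collections import deque

ROWS = "ABCDE"
COLS = range(1, 6)
PBKDF2_ROUNDS = 50_000  # a 3-cell reply has only 36**3 possibilities; slow the guesser


def make_card(rng=secrets) -> dict:
    """Constructed sample article: a random alphanumeric in each of the 25 cells."""
    alphabet = string.ascii_uppercase + string.digits
    return {f"{r}{c}": rng.choice(alphabet) for r in ROWS for c in COLS}


def _digest(reply: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", reply.encode(), salt, PBKDF2_ROUNDS)


class GridAuthServer:
    """On-line side: holds the card, picks challenges per policy, verifies replies."""

    def __init__(self, card: dict, cells_per_challenge: int = 3, reuse_window: int = 10):
        self._card = card
        self._policy = {"cells": cells_per_challenge}          # rule data
        self._recent = deque(maxlen=reuse_window)               # usage data

    def challenge(self) -> list:
        """Select cells that were not asked recently."""
        pool = [cell for cell in self._card if cell not in self._recent]
        if len(pool) < self._policy["cells"]:
            self._recent.clear()  # window exhausted; permit reuse again
            pool = list(self._card)
        chosen = []
        while len(chosen) < self._policy["cells"]:
            cell = secrets.choice(pool)
            if cell not in chosen:
                chosen.append(cell)
        self._recent.extend(chosen)
        return chosen

    def expected_reply(self, cells: list) -> str:
        return "".join(self._card[c] for c in cells)

    def verify(self, cells: list, reply: str) -> bool:
        return hmac.compare_digest(self.expected_reply(cells).encode(), reply.encode())

    def offline_sets(self, count: int) -> list:
        """Issue sets for the client to hold while off-line. The reply is never stored;
        each set carries the challenge cells, a fresh salt and a PBKDF2 digest."""
        sets = []
        for _ in range(count):
            cells = self.challenge()
            salt = secrets.token_bytes(16)
            sets.append({"cells": cells, "salt": salt,
                         "digest": _digest(self.expected_reply(cells), salt)})
        return sets


class OfflineVault:
    """Off-line side on the recipient unit: one stored set per attempt, success or not."""

    def __init__(self, sets: list):
        self._sets = list(sets)

    def next_challenge(self):
        return list(self._sets[0]["cells"]) if self._sets else None

    def verify(self, reply: str) -> bool:
        if not self._sets:
            return False
        s = self._sets.pop(0)  # single use: a failed attempt burns the set as well
        return hmac.compare_digest(_digest(reply, s["salt"]), s["digest"])


if __name__ == "__main__":
    card = make_card()
    srv = GridAuthServer(card)
    cells = srv.challenge()
    print("challenge:", cells, "ok:", srv.verify(cells, srv.expected_reply(cells)))
    vault = OfflineVault(srv.offline_sets(3))
    print("offline:", vault.verify(srv.expected_reply(vault.next_challenge())))
```

The weak point of any location-based article is the small reply space, which is why the off-line digests use a slow KDF and a burned set per attempt; the stored sets also reveal which cells will be asked, so the recipient unit must protect them as it would any credential cache, and the server should expire them once the user is back on-line.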
  • Patent number: 6988198
    Abstract: A method and apparatus for initializing operation for information security operation for an entity utilizes shared information, such as shared secret information, that may be shared between the entity and other applications or operations within a system to initialize an entity. Prestored shared information that can be used as entity identification data (RV) and authentication data (IAK) that is associated with the entity identification data is encrypted and the resulting ciphertext is sent over an unprotected (clear-text) channel to an initialization authentication unit, such as a server or other processing unit. The initialization authentication unit requests stored shared data from another processing unit that maintains a database. The other processing system then responds to the request by providing prestored shared data that can be used to, for example, decrypt the encrypted information received over the unprotected channel to determine whether an entity is a proper user of the information security operation.
    Type: Grant
    Filed: November 1, 1999
    Date of Patent: January 17, 2006
    Assignee: Entrust Limited
    Inventors: Robert Zuccherato, Adrian Mancini
  • Patent number: 6978017
    Abstract: An adaptable cryptographic method and system provides updated digital signature key pairs in a public key system by providing, through a multi-client manager unit, selectable expiry data such as digital signature certificate lifetime data, public key expiry data and private key expiry data as selectable on a per client basis. The multi-client manager unit stores selected public key expiry data and private key expiry data for association with a new digital signature key pair and associates the stored selected expiry data with the new digital signature key pair to facilitate a transition from an old digital signature key pair to a new digital signature key pair.
    Type: Grant
    Filed: October 14, 1997
    Date of Patent: December 20, 2005
    Assignee: Entrust Limited
    Inventors: Michael J. Wiener, Josanne M. Otway
  • Patent number: 6975727
    Abstract: An apparatus and method dynamically creates security keys for a subscriber, having at least one preexisting security credential set, and allows the configuration for N key pairs or N keys (where the cryptographic system is a symmetric key system). Such a system provides flexibility in assigning cryptographic algorithms and cryptographic keys to facilitate a change in algorithm without requiring reinitialization of a processing unit or subscriber. The apparatus and method provides a configurable security key manifest, such as a template or table, operative to contain a non-prespecified number of security keys. A security officer or other source may input key configuration data to a graphic user interface template or other suitable mechanism to configure the security key manifest.
    Type: Grant
    Filed: June 22, 1999
    Date of Patent: December 13, 2005
    Assignee: Entrust Limited
    Inventor: Ronald J. Vandergeest
  • Patent number: 6963974
    Abstract: An apparatus and method provides non-repudiation of transaction information such as mark up language forms, using a non-proxy cryptographic application, such as an applet, that provides information to and from the Web browser. Once a user fills out a mark up language-based form as provided, for example, through a Web browser and selects a “submit” button, the non-proxy cryptographic application sends the completed form to a server or the receiving unit that provided the incomplete form and waits for the server to present confirmation data such as a confirmation request form. In one embodiment, once a confirmation request form is received, the non-proxy cryptographic application temporarily maintains the confirmation request form, namely a representation of the completed form as provided by the server, in temporary (e.g., volatile) memory, such as RAM. The non-proxy cryptographic application then sends a copy of the temporarily maintained confirmation request form to the Web browser for display to a user.
    Type: Grant
    Filed: December 28, 2000
    Date of Patent: November 8, 2005
    Assignee: Entrust Limited
    Inventors: Eric R. Skinner, Kevin Simzer, Ivo Ruckstuhl, Dhanya Thakkar
  • Patent number: 6952771
    Abstract: A system and method stores inquiry data, such as data representing questions or forms containing questions, to facilitate entry of shared authentication data for initialization. The stored inquiry data is retrieved for presentation, in audible or visual form, based on received entity identification data entered, for example, by a user or otherwise obtained by a processing or entity seeking initialization. As such, the system and method produces an entity that, for example, first asks a user for identifying information. The entity identification information, such as an employee number, or other information, is then provided to the entity. This information is then sent to a processing unit, such as a certification authority or other server. The processing unit determines what questions must be asked of the user to identify the user for initialization purposes. These questions are returned to the terminal for application wherein they are presented to the user.
    Type: Grant
    Filed: January 6, 2000
    Date of Patent: October 4, 2005
    Assignee: Entrust Limited
    Inventors: Robert Zuccherato, Adrian Mancini
  • Patent number: 6950949
    Abstract: A password entry method and apparatus prompts a user for entry of a password and outputs dynamic password entry interface legitimacy information in response to the prompt for entry of the password. The dynamic password entry interface legitimacy information may be a hard to duplicate animated image, audio sequence, or other suitable legitimacy information that allows a user to visually or audibly determine whether the password entry interface being presented is legitimate. Accordingly, the user will know whether or not to trust the password entry interface, such as a password dialog box displayed on a display device, prior to entering password information.
    Type: Grant
    Filed: October 8, 1999
    Date of Patent: September 27, 2005
    Assignee: Entrust Limited
    Inventor: Jeffrey S. Gilchrist