Patents Assigned to Entrust Limited
- Patent number: 7685421
  Abstract: A method and apparatus for initializing operation for information security operation for an entity utilizes shared information, such as shared secret information, that may be shared between the entity and other applications or operations within a system to initialize an entity. Prestored shared information that can be used as entity identification data (RV) and authentication data (IAK) that is associated with the entity identification data is encrypted and sent in clear text fashion to an initialization authentication unit, such as a server or other processing unit. The initialization authentication unit requests stored shared data from another processing unit that maintains a database. The other processing system then responds to the request by providing prestored shared data that can be used to, for example, decrypt the encrypted information sent in a clear text fashion to determine whether an entity is a proper user of the information security operation.
  Type: Grant
  Filed: December 6, 2005
  Date of Patent: March 23, 2010
  Assignee: Entrust Limited
  Inventors: Robert Zuccherato, Adrian Mancini
- Patent number: 7548152
  Abstract: Methods, systems and devices for providing RFID system security are provided that involve cryptographically encrypting data on a transponder and managing the release of the decryption information, decryption keys, or the data itself to a transceiver having a transaction with the transponder.
  Type: Grant
  Filed: October 8, 2004
  Date of Patent: June 16, 2009
  Assignee: Entrust Limited
  Inventor: Stephen Hillier
- Patent number: 7373512
  Abstract: A method and apparatus utilizes a digital signature verification map containing a plurality of acceptable message header identifiers associated with a public key certificate identifier. In one embodiment, a method includes determining a digital signature verification error based on a received message header, such as a transport header identifier, associated with a public key certificate identifier, such as the subject field of the certificate. The method includes generating a signature verification map or updating a signature verification map containing a plurality of acceptable message header identifiers associated with the common public key certificate identifier in response to determining the digital signature verification error. Accordingly, a link is provided between a transport header and a digitally signed message. A digital signature verification map is continually updated to accommodate aliases to a common subject associated with the certificate.
  Type: Grant
  Filed: March 27, 2000
  Date of Patent: May 13, 2008
  Assignee: Entrust Limited
  Inventor: Michael K. Just
- Patent number: 7328457
  Abstract: A method and apparatus facilitates the prevention of interception of incoming data, such as keystroke data in the form of a message to an application, by inserting application-generated random insertion data into a message stream. The random insertion data is related to actual data that is being generated for a software application so that it is difficult for an attacker to distinguish between actual message data and inserted message data. The system and method then reads incoming data, typically in the form of messages, and filters out the messages that it determines were knowingly inserted. The remaining received messages are determined to be actual data from the data source, such as a keyboard, voice input or other suitable data source. In one embodiment, the system effectively hides actual input data such as actual keystrokes in a stream of randomly generated fake keystrokes.
  Type: Grant
  Filed: June 30, 1999
  Date of Patent: February 5, 2008
  Assignee: Entrust Limited
  Inventor: Serge Jean Maurice Mister
- Patent number: 7321969
  Abstract: A method and apparatus for facilitating instant messaging utilizes a secure instant message group policy certificate issued by an instant messaging public key infrastructure policy certificate issuing unit. The secure instant messaging group policy certificate is received, such as through a local instant messaging secure public key infrastructure proxy, and contains data defining the group members, references to other groups, security controls and relevant data such as allowed algorithms. The secure instant messaging group policy certificate defines a plurality of different instant messaging groups, each identified by an instant messaging group identifier. Each instant messaging group identifier is associated with a plurality of instant message group number identifiers.
  Type: Grant
  Filed: April 26, 2002
  Date of Patent: January 22, 2008
  Assignee: Entrust Limited
  Inventors: Isadore Schoen, Michael Boberski
- Patent number: 7290133
  Abstract: An apparatus and method collects, for a community of interest, at least one cross certificate associated with an anchor certificate issuing unit, and obtains at least one certificate issuing unit public key and an associated unique identifier for a cross-certified certificate issuing unit identified by the at least one cross certificate. For example, a certificate issuing unit, client unit, or other suitable unit searches for one or up to all certification authorities or certificate issuing units that it can trust based on cross certificate chains. This is done, for example, from a given trust anchor. The apparatus selects those obtained certificates that satisfy, for example, some search criteria, such as what policy must be enforced in each certificate, for example the allowed path length or depth that the apparatus is allowed to evaluate, and creates a signed certificate set, such as a list of all trusted certificate issuing units from the perspective of a given trust anchor.
  Type: Grant
  Filed: November 17, 2000
  Date of Patent: October 30, 2007
  Assignee: Entrust Limited
  Inventor: David Montgomery
- Patent number: 7174563
  Abstract: A computer network security system and method utilizes digitally signed and centrally assigned policy data, such as password length rules, that is unilaterally enforced at network nodes by node policy enforcement engines. The policy data may be variable on a per-client or per-network-node basis through a centralized authority, such as a certification authority. The computer network security system provides variable security policy rule data for distribution to at least one network node through a central security policy rule data distribution source, such as the certification authority. The central security policy rule data distribution source associates a digital signature with the variable security policy rule data to ensure the integrity of the policies in the system. Each network node uses a policy rule data engine and policy rule table to decode policy rule data and enforce the policy rules as selectively determined through the central authority.
  Type: Grant
  Filed: November 1, 2000
  Date of Patent: February 6, 2007
  Assignee: Entrust, Limited
  Inventors: Michael Brownlie, Stephen Hillier, Paul C. Van Oorschot
- Publication number: 20070005967
  Abstract: A method, apparatus and/or system generates a challenge for user authentication, having a challenge data element from a stored pool of challenge data elements. The challenge is based on rule data and stored usage data associated with at least some of the challenge data elements in the stored pool of challenge data elements. The generated challenge is sent for use in an authentication of a user to a sender. A method, apparatus and/or system also generates sender authentication and corresponding location information, having a data element from a stored pool of challenge data elements. Selection of the data elements is based on rule data and stored usage data associated with at least some of the data elements in the stored pool of data elements.
  Type: Application
  Filed: December 13, 2005
  Publication date: January 4, 2007
  Applicant: Entrust Limited
  Inventors: Serge Mister, Steve Neville, Robert Zuccherato, Chris Voice, Michael Morgan
- Patent number: 7142676
  Abstract: A method and apparatus for securely communicating data employs a third party to facilitate decryption by the recipient. It is necessary for the recipient to interact with the third party to decrypt received encrypted data. The third party is unable to decrypt or read the encrypted data and records whether the recipient requested a decryption key generated by the third party. The third party logs the request from the second party for the decryption key. The originator may then obtain the delivery status of the data from the third party to facilitate proof of submission, proof of delivery, or any other suitable information.
  Type: Grant
  Filed: June 8, 1999
  Date of Patent: November 28, 2006
  Assignee: Entrust Limited
  Inventors: Stephen William Hillier, Dineshbhai Solanki, Eric C. Jacksch
- Publication number: 20060156385
  Abstract: A method and apparatus provides first or second factor authentication by providing selectability of a plurality of second factor authentication policies associated with a second factor authentication article. The first or second factor authentication article includes authentication information, such as a plurality of data elements in different cells or locations on the authentication article, which can be located by using corresponding location information. The method and apparatus provides second factor authentication based on the first or second factor authentication article by enforcing at least one of the plurality of selected authentication policies.
  Type: Application
  Filed: December 12, 2005
  Publication date: July 13, 2006
  Applicant: Entrust Limited
  Inventors: Michael Chiviendacz, Steve Neville, Chris Voice, Michael Morgan
- Patent number: 7073057
  Abstract: A method and apparatus for public key certificate updates is accomplished when a user of a secured communications system provides, from time to time, a public key certificate update subscription update to a server. The public key certificate update subscription information identifies at least one subscriber subject (i.e., another end user) for which the user desires to obtain real-time public key updates when they occur. In response to the subscription information, the server monitors public key certificates of the at least one subscriber subject. When a change occurs to the public key certificate of the at least one subscriber, the server provides an indication of the change to the requesting user. As such, while the user is on-line with the secured communications system, the server can provide the user with real-time updates of subscriber subjects' encryption public key certificates and/or signature public key certificates.
  Type: Grant
  Filed: December 4, 2001
  Date of Patent: July 4, 2006
  Assignee: Entrust Limited
  Inventors: Timothy E. Moses, Sharon M. Boeyen
- Patent number: 7010582
  Abstract: Methods and systems are provided which convey access control information from a first server to a second server through an end user device, for example in a system in which these servers and devices are all connected to the Internet. The method starts after the first server receives a message from the end user device. The first server, in response to this message from the end user device, sends a response message to the end user device containing the access control information to be conveyed to the second server, optionally after performing authentication. The response message also contains an instruction for the end user device to post a second message to the second server containing the information. The information is preferably contained in a content portion of the message. A hidden form may be used in the response message to contain the information. Optionally, the end user may be presented with an option to post the second message or not.
  Type: Grant
  Filed: June 26, 2000
  Date of Patent: March 7, 2006
  Assignee: Entrust Limited
  Inventors: Ray C. H. Cheng, Paul C. Van Oorschot, Stephen William Hillier
- Patent number: 6988198
  Abstract: A method and apparatus for initializing operation for information security operation for an entity utilizes shared information, such as shared secret information, that may be shared between the entity and other applications or operations within a system to initialize an entity. Prestored shared information that can be used as entity identification data (RV) and authentication data (IAK) that is associated with the entity identification data is encrypted and sent in clear text fashion to an initialization authentication unit, such as a server or other processing unit. The initialization authentication unit requests stored shared data from another processing unit that maintains a database. The other processing system then responds to the request by providing prestored shared data that can be used to, for example, decrypt the encrypted information sent in a clear text fashion to determine whether an entity is a proper user of the information security operation.
  Type: Grant
  Filed: November 1, 1999
  Date of Patent: January 17, 2006
  Assignee: Entrust Limited
  Inventors: Robert Zuccherato, Adrian Mancini
- Patent number: 6978017
  Abstract: An adaptable cryptographic method and system provides updated digital signature key pairs in a public key system by providing, through a multi-client manager unit, selectable expiry data such as digital signature certificate lifetime data, public key expiry data and private key expiry data, selectable on a per-client basis. The multi-client manager unit stores selected public key expiry data and private key expiry data for association with a new digital signature key pair and associates the stored selected expiry data with the new digital signature key pair to facilitate a transition from an old digital signature key pair to a new digital signature key pair.
  Type: Grant
  Filed: October 14, 1997
  Date of Patent: December 20, 2005
  Assignee: Entrust Limited
  Inventors: Michael J. Wiener, Josanne M. Otway
- Patent number: 6975727
  Abstract: An apparatus and method dynamically creates security keys for a subscriber having at least one preexisting security credential set, and allows the configuration of N key pairs or N keys (where the cryptographic system is a symmetric key system). Such a system provides flexibility in assigning cryptographic algorithms and cryptographic keys to facilitate a change in algorithm without requiring reinitialization of a processing unit or subscriber. The apparatus and method provides a configurable security key manifest, such as a template or table, operative to contain a non-prespecified number of security keys. A security officer or other source may input key configuration data to a graphical user interface template or other suitable mechanism to configure the security key manifest.
  Type: Grant
  Filed: June 22, 1999
  Date of Patent: December 13, 2005
  Assignee: Entrust Limited
  Inventor: Ronald J. Vandergeest
- Patent number: 6963974
  Abstract: An apparatus and method provides non-repudiation of transaction information, such as markup language forms, using a non-proxy cryptographic application, such as an applet, that provides information to and from the Web browser. Once a user fills out a markup language-based form as provided, for example, through a Web browser and selects a "submit" button, the non-proxy cryptographic application sends the completed form to a server or the receiving unit that provided the incomplete form and waits for the server to present confirmation data such as a confirmation request form. In one embodiment, once a confirmation request form is received, the non-proxy cryptographic application temporarily maintains the confirmation request form, namely a representation of the completed form as provided by the server, in temporary (e.g., volatile) memory, such as RAM. The non-proxy cryptographic application then sends a copy of the temporarily maintained confirmation request form to the Web browser for display to a user.
  Type: Grant
  Filed: December 28, 2000
  Date of Patent: November 8, 2005
  Assignee: Entrust Limited
  Inventors: Eric R. Skinner, Kevin Simzer, Ivo Ruckstuhl, Dhanya Thakkar
- Patent number: 6952771
  Abstract: A system and method stores inquiry data, such as data representing questions or forms containing questions, to facilitate entry of shared authentication data for initialization. The stored inquiry data is retrieved for presentation, in audible or visual form, based on received entity identification data entered, for example, by a user or otherwise obtained by a processing unit or entity seeking initialization. As such, the system and method produces an entity that, for example, first asks a user for identifying information. The entity identification information, such as an employee number or other information, is then provided to the entity. This information is then sent to a processing unit, such as a certification authority or other server. The processing unit determines what questions must be asked of the user to identify the user for initialization purposes. These questions are returned to the terminal for the application, wherein they are presented to the user.
  Type: Grant
  Filed: January 6, 2000
  Date of Patent: October 4, 2005
  Assignee: Entrust Limited
  Inventors: Robert Zuccherato, Adrian Mancini
- Patent number: 6950949
  Abstract: A password entry method and apparatus prompts a user for entry of a password and outputs dynamic password entry interface legitimacy information in response to the prompt for entry of the password. The dynamic password entry interface legitimacy information may be a hard-to-duplicate animated image, audio sequence, or other suitable legitimacy information that allows a user to visually or audibly determine whether the password entry interface being presented is legitimate. Accordingly, the user will know whether or not to trust the password entry interface, such as a password dialog box displayed on a display device, prior to entering password information.
  Type: Grant
  Filed: October 8, 1999
  Date of Patent: September 27, 2005
  Assignee: Entrust Limited
  Inventor: Jeffrey S. Gilchrist
- Publication number: 20050149761
  Abstract: An apparatus and method for securely providing identification information generates one or more obscured identifiers for a recipient, such as one or more identifiers that are generated based on data unique to a recipient or other information as may be appropriate. In one embodiment, the method and apparatus generates a translucent identification member, such as a plastic card, sheet, film or other suitable member that has a translucent area that includes one or more obscured identifiers. When the translucent identification member is overlaid on a screen displaying a visual filtering pattern, one of the one or more obscured identifiers is visually revealed for use during the particular transaction. The revealed identifier is entered into a recipient device and sent to an authenticator to be verified as an appropriate identifier for the transaction.
  Type: Application
  Filed: December 30, 2003
  Publication date: July 7, 2005
  Applicant: Entrust Limited
  Inventors: Michael Chiviendacz, Edward Pillman
- Publication number: 20050144451
  Abstract: A method for providing electronic message authentication employs an article, such as a card, sticker, or any other suitable article, that includes sender authentication information and location information such as row and column headings. In one example, each recipient of interest is issued an article that embodies unique sender authentication information that is identifiable by corresponding location information such as column and row identifiers. In both an apparatus and method, when the sender of an electronic message wants to send a message to a recipient of interest, the sender sends the electronic message together with both location information and the corresponding desired sender authentication information located at the coordinate identified by the location coordinate information. If the sent desired sender authentication information matches authentication information found on the article, the sender of the message is trusted.
  Type: Application
  Filed: May 19, 2004
  Publication date: June 30, 2005
  Applicant: Entrust Limited
  Inventors: Christopher Voice, Michael Chiviendacz, Edward Pillman