Patents Examined by Justin T. Darrow
  • Patent number: 7133846
    Abstract: The present inventions provide an integrated, modular array of administrative and support services for electronic commerce and electronic rights and transaction management. These administrative and support services supply a secure foundation for conducting financial management, rights management, certificate authority, rules clearing, usage clearing, secure directory services, and other transaction related capabilities functioning over a vast electronic network such as the Internet and/or over organization internal Intranets. These administrative and support services can be adapted to the specific needs of electronic commerce value chains. Electronic commerce participants can use these administrative and support services to support their interests, and can shape and reuse these services in response to competitive business realities. A Distributed Commerce Utility having a secure, programmable, distributed architecture provides administrative and support services.
    Type: Grant
    Filed: September 17, 1999
    Date of Patent: November 7, 2006
    Assignee: Intertrust Technologies Corp.
    Inventors: Karl L. Ginter, Victor H. Shear, Francis J. Spahn, David M. Van Wie, Robert P. Weber
  • Patent number: 7124302
    Abstract: The present invention provides systems and methods for electronic commerce including secure transaction management and electronic rights protection. Electronic appliances such as computers employed in accordance with the present invention help to ensure that information is accessed and used only in authorized ways, and maintain the integrity, availability, and/or confidentiality of the information. Secure subsystems used with such electronic appliances provide a distributed virtual distribution environment (VDE) that may enforce a secure chain of handling and control, for example, to control and/or meter or otherwise monitor use of electronically stored or disseminated information. Such a virtual distribution environment may be used to protect rights of various participants in electronic commerce and other electronic or electronic-facilitated transactions.
    Type: Grant
    Filed: September 10, 2001
    Date of Patent: October 17, 2006
    Assignee: Intertrust Technologies Corp.
    Inventors: Karl L. Ginter, Victor H. Shear, W. Olin Sibert, Francis J. Spahn, David M. Van Wie
  • Patent number: 7120800
    Abstract: The present invention provides systems and methods for secure transaction management and electronic rights protection. Electronic appliances such as computers equipped in accordance with the present invention help to ensure that information is accessed and used only in authorized ways, and maintain the integrity, availability, and/or confidentiality of the information. Such electronic appliances provide a distributed virtual distribution environment (VDE) that may enforce a secure chain of handling and control, for example, to control and/or meter or otherwise monitor use of electronically stored or disseminated information. Such a virtual distribution environment may be used to protect rights of various participants in electronic commerce and other electronic or electronic-facilitated transactions. Distributed and other operating systems, environments and architectures, such as, for example, those using tamper-resistant hardware-based processors, may establish security at each node.
    Type: Grant
    Filed: June 1, 2001
    Date of Patent: October 10, 2006
    Assignee: Intertrust Technologies Corp.
    Inventors: Karl L. Ginter, Victor H. Shear, Francis J. Spahn, David M. Van Wie
  • Patent number: 7117360
    Abstract: A method and apparatus for generating a CRL with a last_changed extension. When sequential CRLs are generated there is the potential that there will be no changes in the data associated with the CRL. In this case a recipient of the new CRL may needlessly perform processing on the new CRL. A CRL consistent with embodiments of the present invention provides an extension to specify the CRL number of the last_changed CRL. This provides the recipient with information to determine whether the new CRL should be processed or the existing data is up to date.
    Type: Grant
    Filed: July 9, 2001
    Date of Patent: October 3, 2006
    Assignee: Sun Microsystems, Inc.
    Inventor: Michelle Zhao
  • Patent number: 7114176
    Abstract: The present invention provides a method, system and device for securing ownership for a two-part device with a physical unit and a virtual unit so that ownership of the two-part device is efficiently initiated, maintained, and transferred. The steps include initiating, by a user, an activation signal from the physical unit to the virtual unit to activate an ownership procedure and employing a double safety mechanism to activate ownership services via the virtual unit for the physical unit.
    Type: Grant
    Filed: December 21, 2001
    Date of Patent: September 26, 2006
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Charles M. Patton, Stephen A Loughran, Rajeev K. Pandey
  • Patent number: 7103185
    Abstract: An approach for establishing secure multicast communication among multiple multicast proxy service nodes is disclosed. The multicast proxy service nodes, which can be distributed throughout an enterprise domain, are organized in a logical tree that mimics the logical tree arrangement of domains in a directory server system. The attributes of the multicast proxy service nodes include the group session key and the private keys of the multicast proxy service nodes that are members of the multicast or broadcast groups. The private keys provide unique identification values for the multicast proxy service nodes, thereby facilitating distribution of such keys. Because keys as well as key version information are housed in the directory, multicast security can be achieved over any number of network domains across the entire enterprise. Key information is stored in, and the logical tree is supported by, a directory service. Replication of the directory accomplishes distribution of keys.
    Type: Grant
    Filed: December 22, 1999
    Date of Patent: September 5, 2006
    Assignee: Cisco Technology, Inc.
    Inventors: Sunil Srivastava, Jonathan Trostle, Raymond Bell, Ramprasad Golla
  • Patent number: 7103779
    Abstract: The present invention discloses a method for quickly and easily authenticating a large computer program. The system operates by first sealing the computer program with a digital signature in an incremental manner. Specifically, the computer program is divided into a set of pages and a hash value is calculated for each page. The set of hash values is formed into a hash value array and the hash value array is then sealed with a digital signature. The computer program is then distributed along with the hash value array and the digital signature. To authenticate the computer program, a recipient first verifies the authenticity of the hash value array with the digital signature and a public key. Once the hash value array has been authenticated, the recipient can then verify the authenticity of each page of the computer program by calculating a hash of a page to be loaded and then comparing with an associated hash value in the authenticated hash value array.
    Type: Grant
    Filed: September 18, 2003
    Date of Patent: September 5, 2006
    Assignee: Apple Computer, Inc.
    Inventors: Perry Kiehtreiber, Michael Brouwer
  • Patent number: 7100199
    Abstract: The present invention provides systems and methods for secure transaction management and electronic rights protection. Electronic appliances such as computers equipped in accordance with the present invention help to ensure that information is accessed and used only in authorized ways, and maintain the integrity, availability, and/or confidentiality of the information. Such electronic appliances provide a distributed virtual distribution environment (VDE) that may enforce a secure chain of handling and control, for example, to control and/or meter or otherwise monitor use of electronically stored or disseminated information. Such a virtual distribution environment may be used to protect rights of various participants in electronic commerce and other electronic or electronic-facilitated transactions. Distributed and other operating systems, environments and architectures, such as, for example, those using tamper-resistant hardware-based processors, may establish security at each node.
    Type: Grant
    Filed: October 28, 2003
    Date of Patent: August 29, 2006
    Assignee: Intertrust Technologies Corp.
    Inventors: Karl L. Ginter, Victor H. Shear, Francis J. Spahn, David M. Van Wie
  • Patent number: 7096358
    Abstract: An encryption method that is largely transparent to a user is accomplished by intercepting a change document or open document command, carrying out an encryption or decryption process, and then completing the command on an encrypted or decrypted file. The encryption method can be used in a wide variety of environments, such as an individual computer program, a database or electronic messaging over the Internet. The encryption method can select from a plurality of encryption algorithms.
    Type: Grant
    Filed: September 8, 2003
    Date of Patent: August 22, 2006
    Assignee: MAZ Technologies, Inc.
    Inventor: Stephen Zizzi
  • Patent number: 7095854
    Abstract: The present invention provides systems and methods for secure transaction management and electronic rights protection. Electronic appliances such as computers equipped in accordance with the present invention help to ensure that information is accessed and used only in authorized ways, and maintain the integrity, availability, and/or confidentiality of the information. Such electronic appliances provide a distributed virtual distribution environment (VDE) that may enforce a secure chain of handling and control, for example, to control and/or meter or otherwise monitor use of electronically stored or disseminated information. Such a virtual distribution environment may be used to protect rights of various participants in electronic commerce and other electronic or electronic-facilitated transactions. Distributed and other operating systems, environments and architectures, such as, for example, those using tamper-resistant hardware-based processors, may establish security at each node.
    Type: Grant
    Filed: October 3, 2000
    Date of Patent: August 22, 2006
    Assignee: Intertrust Technologies Corp.
    Inventors: Karl L. Ginter, Victor H. Shear, Francis J. Spahn, David M. Van Wie
  • Patent number: 7095852
    Abstract: A cryptographic key split binder includes key split generators that generate cryptographic key splits from seed data and a key split randomizer for randomizing cryptographic key splits to produce a cryptographic key, and a process for forming cryptographic keys. Key split generators can include a random split generator for generating a random key split based on reference data, a token split generator for generating a token key split based on label data, a console split generator for generating a console key split based on maintenance data or a biometric split generator for generating a biometric key split based on biometric data. Any key split can further be based on static data, which can be updated. Label data can be read from a storage medium, and can include user authorization data. A cryptographic key can be, for example, a stream of symbols, at least one symbol block, or a key matrix.
    Type: Grant
    Filed: November 20, 2001
    Date of Patent: August 22, 2006
    Assignee: Tecsec, Inc.
    Inventors: C. Jay Wack, Edward M. Scheidt, James L. Kolouch
  • Patent number: 7093139
    Abstract: The invention is a method and system in which an authentication chip having secret information stored within it, including secret data stored in multi-level flash memory, is protected from unauthorized modification of values stored in the flash memory. The secret information is stored using an internal command and can only be accessed by one or more further commands. Secret data in the information is stored in intermediate states of the multilevel flash memory between the minimum and maximum voltage level states. A validity check is performed on secret data items before allowing them to be read out by a command accessing them. The validity check involves calculation of a checksum and comparison of the result with a checksum stored using the internal command as part of the secret information.
    Type: Grant
    Filed: February 15, 2001
    Date of Patent: August 15, 2006
    Assignee: Silverbrook Research PTY LTD
    Inventors: Kia Silverbrook, Simon Robert Walmsley
  • Patent number: 7089420
    Abstract: The present invention provides a method and apparatus for the production and labeling of objects in a manner suitable for the prevention and detection of counterfeiting. Thus, the system incorporates a variety of features that make unauthorized reproduction difficult. In addition, the present invention provides an efficient means for the production of labels and verification of authenticity, whereby a recording apparatus which includes a recording medium, having anisotropic optical domains, along with a means for transferring a portion of the recording medium to a carrier, wherein a bulk portion of the recording medium has macroscopically detectable anisotropic optical properties and the detecting apparatus thereon.
    Type: Grant
    Filed: May 24, 2000
    Date of Patent: August 8, 2006
    Assignee: Tracer Detection Technology Corp.
    Inventors: David I. Durst, Norman Kaish, Jay Fraser
  • Patent number: 7089417
    Abstract: A method of providing cryptographic information and flow control includes first determining a target domain from an IP address. An organization policy is looked up from a credential store, and an algorithm and credentials specified for the target domain are looked up in a domain-credential map. Any further credentials that are provided and that are permitted by the organizational policy are added. A working key is then generated, and information is received in the form of a receive packet. Any packet header is stripped from the receive packet and the remaining data is encrypted. Key splits are retrieved from the credential store, and are combined to form a key-encrypting key. The working key is then encrypted with the key-encrypting key, and a CKM header is encrypted. The encrypted CKM header is concatenated to the beginning of the encrypted data to form transmit data, and the packet header and the transmit data are concatenated to form a transmit packet.
    Type: Grant
    Filed: November 18, 2003
    Date of Patent: August 8, 2006
    Assignee: TECSEC, Inc.
    Inventors: C. Jay Wack, Edward M. Scheidt, Jeffrey K. Morris
  • Patent number: 7085929
    Abstract: Access to information is controlled by maintaining, for a given device or other entity through which information may be accessed, a contact list that includes information identifying one or more other entities which have attempted to communicate with the given entity. The contact list further includes a contact count field specifying, for each of the entities on the contact list, the number of times the corresponding entity has attempted to communicate with the given entity. The contact list is utilized in conjunction with a revocation list stored in a memory associated with the given entity in order to determine which of the other entities are authorized to communicate with the given entity. The contact list is updated after a modification of the revocation list, or if a new entity not already included on the contact list attempts to communicate with the given entity.
    Type: Grant
    Filed: October 11, 2000
    Date of Patent: August 1, 2006
    Assignee: Koninklijke Philips Electronics N.V.
    Inventor: Antonius A. M. Staring
  • Patent number: 7086086
    Abstract: An N session distributed architecture provides a software solution to the major computational challenges faced with providing secure communication. A registration entity is identified as the session arbitrator through which N devices on a network dynamically participate in establishing, maintaining and destroying cryptographic sessions. Session keys are generated by one or more devices registered with the registration server. Multiparty key agreement and device (or another form of) authentication is used to pass session keys and security policies to all parties involved in the encrypted session. Network discovery techniques are used to discover parties that will participate in the secure communications. All sessions appear to be local to the arbitration server, however individual sessions are maintained by several devices operating as a collective.
    Type: Grant
    Filed: November 18, 2002
    Date of Patent: August 1, 2006
    Inventor: Alonzo Ellis
  • Patent number: 7079653
    Abstract: A cryptographic key split combiner includes a number of key split generators for generating cryptographic key splits from seed data, and a key split randomizer for randomizing the key splits to produce a cryptographic key. The key split generators can include a random split generator for generating random key splits, a token split generator for generating token key splits based on label data, a console split generator for generating console key splits based on maintenance data, a biometric split generator for generating biometric key splits based on biometric data, and a location split generator for generating location key splits based on location data. Label data can be read from storage, and can include user authorization data. A process for forming cryptographic keys includes randomizing or otherwise binding the splits to form the key.
    Type: Grant
    Filed: May 16, 2002
    Date of Patent: July 18, 2006
    Assignee: Tecsec, Inc.
    Inventors: Edward M. Scheidt, C. Jay Wack
  • Patent number: 7080409
    Abstract: A method, system and program for automatic administration and management of a plurality of certificates and/or cryptographic keys, authentication of certificates, and authorization to access certificates or associated data. Each key is associated with a set of attributes so that the set of attributes is specific both to a user or group of users and to a particular use to which the key is intended to be put. Each user can automatically conduct any legitimate operation or process related to any certificate/key and/or group of certificates/keys by virtue of the associated set of attributes.
    Type: Grant
    Filed: April 10, 2002
    Date of Patent: July 18, 2006
    Inventor: Dan Eigeles
  • Patent number: 7076660
    Abstract: A method for copy protecting a record carrier is disclosed, in which method the copy protected record carriers are provided with a pattern of logical errors which cannot be corrected by the error correcting rules predefined for said record carrier. The pattern of logical errors represents access control information. The logical errors are generated during decoding the bit sequence read from the record carrier. Bit errors may be positioned in the bit sequence so as to counteract de-interleaving which is part of an error decoding process in a reading device and accumulate in error words which are uncorrectable. Also a method for detecting access control information and a retrieval arrangement are disclosed, which retrieval arrangement serves to detect the access control information by selecting at least one error location, but not all error locations on the record carrier, and verifying the presence of an error by reading the selected error location via the reading means.
    Type: Grant
    Filed: October 25, 2001
    Date of Patent: July 11, 2006
    Assignee: Koninklijke Philips Electronics N.V.
    Inventor: Peter A. Newman
  • Patent number: 7076652
    Abstract: The present invention provides systems and methods for secure transaction management and electronic rights protection. Electronic appliances such as computers equipped in accordance with the present invention help to ensure that information is accessed and used only in authorized ways, and maintain the integrity, availability, and/or confidentiality of the information. Such electronic appliances provide a distributed virtual distribution environment (VDE) that may enforce a secure chain of handling and control, for example, to control and/or meter or otherwise monitor use of electronically stored or disseminated information. Such a virtual distribution environment may be used to protect rights of various participants in electronic commerce and other electronic or electronic-facilitated transactions. Distributed and other operating systems, environments and architectures, such as, for example, those using tamper-resistant hardware-based processors, may establish security at each node.
    Type: Grant
    Filed: January 19, 2001
    Date of Patent: July 11, 2006
    Assignee: Intertrust Technologies Corporation
    Inventors: Karl L. Ginter, Victor H. Shear, Francis J. Spahn, David M. Van Wie