Patents by Inventor Alan D. Eldridge

Alan D. Eldridge has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9690920
    Abstract: A secure database includes a catalog of information about one or more identity providers (IdPs) that are trusted by a service provider (SP) to authenticate users on the SP's behalf. The catalog securely stores one or more IdP configurations. An entry in the database stores information associated with the trusted IdP including artifacts to identify the IdP, artifacts used by the IdP for cryptographic operations, and a specification of one or more website(s) serviced by the trusted identity provider. Upon receipt by the SP of identity information representing a user that has authenticated to an IdP, information in the catalog of information is used to determine whether the IdP is trusted to authenticate the user on the service provider's behalf. The determination verifies that the SP uses the IdP and that a binding between an IdP identifier and at least one IdP cryptographic artifact is valid.
    Type: Grant
    Filed: August 30, 2012
    Date of Patent: June 27, 2017
    Assignee: International Business Machines Corporation
    Inventors: Jane B. Marcus, Alan D. Eldridge, David Scott Kern, Jr., Michael J. Kerrigan, Patrick Charles Mancuso, Robert John Paganetti
  • Patent number: 8995653
    Abstract: Embodiments of the present invention address deficiencies of the art in respect to symmetric key generation and provide a method, system and computer program product for symmetric key generation using an asymmetric private key. In one embodiment, a symmetric key generation data processing system can include a symmetric key generator configured with a programmatic interface including an input parameter for a seed, an input parameter for an asymmetric private key, and an output parameter for a symmetric key. The symmetric key generator can include program code enabled to generate the symmetric key by encrypting the seed with the asymmetric private key.
    Type: Grant
    Filed: July 12, 2005
    Date of Patent: March 31, 2015
    Assignee: International Business Machines Corporation
    Inventors: Alan D. Eldridge, David S. Kern
  • Publication number: 20140068743
    Abstract: A secure database includes a catalog of information about one or more identity providers (IdPs) that are trusted by a service provider (SP) to authenticate users on the SP's behalf. The catalog securely stores one or more IdP configurations. An entry in the database stores information associated with the trusted IdP including artifacts to identify the IdP, artifacts used by the IdP for cryptographic operations, and a specification of one or more website(s) serviced by the trusted identity provider. Upon receipt by the SP of identity information representing a user that has authenticated to an IdP, information in the catalog of information is used to determine whether the IdP is trusted to authenticate the user on the service provider's behalf. The determination verifies that the SP uses the IdP and that a binding between an IdP identifier and at least one IdP cryptographic artifact is valid.
    Type: Application
    Filed: August 30, 2012
    Publication date: March 6, 2014
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Jane B. Marcus, Alan D. Eldridge, David Scott Kern, Michael J. Kerrigan, Patrick Charles Mancuso, Robert John Paganetti
  • Publication number: 20120210410
    Abstract: A method of managing network security can include receiving a user input comprising a user name and a password, determining whether the input user name potentially corresponds to a plurality of user accounts, determining whether the password is valid, and determining whether each of the user accounts is locked. The method can include selecting a security response to the user input based upon whether the input user name potentially corresponds to the plurality of user accounts, whether the password is valid, whether each of the user accounts is locked, and outputting the security response.
    Type: Application
    Filed: April 23, 2012
    Publication date: August 16, 2012
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Alan D. Eldridge, Phillipe A. Loher, Peter O. Mierswa, Steven E. Read
  • Patent number: 8234695
    Abstract: A method of managing network security can include receiving a user input comprising a user name and a password, determining whether the input user name potentially corresponds to a plurality of user accounts, determining whether the password is valid, and determining whether each of the user accounts is locked. The method can include selecting a security response to the user input based upon whether the input user name potentially corresponds to the plurality of user accounts, whether the password is valid, whether each of the user accounts is locked, and outputting the security response.
    Type: Grant
    Filed: December 21, 2007
    Date of Patent: July 31, 2012
    Assignee: International Business Machines Corporation
    Inventors: Alan D. Eldridge, Phillipe A. Loher, Peter O. Mierswa, Steven E. Read
  • Patent number: 8195959
    Abstract: The present invention is a method, system and apparatus for the encryption of a credential store by using a lockbox mechanism. In a credential store encryption method, a lockbox for a credential store can be retrieved and an encryption key can be selected from among a list of encryption keys in the lockbox. The lockbox can be a local lockbox and the local lockbox can be retrieved from an unencrypted region of the credential store. In any case, subsequent to the retrieval of the lockbox, the credential store can be decrypted with the selected encryption key.
    Type: Grant
    Filed: November 22, 2004
    Date of Patent: June 5, 2012
    Assignee: International Business Machines Corporation
    Inventors: Alan D. Eldridge, David S. Kern
  • Publication number: 20090165106
    Abstract: A method of managing network security can include receiving a user input comprising a user name and a password, determining whether the input user name potentially corresponds to a plurality of user accounts, determining whether the password is valid, and determining whether each of the user accounts is locked. The method can include selecting a security response to the user input based upon whether the input user name potentially corresponds to the plurality of user accounts, whether the password is valid, whether each of the user accounts is locked, and outputting the security response.
    Type: Application
    Filed: December 21, 2007
    Publication date: June 25, 2009
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Alan D. Eldridge, Phillipe A. Loher, Peter O. Mierswa, Steven E. Read
  • Publication number: 20080019530
    Abstract: Embodiments of the present invention address deficiencies of the art in respect to encrypted message management in an archival environment, and provide a novel and non-obvious method, system and computer program product for message archival assurance. In one embodiment of the invention, a message archival assurance method can be provided that can include receiving an encrypted message designated for receipt by a messaging client; determining whether the encrypted message is decryptable using one of a set of bulk keys accessible by the messaging system; and, archiving and forwarding the encrypted message to the messaging client only if the encrypted message is decryptable using one of a set of bulk keys accessible by the messaging system and otherwise discarding the encrypted message.
    Type: Application
    Filed: May 30, 2006
    Publication date: January 24, 2008
    Applicant: International Business Machines Corporation
    Inventors: Alan D. Eldridge, David S. Kern
  • Patent number: 6094721
    Abstract: A method and apparatus for updating the password status of one or more servers in a client/server environment utilizes multiple passwords associated with a client process, including a current password and one or more non-current passwords. Each password has associated therewith a key and a key identifier. If upon an attempted access, a server process challenges the client process with a non-current key identifier, the client process provides the corresponding key associated with the non-current password. Once access to the server is achieved, the key identifier associated with the current password is supplied to the server process by the client process. In a networked server environment, the updated server process may provide the updated key identifier to other server processes which have knowledge of the client profile.
    Type: Grant
    Filed: October 31, 1997
    Date of Patent: July 25, 2000
    Assignee: International Business Machines Corporation
    Inventors: Alan D. Eldridge, Charles W. Kaufman
  • Patent number: 6061799
    Abstract: A portable medium containing client process identification information for use with a computer system requiring authentication prior to access thereto includes data identifying the client process and a plurality of data sets, each associated with a password, one of the passwords being designated as current. In one embodiment, the medium contains the passwords while in another embodiment, the medium contains keys at least partially derived from the passwords. The computer system with which the portable medium interfaces determines whether any of the data associated with the passwords matches authentication data previously stored in the computer system and associated with the client process. If a match occurs, the client process is allowed to access the system. If the data upon which access is based is not associated with a current password, the computer system will read the data associated with the current password and update its corresponding authentication data associated with the client process.
    Type: Grant
    Filed: October 31, 1997
    Date of Patent: May 9, 2000
    Assignee: International Business Machines Corp.
    Inventors: Alan D. Eldridge, Charles W. Kaufman
  • Patent number: 5787169
    Abstract: In a system in which encrypted information can be protected and maintained by multiple users using passwords in concert, a file with secure data contains both an unencrypted header and an encrypted data portion. The data portion contains both the secured data and a list of hashed passwords and is encrypted with a single file key. The unencrypted file header contains two tables. The first table is a list of passwords, where each password is cryptographically hashed using a second, different hashing technique than the hashed passwords in the data portion of the file. The second table is a list of cryptographically hashed combinations of cryptographically hashed passwords, where the combinations correspond to authorized user quorums and the passwords are hashed using the same technique as the passwords stored in the data portion of the file. Each hashed combination on the list is also used as a password key to encrypt the file key.
    Type: Grant
    Filed: December 28, 1995
    Date of Patent: July 28, 1998
    Assignee: International Business Machines Corp.
    Inventors: Alan D. Eldridge, Charles W. Kaufman