Patents by Inventor Andy Lloyd Trotter

Andy Lloyd Trotter has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 7155605
    Abstract: A data processing system and method are disclosed for maintaining a secure data block within the system. A block of data is established within the system. The block of data is associated with a particular user and a particular application. A hardware master key pair is established for the system. The hardware master key pair includes a master private key and a master public key. The hardware master key pair is associated with the system for which it was established so that the master private key is known to only that system. The block of data is encrypted utilizing the master public key. The master private key is required to decrypt the encrypted block of data. This data processing system is the only system capable of decrypting the encrypted block of data.
    Type: Grant
    Filed: March 31, 1999
    Date of Patent: December 26, 2006
    Assignee: Lenovo (Singapore) Pte. Ltd.
    Inventors: Daryl Carvis Cromer, Howard Locker, Andy Lloyd Trotter, James Peter Ward
  • Patent number: 7146433
    Abstract: A remote mobile unit (MU) including a radio device is provided with an ability to communicate through a LAN by remote association with an access point (AP) that is out of range for communication with the radio device of the remote MU. The remote MU transmits a request frame that is received and retransmitted by one or more intermediate MUs until a connection is made with the AP. Each of the intermediate MUs adds an identifying address to the request, forming a path that is used in both directions to transmit a response from the AP to the remote MU and to transmit data between the AP and the MU.
    Type: Grant
    Filed: February 1, 2002
    Date of Patent: December 5, 2006
    Assignee: Lenovo Singapore Pte. Ltd
    Inventors: Daryl Carvis Cromer, Howard Jeffrey Locker, Andy Lloyd Trotter, James Peter Ward
  • Patent number: 6988196
    Abstract: A computer system and method are disclosed for generating a certificate that can be validated against a trusted hardware subsystem within a computer system. A security subsystem is established within the computer system. A master key pair including a master public key and master private key is established. The master private key is stored in protected storage within the security subsystem such that the master private key is inaccessible outside of the security subsystem. Generation of a self-verifying certificate is requested. A user of the computer system is then prompted to enter an authentication code in response to the request for generation of the certificate. A certificate is generated utilizing the master key pair only in response to a correct entry of the authentication code. The certificate is used only internally within the computer system.
    Type: Grant
    Filed: December 22, 2000
    Date of Patent: January 17, 2006
    Assignee: Lenovo (Singapore) Pte Ltd
    Inventors: Daryl Carvis Cromer, Brandon Jon Ellison, Howard Jeffrey Locker, Andy Lloyd Trotter, James Peter Ward
  • Patent number: 6978385
    Abstract: A data processing system and method are disclosed for remotely recovering a client computer system's primary password. The primary password must be correctly entered prior to the client computer system becoming fully accessible to a user. The client computer system is coupled to a server computer system utilizing a network. Prior to the client computer system completing a boot process, a user is prompted to enter the primary password. An interrogative password method is provided in response to an incorrect entry of the primary password. The primary password is recoverable in response to a successful execution of the interrogative password method. The primary password is recoverable from the server computer system by the client computer system prior to said client computer system completing said boot process utilizing the interrogative password method.
    Type: Grant
    Filed: March 1, 2000
    Date of Patent: December 20, 2005
    Assignee: International Business Machines Corporation
    Inventors: Richard W. Cheston, Daryl Carvis Cromer, Richard Alan Dayan, Dhruv Manmohandas Desai, Jan M. Janick, Howard Jeffery Locker, Andy Lloyd Trotter, James Peter Ward
  • Patent number: 6959390
    Abstract: A data processing system and method are disclosed for maintaining secure user private keys in a non-secure storage device. A master key pair is established for the system. The master key pair includes a master private key and a master public key. The master key pair is stored in a protected storage device. A unique user key pair is established for each user. The user key pair includes a user private key and a user public key. The user private key is encrypted utilizing the master public key. The encrypted user private key is stored in the non-secure storage device, wherein the encrypted user private key is secure while stored in the non-secure storage device.
    Type: Grant
    Filed: March 3, 1999
    Date of Patent: October 25, 2005
    Assignee: International Business Machines Corporation
    Inventors: David Carroll Challener, Daryl Carvis Cromer, Mark Charles Davis, Scott Thomas Elliott, Howard Jeffrey Locker, Andy Lloyd Trotter, James Peter Ward
  • Patent number: 6920561
    Abstract: A method for providing an authentication of a user of a computer system in a network is disclosed. The method comprises capturing biometric data of a user; encrypting and signing the biometric data with a private key and sending the encrypted and signed data to a central server in the network. The method further comprises accepting and verifying credentials associated with the signed and encrypted data from the server utilizing the public key from the server. The method further comprises installing the credentials into the computer if the credentials are verified. In a method and system in accordance with the present invention, a user can walk up to any client within an enterprise and have their locally captured biometric input authenticated at a central server. The user can then have their individual credentials securely imported to the local client for subsequent use during that time period, without needing any additional identification or memory token such as a smartcard.
    Type: Grant
    Filed: March 31, 2000
    Date of Patent: July 19, 2005
    Assignee: International Business Machines Corporation
    Inventors: Christopher Britton Gould, Howard Jeffery Locker, Andy Lloyd Trotter, Michael T. Vanover, James Peter Ward
  • Patent number: 6880095
    Abstract: A computing system includes a motherboard including one or more connection subsystems, each of which includes a port connector and a device interface circuit conditioning signals transmitted or received through the port connector. The port connector includes a connection-sensing terminal, which is connected to ground through a cable, and which is allowed to float to a voltage supplied through a pull-up resistor when the cable is disconnected. The motherboard also includes a main voltage plane supplying electrical power to a separate voltage plane for each device interface circuit only when a cable is connected to the port connector which is also connected to the device interface circuit.
    Type: Grant
    Filed: January 23, 2002
    Date of Patent: April 12, 2005
    Assignee: International Business Machines Corporation
    Inventors: Daryl Carvis Cromer, Howard Jeffrey Locker, Andy Lloyd Trotter, James Peter Ward
  • Patent number: 6754826
    Abstract: A data processing system and method are disclosed for providing an access connector which limits access to a network to only authorized client computer systems. The network is controlled by a server computer system. The access connector is provided for physically coupling a client computer system to the network. The access connector is physically coupled to the network. Prior to permitting the client computer system to attempt to establish a client communication link with the network, the client computer system attempts to authenticate itself to the server computer system. In response to the client computer system being unable to authenticate itself to the server computer system, the access connector prohibits the client computer system from establishing a client communication link between the client computer system and the network.
    Type: Grant
    Filed: March 31, 1999
    Date of Patent: June 22, 2004
    Assignee: International Business Machines Corporation
    Inventors: David Carroll Challener, Daryl Carvis Cromer, Dhruv M. Desai, Brandon Jon Ellison, Howard Locker, Andy Lloyd Trotter, James Peter Ward
  • Patent number: 6701349
    Abstract: A data processing system and method are disclosed for prohibiting an unauthorized user from modifying a priority level associated with a client computer system. The priority level is utilized by a client computer system during transmission of the client's data over a network. One of a plurality of priority levels is associated with the client computer system. The plurality of priority levels includes a higher priority level and a lower priority level. The client computer system associates the priority level with the data transmitted by the client computer system over the network. The data associated with the higher priority level is typically transmitted prior to data associated with the lower priority level. In response to an attempt to modify the associated priority level, the client determines whether the attempt is being made by an approved user. In response to a determination that the attempt is not being made by an approved user, the attempted modification of the priority level is prohibited.
    Type: Grant
    Filed: July 16, 1999
    Date of Patent: March 2, 2004
    Assignee: International Business Machines Corporation
    Inventors: Daryl Carvis Cromer, Brandon Jon Ellison, Eric Richard Kern, Howard Jeffery Locker, Andy Lloyd Trotter, James Peter Ward
  • Patent number: 6654886
    Abstract: A data processing system and method are disclosed for permitting only preregistered client computer hardware to access a service executing on a remote server computer system. A log-in token is established including a unique identifier which identifies a particular client computer hardware. The client computer hardware logs-on to the server computer system. Subsequent to the client computer hardware logging-on to the server computer system, the client computer hardware attempts to access the service. During the attempt, the client computer hardware transmits the log-in token to the server computer system. The server computer system utilizes the unique identifier included within the log-in token to determine if the client computer hardware is registered to access the service. In response to a determination that the client computer hardware is registered to access the service, the server computer system permits the client computer hardware to access the service.
    Type: Grant
    Filed: July 16, 1999
    Date of Patent: November 25, 2003
    Assignee: International Business Machines Corporation
    Inventors: David Carroll Challener, Daryl Carvis Cromer, Dhruv Manmohandas Desai, Howard Jeffrey Locker, Andy Lloyd Trotter, James Peter Ward
  • Publication number: 20030156558
    Abstract: A remote mobile unit (MU) including a radio device is provided with an ability to communicate through a LAN by remote association with an access point (AP) that is out of range for communication with the radio device of the remote MU. The remote MU transmits a request frame that is received and retransmitted by one or more intermediate MUs until a connection is made with the AP. Each of the intermediate MUs adds an identifying address to the request, forming a path that is used in both directions to transmit a response from the AP to the remote MU and to transmit data between the AP and the MU.
    Type: Application
    Filed: February 1, 2002
    Publication date: August 21, 2003
    Applicant: International Business Machines Corporation
    Inventors: Daryl Carvis Cromer, Howard Jeffrey Locker, Andy Lloyd Trotter, James Peter Ward
  • Publication number: 20030140262
    Abstract: A computing system includes a motherboard including one or more connection subsystems, each of which includes a port connector and a device interface circuit conditioning signals transmitted or received through the port connector. The port connector includes a connection-sensing terminal, which is connected to ground through a cable, and which is allowed to float to a voltage supplied through a pull-up resistor when the cable is disconnected. The motherboard also includes a main voltage plane supplying electrical power to a separate voltage plane for each device interface circuit only when a cable is connected to the port connector which is also connected to the device interface circuit.
    Type: Application
    Filed: January 23, 2002
    Publication date: July 24, 2003
    Applicant: International Business Machines Corporation
    Inventors: Daryl Carvis Cromer, Howard Jeffrey Locker, Andy Lloyd Trotter, James Peter Ward
  • Patent number: 6567920
    Abstract: A data processing system and method are disclosed for authenticating a client computer system to a secure network prior to permitting the client computer system to attempt to log-on to the network. The secure network is controlled by a server computer system. A unique identifier is established which identifies the client computer system. The unique identifier is encrypted. Prior to permitting the client computer system to attempt to log-on to the secure network, the client computer system transmits the encrypted identifier to the server computer system. Also prior to permitting the client computer system to attempt to log-on to the network, the server computer system utilizes the unique identifier to determine whether to permit the client computer system to attempt to log-on to the network. The client computer system is authenticated prior to permitting the client computer system to attempt to log-on to the network.
    Type: Grant
    Filed: March 31, 1999
    Date of Patent: May 20, 2003
    Assignee: International Business Machines Corporation
    Inventors: Daryl Carvis Cromer, Dhruv M. Desai, Brandon Jon Ellison, Eric Richard Kern, Howard Locker, Andy Lloyd Trotter, James Peter Ward
  • Publication number: 20020161998
    Abstract: A client lacking hardware-based cryptography functionality obtains its benefits by allowing an access server (or similar server through which the client consistently transmits data transactions) which has such hardware-based cryptography functionality to act as a virtual client. A connection having packet-level encryption is employed to transmit data transaction requests, and optionally also encryption keys, digital certificates and the like assigned to the client, from the client to the server, and to transmit processed responses from the server to the client. The server performs any required security processing required for data transaction requests and responses, such as encryption/decryption or attachment or validation of digital certificates, on behalf of the client utilizing the hardware-based cryptography functionality, then forwards processed requests to recipients and returns processed responses to the client via the secure connection.
    Type: Application
    Filed: April 27, 2001
    Publication date: October 31, 2002
    Applicant: International Business Machines Corporation
    Inventors: Daryl Carvis Cromer, Howard Jeffrey Locker, Andy Lloyd Trotter, James Peter Ward
  • Publication number: 20020129261
    Abstract: A number of client systems receive a common secure transfer key pair from a server during initialization. The secure transfer private key is encrypted in the server with a platform public key sent to the server from the client system. Each client system is then able to encrypt data, using a secure transfer public key, to be recorded on a computer readable medium, and subsequently to decrypt such data using a secure transfer private key. Preferably, each client system includes an embedded security subsystem (ESS) performing cryptographic processes and providing secure key storage. Then, the secure transfer private key is stored as encrypted, and is decrypted using a private key within the ESS. Preferably, the platform private key is also stored encrypted, to be decrypted within the ESS using a hardware private key.
    Type: Application
    Filed: March 8, 2001
    Publication date: September 12, 2002
    Inventors: Daryl Carvis Cromer, Howard Jeffrey Locker, Andy Lloyd Trotter, James Peter Ward
  • Publication number: 20020093567
    Abstract: A method and system are disclosed for generating and distributing a digital photographic proof. An altered image is generated by altering original image data to produce altered image data. The altered image data is stored in an electronic file. The encrypted instructions are stored in the file with the altered image data. The instructions describe a method for reversing an alteration method utilized to alter the original image to produce the altered image data. A digital photographic proof is produced utilizing the file by displaying the altered image. All users are permitted to view the altered image. Only authorized users are permitted to utilize the encrypted instructions to reproduce the original image from the altered image data. Only authorized users may reproduce the original image. The single electronic file is thus utilized to both produce a digital photographic proof and to reproduce the original image.
    Type: Application
    Filed: January 12, 2001
    Publication date: July 18, 2002
    Applicant: International Business Machines Corporation
    Inventors: Daryl Carvis Cromer, David Carroll Challener, Richard Alan Dayan, Dhruv Manmohandas Desai, Howard Jeffrey Locker, Andy Lloyd Trotter, James Peter Ward
  • Publication number: 20020093573
    Abstract: A digital camera and method are disclosed for verifying that a particular digitized visual image was produced by the digital camera. A visual image is stored in a digital format in the camera. A digital signature is generated for the image utilizing the camera only in response to the storage of the image in the particular camera which captured the image. The digital signature associates the stored image with the camera. The digital signature is stored only in the camera separately from the image in the camera. The digital signature is capable of being utilized only within the camera which generated the signature. It is not accessible outside of the particular camera which generated the signature. The signature is inaccessible to devices other than the camera. Subsequently, a digital visual image may be authenticated as being produced by this digital camera utilizing the digital signature stored in the digital camera.
    Type: Application
    Filed: January 12, 2001
    Publication date: July 18, 2002
    Applicant: International Business Machines Corporation
    Inventors: Daryl Carvis Cromer, Richard Alan Dayan, Howard Jeffrey Locker, Andy Lloyd Trotter, James Peter Ward
  • Publication number: 20020083323
    Abstract: A method and system for enabling an image to be authenticated is disclosed. The method and system comprise providing a digital signature associated with a device, allowing a user to capture the image utilizing the device and associating the digital signature and information related to the user with the captured image wherein the digital signature and the information related to the user are capable of being utilized to authenticate the captured image. Through the use of the method and system in accordance with the present invention, digital images can be captured whereby the digital signature of the capturing device, as well as information related to the photographer (i.e. name, company, etc.), are associated with the captured image. By associating the digital signature of the camera, as well as information related to the photographer, with the captured image, the subsequent authentication of the digital image is more reliable.
    Type: Application
    Filed: December 22, 2000
    Publication date: June 27, 2002
    Inventors: Daryl Carvis Cromer, Richard Alan Dayan, Howard Jeffrey Locker, Andy Lloyd Trotter, James Peter Ward
  • Publication number: 20020080973
    Abstract: A computer system and method are disclosed for generating a certificate that can be validated against a trusted hardware subsystem within a computer system. A security subsystem is established within the computer system. A master key pair including a master public key and master private key is established. The master private key is stored in protected storage within the security subsystem such that the master private key is inaccessible outside of the security subsystem. Generation of a self-verifying certificate is requested. A user of the computer system is then prompted to enter an authentication code in response to the request for generation of the certificate. A certificate is generated utilizing the master key pair only in response to a correct entry of the authentication code. The certificate is used only internally within the computer system.
    Type: Application
    Filed: December 22, 2000
    Publication date: June 27, 2002
    Inventors: Daryl Carvis Cromer, Brandon Jon Ellison, Howard Jeffrey Locker, Andy Lloyd Trotter, James Peter Ward