Patents by Inventor Eric Le Saint

Eric Le Saint has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 8306228
    Abstract: An anonymous secure messaging method and system for securely exchanging information between a host computer system and a functionally connected cryptographic module. The invention comprises a Host Security Manager application in processing communications with a security executive program installed inside the cryptographic module. An SSL-like communications pathway is established between the host computer system and the cryptographic module. The initial session keys are generated by the host and securely exchanged using a PKI key pair associated with the cryptographic module. The secure communications pathway allows presentation of critical security parameter (CSP) without clear text disclosure of the CSP and further allows use of the generated session keys as temporary substitutes of the CSP for the session in which the session keys were created.
    Type: Grant
    Filed: September 7, 2007
    Date of Patent: November 6, 2012
    Assignee: Activcard Ireland, Limited
    Inventors: Eric Le Saint, Wu Wen
  • Publication number: 20120036551
    Abstract: A security framework for a host computer system which allows a host to control access to a compliant security token by ensuring enforcement of established security policies administered by a middleware application. Processing between the host computer system and the security token is performed using one or more modular security application agents. The modular security application agents are counterpart applications to security applications installed in the security token and may be retrieved and installed upon to ensure compatibility between counterpart token and host security applications. The security policies are a composite of host security policies and token security policies which are logically combined by the middleware application at the beginning of a session.
    Type: Application
    Filed: February 25, 2011
    Publication date: February 9, 2012
    Inventors: Eric Le Saint, John Boyer
  • Patent number: 7921298
    Abstract: A security framework for a host computer system which allows a host to control access to a compliant security token by ensuring enforcement of established security policies administered by a middleware application. Processing between the host computer system and the security token is performed using one or more modular security application agents. The modular security application agents are counterpart applications to security applications installed in the security token and may be retrieved and installed upon to ensure compatibility between counterpart token and host security applications. The security policies are a composite of host security policies and token security policies which are logically combined by the middleware application at the beginning of a session.
    Type: Grant
    Filed: November 13, 2007
    Date of Patent: April 5, 2011
    Assignee: Activcard Ireland, Limited
    Inventors: Eric Le Saint, John Boyer
  • Publication number: 20100023776
    Abstract: The invention concerns a method for obtaining assurance that a content control key is securely stored in a remote security module for further secure communications between a content provider and said security. A security module manufacturer, which has a pre-established trustful relation with the security module, imports a symmetric transport key into the security module, wherein the symmetric transport key is unique to the security module. The content provider shares the symmetric transport key with the security module manufacturer and exchanges messages with the security module through a security module communication manager in order to get the proof that the security module stores the content control key. At least a portion of the messages exchanged between the content provider and the security module are protected using the symmetric transport key.
    Type: Application
    Filed: March 15, 2007
    Publication date: January 28, 2010
    Applicant: ACTIVIDENTITY INC.
    Inventors: Dominique Fedronic, Eric Le Saint, John Babbidge, Hong Liu
  • Publication number: 20090193264
    Abstract: A strong authentication method and system using a Secure ICC component coupled with a Personal device, and relying on the existing cryptographic protocols and keys for managing the secure ICC to generate One-Time-Passwords when the necessary authentication keys or cryptographic protocols are not already present in the Secure ICC configuration for that purpose.
    Type: Application
    Filed: September 22, 2008
    Publication date: July 30, 2009
    Applicant: ActivIdentity, Inc.
    Inventors: Dominique FEDRONIC, Eric LE SAINT, John BOYER, William BOGGESS
  • Publication number: 20090025074
    Abstract: A security framework for a host computer system which allows a host to control access to a compliant security token by ensuring enforcement of established security policies administered by a middleware application. Processing between the host computer system and the security token is performed using one or more modular security application agents. The modular security application agents are counterpart applications to security applications installed in the security token and may be retrieved and installed upon to ensure compatibility between counterpart token and host security applications. The security policies are a composite of host security policies and token security policies which are logically combined by the middleware application at the beginning of a session.
    Type: Application
    Filed: November 13, 2007
    Publication date: January 22, 2009
    Applicant: ACTIVCARD IRELAND, LIMITED
    Inventors: Eric Le Saint, John Boyer
  • Publication number: 20080089521
    Abstract: An anonymous secure messaging method and system for securely exchanging information between a host computer system and a functionally connected cryptographic module. The invention comprises a Host Security Manager application in processing communications with a security executive program installed inside the cryptographic module. An SSL-like communications pathway is established between the host computer system and the cryptographic module. The initial session keys are generated by the host and securely exchanged using a PKI key pair associated with the cryptographic module. The secure communications pathway allows presentation of critical security parameter (CSP) without clear text disclosure of the CSP and further allows use of the generated session keys as temporary substitutes of the CSP for the session in which the session keys were created.
    Type: Application
    Filed: September 7, 2007
    Publication date: April 17, 2008
    Inventors: Eric Le Saint, Wu Wen
  • Publication number: 20080040493
    Abstract: This invention provides a mechanism for performing secure configuration and data changes between a PSD and a hardware security module (HSM) using a communications pipe established between said PSD and said HSM. The data changes and configuration changes include but are not limited to installing, updating, replacing, deleting digital certificates, cryptographic keys, applets, other digital credentials, attributes of installed objects, or other stored proprietary information.
    Type: Application
    Filed: October 16, 2007
    Publication date: February 14, 2008
    Applicant: ACTIVCARD
    Inventors: Yves AUDEBERT, Eric Le Saint
  • Publication number: 20080022381
    Abstract: This invention provides a security token architecture which supports modular security application installations without loss of existing data or requiring the reinstallation of existing applications served by the security application modules. The architecture is compliant with the international standard ISO/IEC 7816-4, “Information technology—Identification tokens—Integrated circuit(s) tokens with contacts—Part 4: Interindustry commands for interchange.” An application is integrated into a security domain which serves as a centralized security applications programming interface between one or more token service applications and a series of security application modules. The API provides a more uniform security application interface which improves overall interoperability of the modular security applications and simplifies security application development.
    Type: Application
    Filed: August 6, 2007
    Publication date: January 24, 2008
    Inventor: Eric Le Saint
  • Publication number: 20070195998
    Abstract: A system is used for authorizing access to a Personal Security Device. This system comprises a Personal Security Device 75 and another device 105 which is in functional communication with said Personal Security Device. Said Personal Security Device comprises identification information retrieval data and a biometric authentication application 200 which transfers said identification information retrieval data to said other device 105 in response to an identified match between biometric data sent by said other device and a predetermined biometric reference. Said other device 105 comprises a security executive application 230 for retrieving an Identification Information with at least said identification information retrieval data, thus generating a retrieved Identification Information, and transferring said retrieved Identification Information to said Personal Security Device 75.
    Type: Application
    Filed: March 29, 2006
    Publication date: August 23, 2007
    Applicant: ACTIVIDENTITY, INC.
    Inventors: Eric Le Saint, Dominique Fedronic, John Boyer, Hong Liu
  • Publication number: 20060230437
    Abstract: A secure and transparent digital credential sharing arrangement which utilizes one or more cryptographic levels of indirection to obfuscate a sharing entity's credentials from those entities authorized to share the credentials. A security policy table is provided which allows the sharing entity to selectively authorize or revoke digital credential sharing among a plurality of entities. Various embodiments of the invention provide for secure storage and retrieval of digital credentials from security tokens such as smart cards. The secure sharing arrangement may be implemented in hierarchical or non-hierarchical embodiments as desired.
    Type: Application
    Filed: April 5, 2006
    Publication date: October 12, 2006
    Applicant: ACTIVIDENTITY, INC.
    Inventors: John Alexander Boyer, Eric Le Saint
  • Publication number: 20060104486
    Abstract: A method, system and computer program product for improving error discrimination in biometric authentication systems. The error discrimination is set to a predetermined security policy. A plurality of biometric samples are provided and authenticated by a computer system in conjunction with a security token. An alternate embodiment allows inputting of the plurality of biometric samples in a predetermined sequence. The predetermined input sequence is maintained as an authentication secret which may be used to further reduce the authentication transaction error rate.
    Type: Application
    Filed: November 10, 2005
    Publication date: May 18, 2006
    Applicant: ACTIVCARD INC.
    Inventors: Eric Le Saint, Wu Wen, Laurence Hamid
  • Publication number: 20050229005
    Abstract: A method and computer program product which comprises storing at least one data file inside a portable device such as a security token or flash memory drive associated with a security badge. The data file includes sufficient information to allow a third party to verify the identity of an assignee of the security badge. The identity of the assignee is based at least in part on the information included in the data file by the third party without having to rely on a presentation affixed to one or more exterior surfaces of the security badge. Other embodiments of the invention comprise operatively coupling the security token to a security system, authenticating the assignee to the security token, generating a digital signature of the data file using a private key, and sending the digital signature, the data file and a digital certificate associated with the private key to said security system.
    Type: Application
    Filed: April 7, 2004
    Publication date: October 13, 2005
    Applicant: ACTIVCARD Inc.
    Inventors: Eric Le Saint, Dominique Fedronic
  • Publication number: 20050138386
    Abstract: A method, system and computer program product for ensuring PKI key pairs are operatively installed within a secure domain of a security token prior to generating a digital certificate. The public key component of the PKI key pair is incorporated into a digital certificate which is returned to the security token for storage. The arrangement included herein incorporates the use of a critical security parameter to ensure a chain of trust with an issuing entity such as a registration authority. Furthermore, the arrangement does not require security officer or system administrator oversight during digital certificate generation as the critical security parameter provides a sufficient level of trust to ensure that digital certificate generation is being performed in conjunction with a designated security token rather than a rogue application. Lastly, separate inventive embodiments allow alternate communications and verification arrangements to be implemented.
    Type: Application
    Filed: December 22, 2003
    Publication date: June 23, 2005
    Inventor: Eric Le Saint
  • Publication number: 20050138421
    Abstract: A method, system and computer program product for accessing one or more security token resources using an authentication server as an intermediary before access is permitted to the security token resources. The server intermediary performs an initial authentication based on a user supplied critical security parameter. To ensure confidentiality of transported critical security parameters, a secure messaging session is established which provides end-to-end security between the authentication server and the security token. A second critical security parameter is then sent to the security token. The security token authenticates the second critical security parameter and allows access to token resources. Alternate secure communications mechanisms and an invalid entry counter reset capability are also described.
    Type: Application
    Filed: December 23, 2003
    Publication date: June 23, 2005
    Inventors: Dominique Fedronic, Eric Le Saint
  • Publication number: 20050136964
    Abstract: An intelligent remote device equipped with a security token operatively coupled thereto is processing communications with a security token enabled computer system over a wireless private network. The intelligent remote device is adapted to emulate a local security device peripheral connected to the computer system. Multiple computer systems may be authenticated to using the intelligent remote device. Additionally, various secure communications connections mechanisms are described which are intended to augment existing security protocols available using wireless network equipment. Authentication of a user supplied critical security parameter is performed by the security token. The critical security parameter may be provided locally via the intelligent remote device or received from the wireless network and routed to the security token. Aural, visual or vibratory feedback may be provided to the user to signal a successful authentication transaction.
    Type: Application
    Filed: December 22, 2003
    Publication date: June 23, 2005
    Inventors: Eric Le Saint, Dominique Fedronic
  • Publication number: 20040221174
    Abstract: A security framework for a host computer system which allows a host to control access to a compliant security token by ensuring enforcement of established security policies administered by a middleware application. Processing between the host computer system and the security token is performed using one or more modular security application agents. The modular security application agents are counterpart applications to security applications installed in the security token and may be retrieved and installed upon to ensure compatibility between counterpart token and host security applications. The security policies are a composite of host security policies and token security policies which are logically combined by the middleware application at the beginning of a session.
    Type: Application
    Filed: April 29, 2003
    Publication date: November 4, 2004
    Inventors: Eric Le Saint, John Boyer
  • Publication number: 20040218762
    Abstract: An anonymous secure messaging method and system for securely exchanging information between a host computer system and a functionally connected cryptographic module. The invention comprises a Host Security Manager application in processing communications with a security executive program installed inside the cryptographic module. An SSL-like communications pathway is established between the host computer system and the cryptographic module. The initial session keys are generated by the host and securely exchanged using a PKI key pair associated with the cryptographic module. The secure communications pathway allows presentation of critical security parameter (CSP) without clear text disclosure of the CSP and further allows use of the generated session keys as temporary substitutes of the CSP for the session in which the session keys were created.
    Type: Application
    Filed: April 29, 2003
    Publication date: November 4, 2004
    Inventors: Eric Le Saint, Wu Wen
  • Publication number: 20040123152
    Abstract: This invention provides a security token architecture which supports modular security application installations without loss of existing data or requiring the reinstallation of existing applications served by the security application modules. The architecture is compliant with the international standard ISO/IEC 7816-4, “Information technology—Identification tokens—Integrated circuit(s) tokens with contacts—Part 4: Interindustry commands for interchange.” An application is integrated into a security domain which serves as a centralized security applications programming interface between one or more token service applications and a series of security application modules. The API provides a more uniform security application interface which improves overall interoperability of the modular security applications and simplifies security application development.
    Type: Application
    Filed: April 1, 2003
    Publication date: June 24, 2004
    Inventor: Eric Le Saint
  • Publication number: 20040123138
    Abstract: This invention provides a security token architecture which supports modular security application installations without loss of existing data or requiring the reinstallation of existing applications served by the security application modules. The architecture is compliant with the international standard ISO/IEC 7816-4, “Information technology—Identification tokens—Integrated circuit(s) tokens with contacts—Part 4: Interindustry commands for interchange.” An application is integrated into a security domain which serves as a centralized security applications programming interface between one or more token service applications and a series of security application modules. The API provides a more uniform security application interface which improves overall interoperability of the modular security applications and simplifies security application development.
    Type: Application
    Filed: December 18, 2002
    Publication date: June 24, 2004
    Inventor: Eric Le Saint