Abstract: A method of electronically signing a document includes initializing a user, including generating an asymmetric key pair including a private signing key and a public signing key, and storing the private signing key and the public signing key; and providing an electronic signature, including receiving document data corresponding to at least one selected portion of the document, binding the stored private signing key and the document data to create an electronic signature, and providing the electronic signature for a recipient.

Abstract: A method of securing an object at an access level includes selecting a profile for a user, including a credential having an encrypted credential public key, an encrypted credential public key encryption key, and a multiple-level access identifier. A working key is generated by binding a domain value with a random value. The object is encrypted with the working key. A random value encryption key is generated based on the shared value by decrypting the credential public key encryption key with the profile key encryption key, decrypting the credential public key with the credential public key encryption key, generating an ephemeral key pair, and generating a shared value based on the ephemeral private key and the credential public key. The random value is encrypted with the random value encryption key, and the encrypted object, the ephemeral public key, and the encrypted random value are provided for an authorized recipient.

Abstract: A method of authenticating the identity of a user to determine access to a system includes providing a plurality of factor-based data instances corresponding to a user, evaluating the factor-based data instances to determine if the user's identity is authenticated, and granting or restricting the user's access to the system if the user's identity is authenticated. More particularly, the method includes providing a modified data instance based on a second data instance, generating a key based on a first data instance, applying the key to the modified data instance to generate a recovered data instance, interrogating the recovered data instance against the second data instance to generate an authentication value as a result of a correspondence evaluation, and granting or restricting the user's access to the system based at least in part on the validity of the authentication value.

Abstract: A method of authenticating the identity of a user to determine access to a system includes providing a plurality of factor-based data instances corresponding to a user, evaluating the factor-based data instances to determine if the user's identity is authenticated, and granting or restricting the user's access to the system if the user's identity is authenticated. More particularly, the method includes providing a modified data instance based on a second data instance, generating a key based on a first data instance, applying the key to the a modified data instance to generate a recovered data instance, interrogating the recovered data instance against the second data instance to generate an authentication value as a result of a correspondence evaluation, and granting or restricting the user's access to the system based at least in part on the validity of the authentication value.

Abstract: A computer program product, for producing a cryptographic key label for use in exchanging information between first and second organizations of members, resides on a computer-readable medium includes computer-readable instructions configured to cause a computer to: produce a read-write cryptographic key using at least one base value; produce a write-only cryptographic key using the read-write cryptographic key; combine a first identifier, uniquely associated with the first organization, and a second identifier, uniquely associated with the key label to be produced, using a one-way function to produce a pedigree; and associate the pedigree with the read-write key and the write-only key to form the cryptographic key label.

Abstract: A method of securing an object at an access level includes selecting a profile for a user, including a credential having an encrypted credential public key, an encrypted credential public key encryption key, and a multiple-level access identifier. A working key is generated by binding a domain value with a random value. The object is encrypted with the working key. A random value encryption key is generated based on the shared value by decrypting the credential public key encryption key with the profile key encryption key, decrypting the credential public key with the credential public key encryption key, generating an ephemeral key pair, and generating a shared value based on the ephemeral private key and the credential public key. The random value is encrypted with the random value encryption key, and the encrypted object, the ephemeral public key, and the encrypted random value are provided for an authorized recipient.

Abstract: A system for encrypting a data encryption key includes a key encryption key generator configured to receive a public portion of a label, the label including an asymmetric key pair of the public portion and a private portion, the key encryption key generator being further configured to process the public portion of the label to obtain a key encryption key, and a data encryption key encoder configured to receive the key encryption key from the key encryption key generator and to receive a data encryption key from a random number generator, the encoder being further configured to encrypt the data encryption key using the key encryption key to produce an encrypted data encryption key and to provide the encrypted data encryption key to an encryption device.

Abstract: A system for regulating access to information of different levels of sensitivity includes an input configured to receive authentication information from a user, and a processor configured to: produce a first token key; encrypt a read-write portion of a first cryptographic key associated with a first sensitivity level using the first token key; encrypt the first token key using first authentication information associated with the first sensitivity level; produce a second token key by applying a one-way function to the first token key; encrypt a read-write portion of a second cryptographic key associated with a second sensitivity level using the first token key, the second sensitivity level being lower than the first sensitivity level; and encrypt the second token key using second authentication information associated with the second sensitivity level.

Abstract: A method of authenticating the identity of a user to determine access to a system includes providing a plurality of factor-based data instances corresponding to a user, evaluating the factor-based data instances to determine if the user's identity is authenticated, and granting or restricting the user's access to the system if the user's identity is authenticated. More particularly, the method includes providing a modified data instance based on a second data instance, generating a key based on a first data instance, applying the key to the a modified data instance to generate a recovered data instance, interrogating the recovered data instance against the second data instance to generate an authentication value as a result of a correspondence evaluation, and granting or restricting the user's access to the system based at least in part on the validity of the authentication value.

Abstract: A method of authenticating the identity of a user to determine access to a system includes providing a plurality of factor-based data instances corresponding to a user, evaluating the factor-based data instances to determine if the user's identity is authenticated, and granting or restricting the user's access to the system if the user's identity is authenticated. More particularly, the method includes providing a modified data instance based on a second data instance, generating a key based on a first data instance, applying the key to the a modified data instance to generate a recovered data instance, interrogating the recovered data instance against the second data instance to generate an authentication value as a result of a correspondence evaluation, and granting or restricting the user's access to the system based at least in part on the validity of the authentication value.

Abstract: A method of securing an object at an access level includes selecting a profile for a user, including a credential having an encrypted credential public key, an encrypted credential public key encryption key, and a multiple-level access identifier. A working key is generated by binding a domain value with a random value. The object is encrypted with the working key. A random value encryption key is generated based on the shared value by decrypting the credential public key encryption key with the profile key encryption key, decrypting the credential public key with the credential public key encryption key, generating an ephemeral key pair, and generating a shared value based on the ephemeral private key and the credential public key. The random value is encrypted with the random value encryption key, and the encrypted object, the ephemeral public key, and the encrypted random value are provided for an authorized recipient.

Abstract: A method of securing an object at an access level includes selecting a profile for a user, including a credential having an encrypted credential public key, an encrypted credential public key encryption key, and a multiple-level access identifier. A working key is generated by binding a domain value with a random value. The object is encrypted with the working key. A random value encryption key is generated based on the shared value by decrypting the credential public key encryption key with the profile key encryption key, decrypting the credential public key with the credential public key encryption key, generating an ephemeral key pair, and generating a shared value based on the ephemeral private key and the credential public key. The random value is encrypted with the random value encryption key, and the encrypted object, the ephemeral public key, and the encrypted random value are provided for an authorized recipient.

Abstract: A method of authenticating the identity of a user to determine access to a system includes providing a plurality of factor-based data instances corresponding to a user, evaluating the factor-based data instances to determine if the user's identity is authenticated, and granting or restricting the user's access to the system if the user's identity is authenticated. More particularly, the method includes providing a modified data instance based on a second data instance, generating a key based on a first data instance, applying the key to the a modified data instance to generate a recovered data instance, interrogating the recovered data instance against the second data instance to generate an authentication value as a result of a correspondence evaluation, and granting or restricting the user's access to the system based at least in part on the validity of the authentication value.