Abstract: A system and method for controlling program execution for a first-party includes providing application registration data, by a second-party (trusted party), wherein the application registration data contains a plurality of first unique application verification data (i.e., data elements), such as a list of hash values. Each unique application verification data element corresponds to at least one of the plurality of approved executable programs. The unique application verification data element is determined as a uniquely associatable data corresponding to each of corresponding executable programs from the plurality of executable programs. Prior to allowing individual program execution by the first-party, the first-party generates a second unique application verification data element, such as a hash value, of an executable file designated for execution on a processing device and compares the generated hash value to the list of hash values. If a match is found, the program is allowed to execute.

Abstract: Briefly, a centralized secure data backup system pulls information to be securely backed-up from one or more data sources such as computer nodes or other communication units. A processor or other suitable processor centrally initiates extraction of data to be backed-up from a plurality of processing nodes. The processor employs a backup data encryptor that encrypts the centrally extracted data using a public key based cryptographic system. Data is encrypted using a suitable symmetric key and symmetric cryptosystem. Then the symmetric key is wrapped using the public encryption key of the data source, such as a user, organization administrator, software application or other entity.

Abstract: A data deletion system and method detects data deletion notification data representing a desire to delete data, such as a data delete command from a storage management system such as an operating system or other software application. The system and method provides a system invoked deletion process that modifies the desired data to be deleted in response to the detected data deletion notification data. The system does not require continued user invocation to select data to be deleted. Modification of the desired data to be deleted includes actual deletion of the information by overwriting the desired data to be deleted with random data or other process such as overwriting original data multiple times, to ensure that there is no detectable electronic signature of the original data.

Abstract: An apparatus and method facilitates information security policy control for an information security engine by utilizing security policy association data on a per security engine user basis. Security policy association data may include, for example, data representing identification information of the user of the security engine along with corresponding policy identification data. Policy user identification data may be a hash value of the disk image of an executable software application which uses the security engine, along with policy object identification data which indicates which policy (or policies) that particular application is required to use. A security engine obtains access to this information and also obtains comparison information such as generating a realtime hash value of a calling application that is requesting use of the security engine and compares the newly generated hash value to a stored hash value included as the policy association data.

Abstract: An application registration data generator, on a per application basis, generates application registration data that contains at least application identification data, such as, the name of a software application or a pathname to a software application, and stored unique application verification data that is based on executable file data. A data access determinator determines whether a calling application should be allowed access to the limited access based data by, for example, computing a hash value of the executable file and checking whether this hash value matches the corresponding stored unique application verification data. If there is a match, the application is granted access to the user's cryptographic parameters, privilege data, or other limited access based data on a per application basis.

Abstract: A method for securing group communications with reduced message overhead begins by initiating a secure group communication, where a group communication is secured based on security credentials of the group. The secured group communication is then provided to members of the group, where the secured group communication includes a secured message portion and an overhead portion based on the group, not each member. Each member of the group that receives the message determines that the secured message is group communication for its particular group. Each member then obtains at least a portion of the security credentials (e.g., the private decryption key) of the group to decrypt the secured group communication.

Abstract: A method and apparatus for secure group communication detects the deletion of a member of the group and uses the detected deletion to update the security credentials of a group by updating a repository containing credentials of members of a group. Alternatively, updating of the security credentials may be performed by sending a group credential deletion request for a member that has been deleted from the group so that the member deletes a stored copy of the group security credential.

Abstract: A method and apparatus for secure group communication allows on-demand procurement of stored security credentials of a group. In one embodiment, this is done by having a processor store at least a portion of the security credentials of the group in a location accessible from more than one member of the group, such as in an encrypted form in a public directory. Security credentials include at least a cryptographic key use to secure information. Each member may have a dedicated entry containing a group security credential associated with that member. The information may also be stored in a variety of other ways including, for example, storing a composite set of encrypted group security credentials. A member accesses the stored group security credentials on an on-demand basis.