Patents by Inventor Jeffrey F. Spelman

Jeffrey F. Spelman has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 8245051
    Abstract: Systems and methods directed at enhancing the capability of a federated authentication system by configuring the system with extensibility points for adding new account stores and customizing claim transformations. The federated authentication system includes accounts stores, a security token service (STS), and custom claim transformation modules. The account stores are configured to maintain data associated with accounts and to provide security claims in an intermediate format. The STS is configured to retrieve the security claims provided by the account stores and includes built-in transformations for transforming each security claim from the intermediate format to formats associated with resource providers. The STS is further configured to provide extensibility points for custom claim transformations that are not available from the built-in transformations. The custom claim transformation modules are configured to perform at least one custom claim transformation.
    Type: Grant
    Filed: May 13, 2005
    Date of Patent: August 14, 2012
    Assignee: Microsoft Corporation
    Inventors: Ryan D. Johnson, Donald E. Schmidt, Jeffrey F. Spelman, Kahren Tevosyan, Vijayavani Nori
  • Patent number: 8108920
    Abstract: A system provides single sign-on capabilities for accessing a Web application through a passive client across multiple realms within a federation. A federation refers to different organizations or realms that have employed agreements, standards, and/or cooperative technologies to make user identity and entitlements portable between the organizations. Communications are redirected through a client in one realm to obtain a security token that can allow the resource server in the other realm to authenticate the user for access to the Web application.
    Type: Grant
    Filed: May 12, 2003
    Date of Patent: January 31, 2012
    Assignee: Microsoft Corporation
    Inventors: Jeffrey F. Spelman, Yordan Rouskov, Brendan W. Dixon, Matthew Hur, Josh Thomas Gray, Michael S. Dusche, Ryan D. Johnson, John Kahren Tevosyan
  • Patent number: 7748046
    Abstract: Systems and methods directed at transforming security claims in a federated authentication system using an intermediate format. The systems and methods described herein are directed at transforming security claims in a federated authentication system using an intermediate format. The federated authentication system includes an identity provider and a resource provider. The identity provider receives a request for information from the resource provider to authenticate an account by an application associated with the resource provider. A security claim associated with the account is retrieved where the security claim is provided by an account store in a format specific to the account store. The security claim is transformed from the account store specific format to an intermediate format. The security claim is then transformed from the intermediate format to a federated format recognized by the resource provider. The transformed security claim is provided in a security token to the resource provider.
    Type: Grant
    Filed: April 29, 2005
    Date of Patent: June 29, 2010
    Assignee: Microsoft Corporation
    Inventors: Ryan D. Johnson, Donald E. Schmidt, Jeffrey F. Spelman, Kahren Tevosyan, Vijayavani Nori
  • Patent number: 7702917
    Abstract: The described systems, methods, and data structures are directed at data transfer using Hyper-Text Transfer Protocol (HTTP) query strings. A block of data is partitioned into sections. Each section is encoded in a query string of a HTTP message. Each HTTP message is sent to a server by redirecting through a client. Multiple redirected messages are sent until the entire block of data is transferred to the server. The data block may be stored as a cookie on the client so that the data block does not have to persist on any server. Data transfer using HTTP query strings may be implemented to transfer a security token from a security token service (STS) server to an application server.
    Type: Grant
    Filed: November 19, 2004
    Date of Patent: April 20, 2010
    Assignee: Microsoft Corporation
    Inventors: Kahren Tevosyan, Matthew Hur, Ryan D. Johnson, Donald E. Schmidt, Jeffrey F. Spelman
  • Patent number: 7603555
    Abstract: A system for authenticating computer users comprising a single active directory disposed in an intranet, a web server disposed in a DMZ associated with the intranet, and a web client coupled to the web server through an internet connection that is capable of signing on to the web server.
    Type: Grant
    Filed: June 30, 2005
    Date of Patent: October 13, 2009
    Assignee: Microsoft Corporation
    Inventors: Donald E. Schmidt, Ryan D. Johnson, Kahren Tevosyan, Jeffrey F. Spelman, Krishnanand Shenoy, Harini Raghavan, David R. Mowers, Matthew Hur
  • Patent number: 7571199
    Abstract: A system collects entropy data and stores the entropy data in a nonvolatile memory. The entropy data stored in the nonvolatile memory is updated with newly collected entropy data. The entropy data stored in the nonvolatile memory is used to generate a string of random bits. The entropy data is collected from multiple sources within a computer system and may include data related to a processor in the computer system and an operating system executing on the computer system. The entropy data is maintained in a protected portion of an operating system kernel. A hashing algorithm is applied to the entropy data to generate random seed data.
    Type: Grant
    Filed: November 15, 2000
    Date of Patent: August 4, 2009
    Assignee: Microsoft Corporation
    Inventors: Scott A. Field, Jeffrey F. Spelman
  • Publication number: 20040230831
    Abstract: A system provides single sign-on capabilities for accessing a Web application through a passive client across multiple realms within a federation. A federation refers to different organizations or realms that have employed agreements, standards, and/or cooperative technologies to make user identity and entitlements portable between the organizations. Communications are redirected through a client in one realm to obtain a security token that can allow the resource server in the other realm to authenticate the user for access to the Web application.
    Type: Application
    Filed: May 12, 2003
    Publication date: November 18, 2004
    Applicant: MICROSOFT CORPORATION
    Inventors: Jeffrey F. Spelman, Yordan Rouskov, Brendan W. Dixon, Matthew Hur, Josh Thomas Gray, Michael S. Dusche, Ryan D. Johnson, John Kahren Tevosyan
  • Patent number: 6560581
    Abstract: An electronic commerce system facilitates secure electronic commerce transactions among multiple participants. Each electronic commerce transaction involves at least one commerce document defining the transaction and at least one commerce instrument defining a payment for the transaction. The electronic commerce system has a credential binding server at a trusted credential authority, multiple computing units at associated participants, and a communication system interconnecting the credential binding server and the multiple computing units. The electronic commerce system operates in two phases: a registration phase and a transaction phase. During the registration phase, each of the computing units generates and sends a registration packet over the communication system to the credential binding server. Unique credentials are produced by the credential binding server based upon the registration packets and sent back to the computing units.
    Type: Grant
    Filed: June 8, 1998
    Date of Patent: May 6, 2003
    Assignee: Visa International Service Association
    Inventors: Barbara L. Fox, Lester L. Waters, Jeffrey F. Spelman, Robert B. Seidensticker, Matthew W. Thomlinson
  • Patent number: 5790677
    Abstract: An electronic commerce system facilitates secure electronic commerce transactions among multiple participants. Each electronic commerce transaction involves at least one commerce document defining the transaction and at least one commerce instrument defining a payment for the transaction. The electronic commerce system has a credential binding server at a trusted credential authority, multiple computing units at associated participants, and a communication system interconnecting the credential binding server and the multiple computing units. The electronic commerce system operates in two phases: a registration phase and a transaction phase. During the registration phase, each of the computing units generates and sends a registration packet over the communication system to the credential binding server. Unique credentials are produced by the credential binding server based upon the registration packets and sent back to the computing units.
    Type: Grant
    Filed: June 29, 1995
    Date of Patent: August 4, 1998
    Assignee: Microsoft Corporation
    Inventors: Barbara L. Fox, Lester L. Waters, Jeffrey F. Spelman, Robert B. Seidensticker, Matthew W. Thomlinson
  • Patent number: 5764768
    Abstract: A method of processing encrypted communications sent by a first party, the method including the steps of: receiving from the first party a message that has a first part, a second part, a third part and a fourth part, wherein the first part includes a first block of information that is encrypted by using a key k1, the second part includes a second block of information that is encrypted by using a key k2, the third part includes a third block of information that is encrypted by using a key R, and the fourth part includes a fourth block of information that is encrypted by using the key R, wherein the third block of information includes k1 and the fourth block of information includes k2; blinding the fourth part; sending the third part and the blinded fourth part to a recryptor; receiving from the recryptor the k1 key re-encrypted by using a first key; and receiving from the recryptor a fifth block of information which is the blinded fourth block of information that has been encrypted by using a second key.
    Type: Grant
    Filed: April 9, 1997
    Date of Patent: June 9, 1998
    Assignee: Microsoft Corporation
    Inventors: Jeffrey F. Spelman, Matthew W. Thomlinson
  • Patent number: 5761311
    Abstract: A method of processing encrypted communications sent by a first party, the method including the steps of: receiving from the first party a message that has a first part, a second part, a third part and a fourth part, wherein the first part includes a first block of information that is encrypted by using a key k1, the second part includes a second block of information that is encrypted by using a key k2, the third part includes a third block of information that is encrypted by using a key R, and the fourth part includes a fourth block of information that is encrypted by using the key R, wherein the third block of information includes k1 and the fourth block of information includes k2; blinding the fourth part; sending the third part and the blinded fourth part to a recryptor; receiving from the recryptor the k1 key re-encrypted by using a first key; and receiving from the recryptor a fifth block of information which is the blinded fourth block of information that has been encrypted by using a second key.
    Type: Grant
    Filed: April 9, 1997
    Date of Patent: June 2, 1998
    Assignee: Microsoft Corporation
    Inventors: Jeffrey F. Spelman, Matthew W. Thomlinson
  • Patent number: 5689565
    Abstract: A cryptography system architecture provides cryptographic functionality to support an application requiring encryption, decryption, signing, and verification of electronic messages. The cryptography system has a cryptographic application program interface (CAPI) which interfaces with the application to receive requests for cryptographic functions. The cryptographic system further includes at least one cryptography service provider (CSP) that is independent from, but dynamically accessible by, the CAPI. The CSP provides the cryptographic functionality and manages the secret cryptographic keys. In particular, the CSP prevents exposure of the encryption keys in a non-encrypted form to the CAPI or application. The cryptographic system also has a private application program interface (PAPI) to provide direct access between the CSP and the user. The PAPI enables the user to confirm or reject certain requested cryptographic functions, such as digitally signing the messages or exportation of keys.
    Type: Grant
    Filed: June 29, 1995
    Date of Patent: November 18, 1997
    Assignee: Microsoft Corporation
    Inventors: Terrence R. Spies, Jeffrey F. Spelman, Daniel R. Simon
  • Patent number: 5680458
    Abstract: A method of recovering from a compromise of a root key which is the private key of a first public key-private key pair, the method including the steps of electronically sending out an emergency message indicating that the root key has been compromised and also containing a replacement key and a digital signature which was generated by using the root key; and publishing in an out-of-band channel a value V, wherein V is derived from the emergency message.
    Type: Grant
    Filed: November 14, 1995
    Date of Patent: October 21, 1997
    Assignee: Microsoft Corporation
    Inventors: Jeffrey F. Spelman, Matthew W. Thomlinson
  • Patent number: 5638445
    Abstract: A method of processing encrypted communications sent by a first party, the method including the steps of: receiving from the first party a message that has a first part, a second part, a third part and a fourth part, wherein the first part includes a first block of information that is encrypted by using a key k1, the second part includes a second block of information that is encrypted by using a key k2, the third part includes a third block of information that is encrypted by using a key R, and the fourth part includes a fourth block of information that is encrypted by using the key R, wherein the third block of information includes k1 and the fourth block of information includes k2; blinding the fourth part; sending the third part and the blinded fourth part to a recryptor; receiving from the recryptor the k1 key re-encrypted by using a first key; and receiving from the recryptor a fifth block of information which is the blinded fourth block of information that has been encrypted by using a second key.
    Type: Grant
    Filed: September 19, 1995
    Date of Patent: June 10, 1997
    Assignee: Microsoft Corporation
    Inventors: Jeffrey F. Spelman, Matthew W. Thomlinson
  • Patent number: RE38070
    Abstract: A cryptography system architecture provides cryptographic functionality to support an application requiring encryption, decryption, signing, and verification of electronic messages. The cryptography system has a cryptographic application program interface (CAPI) which interfaces with the application to receive requests for cryptographic functions. The cryptographic system further includes at least one cryptography service provider (CSP) that is independent from, but dynamically accessible by, the CAPI. The CSP provides the cryptographic functionality and manages the secret cryptographic keys. In particular, the CSP prevents exposure of the encryption keys in a non-encrypted form to the CAPI or application. The cryptographic system also has a private application program interface (PAPI) to provide direct access between the CSP and the user. The PAPI enables the user to confirm or reject certain requested cryptographic functions, such as digitally signing the messages or exportation of keys.
    Type: Grant
    Filed: August 30, 1999
    Date of Patent: April 8, 2003
    Assignee: Microsoft Corporation
    Inventors: Terrence R. Spies, Jeffrey F. Spelman, Daniel R. Simon