Patents by Inventor Mark A. Bellmore

Mark A. Bellmore has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11968243
    Abstract: A containerized cross-domain solution (CDS) is disclosed herein. In some examples, a first network interface container can be executed on a server to run a first network interface application to receive a data packet that includes data generated by a first process executing at a first security domain. A filter container can be executed on the server to run a data filter to evaluate a data content of the data to determine whether the data content violates a set of data rules. A second network interface container can be executed on the server to run a second network interface application. The data packet can be provided to the second network interface application in response to determining that the data content does not violate the set of data rules. The second network interface application can provide the data packet to a second security domain for a second process executing therein.
    Type: Grant
    Filed: June 21, 2021
    Date of Patent: April 23, 2024
    Assignee: NORTHROP GRUMMAN SYSTEMS CORPORATION
    Inventors: Mark A. Bellmore, Matthew T. Kirk, David M. Iodice
  • Publication number: 20220407894
    Abstract: A containerized cross-domain solution (CDS) is disclosed herein. In some examples, a first network interface container can be executed on a server to run a first network interface application to receive a data packet that includes data generated by a first process executing at a first security domain. A filter container can be executed on the server to run a data filter to evaluate a data content of the data to determine whether the data content violates a set of data rules. A second network interface container can be executed on the server to run a second network interface application. The data packet can be provided to the second network interface application in response to determining that the data content does not violate the set of data rules. The second network interface application can provide the data packet to a second security domain for a second process executing therein.
    Type: Application
    Filed: June 21, 2021
    Publication date: December 22, 2022
    Applicant: NORTHROP GRUMMAN SYSTEMS CORPORATION
    Inventors: MARK A. BELLMORE, MATTHEW T. KIRK, DAVID M. IODICE
  • Publication number: 20220217209
    Abstract: In an example, a system can include a web service interface (WSI) and a service directory for enabling communication between a web and non-web service. The WSI can be configured to communicate with the non-web service to receive reader data and/or writer data. The service directory can be configured to provide the WSI with non-web service subscriber data and/or non-web service publisher data for the non-web service in response to receiving the reader and/or writer data. The non-web service subscriber data identifies a web service as a subscriber of data provided by the non-web service and the non-web service publisher data identifies the web service as a publisher of data from which the non-web service is enabled to retrieve data. The WSI can be configured to provide the web service subscriber and/or publisher data to the non-web service to enable the non-web service to communicate with the web service.
    Type: Application
    Filed: January 4, 2021
    Publication date: July 7, 2022
    Applicant: NORTHROP GRUMMAN SYSTEMS CORPORATION
    Inventors: MATTHEW R. LUKER, MARK A. BELLMORE, CHRISTOPHER BEATTIE, DAVID M. IODICE, FORREST BLAND
  • Patent number: 11381664
    Abstract: In an example, a system can include a web service interface (WSI) and a service directory for enabling communication between a web and non-web service. The WSI can be configured to communicate with the non-web service to receive reader data and/or writer data. The service directory can be configured to provide the WSI with non-web service subscriber data and/or non-web service publisher data for the non-web service in response to receiving the reader and/or writer data. The non-web service subscriber data identifies a web service as a subscriber of data provided by the non-web service and the non-web service publisher data identifies the web service as a publisher of data from which the non-web service is enabled to retrieve data. The WSI can be configured to provide the web service subscriber and/or publisher data to the non-web service to enable the non-web service to communicate with the web service.
    Type: Grant
    Filed: January 4, 2021
    Date of Patent: July 5, 2022
    Assignee: NORTHROP GRUMMAN SYSTEMS CORPORATION
    Inventors: Matthew R. Luker, Mark A. Bellmore, Christopher Beattie, David M. Iodice, Forrest Bland
  • Patent number: 8086867
    Abstract: A process for generating a unique, secure and printable identity document, for authenticating the use of the document, and for granting privileges based on the document, includes generating an identity certificate for an individual. This certificate incorporates a pointer to biometric and other identifying data for the individual which are stored in a reference database. The identity certificate is encoded to produce, for example, a machine-readable printable 2-dimensional barcode as an identity document. The identity document may then be used by the document holder for generation of an encoded privilege document and this, in turn, is compared with the stored reference data, including the stored biometric when the privilege is to be exercised.
    Type: Grant
    Filed: May 1, 2002
    Date of Patent: December 27, 2011
    Assignee: Northrop Grumman Systems Corporation
    Inventors: William E. Freeman, Mark A. Bellmore, Kenneth W. Aull
  • Patent number: 7475250
    Abstract: A method and computer program to assign certificates/private keys to a token. This method and computer program allows a user to access a certificate authority and have certificates/private keys that are used for signature, encryption and role purposes generated and downloaded to the token. The use of secure communication lines and computers is not necessary since the token contains a unique token ID and private key, while the certificate authority contains the associated public key for the token. The certificate generated is wrapped in the public key and only the token, having the associated private key, may activate the certificate.
    Type: Grant
    Filed: December 19, 2001
    Date of Patent: January 6, 2009
    Assignee: Northrop Grumman Corporation
    Inventors: Kenneth W. Aull, Thomas C. Kerr, William E. Freeman, Mark A. Bellmore
  • Patent number: 7421079
    Abstract: A method, and a corresponding apparatus, provide for remote, secure replacement of private keys in a private key infrastructure. The method is implemented as a secure key replacement protocol (SKRP), which includes the steps of receiving a rekey request, where the rekey request identifies a private key for replacement, authenticating the rekey request, replacing the identified private key with a SKRP key, signing the challenge with the SKRP key, and returning the signed challenge. The rekey request includes the SKRP key and the challenge.
    Type: Grant
    Filed: December 9, 2003
    Date of Patent: September 2, 2008
    Assignee: Northrop Grumman Corporation
    Inventors: William E. Freeman, Mark A. Bellmore
  • Patent number: 7206936
    Abstract: A method and computer program to revoke and update a token (130) having several encryption, signature and role certificates/private keys contained in the token (130). The certificates/private keys in the token (130) are transmitted wrapped by a public key and may only be activated by a private key contained in the token (130). The activation of any certificate/private key requires the entry of a passphrase by a user (132). Further, all certificates/private keys contained in a token (130) are stored in an authoritative database (104). In the event that a token (130) is lost then all certificates/private keys associated with the token (130) are revoked. Further, when new certificates/private keys are issued to a user (132) these certificates/private keys are encrypted using the token's (130) public key and downloaded to the token (130).
    Type: Grant
    Filed: December 19, 2001
    Date of Patent: April 17, 2007
    Assignee: Northrop Grumman Corporation
    Inventors: Kenneth W. Aull, Thomas C. Kerr, William E. Freeman, Mark A. Bellmore
  • Publication number: 20050123142
    Abstract: A method, and a corresponding apparatus, provide for remote, secure replacement of private keys in a private key infrastructure. The method is implemented as a secure key replacement protocol (SKRP), which includes the steps of receiving a rekey request, where the rekey request identifies a private key for replacement, authenticating the rekey request, replacing the identified private key with a SKRP key, signing the challenge with the SKRP key, and returning the signed challenge. The rekey request includes the SKRP key and the challenge.
    Type: Application
    Filed: December 9, 2003
    Publication date: June 9, 2005
    Inventors: William Freeman, Mark Bellmore
  • Publication number: 20040162984
    Abstract: A process for generating a unique, secure and printable identity document, for authenticating the use of the document, and for granting privileges based on the document, includes generating an identity certificate for an individual. This certificate incorporates a pointer to biometric and other identifying data for the individual which are stored in a reference database. The identity certificate is encoded to produce, for example, a machine-readable printable 2-dimensional barcode as an identity document. The identity document may then be used by the document holder for generation of an encoded privilege document and this, in turn, is compared with the stored reference data, including the stored biometric when the privilege is to be exercised.
    Type: Application
    Filed: May 1, 2002
    Publication date: August 19, 2004
    Inventors: William E. Freeman, Mark A. Bellmore, Kenneth W. Aull
  • Publication number: 20030115468
    Abstract: A method and computer program to assign certificates/private keys to a token (130). This method and computer program allows a user (132) to access a certificate authority (110) and have certificates/private keys that are used for signature, encryption and role purposes generated and downloaded to the token (130). The use of secure communication lines and computers is not necessary since the token (132) contains a unique token ID and private key, while the certificate authority (110) contains the associated public key for the token (130). The certificate generated is wrapped in the public key and only the token (130), having the associated private key, may activate the certificate.
    Type: Application
    Filed: December 19, 2001
    Publication date: June 19, 2003
    Inventors: Kenneth W. Aull, Thomas C. Kerr, William E. Freeman, Mark A. Bellmore
  • Publication number: 20030115466
    Abstract: A method and computer program to revoke and update a token (130) having several encryption, signature and role certificates/private keys contained in the token (130). The certificates/private keys in the token (130) are transmitted wrapped by a public key and may only be activated by a private key contained in the token (130). The activation of any certificate/private key requires the entry of a passphrase by a user (132). Further, all certificates/private keys contained in a token (130) are stored in an authoritative database (104). In the event that a token (130) is lost then all certificates/private keys associated with the token (130) are revoked. Further, when new certificates/private keys are issued to a user (132) these certificates/private keys are encrypted using the token's (130) public key and downloaded to the token (130).
    Type: Application
    Filed: December 19, 2001
    Publication date: June 19, 2003
    Inventors: Kenneth W. Aull, Thomas C. Kerr, William E. Freeman, Mark A. Bellmore
  • Publication number: 20030115455
    Abstract: Method and apparatus for centralized processing of hardware tokens for a public key infrastructure (PKI). A commercially available token is received at a secure processing facility. An operating system is installed on the token. A unique key encipherment certificate is created that includes a public key for the token. The unique key encipherment certificate is written onto the token. A Root Certificate Authority certificate is also written onto the token. A unique private key is written onto the token where the unique private key is the matching key for the unique key encipherment certificate. A software package is loaded onto the token. The software package is capable of cryptologically validating future keys and certificates, decrypting the keys and certificates, and installing the keys and certificates in the token.
    Type: Application
    Filed: December 19, 2001
    Publication date: June 19, 2003
    Inventors: Kenneth W. Aull, Thomas C. Kerr, William E. Freeman, Mark A. Bellmore
  • Publication number: 20030115467
    Abstract: A token issuance and binding process includes providing a plurality of tokens, each token having a unique ID number stored therein. A unique public/private key pair is generated for each token and each token ID number and corresponding public key is stored in a directory/database. Each private key is stored in its respective token and a unique ID number of a user is bound to a corresponding one of the plurality of tokens by storing the correspondence therebetween in the directory/database.
    Type: Application
    Filed: December 19, 2001
    Publication date: June 19, 2003
    Inventors: Kenneth W. Aull, Thomas C. Kerr, William E. Freeman, Mark A. Bellmore