Abstract: The systems and methods described herein provide computationally effective ways to calculate cryptography key pairs for a variety of cryptography applications, including but not limited to encryption/decryption systems, digital signature systems, encrypting file systems, etc. In various implementations, a cryptography key computation system identifies an encryption function, such as an elliptical curve function, that is used as the basis of a cryptography key pair. The cryptography key computation system may further identify a basepoint on the encryption function as well as a scalar that is to be multiplied by the basepoint. The cryptography key computation system may decompose the scalar into a sum of “folding units,” e.g., smaller scalars that are represented by the product of a coefficient and a power of an integer. In some implementations, the coefficients of the folding units may be precomputed. Permutations of specific coefficients may be cached/stored using the techniques described herein.

Abstract: A computer security system may include a removable security device adapted to connect to the input/output port of a computer. The security device may include: a random access memory (RAM) cell; and a processor. The security system may further include: at least one encrypted update packet stored remotely from the security device and adapted to modify the contents of the RAM cell; and a private key located on the security device and adapted to decrypt the update packet; and at least one of a device driver, a software application, and/or a library stored remotely from, and in communication with, the security device and adapted to cause the contents of the at least one cell to be switched out of the cell, stored remotely from the cell, and loaded back into the cell.

Abstract: A method for preventing unauthorized use of a software program on a computing device includes updating a state of a software program on a computing device to an updated state. Transmitting an update signal from the software program to a hardware token coupled to the computing device and updating a state of the hardware token to an updated state in response to the received update signal. Performing a first cryptographic check using the updated state of the software program and the updated state of the hardware token with the hardware token. Transmitting the first cryptographic check from the hardware token to the software program and performing a second cryptographic check using the state of the hardware token and the state of the software program with the computing device.

Abstract: A computer-implemented method of generating an elliptic curve cryptosystem (ECC) signature includes the steps of: generating a first random key (k1) having n bits, where n is a natural number; calculating a first ECC point (V) from k1 and a base point; and storing k1 and V securely in a computer-readable medium. To digitally sign electronic data, the method further includes the steps of generating a second random key (k2), where k2 has fewer than n bits; calculating a second ECC point (Q) from V and k2; and digitally signing electronic data using Q.

Abstract: A computer security system may include a removable security device adapted to connect to the input/output port of a computer. The security device may include: a random access memory (RAM) cell; and a processor. The security system may further include: at least one encrypted update packet stored remotely from the security device and adapted to modify the contents of the RAM cell; and a private key located on the security device and adapted to decrypt the update packet; and at least one of a device driver, a software application, and/or a library stored remotely from, and in communication with, the security device and adapted to cause the contents of the at least one cell to be switched out of the cell, stored remotely from the cell, and loaded back into the cell.

Abstract: A system and method in which the operating system of the user computer loads the software application and a DLL having a portion of the application execution code stored therein into memory is disclosed. At selected points during its execution, the software application calls the DLL to execute a portion of the application code that was saved into the DLL before delivery to the end user. Since this code is encrypted and the encryption key is stored in a hardware security device and not in the DLL or the software application, the application code portion cannot be executed without recovering the key.

Abstract: A compact, self-contained, personal key is disclosed. The personal key comprises a USB-compliant interface releaseably coupleable to a host processing device; a memory; and a processor. The processor provides the host processing device conditional access to data storable in the memory as well as the functionality required to manage files stored in the personal key and for performing computations based on the data in the files. In one embodiment, the personal key also comprises an integral user input device and an integral user output device. The input and output devices communicate with the processor by communication paths which are independent from the USB-compliant interface, and thus allow the user to communicate with the processor without manifesting any private information external to the personal key.

Abstract: A device that secures a token from unauthorized use is disclosed. The device comprises a user interface for accepting a personal identifier, a processor, communicatively coupled to the user interface device, and a token interface. The token interface includes a token interface IR emitter that produces an IR signal having information included in the PIN. The token IR emitter is coupled to the processor and is further communicatively coupled to a token IR sensor when the token is physically coupled with the token interface. The token interface also includes a shield, substantially opaque to the IR signal, for substantially confining the reception of the IR signal to the token IR sensor. In one embodiment, the shield substantially circumscribes the IR emitter. In another embodiment, the interface also comprises a token interface IR sensor, which allows communications from the token to the device as well.

Abstract: A computer-implemented method of generating an elliptic curve cryptosystem (ECC) signature includes the steps of: generating a first random key (k1) having n bits, where n is a natural number; calculating a first ECC point (V) from k1 and a base point; and storing k1 and V securely in a computer-readable medium. To digitally sign electronic data, the method further includes the steps of generating a second random key (k2), where k2 has fewer than n bits; calculating a second ECC point (Q) from V and k2; and digitally signing electronic data using Q.

Abstract: A method for preventing unauthorized use of a software program on a computing device includes updating a state of a software program on a computing device to an updated state. Transmitting an update signal from the software program to a hardware token coupled to the computing device and updating a state of the hardware token to an updated state in response to the received update signal. Performing a first cryptographic check using the updated state of the software program and the updated state of the hardware token with the hardware token. Transmitting the first cryptographic check from the hardware token to the software program and performing a second cryptographic check using the state of the hardware token and the state of the software program with the computing device.

Abstract: A method, apparatus, and article of manufacture provide the ability to rapidly generate a large prime number to be utilized in a cryptographic key of a cryptographic system. A candidate prime number is determined and a mod remainder table is initialized for the candidate prime number using conventional mod operations. If all mod remainder entries in the table are non-zero, the candidate number is tested for primality. If the candidate prime number tests positive for primality, the candidate number is utilized in a cryptographic key of a cryptographic system. If any of the table entries is zero, the candidate number and each mod remainder entry are decremented/incremented. If any mod remainder entry is less than zero or greater than the corresponding prime number, the corresponding prime number is added/subtracted to/from the mod remainder. The process then repeats until a satisfactory number is obtained.

Abstract: A method and apparatus for securing a token from unauthorized use is disclosed. The method comprises the steps of receiving a first message transmitted from a host processing device and addressed to a PIN entry device according to a universal serial bus (USB) protocol; accepting a PIN entered into the PIN entry device; and transmitting a second message comprising at least a portion of the first message and the PIN from the PIN entry device to the token along a secure communication path.

Abstract: A method and apparatus for protecting computer software from unauthorized execution or duplication using a hardware key is disclosed. The apparatus comprises a means for communicating with the computer to receive command messages from the computer in the hardware key and to provide response messages to the computer, a memory for storing data for translating command messages into response messages enabling software execution, and a processor coupled to the communicating means for translating command messages into response messages using the data stored in the memory. The processor further comprises a memory manager, including means for logically segmenting the memory storing the data into at least one protected segment, and a means for controlling access to the protected segment.

Abstract: A method and apparatus for communicating information between a token and a host computer having a host computer operating system (OS) supplied inherent driver for communicating with an OS-supported USB-compliant device. The method comprising the steps of coupling to the host computer, and emulating the OS-supported USB-compliant device. In one embodiment, the step of emulating the OS-supported USB-compliant device comprises the steps of accepting a message from the OS-supplied inherent driver in the token, the message transmitted according to a format and protocol for the OS-supported USB-compliant device; generating a second message from the accepted first message; and providing a second message from the token to the OS-supplied inherent driver.

Abstract: A method, apparatus, article of manufacture, and a memory structure for a USB-compliant personal key has been described. The personal key includes an integrated connector design that is simple and easy to manufacture, and allows broken or defective connecting pins to be easily replaced. In the several embodiments disclosed, the personal key also comprises a biometric sensor for authenticating the identity of the user, and visual and aural sensors for providing information to the user.

Abstract: A method and apparatus for protecting computer software from unauthorized execution or duplication using a hardware key is disclosed. The apparatus comprises a means for communicating with the computer to receive command messages from the computer in the hardware key and to provide response messages to the computer, a memory for storing data for translating command messages into response messages enabling software execution, and a processor coupled to the communicating means for translating command messages into response messages using the data stored in the memory. The processor further comprises a memory manager, including means for logically segmenting the memory storing the data into at least one protected segment, and a means for controlling access to the protected segment.

Abstract: A method, apparatus, and article of manufacture provide the ability to rapidly generate a large prime number to be utilized in a cryptographic key of a cryptographic system. A candidate prime number is determined and a mod remainder table is initialized for the candidate prime number using conventional mod operations. If all mod remainder entries in the table are non-zero, the candidate number is tested for primality. If the candidate prime number tests positive for primality, the candidate number is utilized in a cryptographic key of a cryptographic system. If any of the table entries is zero, the candidate number and each mod remainder entry are decremented/incremented. If any mod remainder entry is less than zero or greater than the corresponding prime number, the corresponding prime number is added/subtracted to/from the mod remainder. The process then repeats until a satisfactory number is obtained.

Abstract: A system and method in which the operating system of the user computer loads the software application and a DLL having a portion of the application execution code stored therein into memory is disclosed. At selected points during its execution, the software application calls the DLL to execute a portion of the application code that was saved into the DLL before delivery to the end user. Since this code is encrypted and the encryption key is stored in a hardware security device and not in the DLL or the software application, the application code portion cannot be executed without recovering the key.

Abstract: A method and apparatus for protecting computer software from unauthorized execution or duplication using a hardware key is disclosed. The apparatus comprises a means for communicating with the computer to receive command messages from the computer in the hardware key and to provide response messages to the computer, a memory for storing data for translating command messages into response messages enabling software execution, and a processor coupled to the interface port for translating command messages into response messages using the data stored in the memory. The processor further comprises a memory manager, for logically segmenting the memory storing the data into at least one protected segment, and for controlling access to the protected segment.

Abstract: A device that secures a token from unauthorized use is disclosed. The device comprises a user interface for accepting a personal identifier, a processor, communicatively coupled to the user interface device, and a token interface. The token interface includes a token interface IR emitter that produces an IR signal having information included in the PIN. The token IR emitter is coupled to the processor and is further communicatively coupled to a token IR sensor when the token is physically coupled with the token interface. The token interface also includes a shield, substantially opaque to the IR signal, for substantially confining the reception of the IR signal to the token IR sensor. In one embodiment, the shield substantially circumscribes the IR emitter. In another embodiment, the interface also comprises a token interface IR sensor, which allows communications from the token to the device as well.