Abstract: An approach that manages a service oriented architecture (SOA) shared service is provided. In one embodiment, there is a service management tool, including an identification component configured to identify a SOA shared service that needs to be revised; and a revision component configured to develop a revision procedure to address the SOA shared service that needs to be revised, and implement the revision procedure for the SOA shared service.

Abstract: An approach that selects a service oriented architecture (SOA) shared service is provided. In one embodiment, there is a service selection tool, including an input component configured to gather service requirements of a SOA shared service project; an identification component configured to identify a set of candidate SOA shared services that meets the service requirements of the SOA shared services project; an analysis component configured to compare the set of candidate SOA shared services to a set of technical and business requirements, and select a set of SOA shared services from the set of candidate SOA shared services for construction based on a comparison of the set of candidate SOA shared services to the set of technical and business requirements.

Abstract: An approach that constructs a service oriented architecture (SOA) shared service is provided. In one embodiment, there is a service construction tool, including an input component configured to receive design input for a SOA shared service solution; and a construction component configured to construct a SOA shared service based on the design input for the SOA shared service solution.

Abstract: An approach that manages a service oriented architecture (SOA) shared service that fails to meet a set of objectives of the SOA shared service is provided. In one embodiment, there is a management tool, including an evaluation component configured to receive a SOA shared service that is developed as part of a potential SOA shared services project, and evaluate whether a set of objectives of the SOA shared service has been met; and a determination component configured to determine whether the SOA shared service should be developed in the case that the set of objectives of the SOA shared service has not been met.

Abstract: An approach that transitions to management of a service oriented architecture (SOA) shared service is provided. In one embodiment, there is a service transition tool, including a project component configured to provide a SOA shared service developed as part of a SOA shared services project, and a planning component configured to plan a transition from development of the SOA shared service to management of the SOA shared service.

Abstract: An approach that evaluates a service oriented architecture (SOA) shared services project is provided. In one embodiment, there is a service discovery tool, including an analysis component configured to analyze a potential SOA shared services project, and a determination component configured to determine whether the potential SOA shared services project should proceed to an inception process based on an analysis of the potential SOA shared services project.

Abstract: An approach that identifies a service oriented architecture (SOA) shared services project is provided. In one embodiment, there is a project identification tool, including an opportunity component configured to identify a SOA shared services opportunity. A project component is configured to identify a potential SOA shared services project based on the SOA shared services opportunity.

Abstract: A method to distribute and authenticate public encryption keys. A client concatenates its ID, its public key, and a secret password known to the client and a server, and hashes the result. The client forms an extended concatenation including the ID, the public key, and the hashed value, and sends the extended concatenation to the server. The server reads the ID and public key, and re-computes the hashed value based on its own knowledge of the password. If the received and the computed hashed values are the same, the server concludes that the client's public key is authentic. An analogous process enables the server to distribute its public key, and enables the client to authenticate the server's distributed public key.

Abstract: A system and method for classifying structured data by automatically suggesting classification labels. The system comprises a taxonomy configured to provide one or more normalized labels and a classification tool configured to automatically classify data across an enterprise system using the one or more normalized labels. The method comprises extracting metadata from one or more relational databases; suggesting classifications based on the metadata; and converting one or more names to normalized labels across an enterprise system based on the suggested classifications.

Abstract: A method to exchange and authenticate public cryptographic keys between parties that share a common but secret password. The parties exchange public keys, where the public keys are accompanied by hashed values based on the keys, the password, and random numbers. Each party then encrypts its random number using the public key of the other party, and the encryptions are exchanged. Based on the received encryptions and the known password, each party then re-computes the hashed value received from the other party, and compares the re-computed hashed value with the received hashed value. If the two are the same, the public key that accompanied the hashed value is judged authentic.

Abstract: A method for protecting data for access by a plurality of users. A server encrypts data using a master key and a symmetric encryption algorithm. For each authorized user, a key encryption key (KEK) is derived from a passphrase, and the master key is encrypted using the KEK. The server posts the encrypted data and an ancillary file that includes, for each user, a user identifier and the master key encrypted according to the user's KEK. To access the data, a user enters the passphrase into a client, which re-derives the user's KEK, and finds, in the ancillary file, the master key encrypted using the user's KEK. The client decrypts the master key and then decrypts the data. A KEK may be derived from a natural language passphrase by hashing the passphrase, concatenating the result and a predetermined text, hashing the concatenation, and truncating.

Abstract: A method and system for controlling access to data via a data-centric security model. A business data classification scheme is defined as a hierarchy that includes data types aligned with business operations. A data element is labeled with a data label. The data label includes multiple attributes associated with a data-centric security model. A first attribute is a data type of the data element. A second attribute includes security requirements. Data control rules are automatically generated for an enforcement of the security requirements. The enforcement grants or denies to a user an access to the data element via a predefined action. The enforcement is based on a predefined association among the predefined action, a predefined role that includes the user, the data type and, optionally, a purpose for performing the predefined action.

Abstract: A system to exchange and authenticate public cryptographic keys between parties that share a common but secret password, using a pair of random numbers, a pair of Diffie-Hellman public keys computed from the random numbers and the password, a Diffie-Hellman symmetric secret key computed from the Diffie-Hellman public keys and the random numbers, and hashed values of arguments that depend upon these elements.

Abstract: A method and system are disclosed for analyzing policies for compliance with a specified policy. The method comprises the steps of creating a policy template representing said specified policy, and comparing a group of given policies to said policy template to determine whether said given policies conflict with said specified policy. In the preferred embodiment of the invention, the specified policy may include specified rules, the given policies include a plurality of given rules, and the policy template expresses said specified rules. In this preferred embodiment, the comparing step includes the step of comparing said plurality of given rules to the policy template to determine whether any of said given rules conflicts with said specified rules. In addition, preferably, if conflicts are found between said given policies and said specified policy, the given policies are modified to eliminate the conflicts.

Abstract: A method for time stamping a digital document employs a two-part time stamp receipt. The first part of the time stamp receipt includes identifying data associated with a document and a nonce. The second part of the time stamp receipt includes a time indication and the nonce. The nonce serves as a link between the first and second parts.

Abstract: A method for time stamping a digital document is disclosed. The document originator creates a time stamp receipt using the document and the current time. The time stamp receipt is submitted to a time stamping authority having a trusted clock. The time stamping authority validates the time stamp receipt by comparing the time value specified in the time stamp receipt to the current time. If the time value specified in the time stamp receipt is within a predetermined time window, the time stamping authority cryptographically binds the time value and document, or the time value and some representation of the document, e.g., by signing the time stamp receipt with its private signature key.

Abstract: A time stamping protocol has two stages referred to as the ticketing stage and the certification stage. During the ticketing stage, the document or other identifying data is sent to the TSA. The TSA generates a “ticket” based on the document or other identifying data and a time indication derived from a trusted clock. The ticket, which serves as an unsigned time stamp receipt, is transmitted back to the document originator. During the certification stage, the holder of the ticket requests a certified time stamp receipt by presenting the ticket to the TSA. The TSA verifies the ticket and generates a signed time stamp receipt, called the ticket stub, which is then transmitted back to the document originator. The ticket stub serves as a “universal time-stamp” that the holder of the ticket stub can use to prove the date of the document.

Abstract: A method to exchange and authenticate public cryptographic keys between parties that share a common but secret password, using a pair of random numbers, a pair of Diffie-Hellman public keys computed from the random numbers and the password, a Diffie-Hellman symmetric secret key computed from the Diffie-Hellman public keys and the random numbers, and hashed values of arguments that depend upon these elements.

Abstract: A time stamping protocol has two stages referred to as the ticketing stage and the certification stage. During the ticketing stage, the document or other identifying data is sent to the TSA. The TSA generates a “ticket” based on the document or other identifying data and a time indication derived from a trusted clock. The ticket, which serves as an unsigned time stamp receipt, is transmitted back to the document originator. During the certification stage, the holder of the ticket requests a certified time stamp receipt by presenting the ticket to the TSA. The TSA verifies the ticket and generates a signed time stamp receipt, called the ticket stub, which is then transmitted back to the document originator. The ticket stub serves as a “universal time-stamp” that the holder of the ticket stub can use to prove the date of the document.

Abstract: A method for protecting data for access by a plurality of users. A server encrypts data using a master key and a symmetric encryption algorithm. For each authorized user, a key encryption key (KEK) is derived from a passphrase, and the master key is encrypted using the KEK. The server posts the encrypted data and an ancillary file that includes, for each user, a user identifier and the master key encrypted according to the user's KEK. To access the data, a user enters the passphrase into a client, which re-derives the user's KEK, and finds, in the ancillary file, the master key encrypted using the user's KEK. The client decrypts the master key and then decrypts the data. A KEK may be derived from a natural language passphrase by hashing the passphrase, concatenating the result and a predetermined text, hashing the concatenation, and truncating.