Patents by Inventor Norman Schibuk

Norman Schibuk has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11902249
    Abstract: A validation device in a communication network is configured to communicate control information bidirectionally via a control plane of the network and access message data via a production plane of the network. The validation device receives key data via the control plane, and accesses a message received via the production plane by a message receiving device. The message includes a signature derived from the first key data. The validation device uses the first key data to check validity of the signature.
    Type: Grant
    Filed: April 1, 2021
    Date of Patent: February 13, 2024
    Assignee: Seraph Security, Inc.
    Inventors: Norman Schibuk, Boris Lukashev, Steve Graham
  • Publication number: 20210243161
    Abstract: A validation device in a communication network is configured to communicate control information bidirectionally via a control plane of the network and access message data via a production plane of the network. The validation device receives key data via the control plane, and accesses a message received via the production plane by a message receiving device. The message includes a signature derived from the first key data. The validation device uses the first key data to check validity of the signature.
    Type: Application
    Filed: April 1, 2021
    Publication date: August 5, 2021
    Inventors: Norman Schibuk, Boris Lukashev, Steve Graham
  • Patent number: 10999250
    Abstract: A data validation system in a communication network has a bidirectional control plane and an independent message production plane. A sending device and a validation device communicate via the control plane and the production plane. A signer device and a validation device access message data from the sending device via the production plane. A computer-based network key manager conveys key data to the signer device and validation device via the control plane. The signer device accesses a message from the message sending device, produces a signature, and attaches the signature to the message. The validation device accesses the message received at the receiving device and uses the key data to validate the signature.
    Type: Grant
    Filed: December 22, 2020
    Date of Patent: May 4, 2021
    Assignee: InferSight LLC
    Inventors: Norman Schibuk, Boris Lukashev, Steve Graham
  • Publication number: 20210119968
    Abstract: A data validation system in a communication network has a bidirectional control plane and an independent message production plane. A sending device and a validation device communicate via the control plane and the production plane. A signer device and a validation device access message data from the sending device via the production plane. A computer-based network key manager conveys key data to the signer device and validation device via the control plane. The signer device accesses a message from the message sending device, produces a signature, and attaches the signature to the message. The validation device accesses the message received at the receiving device and uses the key data to validate the signature.
    Type: Application
    Filed: December 22, 2020
    Publication date: April 22, 2021
    Inventors: Norman Schibuk, Boris Lukashev, Steve Graham
  • Publication number: 20190334870
    Abstract: A computer-based method includes transmitting a packet from a source across a packet-switched network that includes multiple network switches, and attaching, or otherwise associating, a unique signature to the packet at one or more of the network switches. Each unique signature identifies a corresponding one of the network switches, through which the packet passes as it travels from the source toward a destination. The packet and an attached, or otherwise associated, string of signatures from the plurality of network switches, is received at or near the destination in the packet-switched network. In a typical implementation, the validity of the packet is checked, by a validator (e.g., at or near the destination).
    Type: Application
    Filed: July 8, 2019
    Publication date: October 31, 2019
    Inventors: Norman Schibuk, Boris Lukashev, Steve Graham
  • Publication number: 20180054417
    Abstract: A computer-based method includes transmitting a packet from a source across a packet-switched network that includes multiple network switches, and attaching, or otherwise associating, a unique signature to the packet at one or more of the network switches. Each unique signature identifies a corresponding one of the network switches, through which the packet passes as it travels from the source toward a destination. The packet and an attached, or otherwise associated, string of signatures from the plurality of network switches, is received at or near the destination in the packet-switched network. In a typical implementation, the validity of the packet is checked, by a validator (e.g., at or near the destination).
    Type: Application
    Filed: August 16, 2017
    Publication date: February 22, 2018
    Inventors: Norman Schibuk, Boris Lukashev, Steve Graham
  • Publication number: 20170295142
    Abstract: A computing system, method, and storage medium prevent denial of provision of a network service by a server computer to an authorized client device. The computing system receives network service data that include a credential, then transmits that credential to a cloud-based identity system. The computing system responsively receives data pertaining to either zero or one identities related to the credential. If the data pertain to zero identities, the transaction is immediately terminated, preventing denial of the service. Only when the data pertain to exactly one identity does the computing system transmit the data to the server computer. Moreover, the computing system may terminate the transaction unless the server computer is similarly validated by the cloud-based identity system, thereby preventing access from an unauthorized device. The computing system may hide a network address of the client device from the server computer, and vice versa, and perform other useful supporting functions.
    Type: Application
    Filed: June 22, 2017
    Publication date: October 12, 2017
    Inventor: Norman Schibuk
  • Patent number: 9722791
    Abstract: A computing system, method, and computer program product provide cryptographic isolation between a client device and a server computer for providing a network service to the client device. The computing system stores encrypted user authentication data of the client device and its user, and encrypted service authorization data of the server computer in such a way that neither the client device nor the server computer can obtain information about the other. Upon subsequent receipt in the computing system of purported user authentication data and a request to access the network service, the computing system encrypts the purported authentication data and compares it against the stored, encrypted data. Only when these encrypted data match is the computing system able to decrypt the service authorization data and provide it to the server computer to gain access to the network service.
    Type: Grant
    Filed: May 14, 2015
    Date of Patent: August 1, 2017
    Inventor: Norman Schibuk
  • Patent number: 9396339
    Abstract: A router is placed between a protected computer and devices with which the computer communicates, including peripherals and other computers. The router includes a list of authorized devices that are permitted to send data to the protected computer, against which requests to send data are checked. The router also communicates with a remote authentication service to authenticate devices requesting such permission. The authentication service may be a cloud-based identity service.
    Type: Grant
    Filed: June 23, 2014
    Date of Patent: July 19, 2016
    Assignee: InferSpect, LLC
    Inventor: Norman Schibuk
  • Publication number: 20150333908
    Abstract: A computing system, method, and computer program product provide cryptographic isolation between a client device and a server computer for providing a network service to the client device. The computing system stores encrypted user authentication data of the client device and its user, and encrypted service authorization data of the server computer in such a way that neither the client device nor the server computer can obtain information about the other. Upon subsequent receipt in the computing system of purported user authentication data and a request to access the network service, the computing system encrypts the purported authentication data and compares it against the stored, encrypted data. Only when these encrypted data match is the computing system able to decrypt the service authorization data and provide it to the server computer to gain access to the network service.
    Type: Application
    Filed: May 14, 2015
    Publication date: November 19, 2015
    Inventor: Norman Schibuk
  • Publication number: 20140304523
    Abstract: A router is placed between a protected computer and devices with which the computer communicates, including peripherals and other computers. The router includes a list of authorized devices that are permitted to send data to the protected computer, against which requests to send data are checked. The router also communicates with a remote authentication service to authenticate devices requesting such permission. The authentication service may be a cloud-based identity service.
    Type: Application
    Filed: June 23, 2014
    Publication date: October 9, 2014
    Inventor: Norman Schibuk
  • Patent number: 8776212
    Abstract: A router is placed between a protected computer and devices with which the computer communicates, including peripherals and other computers. The router includes a list of authorized devices that are permitted to send data to the protected computer, against which requests to send data are checked. The router also communicates with a remote authentication service to authenticate devices requesting such permission. The authentication service may be a cloud-based identity service.
    Type: Grant
    Filed: December 13, 2011
    Date of Patent: July 8, 2014
    Assignee: SurIDx, Inc.
    Inventor: Norman Schibuk
  • Patent number: 8667269
    Abstract: An Identity Ecosystem Cloud (IEC) provides global, scalable, cloud-based, cryptographic identity services as an identity assurance mechanism for other services, such as data storage, web services, and electronic commerce engines. The IEC complements these other services by providing enhanced identity protection and authentication. An IEC performs identity services using surrogate digital certificates having encryption keys that are never exposed to the public. An individual requesting other services must meet an identity challenge before access to these other services is granted. Service requests to the IEC, and responses from the IEC, are securely encrypted. An IEC integrates smoothly into existing services by layering on top of, or being used in conjunction with, existing security measures. Identity transactions may be logged in a manner that complies with strict medical and financial privacy laws.
    Type: Grant
    Filed: April 4, 2011
    Date of Patent: March 4, 2014
    Assignee: SurIDx, Inc.
    Inventor: Norman Schibuk
  • Publication number: 20130046697
    Abstract: Systems and methods are provided to prevent unauthorized credit and debit transactions. A system creates a transactional, or one-time-use PIN in response to a request from a mobile device, such as a smartphone or tablet computer, belonging to an authorized user. This PIN is securely transmitted to the mobile device, and used in combination with a credit or debit account number to complete the transaction. The user is determined to be authorized by the fact that they are able to access an application on the mobile device that sends the request. The application itself may be protected using a non-changing PIN.
    Type: Application
    Filed: March 16, 2012
    Publication date: February 21, 2013
    Applicant: SURIDX, INC.
    Inventor: Norman Schibuk
  • Publication number: 20120191615
    Abstract: A system and method for engaging in a credit or debit transaction do not transmit an individual's account number to a vendor or merchant. The individual provides the account number to a transaction acquiring device (TAD). The TAD requires the individual to provide one or more pseudo-random numbers that identify the individual. These numbers are only obtainable from an authentication device that can be unlocked only by passing an authentication challenge. The TAD then provides transaction data to a credit or debit issuer and the vendor, but does not provide or store the account number. The issuer provides the merchant with an identifier other than the account number that is nevertheless unique to the individual. This identifier may be used to track the individual's purchase history or perform other business functions.
    Type: Application
    Filed: January 27, 2012
    Publication date: July 26, 2012
    Applicant: SURIDX, INC.
    Inventor: Norman Schibuk
  • Publication number: 20120159165
    Abstract: A router is placed between a protected computer and devices with which the computer communicates, including peripherals and other computers. The router includes a list of authorized devices that are permitted to send data to the protected computer, against which requests to send data are checked. The router also communicates with a remote authentication service to authenticate devices requesting such permission. The authentication service may be a cloud-based identity service.
    Type: Application
    Filed: December 13, 2011
    Publication date: June 21, 2012
    Applicant: SURIDX, INC.
    Inventor: Norman Schibuk
  • Publication number: 20110291798
    Abstract: Physical access systems and methods securely grant physical access to restricted areas in high-volume applications. An electronic device, such as a smartphone, stores a digitally signed physical access rights file. An individual uses this rights file to gain access to a restricted area only after self-authenticating to the device. A physical access control system receives the rights file, validates it, and determines whether to permit passage through a physical barrier. The determination may be made by a physical barrier system, or by a remote access control headend. An access control gateway, which may be an access control headend, may either unlock the physical barrier system when the electronic device is near the physical barrier, or it may transmit an authorization code to the electronic device and the physical barrier system, whereby passage is only permitted if the barrier system subsequently receives the authorization code from the electronic device using near field communications.
    Type: Application
    Filed: May 31, 2011
    Publication date: December 1, 2011
    Applicant: SURIDX, INC.
    Inventor: Norman Schibuk
  • Publication number: 20110246765
    Abstract: An Identity Ecosystem Cloud (IEC) provides global, scalable, cloud-based, cryptographic identity services as an identity assurance mechanism for other services, such as data storage, web services, and electronic commerce engines. The IEC complements these other services by providing enhanced identity protection and authentication. An IEC performs identity services using surrogate digital certificates having encryption keys that are never exposed to the public. An individual requesting other services must meet an identity challenge before access to these other services is granted. Service requests to the IEC, and responses from the IEC, are securely encrypted. An IEC integrates smoothly into existing services by layering on top of, or being used in conjunction with, existing security measures. Identity transactions may be logged in a manner that complies with strict medical and financial privacy laws.
    Type: Application
    Filed: April 4, 2011
    Publication date: October 6, 2011
    Applicant: SURIDX, INC.
    Inventor: Norman Schibuk
  • Publication number: 20110167258
    Abstract: A cloud-based system having a secure database of certificate information and associated methods are provided. The system and methods may be used to supplement or replace traditional OCSP processing systems. Responses to OCSP requests are digitally signed and cached in a cloud database server remote from the requester. Other servers in the cloud may access the cached OCSP responses from the database server, rather than the originating certificate authority. Thus, the work traditionally done by the certificate authority is moved to the cloud, which eliminates a single point of failure and improves the resources available to perform transactional processing.
    Type: Application
    Filed: December 30, 2010
    Publication date: July 7, 2011
    Applicant: SURIDX, INC.
    Inventor: Norman Schibuk
  • Publication number: 20110022835
    Abstract: Encrypted communications between servers and client devices over an unsecured channel, such as the Internet, without using a public key infrastructure are disclosed. Messages to a client device are encrypted using an encryption key of an authorized individual, regardless of the identity of the user of the client device. Encryption is performed by a system that does not expose encryption keys to the client device or the server, thereby preventing man-in-the-middle attacks against the encryption key. Secure communications are combined with a two-factor protocol for authenticating the identity of an individual. An individual authenticates by generating a cipher using a light-weight certificate that has a shared secret but no other information identifying the individual. Separately, a server generates the same cipher using the shared secret, thereby authenticating the individual's identity to a relying party.
    Type: Application
    Filed: July 27, 2010
    Publication date: January 27, 2011
    Applicant: SurIDx, Inc.
    Inventor: Norman Schibuk