Abstract: A computer network security system and method utilizes digitally signed and centrally assigned policy data, such as password length rules, that is unilaterally enforced at network nodes by node policy enforcement engines. The policy data may be variable on a per client or network node basis through a centralized authority, such as a certification authority. The computer network security system provides variable security policy rule data for distribution to at least one network node through a central security policy rule data distribution source, such as the certification authority. The central security policy rule data distribution source associates a digital signature to the variable security policy rule data to ensure the integrity of the policies in the system. Each network node uses a policy rule data engine and policy rule table to decode policy rule data and enforce the policy rules as selectively determined through the central authority.

Abstract: Methods and systems are provided which convey access control information from a first server to a second server through an end user device, for example in a system in which these servers and devices are all connected to the Internet. The method starts after the first server receives a message from the end user device. The first server in response to this message from the end user device sends a response message to the end user device containing the access control information to be conveyed to the second server, optionally after performing authentication. The response message also contains an instruction for the end user device to post a second message to the second server containing the information. The information is preferably contained in a content portion of the message. A hidden form may be used in the response message to contain the information. Optionally, the end user may be presented with an option to post the second message or not.

Abstract: A system and method for controlling program execution for a first-party includes providing application registration data, by a second-party (trusted party), wherein the application registration data contains a plurality of first unique application verification data (i.e., data elements), such as a list of hash values. Each unique application verification data element corresponds to at least one of the plurality of approved executable programs. The unique application verification data element is determined as a uniquely associatable data corresponding to each of corresponding executable programs from the plurality of executable programs. Prior to allowing individual program execution by the first-party, the first-party generates a second unique application verification data element, such as a hash value, of an executable file designated for execution on a processing device and compares the generated hash value to the list of hash values. If a match is found, the program is allowed to execute.

Abstract: A computer based encryption and decryption system and method provides content analysis through a content inspection mechanism, such as detection of a computer virus using a virus detection algorithm based on determining whether digital input information is encrypted. The content inspection mechanism analyzes decrypted content for such things as virus patterns, keywords, unknown program format, or any other content based criteria. The system generates a decryption request to decrypt encrypted digital input information prior to applying content analysis, such as virus detection.

Abstract: A method and apparatus for public key management is accomplished when an associated authority provides, from time to time, a public key of at least one of a plurality of certificate authorities to a client. The associated authority provides the public key in a trustworthy manner over an on-line communication path and/or a store and forward communication path, which may be done using a self-signed signature public key certificate. Upon receiving the public key, the client maintains it in a storage medium associated with a client cryptographic engine. When a client application needs a security-related operation to be performed, it evokes the client cryptographic engine via an application program interface. Upon being evoked the client cryptographic engine determines whether a public key certificate associated with the security-related operation is verified as authentic based on the public key of at least one of the plurality of certification authorities.

Abstract: An apparatus and methods for facilitating an encryption process for use in systems employing cryptography based security, removes unnecessary data relating to encryption keys prior to storing the data after receipt of the encrypted information from a sender. Encrypted data, such as message data for multiple recipients, is analyzed to determine whether encryption related data for other recipients may be removed and/or whether a preferred encrypting process was used. In one embodiment, the apparatus and method also determines whether a non-preferred encryption process was used to encrypt encrypted data and re-encrypts the encrypted data with a different encryption process in response to detected non-preferred encryption key usage.

Abstract: A public key cryptography based security system and method stores decryption private key history data in a common directory accessible by roaming users, to facilitate roaming use of the encryption system. A security management server stores per user security data, such as decryption private key history data in a secure database as master copy data. A public repository unit stores remotely accessible per user security data including the decryption private key history data stored in the security management server. A second computing device, different from a primary computing device, communicates with the public repository unit to obtain the decryption private key history data to decrypt encrypted data associated with the primary computing device to facilitate portable security capability.

Abstract: A method and apparatus for accessing user specific encryption information is accomplished upon receiving a request for access to user specific encryption information from a requesting entity. Based on the identity of the requesting entity and/or the type of request, a server determines the requesting entity's authorized level of access to user specific encryption information. Based on the authorized level of access, the requesting entity is provided with controlled access to the user specific information.

Abstract: A method and apparatus for creating communities of trust within a secure communications system is accomplished by allowing end-users to obtain arbitrary lists of trusted public keys from other end-users and from associated authorities. Once an arbitrary list has been obtained by an end-user, the end-user determines whether it was obtained in a manner consistent with a security policy of the secured community. The security policy may enable an end-user to receive trusted public keys from other end-users, from associated authorities only, to receive public keys of associated authorities, other end users, or any combination thereof. When the arbitrary lists of trusted keys are obtained in a manner consistent with the security policy, the end-user adds keys of the arbitrary lists to a trusted key list. When a security-related operation is to be performed (e.g.

Abstract: A computer network security system and method utilizes digitally signed and centrally assigned policy data, such as password length rules, that is unilaterally enforced at network nodes by node policy enforcement engines. The policy data may be variable on a per client or network node basis through a centralized authority, such as a certification authority. The computer network security system provides variable security policy rule data for distribution to at least one network node through a central security policy rule data distribution source, such as the certification authority. The central security policy rule data distribution source associates a digital signature to the variable security policy rule data to ensure the integrity of the policies in the system. Each network node uses a policy rule data engine and policy rule table to decode policy rule data and enforce the policy rules as selectively determined through the central authority.

Abstract: A method and apparatus constructs a preferred certificate chain, such as a list of all certificate authorities in a shortest trusted path, based on generated certificate chain data, such as a table of trust relationships among certificate issuing units in a community of interest, to facilitate rapid validity determination of the certificate by a requesting unit. In one embodiment, requesting units, such as certificate validation units or subscribers, send queries to a common certificate chain constructing unit. Each query may identify a beginning and target certification authority in the community. The certificate chain constructing unit then automatically determines the certification chain among certification issuing units between the beginning and target certification authorities for each query and provides certificate chain data to the requesting unit. The requesting unit then performs validity determination on the certificate to be validated based on the certificate chain data.

Abstract: A method and apparatus for creating communities of trust within a secure communications system is accomplished by allowing end-users to obtain arbitrary lists of trusted public keys from other end-users and from associated authorities. Once an arbitrary list has been obtained by an end-user, the end-user determines whether it was obtained in a manner consistent with a security policy of the secured community. The security policy may enable an end-user to receive trusted public keys from other end-users, from associated authorities only, to receive public keys of associated authorities, other end users, or any combination thereof. When the arbitrary lists of trusted keys are obtained in a manner consistent with the security policy, the end-user adds keys of the arbitrary lists to a trusted key list. When a security-related operation is to be performed (e.g.

Abstract: A computer network security system provides generation of a certificate revocation list (CRL) upon each revocation. The entire certificate revocation list may be published on demand, or only the portion that has changed. The computer network security system provides on-demand publishing of data identifying revoked certificates, such as revocation and expiration data, in response to receipt of revocation request data. The computer network security system stores the on-demand published data for analysis by one or more network nodes, such as a client, to determine whether a certificate is valid. The network nodes include certificate revocation list cache memory that may be selectively activated/deactivated, to effect storage/non-storage of the data identifying the revoked certificates.

Abstract: A method and apparatus for extending secure communication operations via shared lists is accomplished by creating a shared list in accordance with authorization parameters by one user and subsequently accessing the shared list via the authorization parameters by this and other users. To create the list, a user within the secured communication system determines whether it has been enabled, or authorized, to create a shared list. If so, the user identifies at least one other user to be added to the shared list. Having identified another user, the user creating the shared list verifies that the secure communication parameters (which includes a public key certificate of an end-user or of a certification authority) it has received regarding the another user is trustworthy. If the secure communication parameters are identified as trustworthy, the secure communication parameters of the another user are added to the shared list. To authenticate the shared list, the user creating the list digitally signs it.

Abstract: The invention allows for transporting, in different degrees of security strength, a symmetric key encrypted using an asymmetric encryption technique, and along with this transporting ciphertext derived from plaintext encrypted under this symmetric key. The encryptor encrypts the plaintext using a symmetric whose strength is commensurate with the trust level of the environment in which the encryptor is located. The encryptor encrypts this symmetric key for one or more intended recipients using an asymmetric technique commensurate with a high-trust environment. In the case of the encryptor residing in the low-trust environment, the encryptor additionally encrypts this symmetric key using an asymmetric encryption public key of the originator itself (or alternatively, that of a third party). Decryption equipment in all environments uses the decryption process corresponding to an algorithm identifier included by the originator.

Abstract: A method which allows implementation of the revocation of public-key certificates facilitates engineering of certificate revocation lists (CRLs). It solves the practical problem of CRLs potentially growing to unmanageable lengths by allowing CRLs to be segmented, based on size considerations or priority considerations related to revocation reasons. The method is used to distribute CRL information to users of certificate-based public-key systems. It is also applied more generally to update any field in a certificate by reference to a secondary source of authenticated information.

Abstract: Hash functions are important in modern cryptography. Main applications are their use in conjunction with digital signature schemes and message authentication. Hash functions, commonly known as message authentication codes (MACs), have received widespread use in practice for data integrity and data origin authentication. New and inventive ways of building fast MACs from hash functions involve keyed hash functions in which secret keys are used at certain locations of the compression process and the keys are also hashed.