Abstract: A method for allowing an operating system (OS), to access an encrypted data storage system of a computer, wherein: the data storage system comprises: a partition; and first encrypted data units that comprise partition table data of said data storage system; and said computer is connectable to an external device comprising: a boot loader for an external OS that is not installed on the computer; and partitioning information capturing an expected location of said partition in the data storage system; and wherein second encrypted data units that comprise reference partition table data for said data storage system are available from said computer or said external device, the method comprising: upon connection of said external device to the computer, instructing to boot the computer from said boot loader; and during or after booting of the computer: comparing the first and second encrypted data units; and if the first and second encrypted data units match, allow the external OS to access, based on the partitioning

Abstract: The present invention is notably directed to a method for allowing an operating system, or OS, to access an encrypted data storage system of a computer (10), wherein: the data storage system (11) comprises: a partition (122); and first encrypted data units (120) that comprise partition table data of said data storage system; and said computer (10) is connectable to an external device (20) comprising: a boot loader (24) for an external OS (112) that is not installed on the computer; and partitioning information (22) capturing an expected location of said partition (122) in the data storage system; and wherein second encrypted data units (220) that comprise reference partition table data for said data storage system are available from said computer (10) or said external device, the method comprising: upon connection (S21) of said external device (20) to the computer, instructing to boot (S23) the computer (10) from said boot loader (24); and during or after booting of the computer: comparing (S25) the first (12

Abstract: Methods and apparatus are provided for provisioning an operating system image from a server (2) to an untrusted user terminal (4) via a data communications network (3). A trusted device (5) such as a pocket USB device has tamper-resistant storage (9) containing bootloader logic, for controlling booting of a user terminal, and security data. On connection of the trusted device (5) to an untrusted user terminal (4), the user terminal is booted via the bootloader logic on the trusted device. Under control of the bootloader logic, a connection is established to the server (2) via the network (3) and the server is authenticated using the security data on the trusted device (5). An operating system boot image is received from the server (2) via this connection. The boot image is used to provision an operating system image from the server (2) to the user terminal (4) for execution of the operating system at the user terminal (4).

Abstract: A system and method for executing software modules on a computer, the method comprising: executing (S4) a bootloader (15, 16), at least partly (16) in the computer (101); and upon execution of the bootloader: accessing (S5) requirements as to an initial set (IS) of software modules (SMn); and hardware specifications of the computer; determining (S6) within said initial set, one or more candidate sets (CS1, CS2) of software modules that are compatible (S6a) with said hardware specifications and can (S6b) be stored as a RAM disk; and storing (S9) the software modules of a final set (FS) on a RAM disk (121), the final set (FS) being one of the one or more candidate sets, and instructing to execute the software modules stored on the RAM disk, wherein each of the initial set and the final set of software modules comprises application components and operating system image components, and preferably further comprises hardware component drivers.

Abstract: A method, a secure device and a computer program product for securely managing files. The method includes providing a secure device, where the secure device is protected by design against malicious software or malware and adapted to establish a connection to a server via a host, the host connected to the server through a telecommunication network, upon receiving a request for using a file stored on the secure device, processing the request at the secure device according to an updated use permission associated to the file, where the updated use permission is obtained by instructing at the secure device to establish a connection between the secure device and the server via the host and updating at the device the use permission associated to the file, according to permission data sent from the server through the established connection.

Abstract: An approach for authenticating a user computer, connectable to a mobile network includes a computing device retrieving an attribute credential, the attribute credential certifying a set of user attributes, a device identifier for identifying the user computer to the mobile network, a location credential, the location credential certifying a device identifier and location data indicating a location of the user computer determined by the mobile network. The approach includes a computer producing an authentication token comprising the attribute credential, the location credential, the location data and a proof for proving that the device identifier in the attribute credential equals the device identifier in the location credential.

Abstract: An approach for authenticating a user computer, connectable to a mobile network includes a computing device retrieving an attribute credential, the attribute credential certifying a set of user attributes, a device identifier for identifying the user computer to the mobile network, a location credential, the location credential certifying a device identifier and location data indicating a location of the user computer determined by the mobile network. The approach includes a computer producing an authentication token comprising the attribute credential, the location credential, the location data and a proof for proving that the device identifier in the attribute credential equals the device identifier in the location credential.

Abstract: In an approach for authenticating a user computer, connectable to a mobile network, a computer retrieves an attribute credential, the attribute credential certifying a set of user attributes and a device identifier for identifying the user computer to the mobile network. The computer requests a location credential, the location credential certifying a device identifier and location data indicating a current location of the user computer determined by the mobile network. Additionally, the computer produces an authentication token comprising the attribute credential, the location credential, the location data, and a proof for proving that the device identifier in the attribute credential equals the device identifier in the location credential. Furthermore, the computer sends the authentication token for authentication.

Abstract: In an approach for authenticating a user computer, connectable to a mobile network, a computer retrieves an attribute credential, the attribute credential certifying a set of user attributes and a device identifier for identifying the user computer to the mobile network. The computer requests a location credential, the location credential certifying a device identifier and location data indicating a current location of the user computer determined by the mobile network. Additionally, the computer produces an authentication token comprising the attribute credential, the location credential, the location data, and a proof for proving that the device identifier in the attribute credential equals the device identifier in the location credential. Furthermore, the computer sends the authentication token for authentication.

Abstract: A system and method of performing electronic transactions between a server computer and a client computer. The method implements a communication protocol with encrypted data transmission and mutual authentication between a server and a hardware device via a network, performs a decryption of encrypted server responses, forwards the decrypted server responses from the hardware device to the client computer, displays the decrypted server responses on a client display, receives requests to be sent from the client computer to the server, parses the client requests for predefined transaction information by the hardware device, encrypts and forwards client requests, displays the predefined transaction information upon detection, forwards and encrypts the client request containing the predefined transaction information to the server if a user confirmation is received, and cancels the transaction if no user confirmation is received.

Abstract: A system and method for executing software modules on a computer, the method comprising: executing (S4) a bootloader (15, 16), at least partly (16) in the computer (101); and upon execution of the bootloader: accessing (S5) requirements as to an initial set (IS) of software modules (SMn); and hardware specifications of the computer; determining (S6) within said initial set, one or more candidate sets (CS1, CS2) of software modules that are compatible (S6a) with said hardware specifications and can (S6b) be stored as a RAM disk; and storing (S9) the software modules of a final set (FS) on a RAM disk (121), the final set (FS) being one of the one or more candidate sets, and instructing to execute the software modules stored on the RAM disk, wherein each of the initial set and the final set of software modules comprises application components and operating system image components, and preferably further comprises hardware component drivers.

Abstract: A method for allowing an operating system (OS), to access an encrypted data storage system of a computer, wherein: the data storage system comprises: a partition; and first encrypted data units that comprise partition table data of said data storage system; and said computer is connectable to an external device comprising: a boot loader for an external OS that is not installed on the computer; and partitioning information capturing an expected location of said partition in the data storage system; and wherein second encrypted data units that comprise reference partition table data for said data storage system are available from said computer or said external device, the method comprising: upon connection of said external device to the computer, instructing to boot the computer from said boot loader; and during or after booting of the computer: comparing the first and second encrypted data units; and if the first and second encrypted data units match, allow the external OS to access, based on the partitioning

Abstract: The present invention is notably directed to a method for allowing an operating system, or OS, to access an encrypted data storage system of a computer (10), wherein: the data storage system (11) comprises: a partition (122); and first encrypted data units (120) that comprise partition table data of said data storage system; and said computer (10) is connectable to an external device (20) comprising: a boot loader (24) for an external OS (112) that is not installed on the computer; and partitioning information (22) capturing an expected location of said partition (122) in the data storage system; and wherein second encrypted data units (220) that comprise reference partition table data for said data storage system are available from said computer (10) or said external device, the method comprising: upon connection (S21) of said external device (20) to the computer, instructing to boot (S23) the computer (10) from said boot loader (24); and during or after booting of the computer: comparing (S25) the first (12

Abstract: The invention relates to a method for distribution of a set of credentials from a credential issuer to a credential user. The credential user is provided with a user device. A first channel and a second channel are provided for communication between the user device and the credential issuer. A shared key is distributed between the user device and the credential issuer by means of the second channel. A binary representation of the set of credentials with a predefined maximum level of deviation from a uniform distribution is generated. The binary representation of the set of credentials is encrypted by means of the shared key. The encrypted set of credentials is distributed via the first channel from the credential issuer to the user device. The encrypted set of credentials is decrypted by the user device by means of the shared key.

Abstract: Methods and apparatus are provided for authenticating communications between a user computer and a server via a data communications network. A security device has memory containing security data, and security logic to use the security data to generate an authentication response to an authentication message received from the server in use. An interface device communicates with the security device. The interface device has a receiver for receiving from the user computer an authentication output containing the authentication message sent by the server to the user computer in use, and interface logic adapted to extract the authentication message from the authentication output and to send the authentication message to the security device. Includes a communications interface for connecting to the server via a communications channel bypassing the user computer. Either the security device or interface device sends the authentication response to the server via the communications channel bypassing the user computer.

Abstract: A method for digitally signing a document, a secure device, and a computer program product for implementing the method. The method employs a secure device which is protected against malicious software or malware and is adapted to establish a secure connection to a recipient via a host. The method includes: connecting to a terminal; accessing the contents of a document received by the secure device; instructing at the secure device to communicate the accessed contents to an output device other than the terminal such that the contents can be verified by a user; ascertaining at the secure device a command received to digitally sign the document; executing at the secure device the ascertained command; and instructing to send a digitally signed document to a recipient over a connection established via the host connected to a telecommunication network.

Abstract: An authorization device for authorizing operations of a remote server requested from user computers via a data communications network includes a computer interface configured to connect to a local user computer for facilitating communication with the remote server via a data communications network, a user interface configured to present information to a user, and control logic. The control logic is adapted to use security data accessible to the control logic to establish, via the local user computer, a mutually-authenticated connection for encrypted end-to-end communications with the server; collect from the server, via the connection, information indicative of any operation requested via a different connection to the server and requiring authorization by the user; and present the information to the user via the user interface to prompt for authorization of the operation.

Abstract: Methods and apparatus are provided for provisioning an operating system image from a server (2) to an untrusted user terminal (4) via a data communications network (3). A trusted device (5) such as a pocket USB device has tamper-resistant storage (9) containing bootloader logic, for controlling booting of a user terminal, and security data. On connection of the trusted device (5) to an untrusted user terminal (4), the user terminal is booted via the bootloader logic on the trusted device. Under control of the bootloader logic, a connection is established to the server (2) via the network (3) and the server is authenticated using the security data on the trusted device (5). An operating system boot image is received from the server (2) via this connection. The boot image is used to provision an operating system image from the server (2) to the user terminal (4) for execution of the operating system at the user terminal (4).

Abstract: An authorization device for authorizing operations of a remote server requested from user computers via a data communications network includes a computer interface configured to connect to a local user computer for facilitating communication with the remote server via a data communications network, a user interface configured to present information to a user, and control logic. The control logic is adapted to use security data accessible to the control logic to establish, via the local user computer, a mutually-authenticated connection for encrypted end-to-end communications with the server; collect from the server, via the connection, information indicative of any operation requested via a different connection to the server and requiring authorization by the user; and present the information to the user via the user interface to prompt for authorization of the operation.

Abstract: A secure online banking transaction apparatus to communicate with a server over a non-secure connection is provided and includes a selector configured to allow for a selection of a mode of the apparatus, a processing unit coupled to the selector and including a secure communication unit, which is configured to set up a secure connection, along which a secure transaction occurs, with the server via the non-secure connection in accordance with the mode, an input unit coupled to the processing unit and configured to allow for a input of data into the apparatus, which is at least partly related to the secure transaction, and an interface coupled to the processing unit and configured to convey at least a status of the secure transaction and the contents off the inputted data.