Patents by Inventor Ravi Ganesan

Ravi Ganesan has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20110107407
    Abstract: The present invention provides a new method of site and user authentication. This is achieved by creating a pop-up window on the user's PC that is in communication with a security server, and where this communication channel is separate from the communication between the user's browser and whichever web site they are at. A legitimate web site embeds code in the web page which communicates to the security server from the user's desktop. The security server checks the legitimacy of the web site and then signals both the web page on the user's browser, as well as the pop-up window to which it has a separate channel. The security server also sends a random image to both the pop-up window and the browser. If user authentication is requested by the web site the user is first authenticated by the security server for instance by out of band authentication. Then the security server computes a one time password based on a secret it shares with the web site and sends it to the pop up window.
    Type: Application
    Filed: November 2, 2010
    Publication date: May 5, 2011
    Inventor: RAVI GANESAN
  • Publication number: 20110099379
    Abstract: A system for authenticating a user of a communication network is disclosed. The system includes a user station associated with the user and an authenticating station communicatively coupled to the user station via the communication network. The authenticating station is configured to authenticate the user. The authenticating station is further configured to perform an operation, which includes receiving a first value, from a user station associated with the user, via the communication network. The first value represents a first user credential. A first key portion is generated based on the first value and a second value that is unknown to the user. The first key portion, along with a second key portion, is used for authenticating credentials of the user for a predefined period of time or for authenticating user credentials for a predefined number of times. The second key portion is generated based on the first key portion.
    Type: Application
    Filed: December 2, 2010
    Publication date: April 28, 2011
    Applicant: VMWARE, INC.
    Inventors: Ravi GANESAN, Ravinderpal Singh SANDHU, Andrew Paul COTTRELL, Kyle AUSTIN
  • Patent number: 7930542
    Abstract: The present invention provides a method that allows three parties to mutually authenticate each other and share an encrypted channel. The invention is based on a novel twist to the widely used two party transport level SSL protocol. One party, typically a user at a browser, acts as a man in the middle between the other two parties, typically two web servers with regular SSL credentials. The two web servers establish a standard mutually authenticated SSL connection via the user's browser, using a novel variation of the SSL handshake that guarantees that a legitimate user is in the middle.
    Type: Grant
    Filed: April 7, 2008
    Date of Patent: April 19, 2011
    Assignee: Safemashups Inc.
    Inventor: Ravi Ganesan
  • Publication number: 20110047381
    Abstract: The present invention provides a new method for policy enforcement in a virtualized or cloud environment. We break down the environment into layers, which are further sub-divided into security units. Each security unit has a security profile based on its own security properties and those of the layers below. The security profile also reflects the floor, ceiling and wall security properties. Each security unit has an agent which is used to establish communications with other security units. Such communication is mediated by a cloud trust broker which determines if the communication is permitted based on access control list or else retrieves the security profiles and applies pre-defined rules. If the communications are allowed the cloud trust broker runs a mutual authentication and key distribution protocol that results in the two security units obtaining a session key which they can then use for further communications which can proceed directly.
    Type: Application
    Filed: August 20, 2010
    Publication date: February 24, 2011
    Applicant: BOARD OF REGENTS, THE UNIVERSITY OF TEXAS SYSTEM
    Inventors: Ravi GANESAN, Todd Wolff
  • Publication number: 20110047372
    Abstract: The present invention provides a method that allows the MashSSL protocol to be used to provide a secure and efficient way for delegated authentication. The invention allows services which already have an SSL infrastructure to reuse that infrastructure for delegated authentication, and to do so in a fashion where the cryptographic overhead is amortized across multiple users, and which provides the user with greater control of what information is shared on their behalf.
    Type: Application
    Filed: April 7, 2008
    Publication date: February 24, 2011
    Inventor: Ravi Ganesan
  • Patent number: 7895437
    Abstract: To establish credentials, a user network station transmits a first value. An authenticating entity network station generates a first key portion based on the transmitted first value and a second value unknown to the user, splits one of a private key and a public key of a user asymmetric crypto-key into the first key portion and a second key portion, stores the second key portion of the one key so as to be accessible only to the authenticating entity network device, generates a cookie including the second value, transmits the generated cookie to the user network station, and destroys the transmitted first value, the second value, the one key, and the first key portion of the one key. The first value represents a first and the second value included in the transmitted cookie represents a second user credential useable to authenticate the user.
    Type: Grant
    Filed: May 31, 2006
    Date of Patent: February 22, 2011
    Assignee: VMware, Inc.
    Inventors: Ravi Ganesan, Ravi Singh Sandhu, Andrew Paul Cottrell, Kyle Austin
  • Patent number: 7886346
    Abstract: To authenticate a user of a communications network, credentials from the user are centrally received. An authentication sequence is retrieved from a plurality of retrievable authentication sequences, and the retrieved authentication sequence is performed to authenticate the user based on the received credentials.
    Type: Grant
    Filed: February 12, 2007
    Date of Patent: February 8, 2011
    Assignee: VMware, Inc.
    Inventors: Ravi Singh Sandhu, Ravi Ganesan, Andrew Paul Cottrell, Timothy Scott Renshaw, Brett Jason Schoppert, Kyle Austin
  • Patent number: 7840993
    Abstract: To authenticate a user having an associated asymmetric crypto-key having a private/public key pair (D,E) based on a one-time-password, the user partially signs a symmetric session key with the first portion D1 of the private key D. The authenticating entity receives the partially signed symmetric session key via the network and completes the signature with the second private key portion D2 to recover the symmetric session key. The user also encrypts a one-time-password with the symmetric session key. The authenticating entity also receives the encrypted one-time-password via the network, and decrypts the received encrypted one-time-password with the recovered symmetric session key to authenticate the user.
    Type: Grant
    Filed: May 2, 2006
    Date of Patent: November 23, 2010
    Assignee: TriCipher, Inc.
    Inventors: Ravi Ganesan, Ravinderpal Singh Sandhu, Andrew Paul Cottrell, Brett Jason Schoppert, Mihir Bellare
  • Patent number: 7788172
    Abstract: A method and system for electronic billing across unassociated electronic bill presentment networks is provided. Each network includes a billing service provider. A request to receive an electronic bill from a biller not associated with a first network is received by a first billing service provider. A request to determine a network with which the biller is associated is transmitted by the first billing service provider. In response to this determination request, information indicating that the biller is associated with a second network is received. An activation instruction to receive electronic bills is transmitted from the first billing service provider to a second billing service provider which is a part of the network with which the biller is associated.
    Type: Grant
    Filed: October 30, 2001
    Date of Patent: August 31, 2010
    Assignee: CheckFree Services Corporation
    Inventors: Peter Kight, Ravi Ganesan, Matt Lewis, D. Kenneth Hobday, Jr., Hans Dreyer
  • Patent number: 7778901
    Abstract: To electronically present bills and request payment of presented bills, billing information representing a bill of a biller for a payee, and an associated selectable payment indicator having a first linking function, are received from a first network site associated with a bill presentment entity via a first communications link over a communications network. The received billing information and payment indicator are displayed. An input representing a selection of the displayed payment indicator is received. Based on the receipt of this input, the first linking function is activated to establish a second communications link over the communications network to a second network site, different than the first network site, associated with a bill payment entity, and to transmit a request to pay the represented bill on behalf of the payee to the second network site via the second communications link.
    Type: Grant
    Filed: February 17, 2005
    Date of Patent: August 17, 2010
    Assignee: CheckFree Corporation
    Inventors: Ravi Ganesan, Mark Todd Harris, Hans Daniel Dreyer, Kathryn Randall Wolfe
  • Publication number: 20100202609
    Abstract: Techniques for securing an asymmetric crypto-key having a public key and a split private key with multiple private portions are provided. A first one of multiple factors is stored. All of the factors are under the control of a user and all are required to generate a first private portion of the split private key. The first private portion is not stored in a persistent state. A second private portion of the split private key under control of an entity other than the user is also stored. The first private portion and the second private portion are combinable to form a complete private portion.
    Type: Application
    Filed: March 23, 2010
    Publication date: August 12, 2010
    Inventors: Ravinderpal Singh Sandhu, Brett Jason Schoppert, Ravi Ganesan, Mihir Bellare, Colin Joseph deSa
  • Patent number: 7734911
    Abstract: A user network station transmits a cookie that includes a user identifier and an augmenting factor transformed with one key of a first asymmetric crypto-key or with a symmetric crypto-key. An authenticating entity network station recovers the augmenting factor from the transformed augmenting factor included in the transmitted cookie, with the other key of the first asymmetric crypto-key or with the symmetric crypto-key, and transmits a customized login page corresponding to the user identifier. The user network station transmits a factor responsive to the transmitted customized login page. The authenticating entity network station generates a first key portion based on the transmitted factor and the recovered augmenting factor, and validates the generated first key portion based on a second key portion of one key of a second asymmetric crypto-key associated with the user and on the other key of the second asymmetric crypto-key, to thereby authenticate the user.
    Type: Grant
    Filed: May 31, 2006
    Date of Patent: June 8, 2010
    Assignee: Tricipher, Inc.
    Inventors: Ravi Ganesan, Ravinderpal Singh Sandhu, Andrew Paul Cottrell, Kyle Austin
  • Patent number: 7734912
    Abstract: A user network station transmits a cookie including a user identifier and an augmenting factor transformed with one key of a first asymmetric crypto-key or with a symmetric crypto-key. An authenticating entity network station recovers the augmenting factor from the transformed augmenting factor with the other key of the first asymmetric crypto-key or with the symmetric crypto-key, and transmits a customized login page corresponding to the user identifier included in the received cookie. The user network station transmits a factor responsive to the transmitted customized login page. The authenticating entity network station generates a first key portion based on the transmitted factor, and validates the generated first key portion based on a second key portion of one key of a second asymmetric crypto-key associated with the user and on the other key of the second asymmetric crypto-key, and the recovered augmenting factor, to thereby authenticate the user.
    Type: Grant
    Filed: May 31, 2006
    Date of Patent: June 8, 2010
    Assignee: TriCipher, Inc.
    Inventors: Ravi Ganesan, Ravinderpal Singh Sandhu, Andrew Paul Cottrell, Kyle Austin
  • Patent number: 7734045
    Abstract: A processor generates an asymmetric crypto-key, such as an RSA crypto-key, which is associated with the user and includes a private key and a public key. It computes a first key portion based on a stored random number generation function, which has one or more constants such as a salt and/or iteration count, and a first value of a constant, and a second key portion based on the computed first key portion and one of the private key and the public key. It additionally computes another first key portion based on the stored random number generation function and a second value of that constant, and another second key portion based on the computed other first key portion and the one key. The computed first and second key portions and the computed other first and second key portions form first and second splits of the one key of the asymmetric crypto-key.
    Type: Grant
    Filed: May 5, 2006
    Date of Patent: June 8, 2010
    Assignee: Tricipher, Inc.
    Inventors: Ravinderpal Singh Sandhu, Brett Jason Schoppert, Ravi Ganesan, Mihir Bellare, Colin Joseph Desa
  • Patent number: 7657484
    Abstract: Bill information is electronically presented to a user via a wide-area communications network. The wide-area communications network has multiple different network sites, including a first network site associated with a first bill information presentment entity, a second network site associated with a first user entity, and a third network site associated with a second bill information presentment entity. First information for authenticating the first user entity is received by the first bill information presentment entity. The first user entity is authenticated to the third network site based on this received first authentication information. First bill information, which represents a first bill of a first biller for the first user entity, is accessed at the third network site based on the authentication of the first user entity to this site. The accessed first bill information is transmitted from the first network site to the second network site, for presentation to the first user entity.
    Type: Grant
    Filed: August 22, 2003
    Date of Patent: February 2, 2010
    Assignee: CheckFree Corporation
    Inventors: Ravi Ganesan, Mark Todd Harris, Hans Daniel Dreyer, Kathryn Randall Wolfe
  • Publication number: 20100017332
    Abstract: Systems and methods for making a payment on behalf of a payer to a payee are provided. A request to make a payment on behalf of a payer to a payee is received at a first payment service provider. The first payment service provider supports a first payment network within a plurality of payment networks that each include a respective plurality of payers and payees. The payer is one of the plurality of payers and payees associated with the first payment network, and the payor is not one of the plurality of payers and payees associated with the first payment network. A second payment network within the plurality of payment networks with which the payee is associated is identified by the first payment service provider. A payment instruction to make the payment to the payee is transmitted by the first payment service provider to a second payment service provider associated with the second payment network.
    Type: Application
    Filed: August 31, 2009
    Publication date: January 21, 2010
    Applicant: CHECKFREE SERVICES CORPORATION
    Inventors: Peter Kight, Ravi Ganesan, Matt Lewis, D. Kenneth Hobday, JR., Hans Dreyer
  • Publication number: 20100005297
    Abstract: The present invention provides a method that allows three parties to mutually authenticate each other and share an encrypted channel. The invention is based on a novel twist to the widely used two party transport level SSL protocol. One party, typically a user at a browser, acts as a man in the middle between the other two parties, typically two web servers with regular SSL credentials. The two web servers establish a standard mutually authenticated SSL connection via the user's browser, using a novel variation of the SSL handshake that guarantees that a legitimate user is in the middle.
    Type: Application
    Filed: April 7, 2008
    Publication date: January 7, 2010
    Inventor: Ravi Ganesan
  • Publication number: 20090319410
    Abstract: Systems and methods for electronic billing activation are provided. A request on behalf of a payer to activate electronic billing from a biller for the payer is received by a first electronic financial service provider (EFSP) that supports a first of a plurality of electronic financial service networks (EFSNs) from a second EFSP that supports a second of the plurality of EFSNs. Each of the plurality of EFSNs includes a respective plurality of billers or payers, and the biller is associated with the first EFSN and not associated with the second EFSN, while the payer is not associated with the first EFSN. In response to the received request, activation confirmation information is transmitted by the first EFSP to the second EFSP. The electronic billing activation enables subsequent electronic transmission of a bill from the biller for the payer.
    Type: Application
    Filed: August 31, 2009
    Publication date: December 24, 2009
    Applicant: CHECKFREE CORPORATION
    Inventors: Peter Kight, Ravi Ganesan, Matt Lewis, D. Kenneth Hobday, JR., Hans Dreyer
  • Patent number: 7630493
    Abstract: Techniques for generating a private portion of a split private key of an asymmetric key pair are provided. Multiple factors upon which the private portion of the split private key is based are received. Each of these multiple factors is under control of a user associated with the asymmetric key pair. Multiple cryptographic operations are then performed using the received multiple factors to generate the private portion.
    Type: Grant
    Filed: February 14, 2005
    Date of Patent: December 8, 2009
    Assignee: TriCipher, Inc.
    Inventors: Ravinderpal Singh Sandhu, Brett Jason Schoppert, Ravi Ganesan, Mihir Bellare, Colin Joseph deSa
  • Publication number: 20090254745
    Abstract: The present invention provides a method that facilitates secure cross domain mashups in an efficient fashion. The invention allows a first entity, the Masher, to establish at a second entity, the User, a secure mashup by obtaining information from, or taking actions at, a third entity, the Mashee, by using a novel twist to the SSL protocol. The invention is further extended to secure a hub and widget architecture, which allows one Masher to establish at a User, communication with several Mashees. Mutual authentication of all entities, key distribution for authentication, privacy and code verification and dynamic authorization based on the certificate information are provided by the invention.
    Type: Application
    Filed: April 7, 2008
    Publication date: October 8, 2009
    Inventor: Ravi Ganesan