Abstract: The present invention provides a method that allows three parties to mutually authenticate each other and share an encrypted channel. The invention is based on a novel twist to the widely used two party transport level SSL protocol. One party, typically a user at a browser, acts as a man in the middle between the other two parties, typically two web servers with regular SSL credentials. The two web servers establish a standard mutually authenticated SSL connection via the user's browser, using a novel variation of the SSL handshake that guarantees that a legitimate user is in the middle.

Abstract: Systems and methods for electronic billing activation are provided. A request on behalf of a payer to activate electronic billing from a biller for the payer is received by a first electronic financial service provider (EFSP) that supports a first of a plurality of electronic financial service networks (EFSNs) from a second EFSP that supports a second of the plurality of EFSNs. Each of the plurality of EFSNs includes a respective plurality of billers or payers, and the biller is associated with the first EFSN and not associated with the second EFSN, while the payer is not associated with the first EFSN. In response to the received request, activation confirmation information is transmitted by the first EFSP to the second EFSP. The electronic billing activation enables subsequent electronic transmission of a bill from the biller for the payer.

Abstract: Techniques for generating a private portion of a split private key of an asymmetric key pair are provided. Multiple factors upon which the private portion of the split private key is based are received. Each of these multiple factors is under control of a user associated with the asymmetric key pair. Multiple cryptographic operations are then performed using the received multiple factors to generate the private portion.

Abstract: The present invention provides a method that facilitates secure cross domain mashups in an efficient fashion. The invention allows a first entity, the Masher, to establish at a second entity, the User, a secure mashup by obtaining information from, or taking actions at, a third entity, the Mashee, by using a novel twist to the SSL protocol. The invention is further extended to secure a hub and widget architecture, which allows one Masher to establish at a User, communication with several Mashees. Mutual authentication of all entities, key distribution for authentication, privacy and code verification and dynamic authorization based on the certificate information are provided by the invention.

Abstract: Techniques for providing different levels of access based upon a same authentication factor are provided. A first message is received that is transformed with a first portion of a split private key, the first portion based upon a user password and another factor, and the split private key associated with an asymmetric key pair having a public key and the split private key. The user is authenticated for a first level of network access based upon the received first message being transformed with the first portion. A second message is received that is transformed with a second portion of the split private key, the second portion based upon the password only and not combinable with the first portion to complete the split private key. The user is authenticated for a second level of network access different that the first level based upon the received second message being transformed with the second portion.

Abstract: Techniques for authentication are provided. A first authentication request transformed with a private portion of a first type split private key is received. A first user is authenticated for a first level of network access based upon the first request being transformed with the first type of split private key. A second authentication request that is transformed with a private portion of a second type private key is also received. A second user is authenticated for a second level of network access based upon the second request being transformed with the second type of split private key.

Abstract: Techniques for generating a portion of a split private key are provided. A first symmetric key and a second symmetric key different than the first symmetric key are generated at a first location. The generated second symmetric key and a first one of multiple factors for generating the private key portion encrypted with the generated first symmetric key are transmitted. Then, at a second network location, the symmetric keys are again generated. The encrypted first factor is received at the second network location subsequent to a user authentication based upon the second symmetric key generated at the second network location. The received encrypted first factor is then decrypted with the first symmetric key generated at the second network location, the decrypted first factor usable to generate the portion of the split private key of the asymmetric key pair.

Abstract: A first network station encrypts a first message with a first key portion from a first split of a private or public key of a user's asymmetric crypto-key and transmits it during a network session. The second network station decrypts the transmitted encrypted first message with a second key portion from the first split of the one key of the asymmetric crypto-key to initially authenticate the user for access, during the session, to store information. The first network station also encrypts a second message with another first key portion from a second split of that one key, and subsequently transmits it during the same network session. The second network station decrypts the subsequently transmitted encrypted second message with another second key portion from the second split of that same one key to subsequently authenticate the user for access, during the same session, to other stored_information.

Abstract: Techniques for generating a multi-factor asymmetric key pair having a public key and split private key with multiple private portions, at least one of the multiple portions being a multiple factor private key portion, are provided. First and second asymmetric key pairs are generated, each having a private key and a public key. A text string and the first private key are cryptographically combined to make a first private key portion of the split private key. This first private key portion is a multiple factor private key portion. A second private key portion of the split private key is generated based upon the generated first private key portion and the second private key.

Abstract: A method, system and article of manufacture for making a monetary gift. The system includes a communications port, a memory, and a processor. The processor functions to perform the method of the present invention. A request to make a monetary gift to a recipient on behalf of a donor is received. An input associated with an electronic greeting card is also received. The request and the input are processed to generate the electronic greeting card with a notification of the gift. The electronic greeting card is transmitted to the recipient, and the gift is credited to the recipient's bank account.

Abstract: Systems and methods for controlling access to information on a network where a first network entity receives a message requesting access to stored information via a network communication. The received message includes a first component encrypted with a first crypto-key associated with the first network entity and a second component encrypted with a second crypto-key associated with a second network entity such that both can be decrypted by the first network entity. The second network entity controls access to the network by the user. After receiving the message, the first network entity decrypts the first component and the second component and then transmits the stored information to the user based on the content of the first component and the second component.

Abstract: Systems and methods for facilitating access to stored information associated with a user, where a service provider receives, from a network entity controlling access to the stored information, a first message component encrypted with a first crypto-key associated with the network entity that can be decrypted by the network entity and a network address associated with the stored information. The service provider then receives a request for information enabling access to the stored information from an access portal associated with the user. Next, the service provider generates a response that includes the network address and the first message component and transmits the response to the access portal. The generated response is extensible by the access portal to include a second message component. The second message component is encrypted with a second crypto-key associated with the access portal. The extended response is usable to obtain access to the stored information.

Abstract: A user instruction communicated over a communications network via a first communication channel to a relying entity for action, is confirmed by having a trusted entity receive verification information corresponding to the communicated user instruction from the user over the network via a second communication channel and/or verification information corresponding to a received user instruction from the relying entity via a third communication channel. If verification information is received from only the user, it is communicated to the relying entity. If from both, the trusted entity verifies the received user instruction based on the received verification information. If from only the relying entity, it is communicated to the user.

Abstract: An electronic bill payment network includes a plurality of user network stations associated with different users, a plurality of biller network stations associated with different billers, and a central network station. A first user station operates, in real time, to transmit information relevant to an amount of an available bill and an instruction to pay the available bill. A first biller station operates, in real time, to receive the transmitted information and to compute the amount of the available bill based upon the received information. The central network station operates to receive the computed amount of the available bill and the transmitted pay instruction, and to direct payment of the computed amount of the available bill based upon the transmitted instruction to pay that bill.

Abstract: Techniques for user authentication based upon an asymmetric key pair having a public key and a split private key are provided. A first portion of the split private key is generated based upon multiple factors under control of the user. The factors include a password. A challenge is cryptographically combined with a first one of the multiple factors, but not the user password, to form a first message. The first message is transformed with the generated first portion to form a second message, which is then sent to an authentication entity. The sent second message is transformed to authenticate the user by proving direct verification of user control of the first factor.

Abstract: An electronic bill presentment network includes a central network station and a plurality of different user stations. The central network station transmits bill availability information to the user stations to identify available bills of different billers for the different users. Information associated with each available bill of a respective biller is available at one of multiple networks addresses associated with that biller. The associated information could, for example, be the bill itself and/or promotional information. Each user station is associated with a respective one of the users and receives the transmitted bill availability information for its associated user and selects one of the identified available bills, such as for viewing or payment. A user station associated with a first user is linked to the first network address associated with the bills of the first biller, based on a bill selection by the first user station.

Abstract: To facilitate access to information on a network, an extended network universal resource locator is generated. The generated extended network universal resource locator has (i) a network address, such as an Internet URL, at which stored information, such as detailed bill information, can be accessed on a network, (ii) identity information associated with a first network entity and an integrity value corresponding to the identity information, and (iii) voucher information indicating that a third network entity has authenticated the first network entity and that transmission of the extended network universal resource locator by the third network entity to the first network entity occurred at a particular time. The identity information could, for example, include an identification of the stored information and an account number associated with the first network entity. The integrity value could, for example, be a hash of the identity information.

Abstract: The present invention provides a method, system, and article of manufacture for presenting information via a network. Multiple information identifiers, each associated with information to be directed to a network user, are received and stored. A notice of availability of the information, as well as one of the information identifiers, are transmitted to the network user. Only after the network user views the information associated with the transmitted information identifier, another information identifier is transmitted to the network user to allow the network user to view the information associated with the other information identifier.

Abstract: A processor generates an asymmetric crypto-key, such as an RSA crypto-key, which is associated with the user and includes a private key and a public key. It computes a first key portion based on a stored random number generation function, which has one or more constants such as a salt and/or iteration count, and a first value of a constant, and a second key portion based on the computed first key portion and one of the private key and the public key. It additionally computes another first key portion based on the stored random number generation function and a second value of that constant, and another second key portion based on the computed other first key portion and the one key. The computed first and second key portions and the computed other first and second key portions form first and second splits of the one key of the asymmetric crypto-key.

Abstract: A first network station encrypts a first message with a first key portion from a first split of a private or public key of a user's asymmetric crypto-key and transmits it during a network session. The second network station decrypts the transmitted encrypted first message with a second key portion from the first split of the one key of the asymmetric crypto-key to initially authenticate the user for access, during the session, to store information. The first network station also encrypts a second message with another first key portion from a second split of that one key, and subsequently transmits it during the same network session. The second network station decrypts the subsequently transmitted encrypted second message with another second key portion from the second split of that same one key to subsequently authenticate the user for access, during the same session, to other stored_information.