Abstract: A key management system includes secured data stored on a first system secured by a control key stored securely on a key server. The secured data is secured against attacks such as unauthorized use, modification or access, where authorization to access the secured data is determined by knowledge of an access private key of an access key pair. When an authorized user is to access the secured data, the first system generates a request to the key server, signed with the access private key, wherein the request is for a decryption control key and the request includes a one-time public key of a key pair generated by the first system for the request. The first system can decrypt the decryption control key from the response, using a one-time private key. The first system can then decrypt the secured data with the decryption control key remaining secured in transport.

Abstract: Systems, methods and articles of manufacture for evaluating a password policy are disclosed. The password evaluation system receives password policy data regarding a password policy, including a password constraint. The system analyzes the password policy data to determine a usability index and a password strength index for the password policy, and also determines a usability index and password strength index for a plurality of modified password policies having password constraints different from the password policy. The system then provides a graphical representation of the usability index and the password strength for the password policy and the modified password policies, thereby allowing a password designer to optimize the tradeoffs between usability and security of a password policy.

Abstract: A key management system includes secured data stored on a first system secured by a control key stored securely on a key server. The secured data is secured against attacks such as unauthorized use, modification or access, where authorization to access the secured data is determined by knowledge of an access private key of an access key pair. When an authorized user is to access the secured data, the first system generates a request to the key server, signed with the access private key, wherein the request is for a decryption control key and the request includes a one-time public key of a key pair generated by the first system for the request. The first system can decrypt the decryption control key from the response, using a one-time private key. The first system can then decrypt the secured data with the decryption control key remaining secured in transport.

Abstract: A key management system includes secured data stored on a first system secured by a control key stored securely on a key server. The secured data is secured against attacks such as unauthorized use, modification or access, where authorization to access the secured data is determined by knowledge of an access private key of an access key pair. When an authorized user is to access the secured data, the first system generates a request to the key server, signed with the access private key, wherein the request is for a decryption control key and the request includes a one-time public key of a key pair generated by the first system for the request. The first system can decrypt the decryption control key from the response, using a one-time private key. The first system can then decrypt the secured data with the decryption control key remaining secured in transport.

Abstract: A key management system includes secured data stored on a first system secured by a control key stored securely on a key server. The secured data is secured against attacks such as unauthorized use, modification or access, where authorization to access the secured data is determined by knowledge of an access private key of an access key pair. When an authorized user is to access the secured data, the first system generates a request to the key server, signed with the access private key, wherein the request is for a decryption control key and the request includes a one-time public key of a key pair generated by the first system for the request. The first system can decrypt the decryption control key from the response, using a one-time private key. The first system can then decrypt the secured data with the decryption control key remaining secured in transport.

Abstract: In a cryptographic system, the unlocking of secret keys on a user system is audited and correlated with other events that typically occur after the secret key is used to perform a cryptographic operation. Audit evidence of secret key cryptographic operations is recorded for later review and/or analysis, for use as stored evidence of unauthorized activity and/or for use in refuting false claims of repudiation of authorized activity. Some systems might also provide users with user activity reports that can alert a user to suspicious or unauthorized activity using that user's access.

Abstract: In a cryptographic system, the unlocking of secret keys on a user system is audited and correlated with other events that typically occur after the secret key is used to perform a cryptographic operation. Audit evidence of secret key cryptographic operations is recorded for later review and/or analysis, for use as stored evidence of unauthorized activity and/or for use in refuting false claims of repudiation of authorized activity. Some systems might also provide users with user activity reports that can alert a user to suspicious or unauthorized activity using that user's access.

Abstract: A computer program product for a client computing system including a processor includes code that directs the processor to request a challenge from a authentication server, code that directs the processor to receive the challenge from the authentication server via a first secure communications channel, the challenge comprising an identity code, code that directs the processor to receive user authentication data from a user, code that directs the processor to determine a private key and a digital certificate in response to the user authentication data, code that directs the processor to form a digital signature in response to the identity code and the private key, code that directs the processor to communicate the digital signature to the authentication server, code that directs the processor to communicate the digital certificate to the authentication server, the digital certificate comprising a public key in an encrypted form, and code that directs the processor to communicate network user authentication dat

Abstract: Techniques are disclosed to increase the efficiency of multi-party authentication communications protocols. One technique includes a four party authentication method utilizing a general authenticator to store and provide a credit card authentication password and other payment information to an issuing bank and/or other parties involved in the transaction. Other techniques include the use of skeleton messages to minimize the forwarding of information through a forwarding party, the elimination of redundant communications exchanges, the use of a merchant appliance hardware solution to minimize system integration difficulties, and/or the imposition of credit card constraints. The techniques may be used singly or in combination.

Abstract: A method for communicating passwords includes receiving at a server a challenge from a authentication server via a first secure communications channel, the challenge comprising a random password that is inactive, communicating the challenge from the server to a client computer via a second secure communications channel, receiving at the server a challenge response from the client computer via the second secure communications channel, the challenge response comprising a digital certificate and a digital signature, the digital certificate including a public key in an encrypted form, the digital signature being determined in response to the random password and the private key, and communicating the challenge response from the server to the authentication server via the first secure communications channel, wherein the random password is activated when the authentication server verifies the challenge response.

Abstract: A computer-readable medium having stored thereon computer-executable instructions for implementing a method of verifying a digitally-signed document includes stored instruction for verifying a digital signature related to the document, stored instruction for validating at least one certificate associated with the signature, and stored instruction for storing audit information into a data structure movable as a unit. The audit information relates to verifying the digital signature and validating the at least one certificate, thereby retaining evidence that the document was verified. The instructions further include stored instruction for thereafter displaying the audit information.

Abstract: In a cryptographic system, the unlocking of secret keys on a user system is audited and correlated with other events that typically occur after the secret key is used to perform a cryptographic operation. Audit evidence of secret key cryptographic operations is recorded for later review and/or analysis, for use as stored evidence of unauthorized activity and/or for use in refuting false claims of repudiation of authorized activity. Some systems might also provide users with user activity reports that can alert a user to suspicious or unauthorized activity using that user's access.

Abstract: Techniques are disclosed to increase the efficiency of multi-party authentication communications protocols. One technique includes a four party authentication method utilizing a general authenticator to store and provide a credit card authentication password and other payment information to an issuing bank and/or other parties involved in the transaction. Other techniques include the use of skeleton messages to minimize the forwarding of information through a forwarding party, the elimination of redundant communications exchanges, the use of a merchant appliance hardware solution to minimize system integration difficulties, and/or the imposition of credit card constraints. The techniques may be used singly or in combination.

Abstract: A key management system includes secured data stored on a first system secured by a control key stored securely on a key server. The secured data is secured against attacks such as unauthorized use, modification or access, where authorization to access the secured data is determined by knowledge of an access private key of an access key pair. When an authorized user is to access the secured data, the first system generates a request to the key server, signed with the access private key, wherein the request is for a decryption control key and the request includes a one-time public key of a key pair generated by the first system for the request. The first system can decrypt the decryption control key from the response, using a one-time private key. The first system can then decrypt the secured data with the decryption control key remaining secured in transport.

Abstract: A computer program product for a client computing system including a processor includes code that directs the processor to request a challenge from a authentication server, code that directs the processor to receive the challenge from the authentication server via a first secure communications channel, the challenge comprising an identity code, code that directs the processor to receive user authentication data from a user, code that directs the processor to determine a private key and a digital certificate in response to the user authentication data, code that directs the processor to form a digital signature in response to the identity code and the private key, code that directs the processor to communicate the digital signature to the authentication server, code that directs the processor to communicate the digital certificate to the authentication server, the digital certificate comprising a public key in an encrypted form, and code that directs the processor to communicate network user authentication dat

Abstract: A method for communicating passwords includes receiving at a server a challenge from a authentication server via a first secure communications channel, the challenge comprising a random password that is inactive, communicating the challenge from the server to a client computer via a second secure communications channel, receiving at the server a challenge response from the client computer via the second secure communications channel, the challenge response comprising a digital certificate and a digital signature, the digital certificate including a public key in an encrypted form, the digital signature being determined in response to the random password and the private key, and communicating the challenge response from the server to the authentication server via the first secure communications channel, wherein the random password is activated when the authentication server verifies the challenge response.