Abstract: A URL verification service is provided that is used to evaluate the trustworthiness of universal resource locators (URLs). As a user browses the world wide web, a URL verification client captures a URL associated with a web page of unknown authenticity. The URL verification client transmits the captured URL to a URL verification server. The URL verification server compares the URL to actively maintained whitelist and blacklist information. The server also uses the URL and a user-supplied or automatically-extracted brand to query a search engine. The URL verification server processes the response of the search engine to the search engine queries and the results of cache and whitelist and blacklist comparisons to determine whether the captured URL is legitimately associated with the brand. The results of the URL evaluation process are transmitted from the URL verification server to the URL verification client, which notifies user.

Abstract: A data processing system is provided that includes format-preserving encryption and decryption engines. A string that contains characters has a specified format. The format defines a legal set of character values for each character position in the string. During encryption operations with the encryption engine, a string is processed to remove extraneous characters and to encode the string using an index. The processed string is encrypted using a format-preserving block cipher. The output of the block cipher is post-processed to produce an encrypted string having the same specified format as the original unencrypted string. During decryption operations, the decryption engine uses the format-preserving block cipher in reverse to transform the encrypted string into a decrypted string having the same format.

Abstract: Systems and methods for secure messaging are provided. A sender may encrypt an email message for a recipient. The email message may contain authenticated sender-recipient mapping information. When a recipient requests a client software download or private key from a service provider, the service provider can verify the authenticity of the sender-recipient mapping information. This assures the service provider that the recipient has received a communication from the sender and allows the service provider to provide services to the recipient based on the status of the sender. If the sender is a member of an organization that is a direct customer of the service provider, the service provider may satisfy the recipient's service request.

Abstract: Cryptographic systems and methods are provided in which authentication operations, digital signature operations, and encryption operations may be performed. Authentication operations may be performed using authentication information. The authentication information may be constructed using a symmetric authentication key or a public/private pair of authentication keys. Users may digitally sign data using private signing keys. Corresponding public signing keys may be used to verify user signatures. Identity-based-encryption (IBE) arrangements may be used for encrypting messages using the identity of a recipient. IBE-encrypted messages may be decrypted using appropriate IBE private keys. A smart card, universal serial bus key, or other security device having a tamper-proof enclosure may use the authentication information to obtain secret key information. Information such as IBE private key information, private signature key information, and authentication information may be stored in the tamper-proof enclosure.

Abstract: A system is provided that uses identity-based encryption to support secure communications between senders and recipients over a communications network. Private key generators are used to provide public parameter information. Senders encrypt messages for recipients using public keys based on recipient identities and using the public parameter information as inputs to an identity-based encryption algorithm. Recipients use private keys to decrypt the messages. There may be multiple private key generators in the system and a given recipient may have multiple private keys. Senders can include private key identifying information in the messages they send to recipients. The private key identifying information may be used by the recipients to determine which of their private keys to use in decrypting a message. Recipients may obtain the correct private key to use to decrypt a message from a local database of private keys or from an appropriate private key server.

Abstract: Secure messages may be sent between senders and recipients using symmetric message keys. The symmetric message keys may be derived from a master key using a key generator at an organization. A gateway may encrypt outgoing message using the derived keys. Senders in the organization can send messages to recipients who are customers of the organization. The recipients can authenticate to a decryption server in the organization using preestablished credentials. The recipients can be provided with copies of the derived keys for decrypting the encrypted messages. A hierarchical architecture may be used in which a super master key generator at the organization derives master keys for delegated key generators in different units of the organization. An organization may have a policy server that generates non-customer symmetric message keys. The non-customer symmetric message keys may be used to encrypt messages sent by a non-customer sender to a recipient at the organization.

Abstract: A system is provided that uses identity-based encryption (IBE) to allow a sender to securely convey information in a message to a recipient over a communications network. IBE public key information may be used to encrypt messages and corresponding IBE private key information may be used to decrypt messages. Information on which IBE public key information was used in encrypting a given message may be provided to the message recipient with the message. Multiple IBE public keys may be used to encrypt a single message. A less sensitive IBE public key may be used to encrypt a more sensitive public key, so that the more sensitive public key can remain hidden as it is sent to the recipient.

Abstract: A system is provided that uses identity-based encryption to support secure communications between senders and recipients over a communications network. Private key generators are used to provide public parameter information. Senders encrypt messages for recipients using public keys based on recipient identities and using the public parameter information as inputs to an identity-based encryption algorithm. Recipients use private keys to decrypt the messages. There may be multiple private key generators in the system and a given recipient may have multiple private keys. Senders can include private key identifying information in the messages they send to recipients. The private key identifying information may be used by the recipients to determine which of their private keys to use in decrypting a message. Recipients may obtain the correct private key to use to decrypt a message from a local database of private keys or from an appropriate private key server.

Abstract: Systems and methods for managing email are provided. Some of the email may be encrypted using identity-based-encryption (IBE) techniques. When an incoming IBE-encrypted message for a recipient in an organization is received by a gateway at the organization, the gateway may request an IBE private key from an IBE private key generator. The IBE private key generator may generate the requested IBE private key for the gateway. The gateway may use an IBE decryption engine to decrypt the incoming message. The decrypted message can be scanned for viruses and spam and delivered to the recipient. Outgoing email messages can also be processed. If indicated by message attributes or information provided by a message sender, an outgoing message can be encrypted using an IBE encryption engine and the IBE public key of a desired recipient.

Abstract: Systems and methods for managing email are provided. Some of the email may be encrypted using identity-based-encryption (IBE) techniques. When an incoming IBE-encrypted message for a recipient in an organization is received by a gateway at the organization, the gateway may request an IBE private key from an IBE private key generator. The IBE private key generator may generate the requested IBE private key for the gateway. The gateway may use an IBE decryption engine to decrypt the incoming message. The decrypted message can be scanned for viruses and spam and delivered to the recipient. Outgoing email messages can also be processed. If indicated by message attributes or information provided by a message sender, an outgoing message can be encrypted using an IBE encryption engine and the IBE public key of a desired recipient.

Abstract: Key requests in a data processing system may include identifiers such as user names, policy names, and application names. The identifiers may also include validity period information indicating when corresponding keys are valid. When fulfilling a key request, a key server may use identifier information from the key request in determining which key access policies to apply and may use the identifier in determining whether an applicable policy has been satisfied. When a key request is authorized, the key server may generate a key by applying a one-way function to a root secret and the identifier. Validity period information for use by a decryption engine may be embedded in data items that include redundant information. Application testing can be facilitated by populating a test database with data that has been encrypted using a format-preserving encryption algorithm. Parts of a data string may be selectively encrypted based on their sensitivity.

Abstract: Cryptographic systems and methods are provided in which authentication operations, digital signature operations, and encryption operations may be performed. Authentication operations may be performed using authentication information. The authentication information may be constructed using a symmetric authentication key or a public/private pair of authentication keys. Users may digitally sign data using private signing keys. Corresponding public signing keys may be used to verify user signatures. Identity-based-encryption (IBE) arrangements may be used for encrypting messages using the identity of a recipient. IBE-encrypted messages may be decrypted using appropriate IBE private keys. A smart card, universal serial bus key, or other security device having a tamper-proof enclosure may use the authentication information to obtain secret key information. Information such as IBE private key information, private signature key information, and authentication information may be stored in the tamper-proof enclosure.

Abstract: Systems and methods for secure messaging are provided. A sender may encrypt content and send the encrypted content to a recipient over a communications network. The encrypted content may be decrypted for the recipient using a remote decryption service. Encrypted message content may be placed into a markup language form. Encrypted content may be incorporated into the form as a hidden form element. Form elements for collecting recipient credential information such as username and password information may also be incorporated into the form. At the recipient, the recipient may use the form to provide recipient credential information to the remote decryption service. The recipient may also use the form to upload the encrypted content from the form to the decryption service. The decryption service may provide the recipient with access to a decrypted version of the uploaded content over the communications network.

Abstract: Systems and methods for secure messaging are provided. A sender may encrypt content and send the encrypted content to a recipient over a communications network. The encrypted content may be decrypted for the recipient using a remote decryption service. Encrypted message content may be placed into a markup language form. Encrypted content may be incorporated into the form as a hidden form element. Form elements for collecting recipient credential information such as username and password information may also be incorporated into the form. At the recipient, the recipient may use the form to provide recipient credential information to the remote decryption service. The recipient may also use the form to upload the encrypted content from the form to the decryption service. The decryption service may provide the recipient with access to a decrypted version of the uploaded content over the communications network.

Abstract: A system is provided that uses identity-based encryption (IBE) to support secure communications. Messages from a sender may be encrypted using an IBE public key and IBE public parameter information associated with a recipient. The recipient may decrypt IBE-encrypted messages from the sender using an IBE private key. A host having a service name may be used to store the IBE public parameter information. The sender may use a service name generation rule to generate the service name based on the IBE public key of the recipient. The sender may use the service name to obtain the IBE public parameter information from the host.

Abstract: A system is provided that uses identity-based encryption (IBE) to allow a sender to securely convey information in a message to a recipient over a communications network. IBE public key information may be used to encrypt messages and corresponding IBE private key information may be used to decrypt messages. The IBE private keys may be provided to message recipients by an IBE private key generator. The IBE private key generator and the recipients who obtain their IBE private keys from that generator form a district. District policy information may be provided by the IBE private key generator that specifies which encryption and communications protocols are used by the district. The district policy information may also specify which authentication protocols are used by the district and may set forth how content-based protocols are implemented. This information may be used by senders in sending messages to recipients.

Abstract: A system is provided that allows encrypted content to be distributed to users over a communications network. A policy enforcement service may use an identity-based encryption algorithm to generate public parameter information and private keys. Data content may be encrypted prior to distribution using an identity-based encryption engine. The encryption engine may use the public parameter information from the policy service and public key information to encrypt the data. The public key information may be based on policy information that specifies which types of users are allowed to access the data that is encrypted using that public key. A user may obtain a private key for unlocking particular encrypted data by providing a key request to the policy enforcement service that contains the public key. The policy enforcement service may enforce the policies given by the policy information and may provide private keys only to authorized users.

Abstract: Cryptographic systems and methods are provided in which authentication operations, digital signature operations, and encryption operations may be performed. Authentication operations may be performed using authentication information. The authentication information may be constructed using a symmetric authentication key or a public/private pair of authentication keys. Users may digitally sign data using private signing keys. Corresponding public signing keys may be used to verify user signatures. Identity-based-encryption (IBE) arrangements may be used for encrypting messages using the identity of a recipient. IBE-encrypted messages may be decrypted using appropriate IBE private keys. A smart card, universal serial bus key, or other security device having a tamper-proof enclosure may use the authentication information to obtain secret key information. Information such as IBE private key information, private signature key information, and authentication information may be stored in the tamper-proof enclosure.

Abstract: A system is provided that uses identity-based encryption (IBE) to support secure communications. Messages from a sender may be encrypted using an IBE public key and IBE public parameter information associated with a recipient. The recipient may decrypt IBE-encrypted messages from the sender using an IBE private key. A host having a service name may be used to store the IBE public parameter information. The sender may use a service name generation rule to generate the service name based on the IBE public key of the recipient. The sender may use the service name to obtain the IBE public parameter information from the host.

Abstract: A system is provided that allows encrypted content to be distributed to users over a communications network. A policy enforcement service may use an identity-based encryption algorithm to generate public parameter information and private keys. Data content may be encrypted prior to distribution using an identity-based encryption engine. The encryption engine may use the public parameter information from the policy service and public key information to encrypt the data. The public key information may be based on policy information that specifies which types of users are allowed to access the data that is encrypted using that public key. A user may obtain a private key for unlocking particular encrypted data by providing a key request to the policy enforcement service that contains the public key. The policy enforcement service may enforce the policies given by the policy information and may provide private keys only to authorized users.