Patents by Inventor Ty Lindteigen

Ty Lindteigen has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9852300
    Abstract: The invention includes systems and methods to asymmetrically encrypt audit logs, store a limited period of the encrypted audit logs, periodically send the encrypted audit logs to a central location for storage and further process in order to provide tamper-proof evidence of an activity. The system comprises a secure audit client enabled to perform various activities. A secure audit manager logs such activities in an audit log for uploading to a secure audit server. The secure audit server receives the audit logs from the secure audit manager. Finally a secure audit log consumer requests audit log data from the secure audit log manager to review the secure audit log.
    Type: Grant
    Filed: September 25, 2015
    Date of Patent: December 26, 2017
    Assignee: SAIFE, Inc.
    Inventors: Ty Lindteigen, Anthony Payne
  • Patent number: 9794270
    Abstract: The invention includes a system comprising a device, software installed on the device and coupled to the device's hardware and software stack to execute data encryption and remote attestation. The invention includes a process to configure the device for encryption and remote attestation and performing an initial inventory and content scan of the device's hardware and software stack with results transmitted across a communication network to the attestation server. The invention includes periodic inventory and content scans of the device's hardware and software stack with results transmitted again to the server via the network. The attestation server stores the results in a database for comparison to subsequent results sent by devices. The attestation server notes any differences in the most recent results and sends an alert to the device if the device is configured differently based on the previous scan, or configured the same if no differences were noted.
    Type: Grant
    Filed: February 16, 2015
    Date of Patent: October 17, 2017
    Assignee: SAIFE, Inc.
    Inventor: Ty Lindteigen
  • Publication number: 20170201382
    Abstract: The application illustrates methods, apparatuses, and systems for securely transmitting data between a first endpoint device and a second endpoint device comprising the first endpoint device, a first security gateway, a first network infrastructure, a secure network with the secure network enabled to establish a secure communication link directly between the first security gateway and the second security gateway enabling the first endpoint device to transmit data directly to the second endpoint device via the secure communication link.
    Type: Application
    Filed: February 1, 2017
    Publication date: July 13, 2017
    Inventor: Ty Lindteigen
  • Patent number: 9692605
    Abstract: This invention includes a solution to enable a digital authentication solution comprising a network. Next, a first device is coupled to the network. The first device may include an authentication key generator that is able to generate both public and private keys in electronic formats. Next, the first device is coupled to a certificate authority gateway. The certificate authority gateway includes devices capable of converting the electronically formatted public key to a non-electronic format, and vice versa. Next, the certificate authority gateway is coupled to a certificate authority server. The certificate authority server includes devices capable of converting the electronically formatted public key to a non-electronic format, and vice versa. The certificate authority server is also contained in a secure area such as a locked room, or a safe. The secure area includes features that allow the non-electronically formatted public key to be passed across the boundary of the secure area.
    Type: Grant
    Filed: June 25, 2016
    Date of Patent: June 27, 2017
    Assignee: SAIFE, Inc.
    Inventors: Ty Lindteigen, James Chester Jones
  • Publication number: 20170149748
    Abstract: The invention provides novel methods, apparatuses, and systems for securely creating, storing, and transmitting data. The invention enables data exchange between a first and second device. The second device establishes a network session with a first device. An application running on the second device requests the secure messaging service to send a set of application data to the first device via the secure network. The network application initiates a network group session and allocates a relay from the secure messaging service. The first and second device creates an initialization vector and initiates an encrypt cipher stream using the network session key and the initialization vector. The first and second device initiates a decrypt stream using the initialization vector and network session key.
    Type: Application
    Filed: November 25, 2015
    Publication date: May 25, 2017
    Inventors: Ty Lindteigen, Anthony Payne, Dipen Patel
  • Publication number: 20170126623
    Abstract: The application illustrates methods, apparatuses, and systems for securely transmitting data between a first endpoint device and a second endpoint device comprising the first endpoint device, a first security gateway, a first network infrastructure, a secure network with the secure network enabled to establish a secure communication link directly between the first security gateway and the second security gateway enabling the first endpoint device to transmit data directly to the second endpoint device via the secure communication link.
    Type: Application
    Filed: December 20, 2016
    Publication date: May 4, 2017
    Inventor: Ty Lindteigen
  • Publication number: 20170091463
    Abstract: The invention includes systems and methods to asymmetrically encrypt audit logs, store a limited period of the encrypted audit logs, periodically send the encrypted audit logs to a central location for storage and further process in order to provide tamper-proof evidence of an activity. The system comprises a secure audit client enabled to perform various activities. A secure audit manager logs such activities in an audit log for uploading to a secure audit server. The secure audit server receives the audit logs from the secure audit manager. Finally a secure audit log consumer requests audit log data from the secure audit log manager to review the secure audit log.
    Type: Application
    Filed: September 25, 2015
    Publication date: March 30, 2017
    Inventors: Ty Lindteigen, Anthony Payne
  • Publication number: 20170026385
    Abstract: A system, method and computer program product for proximity-based access control, including a physical token device having a programmable computing device, a memory storage device, and a wireless radio device having a limited range; and a user device that couples to the physical token device over one of: a wireless interface to the wireless radio device integrated into the physical token, and a physical interface to the physical token with electrical connectivity between the physical token and the user device. The programmable computing device is configured to only allow the user device to access the memory storage device over the wireless or physical interface when the physical token device is either within the limited range of the wireless radio device, or physically attached such that electrical connection is possible, respectively.
    Type: Application
    Filed: July 22, 2016
    Publication date: January 26, 2017
    Applicant: Satellite Technologies LLC
    Inventors: Amir Masoud Zarkesh, Daniel Fishkov, Ty Lindteigen, Paul T. Kitaj, Dipen T. Patel
  • Publication number: 20170019377
    Abstract: This invention includes apparatus, systems, and methods to secure data in a remote storage device where an end-point device does not have direct access to the storage device to secure the data, or the end-point device does not trust the storage device to adequately secure the data, comprising securing an authenticated communication between the end-point device and a synchronized storage server via a communication network. The synchronized storage server sends the end-point device a notification including the root folder list. The end-point device compares the sent root folder list to a previously stored root folder list in the end-point device's memory. If the end-point device detects either a new root folder on the synchronized storage server, a change in an existing folder, or deleted content in a folder, the end-point device will determine that a change is required to the stored data. Next, the end-point device will synchronize with the synchronized storage server and create a new storage list.
    Type: Application
    Filed: July 14, 2015
    Publication date: January 19, 2017
    Inventors: Ty Lindteigen, John Curtis
  • Publication number: 20160308680
    Abstract: This invention includes a solution to enable a digital authentication solution comprising a network. Next, a first device is coupled to the network. The first device may include an authentication key generator that is able to generate both public and private keys in electronic formats. Next, the first device is coupled to a certificate authority gateway. The certificate authority gateway includes devices capable of converting the electronically formatted public key to a non-electronic format, and vice versa. Next, the certificate authority gateway is coupled to a certificate authority server. The certificate authority server includes devices capable of converting the electronically formatted public key to a non-electronic format, and vice versa. The certificate authority server is also contained in a secure area such as a locked room, or a safe. The secure area includes features that allow the non-electronically formatted public key to be passed across the boundary of the secure area.
    Type: Application
    Filed: June 25, 2016
    Publication date: October 20, 2016
    Inventors: Ty Lindteigen, James Chester Jones
  • Patent number: 9444807
    Abstract: This invention includes a system and method to enable a device to determine the presence information of another device over a secure communication network. First, the device and a presence server establish a secure connection. Next, while the initial secure connection with the presence server is established, the device generates a randomly created token and provides it to the presence server. The token is used as a shared-secret by the device and the presence server to secure future presence communications over a non-secure connection. Next, without the need to again enter a password or establish a secure connection with the presence server, the device uses the shared-secret to sign, encrypt and convey presence information to the presence server over an arbitrary connection. Finally, the presence server may share the first device's presence information with another device.
    Type: Grant
    Filed: August 25, 2015
    Date of Patent: September 13, 2016
    Assignee: SAIFE, INC.
    Inventors: Ty Lindteigen, James Chester Jones, Dipen Patel, Anthony Payne
  • Publication number: 20160248734
    Abstract: The invention includes a system for transmitting multi-wrapped VPN enabled-data across a communication network from a device to another destination device within a remote protected network. The device comprises a software stack, hardware layer, application-layer VPN software, link-layer VPN software, and user-based application software. Next, the device is coupled to a communication network. Next, the system includes a link-layer VPN aggregator and an application-layer VPN aggregator. Finally, the system includes a protected network that includes the destination device. The invention includes embodiments for configuring a device to transmit multi-wrapped VPN enabled-data and processes for transmitting multi-wrapped VPN enabled-data across a communication network from a device to another destination device within a remote protected network. Finally, the invention includes inverse processes so the destination device can transmit data back through the communication network and to the device.
    Type: Application
    Filed: December 19, 2015
    Publication date: August 25, 2016
    Inventor: Ty Lindteigen
  • Publication number: 20150373006
    Abstract: This invention includes a system and method to enable a device to determine the presence information of another device over a secure communication network. First, the device and a presence server establish a secure connection. Next, while the initial secure connection with the presence server is established, the device generates a randomly created token and provides it to the presence server. The token is used as a shared-secret by the device and the presence server to secure future presence communications over a non-secure connection. Next, without the need to again enter a password or establish a secure connection with the presence server, the device uses the shared-secret to sign, encrypt and convey presence information to the presence server over an arbitrary connection. Finally, the presence server may share the first device's presence information with another device.
    Type: Application
    Filed: August 25, 2015
    Publication date: December 24, 2015
    Inventors: Ty Lindteigen, James Chester Jones, Dipen Patel, Anthony Payne
  • Patent number: 9113499
    Abstract: A smartphone is adapted, through software modifications, to provide multiple operating domains or domains that provide differing levels of security and reliability. Each operating domain is isolated from the others. Detection of unauthorized modification is provided in some embodiments. Cross domain activity notification is provided in some embodiments.
    Type: Grant
    Filed: May 31, 2013
    Date of Patent: August 18, 2015
    Assignee: ViaSat, Inc.
    Inventors: Franklin David Van Voorhees, Phil Mar, Steven R. Hart, Ty Lindteigen, Christopher Paul Wren
  • Publication number: 20150163229
    Abstract: The invention includes a system comprising a device, software installed on the device and coupled to the device's hardware and software stack to execute data encryption and remote attestation. The invention includes a process to configure the device for encryption and remote attestation and performing an initial inventory and content scan of the device's hardware and software stack with results transmitted across a communication network to the attestation server. The invention includes periodic inventory and content scans of the device's hardware and software stack with results transmitted again to the server via the network. The attestation server stores the results in a database for comparison to subsequent results sent by devices. The attestation server notes any differences in the most recent results and sends an alert to the device if the device is configured differently based on the previous scan, or configured the same if no differences were noted.
    Type: Application
    Filed: February 16, 2015
    Publication date: June 11, 2015
    Inventor: Ty Lindteigen
  • Publication number: 20150012755
    Abstract: This invention provides a novel method, system, and apparatus allowing an authorized user access to controlled assets when a passcode method malfunctions, such as when a user forgets a password, a token malfunction, or a biometric mismatch. The invention allows temporary access to an access control system without knowing the password and without sending the user the password or a new random password. The user is able to set a new password without knowing the previous password. Furthermore, stored encrypted data is preserved and made accessible once again via the new passcode. This invention works for many authentication methods such as restoring access when a password, token, access card, or biometric sample is used.
    Type: Application
    Filed: July 1, 2014
    Publication date: January 8, 2015
    Inventor: Ty Lindteigen
  • Patent number: 8594652
    Abstract: A method for a mobile communication device to indicate activity associated with an operating domain includes establishing a plurality of operating domains for the mobile communication device each operating as an independent virtual machine. The method also includes providing a trusted indicator at the mobile communication device for indicating activity associated with a high-side domain. The method also includes providing an input on the mobile communication device for switching from a low-side domain to the high-side domain. The method also includes providing a trusted element for the mobile communication device that is independent of either the high-side domain or the low-side domain. The trusted element may be configured to receive a signal from the input for switching from the low-side domain to the high-side domain and to perform user authentication for switching from the low-side domain to the high-side domain.
    Type: Grant
    Filed: February 19, 2013
    Date of Patent: November 26, 2013
    Assignee: ViaSat, Inc.
    Inventors: Steven R. Hart, Ty Lindteigen, Phil Mar, Christopher Paul Wren
  • Publication number: 20130303146
    Abstract: A smartphone is adapted, through software modifications, to provide multiple operating domains or domains that provide differing levels of security and reliability. Each operating domain is isolated from the others. Detection of unauthorized modification is provided in some embodiments. Cross domain activity notification is provided in some embodiments.
    Type: Application
    Filed: May 31, 2013
    Publication date: November 14, 2013
    Inventors: Franklin David Van Voorhees, Phil Mar, Steven R. Hart, Ty Lindteigen, Christopher Paul Wren
  • Patent number: 8498619
    Abstract: A method for validating integrity of a mobile communication device includes provisioning the mobile communication device by deleting existing software and installing an integrity verification application. The method also includes establishing a first pass indicator and a second pass indicator including receiving a first instance of the first pass indicator. The method also includes receiving a second instance of the first pass indicator as a challenge for verification. In response to receiving the second instance of the first pass indicator, the second pass indicator may be displayed as an indication of the integrity.
    Type: Grant
    Filed: October 10, 2012
    Date of Patent: July 30, 2013
    Assignee: ViaSat, Inc.
    Inventors: Ty Lindteigen, Franklin David Van Voorhees
  • Patent number: 8495731
    Abstract: A commercial off-the-shelf smartphone is adapted, through software modifications only, to provide multiple operating domains or domains that provide differing levels of security and reliability. Each operating domain is isolated from the others. Detection of unauthorized modification is provided. Cross domain activity notification is provided.
    Type: Grant
    Filed: October 1, 2010
    Date of Patent: July 23, 2013
    Assignee: ViaSat, Inc.
    Inventors: Phil Mar, Ty Lindteigen, Steven R. Hart, Franklin David Van Voorhees, Christopher Paul Wren