Patents by Inventor William E. Freeman

William E. Freeman has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9419800
    Abstract: Secure network systems and methods are provided. In an aspect of the invention, a secure network system is provided that includes a computing system that comprises a client system and a specialized NIC (network interface controller) system equipped with the capability to form a secure connection with an endpoint system and encrypt and decrypt communications between the client system and the network to which it is connected. This trusted network interface (TNI), which may present itself as a physical peripheral connected to a physical client system or a virtual peripheral connected to a virtual client system, takes the place of a client system's standard NIC, and the connection that it forms with the trusted network is negotiated and enforced externally to and independent of the client system.
    Type: Grant
    Filed: August 17, 2012
    Date of Patent: August 16, 2016
    Assignee: Northrop Grumman Systems Corporation
    Inventors: Neil G. Siegel, Daniel Jacques, William E. Freeman
  • Publication number: 20140052980
    Abstract: Secure network systems and methods are provided. In an aspect of the invention, a secure network system is provided that includes a computing system that comprises a client system and a specialized NIC (network interface controller) system equipped with the capability to form a secure connection with an endpoint system and encrypt and decrypt communications between the client system and the network to which it is connected. This trusted network interface (TNI), which may present itself as a physical peripheral connected to a physical client system or a virtual peripheral connected to a virtual client system, takes the place of a client system's standard NIC, and the connection that it forms with the trusted network is negotiated and enforced externally to and independent of the client system.
    Type: Application
    Filed: August 17, 2012
    Publication date: February 20, 2014
    Applicant: Northrop Grumman Systems Corporation
    Inventors: Neil G. Siegel, Daniel Jacques, William E. Freeman
  • Publication number: 20130321458
    Abstract: In one embodiment, a method includes generating a treemap for a network space having an array of network addresses. The treemap includes a hierarchical network map with a plurality of leaf nodes, and each leaf node in the treemap characterizes a proper subset of the array of network addresses. The method includes overlaying an organizational schema for an organization on to the hierarchical network map to identify a plurality of nodes of the network space employed by the organization. The method includes generating a visualization for a graphical user interface (GUI) of the hierarchical network map with the organizational schema overlaid thereon that includes a visual indicia of network events that occur within the network space.
    Type: Application
    Filed: May 30, 2013
    Publication date: December 5, 2013
    Applicant: Northrop Grumman Systems Corporation
    Inventors: Scott B. Miserendino, David Morsberger, William E. Freeman, Christopher Charles Valentino
  • Patent number: 8086867
    Abstract: A process for generating a unique, secure and printable identity document, for authenticating the use of the document, and for granting privileges based on the document, includes generating an identity certificate for an individual. This certificate incorporates a pointer to biometric and other identifying data for the individual which are stored in a reference database. The identity certificate is encoded to produce, for example, a machine-readable printable 2-dimensional barcode as an identity document. The identity document may then be used by the document holder for generation of an encoded privilege document and this, in turn, is compared with the stored reference data, including the stored biometric when the privilege is to be exercised.
    Type: Grant
    Filed: May 1, 2002
    Date of Patent: December 27, 2011
    Assignee: Northrop Grumman Systems Corporation
    Inventors: William E. Freeman, Mark A. Bellmore, Kenneth W. Aull
  • Patent number: 7475250
    Abstract: A method and computer program to assign certificates/private keys to a token. This method and computer program allows a user to access a certificate authority and have certificates/private keys that are used for signature, encryption and role purposes generated and downloaded to the token. The use of secure communication lines and computers is not necessary since the token contains a unique token ID and private key, while the certificate authority contains the associated public key for the token. The certificate generated is wrapped in the public key and only the token, having the associated private key, may activate the certificate.
    Type: Grant
    Filed: December 19, 2001
    Date of Patent: January 6, 2009
    Assignee: Northrop Grumman Corporation
    Inventors: Kenneth W. Aull, Thomas C. Kerr, William E. Freeman, Mark A. Bellmore
  • Patent number: 7421079
    Abstract: A method, and a corresponding apparatus, provide for remote, secure replacement of private keys in a private key infrastructure. The method is implemented as a secure key replacement protocol (SKRP), which includes the steps of receiving a rekey request, where the rekey request identifies a private key for replacement, authenticating the rekey request, replacing the identified private key with a SKRP key, signing the challenge with the SKRP key, and returning the signed challenge. The rekey request includes the SKRP key and the challenge.
    Type: Grant
    Filed: December 9, 2003
    Date of Patent: September 2, 2008
    Assignee: Northrop Grumman Corporation
    Inventors: William E. Freeman, Mark A. Bellmore
  • Patent number: 7206936
    Abstract: A method and computer program to revoke and update a token (130) having several encryption, signature and role certificates/private keys contained in the token (130). The certificates/private keys in the token (130) are transmitted wrapped by a public key and may only be activated by a private key contained in the token (130). The activation of any certificate/private key requires the entry of a passphrase by a user (132). Further, all certificates/private keys contained in a token (130) are stored in an authoritative database (104). In the event that a token (130) is lost then all certificates/private keys associated with the token (130) are revoked. Further, when new certificates/private keys are issued to a user (132) these certificates/private keys are encrypted using the token's (130) public key and downloaded to the token (130).
    Type: Grant
    Filed: December 19, 2001
    Date of Patent: April 17, 2007
    Assignee: Northrop Grumman Corporation
    Inventors: Kenneth W. Aull, Thomas C. Kerr, William E. Freeman, Mark A. Bellmore
  • Publication number: 20040162984
    Abstract: A process for generating a unique, secure and printable identity document, for authenticating the use of the document, and for granting privileges based on the document, includes generating an identity certificate for an individual. This certificate incorporates a pointer to biometric and other identifying data for the individual which are stored in a reference database. The identity certificate is encoded to produce, for example, a machine-readable printable 2-dimensional barcode as an identity document. The identity document may then be used by the document holder for generation of an encoded privilege document and this, in turn, is compared with the stored reference data, including the stored biometric when the privilege is to be exercised.
    Type: Application
    Filed: May 1, 2002
    Publication date: August 19, 2004
    Inventors: William E. Freeman, Mark A. Bellmore, Kenneth W. Aull
  • Publication number: 20030115468
    Abstract: A method and computer program to assign certificates/private keys to a token (130). This method and computer program allows a user (132) to access a certificate authority (110) and have certificates/private keys that are used for signature, encryption and role purposes generated and downloaded to the token (130). The use of secure communication lines and computers is not necessary since the token (132) contains a unique token ID and private key, while the certificate authority (110) contains the associated public key for the token (130). The certificate generated is wrapped in the public key and only the token (130), having the associated private key, may activate the certificate.
    Type: Application
    Filed: December 19, 2001
    Publication date: June 19, 2003
    Inventors: Kenneth W. Aull, Thomas C. Kerr, William E. Freeman, Mark A. Bellmore
  • Publication number: 20030115467
    Abstract: A token issuance and binding process includes providing a plurality of tokens, each token having a unique ID number stored therein. A unique public/private key pair is generated for each token and each token ID number and corresponding public key is stored in a directory/database. Each private key is stored in its respective token and a unique ID number of a user is bound to a corresponding one of the plurality of tokens by storing the correspondence there between in the directory/database.
    Type: Application
    Filed: December 19, 2001
    Publication date: June 19, 2003
    Inventors: Kenneth W. Aull, Thomas C. Kerr, William E. Freeman, Mark A. Bellmore
  • Publication number: 20030115466
    Abstract: A method and computer program to revoke and update a token (130) having several encryption, signature and role certificates/private keys contained in the token (130). The certificates/private keys in the token (130) are transmitted wrapped by a public key and may only be activated by a private key contained in the token (130). The activation of any certificate/private key requires the entry of a passphrase by a user (132). Further, all certificates/private keys contained in a token (130) are stored in an authoritative database (104). In the event that a token (130) is lost then all certificates/private keys associated with the token (130) are revoked. Further, when new certificates/private keys are issued to a user (132) these certificates/private keys are encrypted using the token's (130) public key and downloaded to the token (130).
    Type: Application
    Filed: December 19, 2001
    Publication date: June 19, 2003
    Inventors: Kenneth W. Aull, Thomas C. Kerr, William E. Freeman, Mark A. Bellmore
  • Publication number: 20030115455
    Abstract: Method and apparatus for centralized processing of hardware tokens for a public key infrastructure (PKI). A commercially available token is received at a secure processing facility. An operating system is installed on the token. A unique key encipherment certificate is created that includes a public key for the token. The unique key encipherment certificate is written onto the token. A Root Certificate Authority certificate is also written onto the token. A unique private key is written onto the token where the unique private key is the matching key for the unique key encipherment certificate. A software package is loaded onto the token. The software package is capable of cryptologically validating future keys and certificates, decrypting the keys and certificates, and installing the keys and certificates in the token.
    Type: Application
    Filed: December 19, 2001
    Publication date: June 19, 2003
    Inventors: Kenneth W. Aull, Thomas C. Kerr, William E. Freeman, Mark A. Bellmore