Abstract: In a device, method and/or computer-readable medium for secure communication between a client device and a server, the client device includes a browser for accessing a website provided by the server, the client device generates a key according to a key generating cryptographic routine; tags the key with a marker associating the key with the website; and stores the tagged key in a memory associated with the browser.

Abstract: Methods, systems and computer readable mediums are provided for recovering keys. A key transport session key is generated, and a key encryption key is derived based on a server master key and an identification associated with a token. The key transport session key is encrypted with the key encryption key as a first wrapped key transport session key. An encrypted storage session key and an encrypted private key are retrieved from an archive. The encrypted storage session key is decrypted with a server storage key as a storage session key. The encrypted private key is decrypted with the storage session key. The decrypted private key is encrypted with the key transport session key as a wrapped private key. The wrapped private key and the first wrapped key transport session key are forwarded.

Abstract: According to embodiments of the present disclosure, expanded destination information is provided to prevent information theft. In some embodiments, a browser is configured to provide a user with information about a secure destination, for example, a SSL website. By providing the user with information about the secure destination, the user may confirm that the secure destination is the correct destination. In addition, embodiments of the present invention may indicate to the user whether the requested destination is “safe” or “unsafe” before the user submits any information to that destination. In particular, if form fields are being submitted by the user, then a safe/unsafe indication may be provided before the user submits any information. The safety of the submission may be indicated in various ways, such as making the background of the web page a prominent color, making the “submit” button a certain color, or by writing text into a part of the browser's display.

Abstract: An embodiment relates generally to receiving a plurality of security certificates for each user of a plurality of users and generating a random renewal period for a selected security certificate. The method also includes associating the random renewal period to the selected security certificate and providing the selected security certificate with the random renewal period to the respective user of the plurality of users.

Abstract: Embodiments of the present invention provide a method and system, including a client and security token, for reducing a size of a security-related object stored in the token. The object is stored in a storage structure that is indexed according to an identity reference to a certificate associated with the object and a private key identifier identifying a private key assigned to an owner of the token. A request to access an encrypted data object results in accessing the private key identifier in the storage structure using only the identity reference as an index.

Abstract: Embodiments of the present invention provide a compression capability for compressing a CRL, such as an X.509 CRL, stored as a file, data structure or data object in a computer system having a certification authority (CA) and a security client. An exemplary method provides for accessing the CRL contents including a certificate revocation record and performing compression procedure, such as a lossless compression procedure on the contents of the CRL. The compressed CRL contents can be stored in another file, data structure or data object. A request for the compressed CRL is from a security client whereupon the compressed CRL is returned to the security client by transferring the compressed CRL contents to the security client. The security can client un-compress the compressed CRL contents. In some cases the uncompressed CRL contents can be transferred to the security client.

Abstract: An embodiment generally relates to a method of increasing user convenience The method includes displaying a log-in user interface and receiving an authentication attempt in the log-in user interface.

Abstract: An embodiment generally relates to a method of managing tokens. The method includes detecting a presence of a token at a client and determining a status of the token. The method also includes formatting the token at the client in response to the status of the token being unformatted.

Abstract: Embodiments of the present invention provide a secure remote password reset capability. In some embodiments, an exemplary method provides a remote reset of a password associated with a token in a computer system having a security server. A token-based authentication process is activated by connecting the token to the security server. A server-based authentication process is initiated in the security server by activating a password reset process in a security client. The server-based authentication process communicates with the token-based authentication process over a secure channel. An authentication credential is managed by a third party agent that supplies a query and the authentication credential as a correct response to the query to the security server. A prompt provided by the password reset process collects the authentication credential and a new password. After the authentication credential is validated mutually authentication is performed between the security server and the token.

Abstract: Embodiments of the present invention provide a multiple source entropy feed for a PRNG that is used to generate server-side encryption keys. In particular, embodiments of the present invention provide a data recovery manager that collects additional entropy sources that feed into the PRNG between each key generation. The entropy may be collected from a variety of sources, for example, high-resolution timer intervals between input/output interrupts, hard disk access operations, and the like. The number of bits of entropy collected may be configured for each key generation.

Abstract: An embodiment pertains generally to a method of delivering keys in a server. The method includes generating a subject key pair, where the subject key pair includes a subject public key and a subject private key. The method also includes retrieving a storage key and encrypting the subject private key with the storage key as a wrapped storage private key. The method further includes storing the wrapped storage private key.

Abstract: An embodiment pertains generally to a method of storing keys. The method includes receiving a request for generating a subject private key at a token processing system and generating a subject key pair, where the subject key pair includes a subject public and the subject private key. The method also includes archiving the subject private key within the token processing system.

Abstract: An embodiment pertains generally to a method of generating credentials for a token. The method includes detecting the token and the server determining that the token is to be enrolled and generating a subject key pair within the server, where the subject key pair includes a subject public key and the subject private key. The method also includes encrypting the subject private key with a key transport session key to arrive at a wrapped private key and forwarding the wrapped private key to the token.

Abstract: Embodiments of the present invention provide a profile framework for handling enrollment requests. In particular, when a token processing system receives an enrollment request, it selects an applicable profile based on information in the request. The profile may indicate a variety of parameters for fulfilling the enrollment request, such as the locations of the applicable certificate authority, token key service, and the like. The profile may also indicate items, such as the number of keys to generate on a token, a token label, and connection information to securely communicate with other components and the client making the enrollment request.

Abstract: Embodiments of the present invention provide identity management security domains that may be used in an enterprise security system. A security domain provides a centralized registry of services provided by the enterprise security system. For example, certificate authorities and other services, such as key archives, and the like, in the enterprise security system may register information about themselves in the security domain. Authorized users can then discover the location of these services. In some embodiments, the security domain may provide an interface that indicates a topology between services of the enterprise security system. The security domain may also serve as a distribution point for security policies. A security policy may comprise information that indicates, for example, a set of trusted certificate authorities, certificate templates, certificate revocation lists, and the locations of the services in the enterprise security system.

Abstract: Methods, systems and computer readable mediums are provided for recovering keys. A key transport session key is generated, and a key encryption key is derived based on a server master key and an identification associated with a token. The key transport session key is encrypted with the key encryption key as a first wrapped key transport session key. An encrypted storage session key and an encrypted private key are retrieved from an archive. The encrypted storage session key is decrypted with a server storage key as a storage session key. The encrypted private key is decrypted with the storage session key. The decrypted private key is encrypted with the key transport session key as a wrapped private key. The wrapped private key and the first wrapped key transport session key are forwarded.

Abstract: A person-portable object tracking system for identifying a location of a tracked person-portable object such as a security tracking bag, money pack or other container by a location identifier powered by a portable power source, the location transmitted to a central processor by a communicator. The location identifier preferably uses the global positioning satellite system or a radio frequency identification tag. An event detector sends a signal by way of the communicator to the central processor, the signal indicating the occurrence of a predetermined event such as a change from darkness to light, movement of a handle or the like and/or opening of an enclosure, cutting, motion and/or exceeding a distance from a desired location. Using plural event detectors in logical AND combination prevents unwanted event indications. The central processor archives a history of locations of the tracked person-portable object.

Abstract: The present invention relates to devices for treating liquids, and methods for treating liquids, particularly by using such devices. Reticulated electrode structures with a high proportion of surface area to volume are formed with at least two metals, and are coupled in arrays to an electrical driving signal such as an alternating and/or direct current voltage source, for ion exchange with a liquid to be treated, to produce, e.g., potable water.

Abstract: A process is provided for regulating server request loads by use of a scheduling technique in a system having a client application and a server application. The process involves the server application receiving a request for service from a client application, determining a quality of service for each request, and returning an appointment to the client application reflecting a time at or after which the server application will be able to process the request.