By Certificate Patents (Class 713/156)
  • Patent number: 9553732
    Abstract: In many information security scenarios, a certificate issued by a certificate authority on behalf of a domain is presented to a client in order to verify the identity of the domain. However, due to a decentralized structure and incomplete coordination among certificate authorities, the presence and exploitation of security vulnerabilities to issue untrustworthy certificates may be difficult for an individual client to determine. Presented herein are techniques for advising clients of the trustworthiness of respective certificate authorities by evaluating the certificates issued by such certificate authorities for suspicious indicators, such as hashcode collisions with other certificates and public key re-use.
    Type: Grant
    Filed: August 1, 2014
    Date of Patent: January 24, 2017
    Assignee: Microsoft Technology Licensing LLC
    Inventors: Anooshiravan Saboori, Muhammad Umar Janjua, Nelly Porter, Philip Hallin, Haitao Li, Xiaohong Su, Kelvin Yiu, Anthony Paul Penta
  • Patent number: 9553731
    Abstract: A terminal unique information transmission method including: receiving, by a server, from a terminal, a terminal unique information acquisition request including a terminal unique public key certificate of the terminal; generating an encrypted terminal unique public key certificate by encrypting the terminal unique public key certificate of the terminal; checking, by the server, whether the generated encrypted terminal unique public key certificate is described in a discarded terminal information table; and transmitting, by the server, when the generated encrypted terminal unique public key certificate is not described in the discarded terminal information table, a terminal unique information of the terminal to the terminal.
    Type: Grant
    Filed: July 17, 2014
    Date of Patent: January 24, 2017
    Assignee: FUJITSU LIMITED
    Inventor: Hidefumi Maruyama
  • Patent number: 9544153
    Abstract: A method, system and computer-readable medium for establishing secure connections using compressed cryptographic chaining certificates, the method including receiving a first compact representation corresponding to a certificate for validating a first entity at a second entity, retrieving a local list of one or more compact representations corresponding to one or more certificates locally available to the second entity, comparing the first compact representation to the one or more compact representations within the local list, determining if the first compact representation matches at least one of the one or more compact representations, retrieving the certificate corresponding to the at least one of the one or more compact representations if the first compact representation matches the at least one of the one or more compact representations and validating the first entity using the retrieved certificate corresponding to the at least one of the one or more compact representations.
    Type: Grant
    Filed: November 1, 2013
    Date of Patent: January 10, 2017
    Assignee: GOOGLE INC.
    Inventor: James Anthony Roskind
  • Patent number: 9544299
    Abstract: An information processing apparatus for accessing a server via a network transmits an issuance request of a certificate including information unique to the information processing apparatus to a certificate authority, and receives the certificate transmitted by the certificate authority in response to the issuance request. The apparatus determines whether or not it is possible to access the server by comparing information unique to the information processing apparatus with the unique information included in the received certificate, and restricts, if it is determined that it is not possible to access the server, issuance of a connection request to the server.
    Type: Grant
    Filed: January 28, 2014
    Date of Patent: January 10, 2017
    Assignee: Canon Kabushiki Kaisha
    Inventor: Kyohei Takeda
  • Patent number: 9536092
    Abstract: A method, system, and program product for remotely attesting to a state of a computing system is provided. Specifically, the present invention allows a remote system to establish trust in the properties of the computer system. The properties to be trusted are expanded from the usual system software layers and related configuration files to novel types of data such as static data specific to the computer system, dynamic data determined at system startup, or dynamic data created as the computer system runs applications.
    Type: Grant
    Filed: February 16, 2016
    Date of Patent: January 3, 2017
    Assignee: International Business Machines Corporation
    Inventors: Stefan Berger, Kenneth Goldman, Trent R. Jaeger, Ronald Perez, Reiner Sailer, Enriquillo Valdez
  • Patent number: 9537662
    Abstract: Methods and systems for generating or validating compact certificates include receiving a first format of the certificate. Moreover, a signature is obtained for the certificate in the first format. For each field of the certificate, the field is decoded to obtain a value for the field from the first format, and the value for the field is encoded into a second format. Decoding and encoding for each field is done incrementally in the same order of the fields as the first format. In other words, a next field is not decoded from the first format until the field is encoded in the second format. Furthermore, a security envelope is encoded using the signature in the first format and the fields.
    Type: Grant
    Filed: October 8, 2014
    Date of Patent: January 3, 2017
    Assignee: Google Inc.
    Inventor: Jay D. Logue
  • Patent number: 9531689
    Abstract: A system and method involve determining that one or more data packets received from a first device on a communications network are one of data at rest and data in transit, performing one of an encryption operation and a decryption operation on the data packets, and storing the data packets in a memory device if they are data at rest or transmitting the data packets over the communications network if they are data in transit. If the data packets are data in transit, the method may involve, prior to transmission, encapsulating information into a frame of the data packets to indicate they are data in transit. The data packets may be compressed prior to encryption. The determination that the data packets are one of data at rest and data in transit may be based upon a value of at least one data field of the data packets.
    Type: Grant
    Filed: January 15, 2015
    Date of Patent: December 27, 2016
    Assignee: The United States of America as Represented by the Secretary of the Navy
    Inventors: Jose Romero-Mariona, Tom Nguyen, Mihail Schoolov, Ashton Mozano
  • Patent number: 9531538
    Abstract: Exposure of sensitive information to users is controlled using a first security token containing user identity and user credentials to represent the user who requests services, and a second security token containing two other identities, one identifying the token issuer and the other identifying the owning process. When requesting services, the token-owning process sends a security token to indicate who is making the request, and uses its key to digitally sign the request. The token-owning process signs the request to indicate that it endorses the request.
    Type: Grant
    Filed: December 11, 2015
    Date of Patent: December 27, 2016
    Assignee: International Business Machines Corporation
    Inventors: John Y-C. Chang, Ching-Yun Chao, Bertrand Be-Chung Chiu, Ki Hong Park
  • Patent number: 9526007
    Abstract: Location brokering technique embodiments are presented that employ sensor data captured by a user's mobile device to determine the device's location, encrypt the location data and store it in a database. The location data is encrypted in such a way that it is possible to determine when a user's mobile device is currently in the same vicinity as another user's mobile device who is a member of the same group as the first user. However, the actual location and relative mobility or immobility of the users cannot be ascertained except by the users themselves via a decryption procedure or by trusted components. Services are provided that can read the stored encrypted location data, process it to determine if group members are in the same vicinity, and either respond to user queries about the location of other members of a group the user belongs to, or push this information to appropriate users.
    Type: Grant
    Filed: March 24, 2014
    Date of Patent: December 20, 2016
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Mira Belenkiy, Henry Nelson Jerez, Thomas Michael Roeder, Matt Dyor
  • Patent number: 9525555
    Abstract: In one embodiment, a processor has at least one core to execute instructions, a security engine coupled to the at least one core, a first storage to store a first immutable key associated with a vendor of the processor, and a second storage to store a second immutable key associated with an original equipment manufacturer (OEM) of the system. A first portion of firmware is to be verified based at least in part on the first immutable key and a second portion of firmware is to be verified based at least in part on the second immutable key, the first portion of firmware associated with the vendor and the second portion of firmware associated with the OEM. Other embodiments are described and claimed.
    Type: Grant
    Filed: December 18, 2014
    Date of Patent: December 20, 2016
    Assignee: Intel Corporation
    Inventors: Prashant Dewan, Kapil Sood, Kumar N. Dwarakanath, Ioannis T. Schoinas, William A. Stevens, Jr., Ned M. Smith
  • Patent number: 9525680
    Abstract: A system for secure communication, including a first security computer communicatively coupled with a client computer via an SSL connection, including a certificate creator, for receiving certificate attributes of a server computer certificate and for creating a signed certificate therefrom, and an SSL connector, for performing an SSL handshake with the client computer using the signed certificate created by said certificate creator, and a second security computer communicatively coupled with a server computer via an SSL connection, and communicatively coupled with the first security computer via a non-SSL connection, including an SSL connector, for performing an SSL handshake with the server computer using a signed certificate provided by the server computer, and a protocol appender, for appending attributes of the signed certificate provided by the server computer within a message communicated to the first security computer. A method is also described and claimed.
    Type: Grant
    Filed: October 2, 2013
    Date of Patent: December 20, 2016
    Assignee: Finjan, Inc.
    Inventors: Yuval Ben-Itzhak, Shay Lang, Dmitry Rubinstein
  • Patent number: 9519777
    Abstract: Techniques for controlling authentication are provided. An enterprise injects a control and/or audit manager into the enterprise environment to control and in some instances audit third-party authentication services. A user attempts to access a resource that uses a third-party authentication service. The attempt is intercepted and third-party authentication handled by the manager. After authentication, a session between the user and the resource is established during which auditing services may be enacted. The user authenticates to the enterprise environment and the manager provides authentication for the user to the resource via the third-party authentication service.
    Type: Grant
    Filed: October 31, 2011
    Date of Patent: December 13, 2016
    Assignee: Novell, Inc.
    Inventors: Jeremy Ray Brown, Jason Allen Sabin, Lloyd Leon Burch, Douglas Garry Earl
  • Patent number: 9521138
    Abstract: A system and method for domain control validation is presented. At a certificate authority a request is received. The request includes a certificate signing request and a first Internet protocol address. The certificate signing request identifies a domain and a certificate. A second Internet protocol address for the domain is retrieved from a domain name system. When the first Internet protocol address is the same as the second Internet protocol address, the certificate is signed, and the signed certificate is transmitted to a requester of the request. When the first Internet protocol address is not the same as the second Internet protocol address, the certificate signing request is rejected.
    Type: Grant
    Filed: June 14, 2013
    Date of Patent: December 13, 2016
    Assignee: Go Daddy Operating Company, LLC
    Inventors: Wayne Thayer, Jacob Plains
  • Patent number: 9514290
    Abstract: Example embodiments disclosed herein relate to implementing an authorization cache. An authorization fact is determined based on a grant. The authorization fact is cached. The grant is revoked. The authorization fact is revoked based on a grant index.
    Type: Grant
    Filed: March 30, 2012
    Date of Patent: December 6, 2016
    Assignee: Hewlett Packard Enterprise Development LP
    Inventor: Mike Wray
  • Patent number: 9509516
    Abstract: Disclosed are an apparatus and method for providing a digital signature. The apparatus includes a certificate unit, an input unit that receives a selection input for a certificate related to signature content received from a signature-requesting terminal, and a control unit for determining whether the certificate unit is capable of performing a digital signature function corresponding to a selected certificate. If the certificate unit is capable of performing the digital signature function, the certificate unit creates a digital signature based on a private key corresponding to the selected certificate when the control unit commands the certificate unit to create a digital signature. Further, if the certificate unit is not capable of performing the digital signature function, the control unit creates a digital signature based on a private key corresponding to a certificate selected from the certificate unit. The control unit transmits the digital signature to the signature-requesting terminal.
    Type: Grant
    Filed: February 9, 2015
    Date of Patent: November 29, 2016
    Assignee: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE
    Inventors: Young-Seob Cho, Soo-Hyung Kim, Jong-Hyouk Noh, Sang-Rae Cho, Jin-Man Cho, Dae-Seon Choi, Seung-Hyun Kim, Seok-Hyun Kim, Seung-Hun Jin
  • Patent number: 9510192
    Abstract: Methods, apparatus, and systems for securing a mobile application are disclosed. Users of the mobile application may be authenticated using a smartphone or other device including a Near-Field Communication (NFC) transfer device capable of NFC communication. An authentication device may be adapted to present itself to the NFC transfer device as an NFC tag and make a dynamic credential available to the NFC transfer device by including the dynamic credential in an NFC tag readable by the NFC transfer device using NFC mechanisms for reading data contents of NFC tags. An access device comprising the NFC transfer device may then provide the dynamic credential to an application server for verification.
    Type: Grant
    Filed: December 23, 2014
    Date of Patent: November 29, 2016
    Assignee: VASCO DATA SECURITY, INC.
    Inventor: Dirk Marien
  • Patent number: 9503891
    Abstract: Disclosed is an authentication method of a wireless mesh network capable of reducing overload and communication delay during authentication procedure by performing authentication between nodes without accessing an authentication server. The authentication method of a wireless mesh network according to an exemplary embodiment of the present disclosure includes: selecting, by a new node, a first neighbor node among one or more adjacent nodes; transmitting, by the new node, an authentication request message including a public key of the new node; authenticating, by the first neighbor node, the public key of the new node; transmitting, by the first neighbor node, an authentication response message including a public key of the first neighbor node to the new node; and authenticating, by the new node, the public key of the first neighbor node; transmitting, by the new node, an authentication identification message to the first neighbor node.
    Type: Grant
    Filed: July 9, 2013
    Date of Patent: November 22, 2016
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Mi Young Yun, Anseok Lee, Kwang Jae Lim
  • Patent number: 9495546
    Abstract: Methods, apparatus, and systems for generating digital signatures are disclosed. An apparatus may present itself to a host computer as a mass storage device to provide cryptographic processing results through a standard mass storage access mechanism for exchanging files.
    Type: Grant
    Filed: December 18, 2014
    Date of Patent: November 15, 2016
    Assignee: Vasco Data Security, Inc.
    Inventor: Dirk Marien
  • Patent number: 9490982
    Abstract: A method for authenticating a memory device by a controller device. The method including sending, to the memory device by the controller device, a pre-stored number, a random number and information related to a key which is stored in the memory device; receiving, by the controller device, authentication information from the memory device; verifying, by the controller device, the authentication information using verification data; and if verification succeeds, generating, by the controller device, an Enhanced Media IDentifier (EMID) using a pre-stored value and unique information related to the memory device.
    Type: Grant
    Filed: May 11, 2015
    Date of Patent: November 8, 2016
    Assignee: Samsung Electronics Co., Ltd
    Inventors: Bo-Gyeong Kang, Ji-Soo Kim
  • Patent number: 9490979
    Abstract: A method and system is operable to provide credentials by generating a first credential that conforms to a first specified format. A second credential conforming to a second specified format is included in the first credential so that the second credential may be distributed through the cryptosystem using the first specified format. The credential may be a digital certificate.
    Type: Grant
    Filed: September 9, 2010
    Date of Patent: November 8, 2016
    Assignee: BlackBerry Limited
    Inventors: Matthew John Campagna, Herbert Anthony Little, Anthony Rosati, Scott Alexander Vanstone
  • Patent number: 9485099
    Abstract: Embodiments disclosed facilitate secure communication for cloud-based and/or distributed computing applications. In some embodiments, a method may comprise: instantiating a first Virtual Machine (VM) on a cloud infrastructure, wherein the at least one first VM is dynamically configured with a private key and a wildcard security certificate comprising a public key corresponding to the private key, and registering, with a domain name server, a domain name derived from an Internet Protocol (IP) address associated with the first VM and a Common Name associated with the wildcard security certificate.
    Type: Grant
    Filed: October 25, 2013
    Date of Patent: November 1, 2016
    Assignee: CLIQR TECHNOLOGIES, INC.
    Inventors: Tianying Fu, Jagadish Paranjape
  • Patent number: 9483631
    Abstract: The present invention is generally directed toward a mobile device that can be used in a secure access system. More specifically, the mobile device can have credential data loaded thereon remotely updated, enabled, disabled, revoked, or otherwise altered with a message sent from, for example, a control panel and/or controller in the system.
    Type: Grant
    Filed: March 31, 2015
    Date of Patent: November 1, 2016
    Assignee: Assa Abloy AB
    Inventor: Peter R. Lowe
  • Patent number: 9477842
    Abstract: Various embodiments illustrated and described herein include at least one of systems, modules, processes, methods, and software that operate to keep customer, vendor, and business partner private information private.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: October 25, 2016
    Assignee: SAP SE
    Inventor: Dinesh Ravindran
  • Patent number: 9473310
    Abstract: Methods for managing digital certificates, including issuance, validation, and revocation are disclosed. Various embodiments involve querying a directory service with entries that correspond to a particular client identity and have attributes including certificate issuance limits and certificate validity time values. The validity time values are adjustable to revoke selectively the certificates based upon time intervals set forth in validity identifiers included therein.
    Type: Grant
    Filed: April 18, 2014
    Date of Patent: October 18, 2016
    Assignee: SecureAuth Corporation
    Inventors: Garret Florian Grajek, Jeffrey Chiwai Lo, Mark V. Lambiase
  • Patent number: 9473540
    Abstract: A method of operating a network server, such as a mobile application gateway, connects devices on a cellular or carrier network with individual networks, such as enterprise voice and data networks or residential networks. The effects of the present invention are far reaching in terms of transferring effective call control from the cellular network into the control of the individual network, such as the enterprise, and enabling new business models for the purchase of cellular service from a public cellular carrier by an enterprise.
    Type: Grant
    Filed: January 6, 2015
    Date of Patent: October 18, 2016
    Assignee: TANGO NETWORKS, INC.
    Inventors: Andrew Silver, Lathan Lewis, Patricia Landgren
  • Patent number: 9465697
    Abstract: Exemplary embodiments provide various techniques for providing backup functionalities in a cloud computing system. In one exemplary method, a workflow that defines a set of actions associated with a backup functionality in a cloud computing system is accessed. A plug-in module that is configured to perform at least one of the set of actions associated with the backup functionality is identified from a number of plug-in modules. This identified plug-in module is then called to execute the action defined in the workflow.
    Type: Grant
    Filed: September 21, 2011
    Date of Patent: October 11, 2016
    Assignee: NETAPP, INC.
    Inventors: Matthew Douglas Robinson, Keith J. Tenzer
  • Patent number: 9467425
    Abstract: Encryption logic to identify a particular session key, where the particular session key is one of a plurality of session keys for use in encrypting content to be sent from a first device. The encryption logic is to encrypt particular content with the particular session key to obtain encrypted particular content. I/O logic is provided that can cause the particular content to be sent with a key refresh structure, where the key refresh structure is to identify that the particular session key was used to encrypt the particular content.
    Type: Grant
    Filed: March 18, 2013
    Date of Patent: October 11, 2016
    Assignee: Intel Corporation
    Inventors: Edward C. Epp, Zhaohui Yan, Daniel P. Johnson
  • Patent number: 9461828
    Abstract: Providing information about digital certificate validity includes ascertaining digital certificate validity status for each of a plurality of digital certificates in a set of digital certificates, generating a plurality of artificially pre-computed messages about the validity status of at least a subset of the set of digital certificates of the plurality of digital certificates, where at least one of the messages indicates validity status of more than one digital certificate and digitally signing the artificially pre-computed messages to provide OCSP format responses that respond to OCSP queries about specific digital certificates in the set of digital certificates, where at least one digital signature is used in connection with an OCSP format response for more than one digital certificate. Generating and digitally signing may occur prior to any OCSP queries that are answered by any of the OCSP format responses.
    Type: Grant
    Filed: May 4, 2015
    Date of Patent: October 4, 2016
    Assignee: Assa Abloy AB
    Inventors: David Engberg, Phil Libin, Silvio Micali
  • Patent number: 9450947
    Abstract: A device executes debugging instructions received from a debugging computer. The device receives a debugging establishment request from the debugging computer. The device transmits a unique identifier associated with the device and a secured expiration value to the debugging computer. The device receives a transport layer security (TLS) certificate from the debugging computer and establishes a secured and authenticated link with the debugging computer using the TLS certificate. The device enables a debugging mode, responsive to determining that an identifier in the TLS certificate matches the unique identifier and that a secured expiration value in the TLS certificate is valid and within a predefined validity range, and executes, in the debugging mode, debugging instructions received from the debugging computer.
    Type: Grant
    Filed: May 20, 2014
    Date of Patent: September 20, 2016
    Assignee: MOTOROLA SOLUTIONS, INC.
    Inventor: Thomas S. Messerges
  • Patent number: 9436827
    Abstract: A method for attesting a component of a system during a boot process. The method includes steps of: verifying that the system is in a trusted state; in response to verifying that the system is in a trusted state, requesting an enrollment of the system wherein the requesting step further comprises the step of: retrieving enrollment data associated with the system; retrieving current input data associated with the component of the system; comparing the current input data against the enrollment data in order to determine whether the system can retain its trusted state; wherein in response to the comparing step, if the current input data matches the enrollment data, the system retains its trusted state; and accepting the trusted state until receipt of a notification, from the system having a retained trusted state, of an update to the system.
    Type: Grant
    Filed: September 16, 2014
    Date of Patent: September 6, 2016
    Assignee: International Business Machines Corporation
    Inventors: David N. Mackintosh, Jose J. P. Perez, James W. Walker
  • Patent number: 9432356
    Abstract: Automated provisioning of hosts on a network with reasonable levels of security is described in this application. A certificate management service (CMS) on a host, one or more trusted agents, and a public key infrastructure are utilized in a secure framework to establish host identity. Once host identity is established, signed encryption certificates may be exchanged and secure communication may take place.
    Type: Grant
    Filed: May 5, 2009
    Date of Patent: August 30, 2016
    Assignee: Amazon Technologies, Inc.
    Inventors: Jesper M. Johansson, Matthew T. Corddry, Tom F. Hansen, Luke F. Kearney
  • Patent number: 9432185
    Abstract: Provided is a method of providing secure communication between an initiator and a responder in a communication network. The method includes providing an encryption key for securing communications between an initiator and a responder in a communications network that includes the initiator generating an initiator Diffie-Hellman computed value, the initiator transmitting the initiator Diffie-Hellman computed value to the responder, the responder generating the encryption key and a responder Diffie-Hellman computed value, the responder transmitting the responder Diffie-Hellman computed value to the initiator, and the initiator generating the encryption key.
    Type: Grant
    Filed: June 28, 2013
    Date of Patent: August 30, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Mohamed Khalil, Raja P. Narayanan, Haseeb Akhtar, Emad A. Qaddoura
  • Patent number: 9432355
    Abstract: A method for permitting single sign-on to multiple independent applications in a single framework.
    Type: Grant
    Filed: February 13, 2015
    Date of Patent: August 30, 2016
    Assignee: Thomson Reuters Global Resources
    Inventors: Sujan Akella, Yevgeny Kolyakov, Vijay Nara, Michael Russin
  • Patent number: 9426145
    Abstract: Plural modes of operation may be established on a mobile device. Specific modes of operation of the mobile device may be associated with specific spaces in memory. By using a “class” designation within the existing certificate store structure and key store structure, certificates and keys can be assigned to one space among plural spaces. Accordingly, a personal certificate store and a personal key store may exist in a personal space. Similarly, a corporate certificate store and a corporate key store may exist in a corporate space. APIs designed to work within such a system may be arranged to employ a “class” attribute when managing certificates and cryptographic keys.
    Type: Grant
    Filed: December 28, 2012
    Date of Patent: August 23, 2016
    Assignees: BlackBerry Limited, 2236008 Ontario Inc.
    Inventors: Alan Pak-Lun Ho, Chi Chiu Tse, Sivakumar Nagarajan, Michael Jonathan Mueller
  • Patent number: 9424451
    Abstract: A low-energy transceiver tag is described, as well as methods of using the low-energy transceiver tag to enable secure communication with a vehicle. The low-energy transceiver tag includes a substrate, and electronic circuitry carried by the substrate having a transceiver circuit coupled to a power circuit. The transceiver circuit may be configured to transmit a preconfigured answer signal in response to receiving a query signal. In addition, the preconfigured answer signal may be a low-energy response associated with a remotely-located trust anchor.
    Type: Grant
    Filed: October 20, 2014
    Date of Patent: August 23, 2016
    Assignee: GM Global Technology Operations LLC
    Inventors: Amanda J. Kalhous, Norman J. Weigert
  • Patent number: 9424543
    Abstract: A method to authenticate an identity of a responder. The method includes receiving a request and determining, by one or more computer processors, a reviewer for the request. A custom key is generated for the reviewer and the request, and at least one URL is generated that contains the custom key. At least one URL is sent, along with the request, to the reviewer. Upon receiving a response to the request that includes a selection of one URL, it is determined whether the response was received from the determined reviewer for the request.
    Type: Grant
    Filed: September 27, 2012
    Date of Patent: August 23, 2016
    Assignee: International Business Machines Corporation
    Inventors: Eric Anderson, Christopher J. Dawson, Ravi K. Kosaraju, Rajesh Radhakrishnan
  • Patent number: 9420457
    Abstract: Disclosed is a system and method of allowing multiple customer support organizations to establish virtual mobile management sessions with a mobile device using a multi-persona client on the mobile device that does not have to be reconfigured for each of the multiple customer support organizations.
    Type: Grant
    Filed: February 18, 2014
    Date of Patent: August 16, 2016
    Assignee: AetherPal Inc.
    Inventors: Deepak Gonsalves, Ranjithkumar Palanichamy, Subramanyam Ayyalasomayajula, Pooja Chengappa, Ramesh Parmar
  • Patent number: 9407513
    Abstract: Disclosed is a system and method for managing web services. The described exemplary system and method provides an infrastructure for managing various aspects of publishing and using web services, such as logging, security, monitoring, SLA management, service level metrics and notification.
    Type: Grant
    Filed: March 13, 2013
    Date of Patent: August 2, 2016
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Mehul K. Shah, Austin Lorenzo, Ruchir Rodrigues, Paul Bolduc, Srinivas Anumala, Vishnu Goyal
  • Patent number: 9407611
    Abstract: Provided is a management server system that accepts a transition instruction for transition between tenants of an agent device, generates symmetric keys consisting of a first key and a second key, returns the second key to the agent device, and verifies signature information included in a transition request using the first key when the agent device makes a tenant transition request. Upon successful verification of signature information, the management server system transmits new authentication information for communication between the management server system and the agent device to the agent device. After transition of the tenant, the agent device communicates with the management server system using the new authentication information.
    Type: Grant
    Filed: September 19, 2014
    Date of Patent: August 2, 2016
    Assignee: CANON KABUSHIKI KAISHA
    Inventor: Kazunori Kato
  • Patent number: 9407444
    Abstract: There is provided a method for secure communications. The method includes a computing device receiving a notification comprising a message, a counter value, a signature signed by a signer and based on the message and the counter value, and an indication of the signer. The device obtains a current counter value based on an identity of the signer, checks the signature and compares the counter value with the current counter value, and, if the counter comparison and the signature check are successful, accepts the message.
    Type: Grant
    Filed: March 20, 2014
    Date of Patent: August 2, 2016
    Assignees: Certicom Corp., BlackBerry Limited
    Inventors: Michael Eoin Buckley, Robert John Lambert, Nevine Maurice Nassif Ebeid
  • Patent number: 9397840
    Abstract: In a digital certificate automatic application method, device and system, a digital certificate applicant notifies a digital certificate issuer of supported digital certificate generation methods. If a digital certificate issued by the issuer is available, then the issuer is notified of the existing digital certificate information. Otherwise, the issuer is notified of the certificate information required to be contained in a newly applied digital certificate. The issuer selects a digital certificate generation method from the digital certificate generation methods supported by the applicant, and notifies the applicant. If the applicant must apply for a new digital certificate, then the new digital certificate information is generated and the applicant is notified. Otherwise, the applicant is notified of the invalid digital certificate information. The applicant determines the digital certificate to be used according to the notification from the issuer.
    Type: Grant
    Filed: April 25, 2013
    Date of Patent: July 19, 2016
    Assignee: China IWNCOMM Co., Ltd.
    Inventors: Yanan Hu, Manxia Tie, Weigang Tong, Bianling Zhang, Zhenhai Huang, Lian Jian, Peng Yuan
  • Patent number: 9397985
    Abstract: A system and method configured for providing a cryptographic platform for exchanging information. One or more information transactions including encrypted information may be generated and/or provided to a distributed ledger. The one or more information transactions may include information intended for one or more parties. Information transactions intended for one or more parties may be identified. An information transaction may include one or more of a transaction identifier associated with one or more parties, an information payload, and/or other information. The information payload may include encrypted information. The encrypted information may be encrypted with one or more public keys associated with one or more parties. One or more information transactions may be retrieved from the distributed ledger. The encrypted information may be decrypted with one or more private keys that correspond to the public keys. Presentation of the encrypted information to one or more parties may be facilitated.
    Type: Grant
    Filed: April 14, 2015
    Date of Patent: July 19, 2016
    Assignee: MANIFOLD TECHNOLOGY, INC.
    Inventors: Robert A. Seger, II, Christopher T. Finan
  • Patent number: 9391961
    Abstract: An information operating device has a first connection unit, a second connection unit, a machine operating command for operating the information output device and a usage certificate certifying that the machine operating web application, a domain name attacher to attach a domain name of the first communication device, when the connection is established by the second connection unit to transmit the machine operating command for operating the information output device using the connection, an application executing unit to execute the PIN code input web application acquired from the first communication device through the first connection unit, an encryption information generator to generate encryption information and transmit it to the information output device, and a client processing unit to transmit the usage certificate and the encryption information to the information output device through the second connection unit.
    Type: Grant
    Filed: August 15, 2013
    Date of Patent: July 12, 2016
    Assignee: KABUSHIKI KAISHA TOSHIBA
    Inventors: Hiroshi Isozaki, Jun Kanai
  • Patent number: 9391979
    Abstract: A content distribution network includes a proxy server in communication with one or more content distribution servers. The proxy server services connections to the content distribution servers from one or more client devices. If a connection request from a client device seeks a secure transmission that requires a certificate from a content distribution server, the proxy server determines the required certificate and transmits the certificate identification to the content distribution server.
    Type: Grant
    Filed: January 11, 2013
    Date of Patent: July 12, 2016
    Assignee: Google Inc.
    Inventor: Simon Jeffrey Newton
  • Patent number: 9390246
    Abstract: A processing device implementing creation of secure Original Equipment Manufacturer (OEM) identifiers (IDs) in a processing device is disclosed. A processing device of the disclosure includes a one-time programmable storage device and an execution unit. The execution unit can implement a one-way cryptographic hash function that is to receive a secret OEM key from an OEM system, generate an OEM public ID from the secret OEM key, and send the OEM public ID to the one-time programmable storage device for storage.
    Type: Grant
    Filed: September 25, 2013
    Date of Patent: July 12, 2016
    Assignee: Intel Corporation
    Inventors: Rauno Tamminen, Jari Lukkarila, Uttam Sengupta
  • Patent number: 9386008
    Abstract: A process/method is provided, which authenticates electronic devices allowing the installation and utilization of encryption enabling software capable of facilitating a public key infrastructure in combination with electronic devices without need for such encryption enabling software capable of facilitating a public key infrastructure to be installed at the same time as manufacture of the electronic device. The disclosed process/method may then provide a system for monitoring various metrics and statuses of the electronic devices through the manufacturing chain, distribution chain and product lifecycle. The process/method can be utilized to create electronic devices secured with encryption enabling software capable of facilitating a public key infrastructure, free from the security risks inherent with the current method of installing encryption enabling software onto electronic devices, which will render such secured electronic devices suitable for tasks requiring such enhanced security or encryption.
    Type: Grant
    Filed: October 7, 2013
    Date of Patent: July 5, 2016
    Assignee: SmartGuard, LLC
    Inventors: Khashayar Nodehi Fard Haghighi, Sasan Mokhtari, Erik Amundson, Naveen Ranganath, Anthony Sorvari, David Heim
  • Patent number: 9384488
    Abstract: A method of credentialing network-based sources of information, commentary, and opinion is provided. The method includes receiving a request for recognition, the request received by a credential clearinghouse (CCH) from at least one credential-granting organization (CGO), and, in response to the request for recognition, granting recognition to the CGO if the CGO is determined by the CCH to satisfy a predetermined standard of credibility. The method further includes, after the CGO is granted recognition, receiving from a user entity a request for a credential granted by the CGO, and granting the credential if the user entity is determined to satisfy a predetermined set of credentialing benchmarks. Additionally, the method includes posting on a publicly-accessible data communications network site an object comprising at least one among information content, commentary, and opinion, the object being associated with the user entity and including an indicator indicating the grant of the credential.
    Type: Grant
    Filed: December 17, 2007
    Date of Patent: July 5, 2016
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: Wayne Malkin
  • Patent number: 9385862
    Abstract: An authentication method is provided between a device (e.g., a client device or access terminal) and a network entity. A removable storage device may be coupled to the device and stores a subscriber-specific key that may be used for subscriber authentication. A secure storage device may be coupled to the device and stores a device-specific key used for device authentication. Subscriber authentication may be performed between the device and a network entity. Device authentication may also be performed of the device with the network entity. A security key may then be generated that binds the subscriber authentication and the device authentication. The security key may be used to secure communications between the device and a serving network.
    Type: Grant
    Filed: June 15, 2011
    Date of Patent: July 5, 2016
    Assignee: QUALCOMM Incorporated
    Inventors: Adrian Edward Escott, Anand Palanigounder
  • Patent number: 9380031
    Abstract: Private anonymous electronic messaging between a message originator and a message recipient within an organization encourages open communication which can provide information to the organization that might otherwise be secreted from the organization, and can allow the message originator to obtain desired help (e.g., counseling). By profiling of the message originator based on current and previous electronic messaging within the system as well as external organizational information (e.g., behavioral or financial information), the system can assess concerns yet act as a gateway to protect the message originator's true identity through escalating levels of concern unless a genuine concern about the health, well-being, and/or safety of the message originator, others, or the organization is indicated, in which case the system can reveal the true identity of the message originator as appropriate.
    Type: Grant
    Filed: September 22, 2014
    Date of Patent: June 28, 2016
    Assignee: Reliance Communications, LLC
    Inventors: Benjamin Paul Hencke, Kerry Patrick Quinn, Alf Martin Wolter Arnberg, Howard Allen Wood
  • Patent number: 9380046
    Abstract: It is determined whether a user who has logged in in communication using a self-signed certificate stored by default is an administrator or a general user. If it is determined that the user is an administrator, an install page for a CA-signed certificate which is more reliable than the self-signed certificate is returned to the user. Alternatively, if it is determined that the user is a general user, an error page is returned to the user.
    Type: Grant
    Filed: October 31, 2012
    Date of Patent: June 28, 2016
    Assignee: CANON KABUSHIKI KAISHA
    Inventor: Kunimasa Fujisawa