Revocation Or Expiration Patents (Class 713/158)
  • Publication number: 20100325429
    Abstract: The present invention is directed towards systems and methods for maintaining Certificate Revocation Lists (CRLs) for client access in a multi-core system. A first core may generate a secondary CRL corresponding to a master CRL maintained by the first core. The CRLs may identify certificates to revoke. The first core can store the secondary CRL to a memory element accessible by the cores. A second core may receive a request to validate a certificate. The second core can provisionally determine, via access to the secondary CRL, whether the certificate is revoked. The second core may also determine not to revoke the certificate. Responsive to the determination, the second core may request the first core to validate the certificate. The first core can determine whether to revoke the certificate based on the master CRL. The first core may send a message to the second core based on the determination.
    Type: Application
    Filed: June 22, 2009
    Publication date: December 23, 2010
    Inventors: Ashoke Saha, Christofer Edstrom, Tushar Kanekar
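The split between a compact secondary CRL in shared memory and an authoritative master CRL on one core is easiest to see in code. The following Python is an added example, not code from the patent or from any product: it assumes the secondary CRL is a set summary with no false negatives (a Bloom filter here), so a worker core can clear most certificates without leaving its own core and only escalates possible hits to the master. The class and method names (MasterCore, WorkerCore, is_revoked) and the dictionary standing in for shared memory are my own assumptions.

```python
import hashlib


class BloomFilter:
    """Compact set summary: membership answers are 'definitely not' or 'maybe'."""

    def __init__(self, nbits: int = 1 << 16, nhashes: int = 4):
        self.nbits = nbits
        self.nhashes = nhashes
        self.bits = bytearray(nbits // 8)

    def _positions(self, item: str):
        for i in range(self.nhashes):
            h = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(h[:8], "big") % self.nbits

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def might_contain(self, item: str) -> bool:
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(item))


class MasterCore:
    """The 'first core': owns the authoritative CRL and publishes the secondary CRL."""

    def __init__(self, revoked_serials):
        self.master_crl = set(revoked_serials)
        self.shared_memory = {}      # stands in for memory every core can read (assumption)
        self.validations = 0         # how often a worker had to ask this core
        self.publish_secondary()

    def publish_secondary(self) -> None:
        summary = BloomFilter()
        for serial in self.master_crl:
            summary.add(serial)
        self.shared_memory["secondary_crl"] = summary

    def revoke(self, serial: str) -> None:
        self.master_crl.add(serial)
        self.publish_secondary()     # a stale secondary CRL would let a new revocation through

    def validate(self, serial: str) -> bool:
        self.validations += 1
        return serial in self.master_crl


class WorkerCore:
    """A 'second core': answers from the shared secondary CRL, escalates only on a possible hit."""

    def __init__(self, master: MasterCore):
        self.master = master
        self.escalations = 0

    def is_revoked(self, serial: str):
        secondary = self.master.shared_memory["secondary_crl"]
        if not secondary.might_contain(serial):
            return (False, "secondary")          # no false negatives, so this answer is final
        self.escalations += 1
        return (self.master.validate(serial), "master")
```

The security-relevant property is that the provisional check may only err towards escalation; the master core must republish the summary whenever the master CRL changes, or workers keep clearing a freshly revoked serial.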
  • Publication number: 20100318791
    Abstract: Systems and methods are disclosed for providing certificate status information about a certificate, including receiving, at a Certificate Status Information Protocol (CSIP) proxy device, the certificate identity information about the certificate of the second device; then determining, using the CSIP proxy device, whether the certificate status information is stored in a CSIP proxy device memory. If the certificate status information is not stored in the CSIP proxy device memory, creating a CSIP request based on the certificate identity information and sending the CSIP request, including the certificate identity information, to a CSIP responder computer outside the local network domain. If the certificate status information is stored in the CSIP proxy device memory, sending the certificate status information to the first device. Also, a system and method are disclosed for using a CSIP responder computer.
    Type: Application
    Filed: June 14, 2010
    Publication date: December 16, 2010
    Applicant: GENERAL INSTRUMENT CORPORATION
    Inventors: Rafie Shamsaasef, Alexander Medvinsky, Madjid F. Nakhjiri, Petr Peterka
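The proxy described above is a status cache with an upstream responder, and the practitioner's question is how long a cached answer may be served. The following Python is an added example, not code from the patent: it assumes the responder returns a validity window (this_update, next_update) like an OCSP response, that the proxy serves from memory only while the window is open, and that "unknown" answers are not cached. The names CSIPResponder, CSIPProxy and the one-hour window are my own assumptions; the clock is injectable so the expiry can be exercised offline.

```python
import time


class CSIPResponder:
    """Stands in for the responder outside the local network domain (constructed for the example)."""

    def __init__(self, statuses: dict):
        self.statuses = statuses
        self.requests = 0

    def query(self, cert_id: str, now: float) -> dict:
        self.requests += 1
        return {
            "cert_id": cert_id,
            "status": self.statuses.get(cert_id, "unknown"),
            "this_update": now,
            "next_update": now + 3600,   # assumed one-hour validity window
        }


class CSIPProxy:
    """Local-domain proxy: answers from memory while the cached status is still within its window."""

    def __init__(self, responder: CSIPResponder, clock=time.time):
        self.responder = responder
        self.clock = clock
        self.cache = {}   # cert_id -> last response dict

    def status(self, cert_id: str):
        now = self.clock()
        entry = self.cache.get(cert_id)
        if entry is not None and now < entry["next_update"]:
            return (entry["status"], "cache")
        entry = self.responder.query(cert_id, now)
        if entry["status"] != "unknown":      # never cache a non-answer
            self.cache[cert_id] = entry
        return (entry["status"], "responder")
```

The caveat a relying party should keep in mind: a certificate revoked after the proxy cached "good" stays "good" inside the local domain until next_update passes, so the window length is the maximum revocation latency the deployment accepts.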
  • Publication number: 20100318790
    Abstract: A card management device includes: a card device configured to include a controller on which a cryptographic IP is mounted in advance; and an individual information writing device configured to allow the card device to be connected to the individual information writing device in such a way that the card device is capable of data transfer to the individual information writing device, individual information assigned to the card device in advance being set in the individual information writing device, the individual information writing device being capable of writing the individual information to the card device connected to the individual information writing device.
    Type: Application
    Filed: June 4, 2010
    Publication date: December 16, 2010
    Inventors: Hiroshi Kuno, Mitsuru Tanabe, Koji Yoshimura, Daisaku Hayashi
  • Patent number: 7853785
    Abstract: A computer-implemented system for implementing maintenance and distribution of revocation information within an ad-hoc network. The system includes at least one network node. The network node includes a computer implemented application configured to maintain revocation information in computer memory and distribute the revocation information to other network nodes using a two stage distribution method. The distribution method includes a first stage wherein the revocation message is transmitted to all certifier nodes within the ad-hoc network, and a second stage wherein each certifier node distributes the revocation message to at least one non-certifier node associated with the certifier node.
    Type: Grant
    Filed: September 9, 2005
    Date of Patent: December 14, 2010
    Assignee: Rockwell Collins, Inc.
    Inventors: Sally C. Thurman, Karl F. Hoech, Frank A. Hummer
  • Patent number: 7853534
    Abstract: An authentication-authorization system for a mobile communication terminal and a method therefor are provided. When a mobile communication terminal is in a connected state, code data randomly generated by a remote encoding terminal is continuously provided to the terminal and to a data management terminal. When an application service program on the mobile communication terminal, or an application service terminal connected to the mobile communication terminal, needs to execute an authentication-authorization, identification data of the mobile communication terminal and its card, together with the code data, can be offered to the data management terminal to carry out a bidirectional dynamic authentication-authorization, to determine whether or not to allow the application service program or the application service terminal to keep providing an application service.
    Type: Grant
    Filed: June 7, 2006
    Date of Patent: December 14, 2010
    Inventor: Min-Chieh Su
  • Publication number: 20100313014
    Abstract: A conditional access system (CAS) computer in a downloadable CAS receives a downloadable management certificate (DMC) and determines, using the DMC, security information including a DMC key size and an expiration time of a DMC subordinate certificate authority (sub-CA) certificate, for the client device. The CAS computer then determines whether the DMC is valid based on the expiration time of the DMC sub-CA certificate. If the DMC is determined to be valid, the CAS server sends a cryptographic identity for the client device and a CAS client to the client device protected using the DMC. At a later time, if the DMC key size is considered to be still sufficiently secure, the validity of the DMC is extended by issuing a new DMC sub-CA certificate with the same public key as the original DMC sub-CA certificate.
    Type: Application
    Filed: June 4, 2010
    Publication date: December 9, 2010
    Applicant: GENERAL INSTRUMENT CORPORATION
    Inventors: Alexander Medvinsky, Tat Keung Chan
  • Patent number: 7840994
    Abstract: Revocation of digital certificates in a public-key infrastructure is disclosed, particularly in the case when a certificate might need to be revoked prior to its expiration. For example, if an employee was terminated or switched roles, his current certificate should no longer be valid. Accordingly, novel methods, components and systems are presented for addressing this problem. A solution set forth herein is based on the construction of grounded dense hash trees. In addition, the grounded dense hash tree approach also provides a time-communication tradeoff compared to the basic chain-based version of NOVOMODO, and this tradeoff yields a direct improvement in computation time in practical situations.
    Type: Grant
    Filed: September 9, 2004
    Date of Patent: November 23, 2010
    Assignee: NTT Docomo, Inc.
    Inventors: Craig B. Gentry, Zulfikar Amin Ramzan
  • Patent number: 7840804
    Abstract: To verify a qualification on a network without notifying the verifier of privacy information that can identify the subject of a public key certificate, while preserving the safety of public key infrastructure technology. An attribute certificate validation method wherein, by preparing an environment in which only an attribute certificate validation device operated by a trusted third party can access a user's public key certificate, the verifier transmits the attribute certificate and signed data received from a user having presented a qualification to the attribute certificate validation device, thereby requesting the device to check and confirm the authenticity of the holder of the attribute certificate, and thereby preventing the public key certificate (particularly, privacy information contained in the public key certificate) of the user from being passed to the verifier.
    Type: Grant
    Filed: January 27, 2006
    Date of Patent: November 23, 2010
    Assignee: Hitachi, Ltd.
    Inventors: Mitsuhiro Oikawa, Yutaka Tagawa
  • Publication number: 20100287370
    Abstract: Different targets (c0, N1) of a digital certificate are mapped into a “super-target” using methods allowing a certificate validity verifier (110) to compute the super-target. The certificate includes the super-target instead of the targets. Also, a certificate with multiple targets can be signed with a redactable signature by the certification authority (CA 120). When the certificate's owner provides the certificate to a verifier together with a validity proof, the owner redacts the certificate to delete unnecessary targets. A single validity proof (ci(F)) may be provided to certificate owners for a set (F) of the certificates via a multicast transmission if a multicasting group (2010) is formed to correspond to the set. A verifier (110) may decide to cache the validity proof for a set and provide the cached proof to other parties. The caching decision is based on the caching priority of the set F.
    Type: Application
    Filed: July 21, 2010
    Publication date: November 11, 2010
    Inventors: Craig B. Gentry, Zulfikar Amin Ramzan, Bernhard Bruhn
  • Patent number: 7831833
    Abstract: A secure mechanism for transparent key recovery for a user who has changed authentication information is disclosed. A password manager agent intercepts requests by a user to access secure resources that require user credentials. Upon detecting changed authentication information for the user, the password manager agent automatically regenerates the components of a cryptographic key associated with the user that was previously used to encrypt user credentials for the user and then destroyed. After regeneration of the original cryptographic key, the password manager agent uses the key to decrypt the user credentials necessary for the requested application. The regenerated key is then destroyed and the user credentials are re-encrypted by the password manager agent using a new cryptographic key associated with the user made up of multiple components.
    Type: Grant
    Filed: May 6, 2005
    Date of Patent: November 9, 2010
    Assignee: Citrix Systems, Inc.
    Inventor: Timothy R. Gaylor
  • Patent number: 7831831
    Abstract: An authentication communication system is capable of storing information relating to revoked devices in less area than is conventionally required. A computer unit stores in advance revocation information that indicates at least one revoked apparatus, and when authenticating a driver unit judges, based on the revocation information, whether or not the driver unit is revoked. The computer unit prohibits communication with the driver unit when the driver unit is judged to be revoked, and communicates with the driver unit when the driver unit is judged not to be revoked.
    Type: Grant
    Filed: May 8, 2003
    Date of Patent: November 9, 2010
    Assignee: Panasonic Corporation
    Inventors: Motoji Ohmori, Toshihisa Nakano, Takahiro Nagai, Hideshi Ishihara, Makoto Tatebayashi
  • Patent number: 7831824
    Abstract: The present invention discloses a hallmark verification process for verifying a hallmark of a web site, the process comprising the step of a user activating a hallmark verification process on a device with access to the web site in which the web site does not have access to the activation of the verification request.
    Type: Grant
    Filed: March 20, 2001
    Date of Patent: November 9, 2010
    Inventor: Melih Abdulhayoglu
  • Patent number: 7827401
    Abstract: We propose new systems for certificate revocation that are more economical and efficient than traditional ones. We also point out what we believe to be a structural problem in traditional public-key infrastructures, and various ways to solve it.
    Type: Grant
    Filed: October 11, 2007
    Date of Patent: November 2, 2010
    Assignee: Corestreet Ltd.
    Inventor: Silvio Micali
  • Publication number: 20100275016
    Abstract: In one embodiment, a method is provided that may include one or more operations. One of these operations may include, in response, at least in part, to a request to store input data in storage, encrypting, based at least in part upon one or more keys, the input data to generate output data to store in the storage. The one or more keys may be authorized by a remote authority. Alternatively or additionally, another of these operations may include, in response, at least in part, to a request to retrieve the input data from the storage, decrypting, based at least in part upon the at least one key, the output data. Many modifications, variations, and alternatives are possible without departing from this embodiment.
    Type: Application
    Filed: May 3, 2010
    Publication date: October 28, 2010
    Inventors: Vincent J. Zimmer, Michael A. Rothman
  • Publication number: 20100275015
    Abstract: A uniform certificate revocation list managing apparatus is provided for managing canceled register information of all believable groups in a believable anonymous register system. Canceled register information includes canceled member information of each believable group, list information of unbelievable groups, and list information of unbelievable register service institutions. The uniform certificate revocation list managing apparatus interacts with each believable group and each register system, so as to update a certificate revocation list of each believable group in real time.
    Type: Application
    Filed: April 15, 2010
    Publication date: October 28, 2010
    Applicant: Sony Corporation
    Inventors: Zhihui ZHANG, Mingshu Hu
  • Patent number: 7822989
    Abstract: Controlling access includes providing a barrier to access that includes a controller that selectively allows access, at least one administration entity generating credentials/proofs, wherein no valid proofs are determinable given only the credentials and values for expired proofs, the controller receiving the credentials/proofs, the controller determining if access is presently authorized, and, if access is presently authorized, the controller allowing access. The credentials/proofs may be in one part or may be in separate parts. There may be a first administration entity that generates the credentials and other administration entities that generate proofs. The first administration entity may also generate proofs or the first administration entity may not generate proofs. The credentials may correspond to a digital certificate that includes a final value that is a result of applying a one way function to a first one of the proofs.
    Type: Grant
    Filed: July 16, 2004
    Date of Patent: October 26, 2010
    Assignee: CoreStreet, Ltd.
    Inventors: Phil Libin, Silvio Micali, David Engberg
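The NOVOMODO chain the NTT DoCoMo abstract (7840994) improves on, the Micali revocation systems (7827401), and the CoreStreet credentials/proofs above, where the certificate carries "a final value that is a result of applying a one way function to a first one of the proofs", all rest on the same hash-chain mechanism. The following Python is an added example of the basic chain version only, not code from any of these patents, and does not show the grounded dense hash tree variant or its time-communication tradeoff. It assumes SHA-256 as the one-way function, one chain element per validity period, and a separate one-element chain for the revocation signal; CertificateAuthority, proof_for_period and the ("valid"/"revoked", value) tuple encoding are my own naming.

```python
import hashlib
import secrets
from dataclasses import dataclass


def H(x: bytes) -> bytes:
    """One-way function for the chain (SHA-256 here; any preimage-resistant hash works)."""
    return hashlib.sha256(x).digest()


def H_iter(x: bytes, k: int) -> bytes:
    """Apply H k times (k = 0 returns x unchanged)."""
    for _ in range(k):
        x = H(x)
    return x


@dataclass(frozen=True)
class Certificate:
    serial: str
    periods: int                 # n: number of validity periods (e.g. days) the chain covers
    validity_target: bytes       # Y  = H^n(X0), signed into the certificate by the CA
    revocation_target: bytes     # Y1 = H(N0), also signed into the certificate


class CertificateAuthority:
    """Keeps the chain seeds and releases one short proof per period instead of a CRL."""

    def __init__(self, periods: int):
        self.periods = periods
        self._seeds = {}          # serial -> (X0, N0); these never leave the CA
        self.revoked = set()

    def issue(self, serial: str, rng=secrets.token_bytes) -> Certificate:
        x0, n0 = rng(32), rng(32)
        self._seeds[serial] = (x0, n0)
        return Certificate(serial, self.periods, H_iter(x0, self.periods), H(n0))

    def revoke(self, serial: str) -> None:
        self.revoked.add(serial)

    def proof_for_period(self, serial: str, period: int):
        """At period i publish X_{n-i} = H^(n-i)(X0) if still valid, else the revocation preimage N0."""
        x0, n0 = self._seeds[serial]
        if serial in self.revoked:
            return ("revoked", n0)
        return ("valid", H_iter(x0, self.periods - period))


def verify(cert: Certificate, period: int, proof) -> str:
    """Relying party: needs only the certificate and the current period, no CRL download."""
    kind, value = proof
    if kind == "revoked":
        return "revoked" if H(value) == cert.revocation_target else "invalid"
    # H^i(X_{n-i}) == H^n(X0) == Y exactly when the proof was released for this period
    if H_iter(value, period) == cert.validity_target:
        return "valid"
    return "invalid"
```

Two properties worth checking against the abstracts: a proof for period i cannot be replayed as a proof for a later period, because hashing it further never lands on Y again, and the verifier's work grows with the period index, which is the cost the tree-based variants trade against.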
  • Patent number: 7822976
    Abstract: The invention presents a network data security system and a protecting method applied in network data transmission. The network data security system includes a client, an authentication dispatching server and a number of distributed servers. The authentication dispatching server includes a first determination device and a user certificate generator; and each distributed server includes a second determination device, a second user certificate generator and a processor. The method for protecting data of the present invention introduces the authentication dispatching server providing the client with a user certificate valid for a period of time, and further introduces an updated certificate mechanism for preventing the user certificate from being stolen and further preventing network data from being leaked.
    Type: Grant
    Filed: March 8, 2007
    Date of Patent: October 26, 2010
    Assignee: Kinghood Technology Co., Ltd.
    Inventor: Ta-Hsiung Hu
  • Publication number: 20100268944
    Abstract: A configuration is provided wherein usage restrictions of an application are determined in accordance with timestamps. A certificate revocation list (CRL), in which the revocation information of a content owner who is the providing entity of an application program recorded on a disc is recorded, is referred to in order to verify whether or not a content owner identifier recorded in an application certificate is included in the CRL. In the case that the content owner identifier is included in the CRL, a comparison between a timestamp stored in a content certificate and a CRL timestamp is executed, and in the case that the content certificate timestamp has date data equal to or later than the CRL timestamp, utilization processing of the application program is prohibited or restricted. According to the present configuration, a configuration is realized wherein an unrevoked application is not subjected to utilization restriction, and only a revoked application is subjected to utilization restriction.
    Type: Application
    Filed: January 20, 2009
    Publication date: October 21, 2010
    Inventors: Kenjiro Ueda, Tateo Oishi, Katsumi Muramatsu, Motoki Kato, Yoshiyuki Kobayashi
  • Patent number: 7814314
    Abstract: Different targets (c0, N1) of a digital certificate are mapped into a “super-target” using methods allowing a certificate validity verifier (110) to compute the super-target. The certificate includes the super-target instead of the targets. Also, a certificate with multiple targets can be signed with a redactable signature by the certification authority (CA 120). When the certificate's owner provides the certificate to a verifier together with a validity proof, the owner redacts the certificate to delete unnecessary targets. A single validity proof (ci(F)) may be provided to certificate owners for a set (F) of the certificates via a multicast transmission if a multicasting group (2010) is formed to correspond to the set.
    Type: Grant
    Filed: August 31, 2005
    Date of Patent: October 12, 2010
    Assignee: NTT DoCoMo, Inc.
    Inventors: Craig B. Gentry, Zulfikar Amin Ramzan, Bernhard Bruhn
  • Patent number: 7814315
    Abstract: A method and apparatus for propagating certificate revocation information. A certificate revocation list is received that includes a plurality of entries. The plurality of entries are grouped other than by order of appearance in the certificate revocation list. Certification statements are generated based on the grouped entries.
    Type: Grant
    Filed: November 30, 2006
    Date of Patent: October 12, 2010
    Assignee: Red Hat, Inc.
    Inventor: Steven W. Parkinson
  • Publication number: 20100257358
    Abstract: Methods for managing digital certificates, including issuance, validation, and revocation are disclosed. Various embodiments involve querying a directory service with entries that correspond to a particular client identity and have attributes including certificate issuance limits and certificate validity time values. The validity time values are adjustable to revoke selectively the certificates based upon time intervals set forth in validity identifiers included therein.
    Type: Application
    Filed: April 7, 2009
    Publication date: October 7, 2010
    Inventors: GARRET GRAJEK, Jeff Lo
  • Patent number: 7809945
    Abstract: An examination apparatus includes a receiving part, an acquisition part, and an examination part. The receiving part receives a public key certificate and identification information of the communication device from the device, which conducts the authentication process by using public key encryption and sends the public key certificate used for the authentication process only to a specific communication partner. The acquisition part acquires information showing the public key certificate corresponding to the identification information, from a location other than the device, based on the identification information. And, the examination part examines the device based on whether or not the public key certificate received by the receiving part is proper, by referring to the information acquired by the acquisition part.
    Type: Grant
    Filed: July 20, 2005
    Date of Patent: October 5, 2010
    Assignee: Ricoh Company, Ltd.
    Inventor: Hiroshi Kakii
  • Patent number: 7809941
    Abstract: A computer-implemented method for generating a hierarchical set of certifier nodes for a public key infrastructure within an ad-hoc network. The method includes determining at least one potential certifier node that is eligible to become a certifier node from a set of nodes in an ad-hoc network, creating a new certifier node from the at least one potential certifier node based on selection criteria, and creating a parent-child relationship with the new certifier node.
    Type: Grant
    Filed: September 9, 2005
    Date of Patent: October 5, 2010
    Assignee: Rockwell Collins, Inc.
    Inventors: Sally C. Thurman, Karl F. Hoech, Frank A. Hummer
  • Publication number: 20100250922
    Abstract: A method and system enable robust and scalable propagation of trust between a first organization and a second organization, both operating in an ad hoc wireless communication network. The method includes establishing at a first member node of the first organization pair-wise trust with a first member node of the second organization using a predetermined inter-organizational trust establishment device (step 505). Next, the first member node of the first organization generates a credential for the second organization using the pair-wise trust (step 510). The credential is then distributed from the first member node of the first organization to a second member node of the first organization (step 515). The second member node of the first organization then establishes pair-wise trust with a second member node of the second organization using the credential received from the first member node of the first organization (step 520).
    Type: Application
    Filed: March 31, 2009
    Publication date: September 30, 2010
    Applicant: Motorola, Inc.
    Inventors: Qi Bao, Donald E. Eastlake, III, Liang Guo, Whay Chiou Lee
  • Patent number: 7801869
    Abstract: A partial revocation list and a system and method for using the partial revocation list for tracking the authenticity of replacement cartridges in a manufactured device to inhibit cloning of the cartridges is provided. A revocation pool is maintained by a manufacturer who chooses a partial revocation list from the revocation pool to store in the memory of the cartridge. The device stores its own revocation list, informs the manufacturer of cartridges which have been used and checks when a new device is installed to ensure a cloned replacement is not being used. The partial revocation list distributes enough revocation information to devices to statistically impair the cartridge yield of a cloning operation.
    Type: Grant
    Filed: December 16, 2005
    Date of Patent: September 21, 2010
    Assignee: Certicom Corp.
    Inventors: Brian Neill, Ashok Vadekar
  • Publication number: 20100235628
    Abstract: Methods and systems for handling on an electronic device a secure message to be sent to a recipient. Data is accessed about a security key associated with the recipient. The received data is used to perform a validity check related to sending a secure message to the recipient. The validity check may uncover an issue that exists with sending a secure message to the recipient. A reason is determined for the validity check issue and is provided to the mobile device's user.
    Type: Application
    Filed: May 24, 2010
    Publication date: September 16, 2010
    Applicant: RESEARCH IN MOTION LIMITED
    Inventors: Michael K. Brown, Michael S. Brown, Herbert A. Little, Neil P. Adams
  • Patent number: 7788486
    Abstract: A slide customization system, comprising an administrator, wherein at least one information presentation is received at the administrator, at least one database, wherein the at least one information presentation is stored, a validator, wherein validation of the at least one information presentation is performed by the validator by validating the at least one information presentation with at least one validation attribute selected by the administrator from a plurality of validation attributes, and wherein the validation of the selected ones of the validation attributes against the at least one information presentation is stored to said at least one database, and a compiler, wherein the compiler manipulates the selected ones of the validation attributes and the information presentation associated therewith in accordance with an output request, and in accordance with unique limitations of one or more of the selected ones of the validation attributes, and wherein the manipulation is in accordance with at least on
    Type: Grant
    Filed: September 24, 2004
    Date of Patent: August 31, 2010
    Assignee: Advanced Health Media, LLC
    Inventors: Greg Miller, Kevin McMurtry, Jeffrey Brady
  • Patent number: 7779250
    Abstract: The invention is directed to a method for applying for a certificate suitable for a portable telephone belonging to a user, wherein the portable telephone has a telephone number. The method comprises the steps of generating a user key pair in the portable telephone, wherein the key pair comprises user public key information, and then transmitting an applying packet from the portable telephone to a certificate authority through a switching center by using a short message service, wherein the applying packet comprises at least the user public key information. The user is verified according to the telephone number received by the certificate authority from the switching center. A certificate packet is generated by the certificate authority, wherein the certificate packet comprises at least a serial number and a certificate authority signature. The certificate packet is transmitted to the portable telephone according to the telephone number by using the short message service.
    Type: Grant
    Filed: April 6, 2006
    Date of Patent: August 17, 2010
    Assignee: Industrial Technology Research Institute
    Inventors: Chen-Hwa Song, Chih-Yin Lin, Yau-Deh Tzeng
  • Publication number: 20100205431
    Abstract: A system, method and program product for checking the revocation status of a biometric reference template. The method includes creating a revocation object for a reference template generated for an individual, where the revocation object contains first plaintext data providing a location for checking revocation status of the reference template and containing ciphertext data identifying the unique reference template identifier and a hash of the reference template. The method further includes providing the revocation object to a relying party requesting revocation status and sending a request to an issuer of the reference template for checking the revocation status of the reference template, without revealing identity of the individual. The method further includes returning results of the revocation status check to the relying party. In an embodiment, a random value is added to the ciphertext data for preserving privacy of the reference template holder.
    Type: Application
    Filed: February 12, 2009
    Publication date: August 12, 2010
    Applicant: International Business Machines Corporation
    Inventor: Phillip H. Griffin
  • Patent number: 7770204
    Abstract: Methods, systems, and data stores generate and manage temporarily assigned identities. A requestor issues a request for a service. The request includes an identity used for authenticating the requestor. The identity is used for generating an identity configuration and for generating a temporarily assigned identity that is updated to a protected identity directory. The request and the temporarily assigned identity are transmitted to the service. The service uses the temporarily assigned identity to access the protected identity directory for purposes of authenticating the request. The service uses the authenticated request to access attributes associated with the temporarily assigned identity.
    Type: Grant
    Filed: September 30, 2003
    Date of Patent: August 3, 2010
    Assignee: Novell, Inc.
    Inventors: Scott William Pathakis, David Kent Beus, Stephen R Carter, Michael William Cook, Howard Rollin Davis, Dustin Lance Nielson, David Nephi Johnson, Jerry E Griffis
  • Patent number: 7765398
    Abstract: A method for using an update engine to promulgate a transaction tool to a recipient. The method may include the steps of: generating a transaction tool operation request signal wherein the transaction tool operation request signal includes a request for a new transaction tool and/or an updated transaction tool, transmitting the transaction tool operation request signal to a transaction tool issuer, receiving a transaction tool update signal from the transaction tool issuer wherein the transaction tool update signal includes a new transaction tool and/or an updated transaction tool, determining the recipient, and transmitting the transaction tool update signal to the recipient.
    Type: Grant
    Filed: July 7, 2005
    Date of Patent: July 27, 2010
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Brian M. Novack, Daniel L. Madsen, Michael D. Cheaney, Timothy R. Thompson
  • Patent number: 7761704
    Abstract: One embodiment of the present invention provides a system that can expire encrypted data. During operation, the system receives an expiry request that includes object-identifying information, which can be used to identify a set of database objects that contain the encrypted data, wherein a database object can be a table, a partition, a row, or a column in a row. Furthermore, a database object can have an expiration time, and it can be stored in an archive, which is typically used to store large amounts of data for long periods using a slower, but cheaper storage medium than the storage medium used by the database. The system then identifies a set of keys for the encrypted data using the object-identifying information. Next, the system deletes the set of keys, thereby expiring the encrypted data. Note that deleting the set of keys ensures that the secure key repository does not contain any stale keys associated with expired encrypted data.
    Type: Grant
    Filed: March 17, 2005
    Date of Patent: July 20, 2010
    Assignee: Oracle International Corporation
    Inventors: Min-Hank Ho, Daniel ManHung Wong, Chon Hei Lei, Thomas Keefe
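Expiring data by deleting its keys (crypto-shredding) is the mechanism the Oracle abstract describes, and the part a practitioner wants to see is the mapping from an expiry request to exactly the keys that must go. The following Python is an added example, not the patent's or Oracle's code: it assumes one key per table partition held in a key repository, a random nonce per row, and a SHA-256 counter-mode keystream standing in for a real authenticated cipher such as AES-GCM. KeyRepository, EncryptedPartitionedTable, the "key:<partition>" identifier scheme and the expired-partition set are my own assumptions.

```python
import hashlib
import secrets


class KeyRepository:
    """Secure key store: one key per database object (here, one per table partition)."""

    def __init__(self):
        self._keys = {}

    def create(self, key_id: str) -> None:
        self._keys[key_id] = secrets.token_bytes(32)

    def get(self, key_id: str) -> bytes:
        return self._keys[key_id]

    def delete(self, key_ids) -> None:
        for key_id in key_ids:
            self._keys.pop(key_id, None)

    def __contains__(self, key_id: str) -> bool:
        return key_id in self._keys


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 counter mode, no authentication); placeholder for AES-GCM (assumption)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


class EncryptedPartitionedTable:
    """Rows are encrypted under their partition's key; expiring a partition deletes only that key."""

    def __init__(self, repo: KeyRepository):
        self.repo = repo
        self.rows = {}            # row_id -> (partition, nonce, ciphertext); may live in an archive
        self.expired = set()

    @staticmethod
    def _key_id(partition: str) -> str:
        return f"key:{partition}"

    def insert(self, row_id: str, partition: str, plaintext: bytes) -> None:
        if partition in self.expired:
            raise ValueError(f"partition {partition!r} is expired; refusing to mint a new key for it")
        key_id = self._key_id(partition)
        if key_id not in self.repo:
            self.repo.create(key_id)
        nonce = secrets.token_bytes(16)
        self.rows[row_id] = (partition, nonce, keystream_xor(self.repo.get(key_id), nonce, plaintext))

    def read(self, row_id: str):
        partition, nonce, ciphertext = self.rows[row_id]
        key_id = self._key_id(partition)
        if key_id not in self.repo:
            return None           # key shredded: the ciphertext is still stored but unreadable
        return keystream_xor(self.repo.get(key_id), nonce, ciphertext)

    def expire(self, partitions):
        """Expiry request: map the object identifiers to their keys and delete exactly those keys."""
        key_ids = [self._key_id(p) for p in partitions if self._key_id(p) in self.repo]
        self.repo.delete(key_ids)
        self.expired.update(partitions)
        return key_ids
```

The point of the expired-partition set is the failure mode the abstract's last sentence hints at: if a later insert silently re-created "key:2009Q1", the repository would again hold a key for an expired object, and old ciphertext in the archive would decrypt to garbage instead of being refused.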
  • Patent number: 7757079
    Abstract: A system and method for supporting operations with multiple certification authorities (CAs) on a communication device. A common CA interface is provided between a plurality of secure communication applications and a plurality of CA-specific components, each of which interacts with a particular CA. A further common interface may also be provided for operatively coupling the secure communication applications to cryptographic components in the device.
    Type: Grant
    Filed: March 26, 2007
    Date of Patent: July 13, 2010
    Assignee: Research In Motion Limited
    Inventors: Herbert A. Little, Michael S. Brown
  • Patent number: 7752456
    Abstract: In accordance with certain aspects, data is received from a calling program. Ciphertext that includes the data is generated, using a symmetric cipher, in a manner that allows only one or more target programs to be able to obtain the data from the ciphertext. In accordance with other aspects, a bit string is received from a calling program. An identifier of the calling program is checked to determine whether the calling program is allowed to access data encrypted in ciphertext of the bit string. The integrity of the data is also verified, and the data is decrypted using a symmetric key. The data is returned to the calling program only if the calling program is allowed to access the data and if the integrity of the data is successfully verified.
    Type: Grant
    Filed: November 8, 2006
    Date of Patent: July 6, 2010
    Assignee: Microsoft Corporation
    Inventors: Paul England, Marcus Peinado
  • Patent number: 7752442
    Abstract: A distributed security system is provided. The distributed security system uses a security policy that is written in a policy language that is transport and security protocol independent as well as independent of cryptographic technologies. This security policy can be expressed using the language to create different security components allowing for greater scalability and flexibility. By abstracting underlying protocols and technologies, multiple environments and platforms can be supported.
    Type: Grant
    Filed: October 20, 2005
    Date of Patent: July 6, 2010
    Assignee: Microsoft Corporation
    Inventors: Giovanni M. Della-Libera, Christopher G. Kaler, Scott A. Konersmann, Butler W. Lampson, Paul J. Leach, Bradford H. Lovering, Steven E. Luocco, Stephen J. Millet, Richard F. Rashid, John P. Shewchuk
  • Publication number: 20100161972
    Abstract: The invention relates to a device (250) and a method for key block based authentication. In order to overcome the problems of known devices and methods for authentication and to allow for an effective key block and/or application revocation wherein it is ensured that valid and new revocation information reaches said device and is used for authentication, a device (250) for a key block based authentication is proposed comprising authentication means (252) for authenticating between said device (250) having revocation information (254) and an application unit to be authenticated having a key block (AKB) by means of said revocation information (254) and said key block (AKB), and internal trigger means (256) for triggering a process of renewing said revocation information (254).
    Type: Application
    Filed: June 26, 2006
    Publication date: June 24, 2010
    Applicant: KONINKLIJKE PHILIPS ELECTRONICS, N.V.
    Inventors: Antonius Adriaan Maria Staring, Johan Cornelis Talstra
  • Patent number: 7743248
    Abstract: A Certificate Status Service (CSS) that is configurable, directed, and able to retrieve status from any approved Certification Authority (CA) is disclosed. The CSS may be used by a Trusted Custodial Utility (TCU) and comparable systems or applications whose roles are validating the right of an individual to perform a requisite action, the authenticity of submitted electronic information objects, and the status of authentication certificates used in digital signature verification and user authentication processes. The validity check on authentication certificates is performed by querying an issuing CA. Traditionally, to create a trusted Public Key Infrastructure (PKI) needed to validate certificates, complex relationships are formed by cross-certification among CAs or by use of PKI bridges.
    Type: Grant
    Filed: July 16, 2003
    Date of Patent: June 22, 2010
    Assignee: eOriginal, Inc.
    Inventors: Stephen F. Bisbee, Jack J. Moskowitz, Keith F. Becker, Walter J. Hilton, Joshua Szebenyi
  • Publication number: 20100153713
    Abstract: A system and method can include comparing entities associated with public certificates and private keys in a keystore to detect compromised private keys. This increases security of systems implementing public key cryptography over a network. The comparison can be triggered by a trigger event in one embodiment. If a private key belonging to a certificate authority is detected, a notification can be generated. Alternatively or in addition, a revocation request can be generated for public certificates corresponding to the compromised private key.
    Type: Application
    Filed: December 15, 2008
    Publication date: June 17, 2010
    Inventor: Udo Klein
  • Publication number: 20100153714
    Abstract: Authentication of elements (e.g. digital certificates 140) as possessing a pre-specified property (e.g. being valid) or not possessing the property is performed by (1) assigning a distinct integer p_i to each element, and (2) accumulating the elements possessing the property or the elements not possessing the property using a P-th root u^(1/P) (mod n) of an integer u modulo a predefined composite integer n, where P is the product of the integers associated with the accumulated elements. Alternatively, authentication is performed without such accumulators but using witnesses associated with such accumulators. The witnesses are used to derive encryption and/or decryption keys for encrypting the data evidencing possession of the property for multiple periods of time. The encrypted data are distributed in advance. For each period of time, decryption keys are released which are associated with that period and with the elements to be authenticated in that period of time.
    Type: Application
    Filed: February 25, 2010
    Publication date: June 17, 2010
    Inventors: Zulfikar Amin Ramzan, Craig B. Gentry, Bernhard Bruhn
  • Patent number: 7739495
    Abstract: A security module is provided in a data recording medium, data to be written to the data recording medium is encrypted with a content key that differs from one data item to another, and the content key is safely stored in the security module. Also, the security module performs a mutual authentication using public-key encryption technology with a drive unit to check that the counterpart is an authorized (licensed) unit, and then gives the content key to the counterpart, thereby preventing data from being leaked to any illegal (unlicensed) unit. Thus, it is possible to prevent copyrighted data such as movies, music, etc. from being copied illegally (against the wish of the copyright holder of the data).
    Type: Grant
    Filed: May 4, 2007
    Date of Patent: June 15, 2010
    Assignee: Sony Corporation
    Inventors: Tomoyuki Asano, Yoshitomo Osawa
  • Patent number: 7739500
    Abstract: Exemplary embodiments disclosed herein may include a method and system for creating an attendance marker and establishing consistent recognition of an ongoing digital relationship, including receiving an identity key about a server, creating an attendance marker, associating the attendance marker with the server. Other embodiments relate to systems and methods for recognizing a server, website, and/or other system for a client, such as a computer system for a user. Such authentication involves receiving an identity key about a web server or other system, creating an attendance marker, associating the attendance marker with the server, requesting an attendance marker associated with a server, and recognizing the server based at least in part on the attendance marker.
    Type: Grant
    Filed: March 7, 2005
    Date of Patent: June 15, 2010
    Assignee: Microsoft Corporation
    Inventors: Kim Cameron, Arun K. Nanda, Andy Harjanto, Stuart L. S. Kwan
  • Publication number: 20100146265
    Abstract: A method, apparatus and system for employing a secure content protection system is disclosed. In one embodiment, a certificate having a unique device identification associated with a first device is received, and, at a second device, a revocation list having unauthorized device identifications is received. The unique device identification is incrementally compared with the unauthorized device identifications of the revocation list, and media content is transmitted from the second device to the first device, if the unique device identification is not matched with the unauthorized device identifications of the revocation list.
    Type: Application
    Filed: December 10, 2008
    Publication date: June 10, 2010
    Inventors: Hoon Choi, Daekyeung Kim, Wooseung Yang
  • Publication number: 20100146250
    Abstract: This application generally describes techniques for dynamically updating trusted certificates and CRLs, generally referred to herein as certificate information. That is, techniques are described for updating trusted certificates and CRLs without terminating existing communication sessions. An exemplary method includes the steps of receiving an initial configuration that includes a trusted certificate authority, receiving certificate information that includes a certificate revocation list (CRL) and a first certificate from the trusted certificate authority, storing the certificate information in the configuration, initiating a communication session for an application, receiving an update to the certificate information, and updating the configuration to reflect the update to the certificate information without terminating the communication session.
    Type: Application
    Filed: December 5, 2008
    Publication date: June 10, 2010
    Inventors: Robert L. Bergerson, James R. Heit, Jason C. Schultz
  • Publication number: 20100138652
    Abstract: Host devices present both the host certificate and the pertinent certificate revocation lists to the memory device for authentication so that the memory device need not obtain the list on its own. Processing of the certificate revocation list and searching for the certificate identification may be performed concurrently by the memory device. The certificate revocation lists for authenticating host devices to memory devices may be stored in an unsecured area of the memory device for convenience of users.
    Type: Application
    Filed: December 17, 2009
    Publication date: June 3, 2010
    Inventors: Rotem Sela, Ron Barzilai, Michael Holtzman, Avraham Shmuel, Jason T. Lin
  • Patent number: 7730529
    Abstract: A method of operating a computer system comprises the following steps: installing an executable main module of a program on the computer system, storing module data for the main module and/or for an additional module (A, B, C, D) of the program in the computer system, said stored module data comprising a license part required to determine the presence of the use authorization of the main module and/or of the additional module, and preferably also comprising an information part, evaluating the stored module data for acquisition of a further use authorization for the additional module (A-D) or for a further additional module (A-D), and providing information for the acquisition of a use authorization as a function of the result of evaluation.
    Type: Grant
    Filed: April 8, 2003
    Date of Patent: June 1, 2010
    Assignee: Aladdin Europe GmbH
    Inventor: Michael Zunke
  • Patent number: 7725711
    Abstract: Methods and systems for handling on an electronic device a secure message to be sent to a recipient. Data is accessed about a security key associated with the recipient. The received data is used to perform a validity check related to sending a secure message to the recipient. The validity check may uncover an issue that exists with sending a secure message to the recipient. A reason is determined for the validity check issue and is provided to the mobile device's user.
    Type: Grant
    Filed: April 2, 2004
    Date of Patent: May 25, 2010
    Assignee: Research in Motion Limited
    Inventors: Michael K. Brown, Michael S. Brown, Herbert A. Little, Neil P. Adams
  • Patent number: 7721101
    Abstract: A communication apparatus with a memory (418) holding CA information A (301a) including (i) a CA certificate A (106a) indicating that an AP server certificate A (402a) (which indicates the validity of an application server (401)) is valid and (ii) a URL B (302b) indicating the URL of a download server B (406b) where CA information B (301b) including the next valid CA certificate B (106b) is stored. The communication apparatus also has a server authentication unit (416) verifying the AP server certificate A (402a) using the CA certificate A (106a), and a CA information update unit (417) obtaining the CA information B (301b) from the download server B (406b) indicated by the URL B (302b), wherein, when the CA certificate A (106a) becomes revoked, the server authentication unit (416) authenticates the application server (401) using the CA certificate B (106b) included in the CA information B (301b) obtained by the CA information update unit (417).
    Type: Grant
    Filed: March 17, 2004
    Date of Patent: May 18, 2010
    Assignee: Panasonic Corporation
    Inventors: Junji Yoshida, Shinji Hamai
  • Patent number: 7721089
    Abstract: Methods, components and systems for implementing secure and efficient broadcast encryption schemes with configurable and practical tradeoffs among a pre-broadcast transmission bandwidth t, a key storage cost k, and a key derivation cost c, in which the schemes use subtree difference and key decomposition to generate secondary keys, use the secondary keys to encrypt the broadcast and generate ciphertexts, and use the RSA encryption scheme to implement derivability between the primary keys and the secondary keys. To decrypt the broadcast, a privileged user uses one of its primary keys to derive a secondary key, which is used to decrypt the broadcast. The product of the key derivation cost c and the key storage cost k is at most (2a − log a − 2) log_a n, where n is the number of users, 1 ≤ b ≤ log n, a = 2^b, and the number of revoked users r < n/3.
    Type: Grant
    Filed: May 21, 2004
    Date of Patent: May 18, 2010
    Assignee: NTT DoCoMo, Inc.
    Inventors: Craig B. Gentry, Zulfikar Amin Ramzan
  • Patent number: 7720957
    Abstract: Apparatus and storage media for auto-configuration of an internal network interface are disclosed. Embodiments may install an internal VLAN manager in a logically partitioned computer system along with network agents in each of the partitions in the logically partitioned system to facilitate configuring an internal communications network and the corresponding internal network interfaces in each participating partition. In particular, an administrator accesses internal VLAN manager, selects an internal VLAN ID, selects each of the participating partitions, and configures the communications network with global parameters and ranges. The internal VLAN manager then generates partition parameters and incorporates them into messages for each of the partitions selected to participate in the internal network.
    Type: Grant
    Filed: February 11, 2009
    Date of Patent: May 18, 2010
    Assignee: International Business Machines Corporation
    Inventors: Charles S. Graham, Harvey G. Kiel, Chetan Mehta, Lee A. Sendelbach, Jaya Srikrishnan
  • Publication number: 20100122081
    Abstract: In response to a validation request that includes second information identifying the certificate authority, key information of the certificate authority at issuance of the public key certificate, and information identifying the public key certificate, if the second information identifying the certificate authority included in the validation request corresponds to the first information identifying the certificate authority included in the authority certificate, and the information identifying the public key certificate included in the validation request does not exist in the revocation information, the validation server creates a validation result indicating that the public key certificate corresponding to the information identifying the public key certificate included in the validation request is valid.
    Type: Application
    Filed: August 18, 2009
    Publication date: May 13, 2010
    Inventors: Akane Sato, Yoko Hashimoto, Shingo Hane, Takahiro Fujishiro, Masahiko Furuya, Masami Uzawa