Revocation Or Expiration Patents (Class 713/158)
  • Publication number: 20140258714
    Abstract: Federated systems for issuing playback certifications granting access to technically protected content are described. One embodiment of the system includes a registration server connected to a network, a content server connected to the network and to a trusted system, a first device including a non-volatile memory that is connected to the network and a second device including a non-volatile memory that is connected to the network. In addition, the registration server is configured to provide the first device with a first set of activation information in a first format, the first device is configured to store the first set of activation information in non-volatile memory, the registration server is configured to provide the second device with a second set of activation information in a second format, and the second device is configured to store the second set of activation information in non-volatile memory.
    Type: Application
    Filed: February 18, 2014
    Publication date: September 11, 2014
    Applicant: Sonic IP, Inc.
    Inventors: Eric William Grab, Chris Russell, Francis Yee-Dug Chan, Michael George Kiefer
  • Patent number: 8832430
    Abstract: A system for managing security certificates on a plurality of remote computers comprises a certificate manager that can determine in accordance with at least one preestablished criterion whether a security certificate on a remote computer is to be managed. The system also includes an installer module that can access an account of the remote computer to manage the security certificate. Methods of using the system are also provided.
    Type: Grant
    Filed: September 17, 2010
    Date of Patent: September 9, 2014
    Assignee: Microsoft Corporation
    Inventors: Adam E. Zilinskas, Laura Delhy Machado de Wright, S. Morris Brown
  • Patent number: 8832802
    Abstract: A system that can control whether a recipient of an electronic message (e.g., a text message, a multimedia message, an e-mail message, etc.) with a forwarding-restricted attachment is permitted to forward the attachment to third parties can be implemented on the network without specialized hardware or software for the client devices. The sender of a text message may limit the downstream distribution of that text message through text message forwarding by associating a forwarding restriction flag with the message.
    Type: Grant
    Filed: August 1, 2012
    Date of Patent: September 9, 2014
    Assignee: Protextion Technologies, LLC
    Inventors: David M. Orbach, Evan John Kaye
  • Publication number: 20140250299
    Abstract: Executable applications on a gaming machine are verified before they can be executed, for security purposes and to comply with jurisdictional requirements. Unlike in prior systems for authenticating the executable applications, embodiments allow for new executable applications to be provided and verified over time with different private and public key pairs, even after the operating code of the gaming machine is certified by the jurisdiction and deployed in the field.
    Type: Application
    Filed: April 9, 2014
    Publication date: September 4, 2014
    Applicant: IGT
    Inventors: John Hongjip Kim, Melih Ozmen, Warner R. Cockerille, IV, Ali R. Gulbag
  • Patent number: 8826010
    Abstract: A communication system includes a plurality of nodes, the communication system being arranged to assign each of the plurality of nodes a certificate by means of which it can authenticate itself to other nodes in the communication system. The communication system further includes an authentication node arranged to determine that a certificate should be revoked and to, responsive to that determination, write an indicator of that certificate's revocation to a location in the communication system that is external to the authentication node and to which the node assigned the revoked certificate is not permitted to write.
    Type: Grant
    Filed: September 17, 2010
    Date of Patent: September 2, 2014
    Assignee: Skype
    Inventors: Eric Rescorla, Theo Zourzouvillys
  • Patent number: 8819414
    Abstract: A method is provided for obtaining a certificate revocation list (CRL) for a vehicle in a vehicle-to-vehicle communication system. A portable security unit is provided to access secured operations for the vehicle. The portable security unit is linked to a device having access to a communication network. The communication network is in communication with a certificate authority for issuing an updated CRL. The updated CRL is downloaded from the certificate authority to the portable security unit. At a later time, when a user enters the vehicle, a communication link is established between the portable security unit and a vehicle processor unit. Mutual authentication is exchanged between the portable security unit and the vehicle processing unit. The updated CRL stored in the portable security unit is downloaded to a memory of the vehicle communication system in response to a successful mutual authentication.
    Type: Grant
    Filed: April 19, 2010
    Date of Patent: August 26, 2014
    Assignee: GM Global Technology Operations LLC
    Inventors: Bhargav R. Bellur, Debojyoti Bhattacharya, Aravind V. Iyer
  • Patent number: 8819418
    Abstract: A communication system includes a certificate authority for performing authentication, a roadside device, a vehicle-mounted terminal, a first server, and a second server. The vehicle-mounted terminal transmits position information to the first server. The certificate authority acquires information about a vehicle-mounted terminal likely to appear according to place and time from the first server. The certificate authority allows the second server to verify validity of a certificate for a vehicle-mounted terminal acquired from the first server. The certificate authority generates a first list of vehicle-mounted terminals having valid certificates and a second list of vehicle-mounted terminals having invalid certificates according to place and time based on a verification result. The certificate authority transmits the first and second lists to the roadside device and the vehicle-mounted terminal.
    Type: Grant
    Filed: April 21, 2011
    Date of Patent: August 26, 2014
    Inventors: Eriko Ando, Ken Naganuma, Toru Owada
  • Patent number: 8819846
    Abstract: A method and a terminal device for making multi-system constraint of a specified permission in a digital rights. A rights object related to content object is obtained by an executing device. The specific permission descriptions of the rights object include system constraint descriptions of a plurality of systems of the same type. The executing device obtains a corresponding system information in the device according to the system constraint descriptions and compares the system information in the device with the system information in the system constraint descriptions, so as to judge whether there is any system permitted in system constraint descriptions. If yes, it determines to permit executing the specific permission for the content object; otherwise, it determines not to permit executing said specific permission for the content object.
    Type: Grant
    Filed: September 28, 2012
    Date of Patent: August 26, 2014
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Yimin Li, Pei Dang
  • Publication number: 20140237228
    Abstract: A method includes creating a smart card with an expiration date and renewing the smart card after the expiration date. The smart card may be created with data stored upon the smart card for use in the renewal process. The data may comprise a certificate. The smart card may be issued at the information technology department of an organization and may be renewed at a user workstation of the organization. The renewal process may include a renewal environment for authenticating the holder of the smart card. The card holder may be required to provide a personal identification number in order to enter into the renewal environment. The rights conferred by the renewed smart card may be more limited than the rights conferred by the original smart card, both in duration and access to data within the organization.
    Type: Application
    Filed: February 21, 2013
    Publication date: August 21, 2014
    Applicant: DELL PRODUCTS, LP
    Inventors: Charles D. Robison, Daniel L. Hamlin
  • Patent number: 8806198
    Abstract: A method and system for communicating between a user network device and a server includes a first server and a user network device that requests an electronic token (eToken) from the first server. The first server communicates the eToken, a signature key, and a server time. The user network device determines a signature using the server time and signature key and communicates a request for data to a second server. The request for data includes a signature. The second server communicates data to a user network device.
    Type: Grant
    Filed: March 4, 2010
    Date of Patent: August 12, 2014
    Assignee: The DIRECTV Group, Inc.
    Inventor: Kapil Chaudhry
  • Patent number: 8806193
    Abstract: Methods and apparatus for integrating digital rights management (DRM) systems with native HTTP live streaming. Several methods for integrating a DRM system with HTTP live streaming on an operating system (OS) platform are described. In each of these methods, a manifest is delivered to an application on a device; the application then accesses a remote DRM server to obtain a license and one or more keys for the content. The DRM server enforces the rights of the client in regard to the indicated content. The application may modify the manifest to indicate a method for obtaining the key. The application delivers the manifest to the OS, which uses the indicated method (e.g., a URL) to obtain the key. While similar, the methods primarily differ in the manner in which the OS is directed to obtain the key.
    Type: Grant
    Filed: December 22, 2011
    Date of Patent: August 12, 2014
    Assignee: Adobe Systems Incorporated
    Inventors: Viswanathan Swaminathan, Kelly Yoshikazu Kishore
  • Publication number: 20140223174
    Abstract: Various embodiments are disclosed that relate to security of a computer accessory device. For example, one non-limiting embodiment provides a host computing device configured to conduct an initial portion of a mutual authentication session with an accessory device, and send information regarding the host computing device and the accessory device to a remote pairing service via a computer network. The host computing device is further configured to, in response, receive a pairing certificate from the remote pairing service, the pairing certificate being encrypted via a private key of the remote pairing service, and complete the mutual authentication with the accessory device using the pairing certificate from the remote pairing service.
    Type: Application
    Filed: February 1, 2013
    Publication date: August 7, 2014
    Applicant: MICROSOFT CORPORATION
    Inventors: Harish Krishnamurthy, Ming Zhu, Kurt Torben Nielsen, Matthew Morris
  • Patent number: 8800026
    Abstract: An information terminal device is provided that may use the input functionality of a touch panel to remove the restriction on the use thereof, for example, release the key lock. The information terminal device (1) is an information terminal device including a display (11) and a touch panel (12), including: a pattern storage memory (43) configured to store a release pattern that is to be entered into the touch panel (12) to remove the restriction on the use of the information terminal device, the release pattern being designated by a user as a graphic pattern; a comparison unit (44) configured to determine whether an entered pattern entered into the touch panel matches the release pattern; and a controller (34) configured to remove the restriction on the use of the information terminal device if the comparison unit (44) determines that the entered pattern matches the release pattern.
    Type: Grant
    Filed: June 13, 2011
    Date of Patent: August 5, 2014
    Assignee: Sharp Kabushiki Kaisha
    Inventor: Makoto Tamaki
  • Patent number: 8800009
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for accessing services from a virtual machine. One of the methods includes receiving requests for long-term security tokens from a host machine, each request comprising authentication information for a respective service account. The method includes providing long-term security tokens to the host machine, wherein the long-term security tokens can be used to generate short-term security tokens for a virtual machine executing on the host machine. The method also includes generating by a process executing in a host operating system of the host machines a short-term security token based on a long-term security token of the long-term security tokens for use by a virtual machine executing on the host machine to access one of the respective service accounts, wherein the short-term security token is useable for a pre-determined amount of time.
    Type: Grant
    Filed: February 23, 2012
    Date of Patent: August 5, 2014
    Assignee: Google Inc.
    Inventors: Joseph S. Beda, III, Ridhima Kedia
  • Patent number: 8799640
    Abstract: Techniques for managing a secure communication session are provided. A non-browser application utilizes a browser to establish a secure communication session with a server. The session cookie set in the browser is mapped by the server to a secret token that is supplied via the browser to the non-browser application. The browser is then closed and the secure communication session between the server and the non-browser application continues unabated via the secret token.
    Type: Grant
    Filed: February 27, 2010
    Date of Patent: August 5, 2014
    Assignee: Novell, Inc.
    Inventors: Prakash Umasankar Mukkara, Lloyd Leon Burch
  • Patent number: 8799656
    Abstract: Methods for anonymous authentication and key exchange are presented. In one embodiment, a method includes initiating a two-way mutual authentication between a device and a remote entity. The device remains anonymous to the remote entity after performing the authentication. The method also includes establishing a mutually shared session key for use in secure communication, wherein the initiating and the establishing are in conjunction with direct anonymous attestation (DAA).
    Type: Grant
    Filed: October 27, 2010
    Date of Patent: August 5, 2014
    Assignee: Intel Corporation
    Inventors: Ernest F. Brickell, Jiangtao Li, Jesse Walker
  • Patent number: 8800004
    Abstract: A computerized authorization system configured to authorize electronically-made requests to an electronic entity. The computerized authorization system comprises a store configured to store an indication of at least one predetermined electronic authorization device configured to authorize each electronically-made request. The computerized authorization system is further configured such that: in response to receiving an electronically-made request to the electronic entity, an indication of the request is output to the at least one predetermined electronic authorization device configured to authorize the request as indicated in the store; and in response to receiving an indication of authorization from the at least one predetermined electronic authorization device, an indication of authorization of the request is output to the electronic entity.
    Type: Grant
    Filed: March 21, 2012
    Date of Patent: August 5, 2014
    Inventor: Gary Martin Shannon
  • Publication number: 20140215207
    Abstract: Systems and methods for provisioning and managing of certificates in a network are described. In one implementation, a signing certificate is generated by a network device based on a root certificate of the network device. Based on the signing certificate of the network device, a client-device certificate is signed for a client device. The signed client-device certificate is provided to the client device for allowing the client device to access a secure service provided by the network device.
    Type: Application
    Filed: January 31, 2013
    Publication date: July 31, 2014
    Applicant: HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P.
    Inventors: Kaushik Datta, Craig J. Mills
  • Patent number: 8793487
    Abstract: A public key infrastructure comprising a participant that issues digital certificates. Each digital certificate can be relied upon in at least two different trust domains. The public key infrastructure does not employ policy mapping between or among the trust domains. Furthermore, the public key infrastructure does not link any pair of trust domains via cross-certificates. Just one trust domain is bound to the digital certificate at any given moment. The current trust domain that is to be bound to the digital certificate is elected by a relying party at the time of reliance, based upon a specific certificate validation methodology selected by the relying party.
    Type: Grant
    Filed: January 16, 2009
    Date of Patent: July 29, 2014
    Assignee: Identrust, Inc.
    Inventors: William C. Epstein, Lawrence R. Miller
  • Patent number: 8788811
    Abstract: A method and system for server-side key generation for non-token clients is described.
    Type: Grant
    Filed: May 28, 2010
    Date of Patent: July 22, 2014
    Assignee: Red Hat, Inc.
    Inventors: Christina Fu, Andrew Wnuk
  • Publication number: 20140201520
    Abstract: The current application is directed to computationally efficient attribute-based access control that can be used to secure access to stored information in a variety of different types of computational systems. Many of the currently disclosed computationally efficient implementations of attribute-based access control employ hybrid encryption methodologies in which both an attribute-based encryption or a similar, newly-disclosed policy-encryption method as well as a hierarchical-key-derivation method are used to encrypt payload keys that are employed, in turn, to encrypt data that is stored into, and retrieved from, various different types of computational data-storage systems.
    Type: Application
    Filed: January 20, 2014
    Publication date: July 17, 2014
    Inventor: Yacov Yacobi
  • Patent number: 8776180
    Abstract: Instrumented networks, computer systems and platforms having target subjects (devices, transactions, services, users, organizations) are disclosed. A security orchestration service generates runtime operational integrity profiles representing and identifying a level of threat or contextual trustworthiness, at near real time, of subjects and applications on the instrumented target platform. Methods and systems are disclosed for calculating security risks by determining subject reputation scores. In an embodiment, a system receives a query for a reputation score of a subject, initiates directed queries to external information management systems to interrogate attributes associated with the subject, and analyzes responses. The system receives a hierarchical subject reputation score based on a calculus of risk and returns a reputation token.
    Type: Grant
    Filed: July 27, 2012
    Date of Patent: July 8, 2014
    Assignee: Taasera, Inc.
    Inventors: Srinivas Kumar, Dennis Pollutro
  • Patent number: 8775795
    Abstract: The successful authenticating of a Network Access Identifier (NAI) process is enabled by an authenticating method and a mobile terminal for a Code Division Multiple Access (CDMA) EVolution to packet Data Optimized (EVDO) network.
    Type: Grant
    Filed: April 29, 2010
    Date of Patent: July 8, 2014
    Assignee: Hisense Mobile Communications Technology Co., Ltd.
    Inventor: Yuan Que
  • Patent number: 8776192
    Abstract: Methods for automatically verifying and populating an encryption keystore are provided. Pursuant to these methods, the keystore may be automatically checked to determine if it is missing a required digital certificate; if so, the missing required digital certificate may be automatically inserted into the keystore. The methods may also include automatically obtaining the required digital certificates and a list of the required digital certificates, and automatically comparing the list of required digital certificates with the digital certificates in the keystore to determine if the keystore is missing a required digital certificate. The methods may further include sending an informational alert if a missing required digital certificate was automatically inserted into the keystore, and may include checking the keystore to determine if any required digital certificates have expired, will expire within a predetermined time period, or are inoperative.
    Type: Grant
    Filed: November 17, 2009
    Date of Patent: July 8, 2014
    Assignee: AT&T Intellectual Property I, L.P.
    Inventor: Andrew Schiefelbein
  • Patent number: 8775321
    Abstract: Certain embodiments provide a user notification such as a cue in a media content player. The notification or cue indicates that there is additional content available for a piece of media being played or about to be played. The notification or cue may be superimposed on content or provided separate from the media content being provided. In certain embodiments, the notification may provide a link for accessing the additional content the notification identifies. For example, the user may click on a notification to link to a dynamically-generated webpage comprising information retrieved about the media content being presented.
    Type: Grant
    Filed: October 31, 2008
    Date of Patent: July 8, 2014
    Assignee: Adobe Systems Incorporated
    Inventor: Mark Randall Mooneyham
  • Patent number: 8769612
    Abstract: A technique that enables a portable device to be automatically associated with a plurality of computers. Information that a computer can use to authenticate a portable device and establish a trusted relationship prior to creating an association with the portable device is created and stored in a data store that is accessible by a plurality of computers and is associated with a user of the portable device. When a computer discovers such a portable device with which it is not yet associated, the computer can identify a user logged into the computer and use information identifying the user to retrieve authentication information that is device independent and is expected to be presented by the portable device to authenticate it and allow automatic association.
    Type: Grant
    Filed: August 14, 2008
    Date of Patent: July 1, 2014
    Assignee: Microsoft Corporation
    Inventor: Narayanan Ganapathy
  • Patent number: 8769312
    Abstract: Tampering monitoring system can detect whether protection control module is tampered with even if some of detection modules are tampered with. Tampering monitoring system includes protection control module, detection modules, and management device. Protection control module includes: generation unit generating d pieces of distribution data from computer program, n and d being positive integers, d smaller than n; selection unit selecting d detection modules; and distribution unit distributing d pieces of distribution data to d detection modules. Each detection module judges whether received piece of distribution data is authentic to detect whether protection control module is tampered with, and transmits judgment result indicating whether protection control module is tampered with. Management device receives judgment results from d detection modules and manages protection control module with regard to tampering by using received judgment results.
    Type: Grant
    Filed: October 19, 2011
    Date of Patent: July 1, 2014
    Assignee: Panasonic Corporation
    Inventors: Yuji Unagami, Yuichi Futa, Natsume Matsuzaki, Hiroki Shizuya, Eisuke Koizumi, Shingo Hasegawa
  • Patent number: 8769304
    Abstract: According to an embodiment of the present invention, a method for using information in conjunction with a data repository includes encrypting data associated with the information with an encryption key, sending at least the encrypted data to the data repository, and possibly deleting the information. The method also includes receiving a request for the information from a remote device, and sending a request for the encrypted data to the data repository. The method further includes receiving the encrypted data from the data repository, decrypting the encrypted data using the encryption key, and sending the information to the remote device.
    Type: Grant
    Filed: June 15, 2012
    Date of Patent: July 1, 2014
    Assignee: OneID Inc.
    Inventor: Steven Todd Kirsch
  • Patent number: 8762729
    Abstract: A group signature system includes: a key issuer server for generating a first parameter of a group public key, generating a corresponding master issuing key, and issuing a signature key to a user when a user device joins; an opener server for generating a second parameter of the group public key, and a corresponding master opening key and master linking key; and a linker server for checking whether two valid signatures have been linked by using the master linking key when the two signatures corresponding to a group public key are given. The group signature system further includes: a signature verifying unit for confirming a validity of the given signatures and a signer information confirming unit for confirming a validity of signer confirming information generated by the opener server.
    Type: Grant
    Filed: April 4, 2011
    Date of Patent: June 24, 2014
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Jung Yeon Hwang, Sokjoon Lee, Gun Tae Bae, Yun-Kyung Lee, Hyeran Mun, Sang-Woo Lee, Sin Hyo Kim, Byung Ho Chung, Hyun Sook Cho
  • Patent number: 8762710
    Abstract: A method and system for updating and using a digital certificate, and the method comprises: a first terminal establishing a secure link with an access point and using the secure link to send a certificate updating request to the access point, where the certificate updating request includes a digital certificate to be updated which is currently used by the first terminal; and the access point sending the digital certificate to be updated to a local Authentication Service Unit which issues the certificate to be updated; and the local Authentication Service Unit which issues the digital certificate to be updated verifying the digital certificate to be updated, and after the digital certificate is verified to be valid, a local Authentication Service Unit corresponding to the access point generating a new digital certificate of the first terminal and sending the new digital certificate to the first terminal through the access point.
    Type: Grant
    Filed: August 20, 2009
    Date of Patent: June 24, 2014
    Assignee: ZTE Corporation
    Inventors: Jiehui Liang, Yuanqing Shi, Wangxing Kang
  • Patent number: 8756415
    Abstract: A memory device includes: a storage section configured to store public key information of a certificate authority for verifying a certificate and revocation information for revoking illegal devices and to include a secret area for storing data of which the confidentiality is to be guaranteed; and a control section configured to have a function of communicating with an external device and to control access to the secret area of the storage section at least in accordance with the revocation information.
    Type: Grant
    Filed: March 23, 2011
    Date of Patent: June 17, 2014
    Assignee: Sony Corporation
    Inventors: Takamichi Hayashi, Hiroshi Kuno
  • Patent number: 8756416
    Abstract: A method and system for checking a revocation status of a biometric reference template previously generated for an individual. A hash value of the biometric reference template is computed. A reference template revocation object for the biometric reference template is created, which includes inserting into the reference template revocation object: (i) a location for checking the revocation status of the biometric reference template and (ii) a unique biometric reference template identifier that uniquely identifies the biometric reference template. The revocation status of the biometric reference template is ascertained through use of the reference template revocation object. The ascertained revocation status of the biometric reference template is returned to a relying party that had requested the status of the biometric reference template.
    Type: Grant
    Filed: September 12, 2012
    Date of Patent: June 17, 2014
    Assignee: International Business Machines Corporation
    Inventor: Phillip H. Griffin
  • Patent number: 8751793
    Abstract: The present inventions provide an integrated, modular array of administrative and support services for electronic commerce and electronic rights and transaction management. These administrative and support services supply a secure foundation for conducting financial management, rights management, certificate authority, rules clearing, usage clearing, secure directory services, and other transaction related capabilities functioning over a vast electronic network such as the Internet and/or over organization internal Intranets. These administrative and support services can be adapted to the specific needs of electronic commerce value chains. Electronic commerce participants can use these administrative and support services to support their interests, and can shape and reuse these services in response to competitive business realities. A Distributed Commerce Utility having a secure, programmable, distributed architecture provides administrative and support services.
    Type: Grant
    Filed: December 2, 2003
    Date of Patent: June 10, 2014
    Assignee: Intertrust Technologies Corp.
    Inventors: Karl L. Ginter, Victor H. Shear, Francis J. Spahn, David M. Van Wie, Robert P. Weber
  • Patent number: 8752187
    Abstract: A portable license for licensed content is obtained by a user along with a regular license in a local network, such as a home network or other private network. The portable license may be stored in a license server on a portable device, such as a smart phone or a tablet, which functions as a portable license server. The user may take the portable device to another location where it joins another local network. A device in the second network, which does not have a license to play the licensed content, may use the portable license on the portable device to execute the content, enabling the user to enjoy it in multiple environments. The device (e.g., a TV) in the second network may continue to play the content as long as the portable license or another valid license is present in the network.
    Type: Grant
    Filed: April 20, 2011
    Date of Patent: June 10, 2014
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Fabio Gava, Fei Xie, Andrew R. Shelansky
  • Patent number: 8751791
    Abstract: A method and device for confirming authenticity of a public key infrastructure (PKI) transaction event between a relying node and a subject node in a communication network enables improved network security. According to some embodiments, the method includes establishing at a PKI event logging (PEL) server a process to achieve secure communications with the relying node (step 705). Next, the PEL server processes reported PKI transaction event data received from the relying node (step 710). The reported PKI transaction event data describe the PKI transaction event between the relying node and the subject node. The reported PKI transaction event data are then transmitted from the PEL server to the subject node (step 715). The subject node can thus compare the reported PKI transaction event data with corresponding local PKI transaction event data to confirm the authenticity of the PKI transaction event.
    Type: Grant
    Filed: September 17, 2008
    Date of Patent: June 10, 2014
    Assignee: Motorola Solutions, Inc.
    Inventors: Erwin Himawan, Ananth Ignaci, Anthony R. Metke, Shanthi E. Thomas
  • Patent number: 8745380
    Abstract: A method and system for pre-encoding a cached CRL is described.
    Type: Grant
    Filed: February 26, 2010
    Date of Patent: June 3, 2014
    Assignee: Red Hat, Inc.
    Inventor: Andrew Wnuk
  • Patent number: 8745706
    Abstract: Various embodiments of systems and methods for providing a secure communication are described herein. A client application generates a Distributed Ruby (DRb) request based on a request received from a user. The obtained DRb request is wrapped to obtain an HTTPS request, which includes the DRb request and one or more authentication information. The generated HTTPS request is forwarded to an HTTPS server, which verifies the HTTPS request based on the authentication information. The HTTPS request is then unwrapped to obtain the DRb request, which is executed by a DRb server to obtain a result of execution of the DRb request.
    Type: Grant
    Filed: May 14, 2012
    Date of Patent: June 3, 2014
    Assignee: Business Objects Software Limited
    Inventors: Alexei Potiagalov, Cheong-Wei Chu
  • Patent number: 8745377
    Abstract: A network system includes a management apparatus and multiple apparatuses. The management apparatus includes a preparation instruction unit to transmit an instruction to prepare a certificate request to the apparatuses; a collection unit to collect the certificate requests; a request unit to request issuance of certificates to a certificate authority; a resetting instruction unit to transmit the issued certificates to the apparatuses and to instruct resetting of certificates. The apparatus includes a storing unit including an operation area for storing a first certificate and a provisional operation area; a provisionally operating unit to transfer the first certificate to the provisional operation area, and to generate a certificate request, and to transmit the certificate request to the management apparatus; a setting unit to store a second certificate, issued by the certificate authority, in the operation area, and to instruct a communication unit to conduct the communication by switching a certificate.
    Type: Grant
    Filed: February 8, 2013
    Date of Patent: June 3, 2014
    Assignee: Ricoh Company, Ltd.
    Inventor: Yoshimi Satoh
  • Patent number: 8745616
    Abstract: A computer-implemented method for verifying the trustworthiness of code prior to issuing code-signing certificates may include (1) receiving a request from a software publisher to sign code, the request including a copy of the code and a digital signature that verifies the integrity of the code, (2) prior to signing the code, verifying the trustworthiness of the code based at least in part on an analysis of the copy of the code included within the request, (3) upon verifying the trustworthiness of the code, signing the code by generating a digitally signed trustworthiness certificate for the code that certifies that the code is trustworthy, and then (4) providing the trustworthiness certificate to the software publisher to enable the software publisher to attest that the code is trustworthy. Various additional methods, systems, and encoded computer-readable media are also disclosed.
    Type: Grant
    Filed: September 23, 2011
    Date of Patent: June 3, 2014
    Assignee: Symantec Corporation
    Inventor: William Deacon
  • Patent number: 8745401
    Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for authorizing actions of a service provider. In one aspect, a method includes providing a user security key to a mobile device of a user. A request is received from a client device distinct from the mobile device to perform an action. A challenge token including a security signature matched to a service security key is generated, and the challenge token is provided to the mobile device. An approval value is received from the client device. The approval value is determined to be valid in reference to the challenge token and the user security key previously provided to the mobile device and to indicate approval to perform the action for the user. The action is performed in response to receiving the approval value.
    Type: Grant
    Filed: November 12, 2010
    Date of Patent: June 3, 2014
    Assignee: Google Inc.
    Inventors: Andrew Hintz, Michael Wiacek
  • Patent number: 8745400
    Abstract: With the help of a key management protocol, the transmitted key information is authenticated by at least one certificate signed by the terminals, and at least one fingerprint of the public keys or certificate, which were used for authenticating the key information, is added to the useful part of an SIP message. The identity information present in the header of an SIP message is additionally copied into a region of the header or the useful part, and a signature is produced by way of the fingerprint, the datum information presented in the header of an SIP message, the copied identity information, and optionally the certificate reference information, and is inserted into a further region of the header of the SIP message. The additional signature that is produced and inserted can remain uninfluenced during a transmission across several networks of different network operators.
    Type: Grant
    Filed: January 7, 2008
    Date of Patent: June 3, 2014
    Assignee: Siemens Enterprise Communications GmbH & Co. KG
    Inventors: John Elwell, Kai Fischer
  • Patent number: 8745730
    Abstract: A networked computer device can be customized to contain provisioning and/or authorization logic in its firmware or the firmware of one of its subcomponents. The computer device is thus configured to provision itself from a provisioning server that is identified within the firmware, and to periodically query an operations authority for continued authorization to operate with the received provisioning. Upon failure to receive authorization, the firmware may implement various security measures, such as storage protection, boot protection, communications protection, and so forth. The firmware may also implement remote reporting, to assist an investigator when a device has been lost or stolen.
    Type: Grant
    Filed: September 13, 2011
    Date of Patent: June 3, 2014
    Assignee: Amazon Technologies, Inc.
    Inventor: Timothy C. Worsley
  • Publication number: 20140149740
    Abstract: On the basis of revocation information of a certificate, information of a certification authority and of the certificate issued by the certification authority from a terminal device, and information of a cryptographic algorithm, validity of the certificate from the terminal device is determined.
    Type: Application
    Filed: July 10, 2012
    Publication date: May 29, 2014
    Inventors: Chinatsu Sato, Akane Suzuki, Takahiro Fujishiro
  • Patent number: 8738920
    Abstract: An information processing apparatus of the present invention converts user authentication information based on a second one-way function into a second converted value if authentication with a first converted value obtained by converting the user authentication information based on the first one-way function is successful.
    Type: Grant
    Filed: August 6, 2012
    Date of Patent: May 27, 2014
    Assignee: Canon Kabushiki Kaisha
    Inventor: Yuu Tamura
  • Patent number: 8732818
    Abstract: End-to-end authentication capability based on public-key certificates is combined with the Session Initiation Protocol (SIP) to allow a SIP node that receives a SIP request message to authenticate the sender of the request. The SIP request message is sent with a digital signature generated with a private key of the sender and may include a certificate of the sender. The SIP request message may also be encrypted with a public key of the recipient. After receiving the SIP request, the receiving SIP node obtains a certificate of the sender and authenticates the sender based on the digital signature. The digital signature may be included in an Authorization header of the SIP request, or in a multipart message body constructed according to the S/MIME standard.
    Type: Grant
    Filed: September 28, 2012
    Date of Patent: May 20, 2014
    Assignee: Microsoft Corporation
    Inventors: Jeremy T. Buch, David J. Simons
  • Patent number: 8732457
    Abstract: Managing a digital certificate includes a landlord providing a digital certificate, a secure hardware device generating a series of n hash values, the secure hardware device providing an nth hash value to the landlord, wherein other hash values are not readily available to the landlord, the landlord placing the nth hash value in the certificate, the landlord digitally verifying the certificate containing the nth hash value to obtain a digitally signed certificate, a tenant obtaining the digitally signed certificate, the tenant obtaining the n hash values and the tenant managing the certificate by periodically issuing a previous hash value in the series of n hash values in response to the certificate being valid when the previous hash value is issued.
    Type: Grant
    Filed: March 20, 2002
    Date of Patent: May 20, 2014
    Assignee: Assa Abloy AB
    Inventor: Silvio Micali
  • Publication number: 20140129829
    Abstract: An unauthorized connection detecting device which detects an unauthorized charge/discharge device includes: a time information obtaining unit obtaining, as time information, information from a first charge/discharge device, the information indicating at least one of an issuing date of a first certificate which is a public key certificate and an issuing date of a certificate revocation list held by the first charge/discharge device; an expiration date obtaining unit obtaining expiration date information from a second charge/discharge device, the expiration date information indicating an expiration date of a second certificate which is a public key certificate held by the second charge/discharge device; and an unauthorization detecting unit detecting whether or not the second charge/discharge device is the unauthorized charge/discharge device by comparing the time information with the expiration date information.
    Type: Application
    Filed: March 11, 2013
    Publication date: May 8, 2014
    Inventors: Yuji Unagami, Motoji Ohmori, Natsume Matsuzaki
  • Patent number: 8719912
    Abstract: A method of generating a pre-authenticated link to access a private feed and providing access to the private feed using the pre-authenticated link. A request to access the private feed is received and a first user sending the request is authenticated. A token for the first user is generated when the first user is authorized to access the private feed. The token may identify the first user, the private feed and an owner of the private feed. The token may be embedded within a link and transmitted to the first user. A user is automatically authorized to access the private feed when the token is sent by the user using the link. The link automatically authenticates the first user and allows access to the private feed. The private feed may become inaccessible to the first user when the owner of the private feed revokes access of the first user.
    Type: Grant
    Filed: June 27, 2008
    Date of Patent: May 6, 2014
    Assignee: Microsoft Corporation
    Inventors: Anthony Frey, John Bruno, Benjamin Walters, Charles Bassett, Jacob Dong Ju Kim
  • Patent number: 8719574
    Abstract: A server, method and/or computer-readable medium system for secure communication includes a certificate authority for generating certificates signed by the certificate authority and associated public and private keys for a client. The server further includes a directory of client attributes and client virtual attributes. At least one of the client virtual attributes is for, when receiving a query for a client that cannot be located in the directory, requesting the certificate authority to dynamically generate a certificate and associated public and private key for the client, and for storing the dynamically generated certificate and public key as a client attribute in the directory.
    Type: Grant
    Filed: August 31, 2006
    Date of Patent: May 6, 2014
    Assignee: Red Hat, Inc.
    Inventor: Robert Relyea
  • Patent number: RE45087
    Abstract: A method and system for Certificate management and transfer between messaging clients are disclosed. When communications are established between a first messaging client and a second messaging client, one or more Certificates stored on the first messaging client may be selected and transferred to the second messaging client. Messaging clients may thereby share Certificates. Certificate management functions such as Certificate deletions, Certificate updates and Certificate status checks may also be provided.
    Type: Grant
    Filed: August 12, 2013
    Date of Patent: August 19, 2014
    Assignee: BlackBerry Limited
    Inventors: Herbert Anthony Little, Neil Patrick Adams, David Francis Tapuska, Michael Stephen Brown, Michael Grant Kirkup, James Andrew Godfrey