Abstract: To prevent unauthorized access to hardware management information in an out-of-band mode, i.e., when the operating system of the hardware is not executing, a method and apparatus employ an authentication protocol. Upon receiving a request for hardware component information in a service processor that is disposed in a hardware component, which request is received as an open session request and which request passes external to an operating system controlling the hardware component, the service processor transmits a challenge string to the requesting client application. In response to a challenge response received from the requesting client application, the service processor compares the challenge response to an expected response to the challenge. The expected challenge response is calculated by the service processor. Based on the result of the comparison, the service processor transmits an authentication response to the requesting client application indicating success or failure of the authentication process.

Abstract: A method and apparatus for protecting computer software from unauthorized execution or duplication using a hardware key is disclosed. The apparatus comprises a means for communicating with the computer to receive command messages from the computer in the hardware key and to provide response messages to the computer, a memory for storing data for translating command messages into response messages enabling software execution, and a processor coupled to the communicating means for translating command messages into response messages using the data stored in the memory. The processor further comprises a memory manager, including means for logically segmenting the memory storing the data into at least one protected segment, and a means for controlling access to the protected segment.

Abstract: Method for providing database content usage. The database content can be a digital work having one or more rights associated therewith. The method can be effected within a system having at least one repository configured to enforce use of the content in accordance with the one or more usage rights. A usage right is associated with database content, the usage right specifying rights for the usage of database content and usage fees for exercise of such usage. The database content is provided in accordance with the usage right, and the usage fees are reported as a transaction.

Abstract: A secure communication channel between an open system and a portable IC device is established. An application running on the open system desiring access to the information on the portable IC device authenticates itself to the portable IC device, proving that it is trustworthy. Once such trustworthiness is proven, the portable IC device authenticates itself to the application. Once such two-way authentication has been completed, trusted communication between the open system and the portable IC device can proceed, and private information that is maintained on the portable IC device can be unlocked and made available to the application.

Abstract: An inter-equipment authentication and key delivery scheme, system, and equipment is provided which is capable of making authentication of an IC card ID signature, by comparison of a decrypted ICCID with another ICCID reproduced by dividing transmitted data. The inter-equipment authentication and key delivery scheme, system, and equipment can be used, for example, when an automobile passes by roadside equipment at a tollbooth, and the roadside equipment transmits a random digit (RND) generated therein as challenge data to an IC card via onboard equipment, and the IC card transmits back to the roadside equipment the random digit after encrypting it with a secret key Kicc. The IC card also transmits its ID (ICCID) and a certificate of individual IC card key CERT-Kicc together with the random digit. The roadside equipment divides the transmitted data into a response data E(Kicc, RND), the ICCID, and the certificate of individual IC card key CERT-Kicc.

Abstract: Smart cards and other such devices with limited memory capacity function as hosts for services on a distributed computing network. The information to be deployed in the distributed computing system to provide access to those services is separated into two categories. One category consists of the information that is generic to all instances of the service. The second category constitutes that information which is specific to one instance of the application which provides a service. The specific information is stored on the smart card, whereas the generic information is stored elsewhere on the distributed computing network, for example on a server. In addition to the specific information, the card stores the address at which the generic information can be located on the network. When a card is inserted in a terminal connected to the network, the terminal retrieves the specific deployment information, along with the address for the generic information.

Abstract: This system for executing a program to which access by a user is controlled by credentials includes a terminal (T), first memory means (F) associated with said program for storing at least first credentials specific to said user, access control means for authorizing access to said program in response to a match between said first credentials and second credentials applied via said terminal, and a security device (PSD) personal to said user, associated with said terminal and including second memory means (M) for secure storage of said second credentials. The terminal (T) includes at least some of credentials management means (CMP) including means for reading said second credentials and transmitting them to said access control means in response to presentation of a request to access said program, and credentials updating means for selectively commanding the generation and loading into said first and second memory means (F, M) of new credentials replacing the credentials previously stored.

Abstract: A trusted agent for enabling the check of the access of a user operating a first computer system controlled by a first security system to software and/or data on a second computer system controlled by a second security system. The trusted agent includes several functions, including: (a) reception of a user-id for the second computer system and transmission of the user-id to the second security system; (b) retrieval of a shared secret, which is registered in the fist security system and in the second security system, from the second security system; and (3) transmission of the shared secret from the trusted agent to the second computer system.

Abstract: The present invention relates to a digital contents selling system for selling digital contents. Identification information of digital contents selected by a customer is received. Personal digital contents are generated by setting identification information for identifying the customer in the selected digital contents as status information for permitting the customer to replay the selected digital contents. The generated digital contents are sold. Thereby, a technique is provided for preventing the illegal use of the sold digital contents.

Abstract: A method and system for strong, convenient authentication of a web user makes use, for example, of a computing device, such as a user's personal computer (PC), coupled over a network, such as the Internet, to one or more servers, such as the host server of an authenticating authority, as well as one or more databases of the authenticating authority. The authentication process is broken into three phases, namely a registration phase, an enrollment phase, and a transaction authentication phase, with each phase being less intrusive and less secure than the preceding phase. In the registration phase, an authenticating authority registers the user based upon identification of the user using a strong authentication technique and provides an authenticating token to the user, which can be used in the enrollment phase to enroll one or more user devices for the user.

Abstract: Non-contact interfaces to cryptographic modules include non-contact inputs, which may contain magnetic coupling, RF coupling, infrared coupling, optical coupling or acoustical coupling to load cryptographic data into cryptographic modules. By using non-contact methods of coupling, the physical inputs to the module can be hidden, as no external connectors to input cryptographic data are required. In addition, several non-contact inputs can be disposed within a cryptographic module, at orientations and spacings which require the specific placement of transmitting units, thereby increasing the security of the module. In addition, by having several inputs to the cryptographic module, the cryptographic function may be made to be dependent on a sequencing of data between the inputs and/or may require simultaneous inputs on two or more sensors.

Abstract: A cable television system provides conditional access to services. The cable television system includes a headend from which service “instances”, or programs, are broadcast and a plurality of set top units for receiving the instances and selectively decrypting the instances for display to system subscribers. The service instances are encrypted using public and/or private keys provided by service providers or central authorization agents. Keys used by the set tops for selective decryption may also be public or private in nature, and such keys may be reassigned at different times to provide a cable television system in which piracy concerns are minimized.

Abstract: Various embodiments pertain to an integrated circuit (IC) device, such as smart cards, electronic wallets, PC cards, and the like, and various methods for steganographically authenticating identities and authorizing transactions based on the authenticated identities.

Abstract: A certificate validity verification engine is integrated into the logic of a secure token, in turn, making the use of a private key conditional upon the determination that the certificate for the corresponding public key is valid at that particular instant in time. In this manner, the existence of a digital signature that is verified with a certificate implies that the certificate was valid at the time the signature was created. The verification of the certificate's validity by the relying party is unnecessary, as the signature could not have been created had the certificate been invalid. The validity of a certificate is communicated at the time the signature was created, rather than at the time the signature was verified.

Abstract: A transaction server for performing a transaction over a network using a virtual smart card the server comprising, a virtual smart card database having a plurality of records each record including a virtual card identification and a value corresponding to a single virtual smart card; a security module; an emulator for emulating a smart card, the emulator for receiving smart card commands and processing the commands in conjunction with the virtual smart card database and the security module; and a virtual card reader module for receiving the smart card commands and relaying the commands to the smart card emulator whereby transactions are performed over the network using one or more the records and the virtual smart card database.

Abstract: A system for customizing individual internet access includes a server that registers a user with the system, stores information pertaining to internet sites the user is authorized to access, and controls the user's access to internet sites. A carding station is provided to enter personal identification information about the user and information regarding internet sites the user is authorized to access into the system. The carding station also generates a personal smart card for the user that includes a read only memory storing a serial number that correlates with data about the user stored in the server. An internet station is provided to allow the user to view the internet only with his or her personal smart card. While accessing the internet, the server controls the user's access to internet sites based on whether the information stored in the server indicates that the user is authorized to access the specific internet sites that are requested to be displayed.

Abstract: A method for remote administration of at least one smart card via a communication network is described. The method includes the steps of associating the at least one smart card with a remote administrator by storing administrator identification information of the remote administrator in the at least one smart card, inserting the at least one smart card in at least one user unit, employing the administrator identification information stored in the at least one smart card to identify the remote administrator associated with the at least one smart card, and establishing communication between the at least one smart card and the remote administrator via the communication network in accordance with the administrator identification information. Related apparatus and methods are also described.

Abstract: A method performs biometric verifications to authenticate the identification of users using a central biometric authority (CBA). This allows parties to an electronic transaction to be assured of each other's identity. Specifically, at the sender side, a first message to a receiver is generated, wherein the first message includes a message text and a unique message identifier (UMI). At the sender side, a second message concerning a posting to the CBA is also generated, wherein the second message includes the sender's biometric sample, the UMI, and the sender's submission profile record. At a receiver side, it is decided that if a receiver wishes to verify the sender's identity and if so, the first message is automatically verified. At the receiver side, a third message concerning a receiver's posting to the CBA is issued, the third message including only the UMI, as received from the sender side.

Abstract: A method and system for providing external user interfaces is described. In one configuration a co-located external processor and a business machine negotiate a communications connection. The co-located external processor then utilizes a server to determine a shared secret in order to pair a wireless connection with the business machine in order to act as the user interface for the business machine. In another configuration, the co-located external processor is connected to a remote data center that authenticates the user and provides the user interface code and secret pairing information to the co-located external processor. In another configuration, the co-located external processor performs data processing for providing a cryptographically processed print stream to a postage meter.

Abstract: A system and method for generating a plurality of authentication tags using a plurality of authentication mechanisms is disclosed. The plurality of authentication tags can reflect different authentication strength-performance levels. It is a feature of the present invention that a receiver is afforded increased flexibility in adaptively choosing strength-performance levels. It is a further feature of the present invention that multiple authentication tags can be used in multicast environments, where different receivers may have different processor capabilities or security policies.

Abstract: Described is a mechanism for securely handling an information unit by a first information processing device (2), for instance a terminal device like a chip card reader, which interoperates with a second secure information processing device (1), for instance a portable device like a chip card, whereby the information unit is provided by an issuer. The information unit is provided from the issuer to the first device and encrypted by using a first key. The first key is also encrypted by using a second key. The second key is provided on the second secure device (1) and interconnecting the first and the second device enables to decrypt the first key by using the second key and then to decrypt the information unit by using the first key.

Abstract: A personal data/time notary device is embodied in a token device such as a “smart card”. The portable notary device includes an input/output (I/O) port, which is coupled to a single integrated circuit chip. The I/O port may be coupled to a conventional smart card reading device which in turn is coupled to a PC, lap-top computer or the like. A tamper resistant secret private key storage is embodied on the chip. The private key storage is coupled to the processor which, in turn, is coupled to a permanent memory that stores the program executed by the processor. At least one clock is embodied on the card. A second clock 14 and a random value generator 10 are also preferably coupled to the processor. The device combines digital time notarization into a digital signature operation to ensure that a time stamp is always automatically present. The user does not need to be involved in any additional decision making as to whether time stamping is necessary.

Abstract: The invention generates a temporary digital certificate with a useful life of only a few minutes to a few hours. An expiration time is attached to such temporary digital certificate by a secure computer platform that is presented with a user's smart-card. Expiration dates one or two years after the issuance of the smart-card are conventional. A digital certificate issued by a central authority is carried within the smart card and is used by the secure computer platform to generate temporary digital certificate. The temporary digital certificate functions as a proxy digital certificate that will allow the user to immediately pocket the smart card and thus avoid the possibility of forgetting it in a card reader.

Abstract: With a portable compact flash card retaining application software/database set in a portable terminal, the portable terminal performs data processing by accessing the application software/database in the CF card. First, the portable terminal reads terminal ID previously stored in the CF card. Then, the portable terminal compares the terminal ID in the CF card with its own terminal ID previously set, and determines whether or not to be able to access the application software/database in the CF card based on the comparison result.

Abstract: The present disclosure relates generally to the field of communications systems, and more particularly, to a system and method for extending secure authentication using unique session keys derived from entropy generated by authentication method. In one example, a method for utilizing a public wireless local area network for a client with a smart card includes: creating an one-time password for a client upon a successful authentication; storing the password and identification information of the client; and utilizing the password and the client identity information to authenticate the client in the public wireless local area network.

Abstract: This invention concerns a consumable authentication protocol for validating the existence of an untrusted authentication chip, as well as ensuring that the authentication chip lasts only as long as the consumable. In a further aspect it concerns a consumable authentication system for the protocol. A trusted authentication chip has a test function; and the untrusted authentication chip has a read function to test data from the trusted chip, including a random number and its signature, encrypted using a first key, by comparing the decrypted signature with a signature calculated from the decrypted random number. In the event that the two signatures match, it returns a data message and an encrypted version of the data message in combination with the random number, encrypted using the second key.

Abstract: Disclosed is a smart card device having a surface onto which are formed a plurality of user interpretable icons and electronic apparatus attached to the card portion. The electronic apparatus includes a memory in which are retained at least a plurality of character strings each associated with a corresponding one of the icons, a processor means coupled to the memory means, and communication means for coupling the processor means to a reading device configured to facilitate reading of the secure access device. The processor means is configured to relate reading signals generated from a user selection of at least one of the icons and received via the communication means with at least one of the retained character strings to thus perform a secure access checking function for enabling or rejecting user access to a desired service.

Abstract: A structured digital certificate is adapted to be certified by a digital signature of a certificate authority in an unprotected form, a first protected form, and a second protected form of the digital certificate. The digital certificate includes a first type field of authorization information relevant to a first recipient and being readable in the unprotected form and the first protected form of the digital certificate, and a first cryptographic folder containing a second type field of authorization information relevant to a second recipient and being readable in the unprotected form and the second protected form of the digital certificate, but not readable in the first protected form of the digital certificate. The digital certificate is configured to permit the subject to convert the structured digital certificate from the unprotected form to at least one of the first protected form and the second protected form.

Abstract: A method and system for processing signed data objects in a data processing system is presented. A signed data object utility allows a user to view and edit the contents of data objects embedded within a signed data object via a graphical user interface. Graphical objects represent the data objects embedded within a signed data object. A user may drag and drop objects onto other objects within the signed data object, and the signed data object utility automatically performs the necessary signing operations. Logical associations between data objects contained within the signed data object are determined, and the logical associations are displayed using visual indicators between graphical objects representing the associated data objects. As data objects are added or deleted, the visual indicators are updated to reflect any updates to the logical associations. The user may direct other operations on the signed data object through the graphical user interface.

Abstract: A certificate issuing method includes inputting individual information of a certificate issuance requester, creating electronic data of a board having a background pattern that differs from certificate to certificate on a part thereof, overwriting individual information on the background pattern in the electronic data of the board with characters, entering a relation between the background pattern and the overwritten characters onto the board, and printing the electronic data as a certificate.

Abstract: The present invention is a universal secure token scheme that provides two way authentication, credit, debit, and stored value operations. The invention permits the use of universally available networks to access corporate, private, and proprietary devices. The invention provides strong authentication, offers optional encryption of the established session, and operates without requiring special permission to reconfigure firewalls. One application of the invention provides a universal token scheme that can be used in debit and stored value transactions. In one embodiment, devices and services are treated as URLs and a smart card is configured to perform the necessary HTTP protocol to access the URL.

Abstract: A hierarchical arrangement of revocation lists, corresponding to a hierarchy of content processing and rendering devices is used to optimize the processing and storage of revocation lists. At each level of the hierarchy, an access device provides its certification to an access device at a higher level in the device hierarchy. The higher level device compares the lower level device's certification to a revocation list corresponding to devices at the lower level. If the certificate has not been revoked, the higher level device provides a lower level revocation list to the lower level access device. The lower level access device uses this lower level revocation list to verify the status of devices to which it communicates content material. Because each list is limited to devices at each level of a conventional hierarchy of consumer devices, the lists provide an optimization at each device, by providing revocations only for devices that are expected to be used at the particular hierarchy level.

Abstract: A private key write control unit (48) permits writing of a private key just once into a private key storage unit (36) after initialization. Similarly, a particular data write control unit (42) permits writing of particular data only once into a data storage unit (34) after initialization. Since a person other than the IC card manufacturer can write in a private key or particular data after the fabrication stage of the IC card, flexibility in the application of IC cards can be ensured. Also, improper usage of a card can be prevented since the written data is inhibited of being rewritten. The IC card manufacturer can initialize the data storage unit (34) and the private key storage unit (36) by a data initialization unit (44) and a private key initialization unit (46). Therefore, the cost of an IC card can be reduced by allowing reusage of IC cards.

Abstract: A system for customizing individual internet access includes a server that registers a user with the system, stores information pertaining to internet sites the user is authorized to access, and controls the user's access to internet sites. A carding station is provided to enter personal identification information about the user and information regarding internet sites the user is authorized to access into the system. The carding station also generates a personal smart card for the user that includes a read only memory storing a serial number that correlates with data about the user stored in the server. An internet station is provided to allow the user to view the internet only with his or her personal smart card. While accessing the internet, the server controls the user's access to internet sites based on whether the information stored in the server indicates that the user is authorized to access the specific internet sites that are requested to be displayed.

Abstract: The present invention is directed to a facility for adapting a network security policy model for use in a particular network. The facility retrieves the network security policy model, which comprises network security rules each specified with respect to one or more aliases. Each alias represents a role in a network for one or more network elements. The facility receives, for each alias included in the network security policy model, a list of one or more network elements in the network serving the role represented by the alias. The facility replaces each alias in the network security policy model with the received list of network security devices specified for the alias to produce a network security policy adapted for use in a network.

Abstract: A method and apparatus for dynamically accessing security credentials that are used to participate in a secure communication begins by obtaining virtual credentials of an entity, where the virtual credentials include a data specifier and/or an identifier. The data specifier functions as a pointer to a particular physical security credential, its data storage location, and the format of the physical security credential. The identifier functions as a pointer to secondary virtual credentials, which include at least one data specifier. The processing continues by generating physical security credentials based on the physical security credentials retrieved via the data specifiers. The processing then continues by utilizing the physical security credentials by an individual entity (e.g., a party, a server, an administrator, etc.) such that the individual entity may participate in a secured communication.

Abstract: A method for the execution of an encryption program for the encryption of data in a microprocessor-based portable data carrier is described, with the encryption program comprising several parallelisationable subprograms. According to the invention the serial order of execution of at least two subprograms is randomly permuted in the execution of the encryption program under the consideration of at least one random number.

Abstract: A method to personalize a computer environment of a computer system. The method includes storing at least a portion of a user profile in a portable storage medium, logging onto the computer system using a user identification and validating the user identification from a relevant user list by the computer system. The method also includes retrieving the portion from the portable storage medium and at least partially configuring the computer environment of the computer system according to the retrieved portion, by the computer system. A method is also included to provide personalized services to a user. This method includes storing at least a portion of a -user profile in a portable storage medium and retrieving the portion from the portable storage medium by a web server. This method additionally includes at least partially configuring an Internet service according to the retrieved portion by said web server.

Abstract: A system and associated method for authorizing, or withholding authorization of, user access to a selected computer application or other resource, based on the user's response to one or more user authentication tests. If the user is presented with two or more authentication tests, each with an associated test weight, the system optionally sums the weights of the tests satisfied by the user; and if this sum is greater than a selected test score threshold, the user is granted access to the resource. Alternatively, the user is granted access to selected subsets of the application, including an empty or non-empty default subset, depending upon the sum of the weights of the tests satisfied by the user. An authentication test or its associated weight may change at a selected time, and the selected time may be determined with reference to a time at which the resource changes. A smartcard may be used to respond to one or more authentication tests.

Abstract: A walled garden contains links to one or more servers providing network-based services. A walled garden proxy server (WGPS) controls access to the walled garden. When a user of a client wishes to access a service in the walled garden, the client sends a request to the WGPS including a plot number identifying the service and a ticket granting the client access to the service. The WGPS denies access to clients lacking a ticket or presenting invalid tickets. In response, the client contacts a gateway server (GS) having a database of users and associated access rights. The user presents authentication information to the GS. If the user positively authenticates, the GS generates a ticket containing a Box ID from the client, an expiration date, and set of bits representing the access rights of the user. The GS encrypts the ticket and gives it to the client.

Abstract: On receiving the declaration of use of a card from a card user, a user authentication processing section executes authentication to determine whether or not the use has been declared by the valid owner of the card. On confirming that the use has been declared y the valid owner, the user authentication processing section permits the use of the card and stores this information in an owner database. On the other hand, on receiving an approval inquiry from a card-available store via a network about a card to be used for settlement, a card settlement processing section determines whether or not the use of the card is permitted, with reference to the owner database. On confirming that the use is permitted, the card settlement processing section transmits a use permission response to the card-available store through the network.

Abstract: A security framework for wrapping standard, commercially-available software applications in order to limit the amount of potential damage that a successful attacker or corrupt program can cause. The security framework includes a security master that coordinates installation and removal of kernel-based security modules and that provides a means for managing these modules. The security module are loadable kernel modules that include security information for enforcing application-specific or resource-specific policies. The security module are easy to install and require no modification to the existing operating system or to the software applications that they are monitoring. The security framework has a number of potential applications, including protecting a computing system from malicious software downloaded via a web browser, for wrapping web servers and firewalls in order to limit possible compromise and for replicating file operations.

Abstract: A method and a system for authentication whereby authentication characteristic information is not disclosed to a third party when a verifier uses a verification device of a limited scale to authenticate a user's rights or qualifications. A ticket issuing device interacts with the user's interactive device having a secret function f to calculate document secret information &mgr; based on a document m (data) to be transmitted to the interactive device, whereby the user is issued a ticket t generated from authentication characteristic information x and the document secret information &pgr;. Upon receipt of the document m, the interactive device generates the document secret information using its unique secret function f to perform an interaction based on the generated information. The interaction involves output of a commitment r, input of a challenge c, and an output of a response &sgr;.

Abstract: A Basic Input/Output System (BIOS) device is designed to control access to a portion of BIOS code loaded in its internal memory. For example, during a boot process, an internal state machine permits access to the portion of the BIOS code in response to authentication of a portable token in communication with the BIOS device. Otherwise, the BIOS device precludes access to the portion of the BIOS code until the portable token is authenticated.

Abstract: A software system provides security against unauthorized operations initiated by software code supplied by an untrusted source. The allowed operations that are associated with the software code are determined. A thinned interface is generated which permits the software code to successfully call only the allowed operations. The software code is independent of a security environment of the system. The thinned interface operates in at least one version of the security environment. The software code and the thinned interface are activated within the system.

Abstract: An apparatus and method provides one or more controlled, dynamically loaded, modular, cryptographic fillers. Fillers may be loaded by a single loader, multiple independent loaders, or nested loaders. Loaders may be adapted to load other loaders, within cryptographic controls extant and applicable thereto. Integration into a base executable having one or more slots, minimizes, controls, and links the interface between the fillers and base executables. The filler may itself operate recursively to load another filler in nested operations, whether or not the fillers are in nested relation to one another. An ability of any filler to be loaded may be controlled by the base executable verifying the integrity, authorization, or both for any filler. The base executable may rely on an integrated loader to control loading and linking of fillers and submodules. A policy may limit each module's function, access, and potential for modification or substitution.

Abstract: A cable television system provides conditional access to services. The cable television system includes a headend from which service “instances”, or programs, are broadcast and a plurality of set top units for receiving the instances and selectively decrypting the instances for display to system subscribers. The service instances are encrypted using public and/or private keys provided by service providers or central authorization agents. Keys used by the set tops for selective decryption may also be public or private in nature, and such keys may be reassigned at different times to provide a cable television system in which piracy concerns are minimized.

Abstract: The invention provides an improved method and system for security information acquisition. A relatively small amount of nonvolatile storage at the client consumer electronic device is used to obtain a chain of trusted root certificates, thus providing each client consumer electronic device with a trustable technique for access to secure communication. The trusted root certificates are provided by one or more TSIPs (trusted security information providers), and are chained together so that a current root certificate can be obtained by the client consumer electronic device, even using an expired root certificate. The client consumer electronic device uses a current root certificate to obtain a SIO (security information object) from the TSIP. The SIO includes information regarding at least one trusted entity, such as a one or more trusted entity certificates, and other trust information.

Abstract: A device for reliably creating electronic signatures that includes a data carrier read/write device, a data generating device, and a display device. The data carrier read/write device is for receiving a portable data carrier storing a user-specific key and an algorithm used to generate an electronic signature. The data generating device is connected to the data carrier read/write device for transmitting data to the data carrier read/write device. The display device is connected to the data generating device to display the data that has been transmitted to the data carrier read/write device. The data carrier read/write device includes an actuating element operatively connected to the data carrier read/write device and operatively connected to the portable data carrier when the portable data carrier is received by the data carrier read/write device.

Abstract: Intelligent hardware token processors (5) are capable of sending and receiving encrypted messages. Generic initialization with non-user-specific certificates comprising public and private keys allows a certificate authority (210) to securely communicate with the hardware token. New users enrolling with the certificate server (210) have their hardware tokens securely reprogrammed with user specific certificates.