Including Intelligent Token Patents (Class 713/159)
  • Patent number: 6748531
    Abstract: A hierarchical arrangement of revocation lists, corresponding to a hierarchy of content processing and rendering devices is used to optimize the processing and storage of revocation lists. At each level of the hierarchy, an access device provides its certification to an access device at a higher level in the device hierarchy. The higher level device compares the lower level device's certification to a revocation list corresponding to devices at the lower level. If the certificate has not been revoked, the higher level device provides a lower level revocation list to the lower level access device. The lower level access device uses this lower level revocation list to verify the status of devices to which it communicates content material. Because each list is limited to devices at each level of a conventional hierarchy of consumer devices, the lists provide an optimization at each device, by providing revocations only for devices that are expected to be used at the particular hierarchy level.
    Type: Grant
    Filed: March 28, 2000
    Date of Patent: June 8, 2004
    Assignee: Koninklijke Philips Electronics N.V.
    Inventor: Michael A. Epstein
  • Patent number: 6742117
    Abstract: A private key write control unit (48) permits writing of a private key just once into a private key storage unit (36) after initialization. Similarly, a particular data write control unit (42) permits writing of particular data only once into a data storage unit (34) after initialization. Since a person other than the IC card manufacturer can write in a private key or particular data after the fabrication stage of the IC card, flexibility in the application of IC cards can be ensured. Also, improper usage of a card can be prevented since the written data is inhibited from being rewritten. The IC card manufacturer can initialize the data storage unit (34) and the private key storage unit (36) by a data initialization unit (44) and a private key initialization unit (46). Therefore, the cost of an IC card can be reduced by allowing reusage of IC cards.
    Type: Grant
    Filed: July 26, 1999
    Date of Patent: May 25, 2004
    Assignee: Rohm Co., Ltd.
    Inventors: Junichi Hikita, Yoshihiro Ikefuji, Toyokazu Komuro
  • Patent number: 6738901
    Abstract: A system for customizing individual internet access includes a server that registers a user with the system, stores information pertaining to internet sites the user is authorized to access, and controls the user's access to internet sites. A carding station is provided to enter personal identification information about the user and information regarding internet sites the user is authorized to access into the system. The carding station also generates a personal smart card for the user that includes a read only memory storing a serial number that correlates with data about the user stored in the server. An internet station is provided to allow the user to view the internet only with his or her personal smart card. While accessing the internet, the server controls the user's access to internet sites based on whether the information stored in the server indicates that the user is authorized to access the specific internet sites that are requested to be displayed.
    Type: Grant
    Filed: December 15, 1999
    Date of Patent: May 18, 2004
    Assignee: 3M Innovative Properties Company
    Inventors: Stephen L. Boyles, Richard C. Leinecker, Jochen E. Fischer, Clyde G. Moody, Jr., Troy McConnell, Ken Wilkinson
  • Patent number: 6738908
    Abstract: The present invention is directed to a facility for adapting a network security policy model for use in a particular network. The facility retrieves the network security policy model, which comprises network security rules each specified with respect to one or more aliases. Each alias represents a role in a network for one or more network elements. The facility receives, for each alias included in the network security policy model, a list of one or more network elements in the network serving the role represented by the alias. The facility replaces each alias in the network security policy model with the received list of network security devices specified for the alias to produce a network security policy adapted for use in a network.
    Type: Grant
    Filed: May 6, 1999
    Date of Patent: May 18, 2004
    Assignee: WatchGuard Technologies, Inc.
    Inventors: David Wayne Bonn, Nick Takaski Marvais
  • Patent number: 6732277
    Abstract: A method and apparatus for dynamically accessing security credentials that are used to participate in a secure communication begins by obtaining virtual credentials of an entity, where the virtual credentials include a data specifier and/or an identifier. The data specifier functions as a pointer to a particular physical security credential, its data storage location, and the format of the physical security credential. The identifier functions as a pointer to secondary virtual credentials, which include at least one data specifier. The processing continues by generating physical security credentials based on the physical security credentials retrieved via the data specifiers. The processing then continues by utilizing the physical security credentials by an individual entity (e.g., a party, a server, an administrator, etc.) such that the individual entity may participate in a secured communication.
    Type: Grant
    Filed: October 8, 1998
    Date of Patent: May 4, 2004
    Assignee: Entrust Technologies Ltd.
    Inventors: Ron J. Vandergeest, Stephen W. Hillier
  • Patent number: 6725374
    Abstract: A method for the execution of an encryption program for the encryption of data in a microprocessor-based portable data carrier is described, with the encryption program comprising several parallelisationable subprograms. According to the invention the serial order of execution of at least two subprograms is randomly permuted in the execution of the encryption program under the consideration of at least one random number.
    Type: Grant
    Filed: August 20, 1999
    Date of Patent: April 20, 2004
    Assignee: Orga Kartensysteme GmbH
    Inventors: Michael Jahnich, Guido Wueppenhorst, Werner Doppmeler
  • Publication number: 20040073787
    Abstract: A method to personalize a computer environment of a computer system. The method includes storing at least a portion of a user profile in a portable storage medium, logging onto the computer system using a user identification and validating the user identification from a relevant user list by the computer system. The method also includes retrieving the portion from the portable storage medium and at least partially configuring the computer environment of the computer system according to the retrieved portion, by the computer system. A method is also included to provide personalized services to a user. This method includes storing at least a portion of a user profile in a portable storage medium and retrieving the portion from the portable storage medium by a web server. This method additionally includes at least partially configuring an Internet service according to the retrieved portion by said web server.
    Type: Application
    Filed: November 24, 2003
    Publication date: April 15, 2004
    Inventors: Amir Ban, Udi Weinstein
  • Patent number: 6687823
    Abstract: A system and associated method for authorizing, or withholding authorization of, user access to a selected computer application or other resource, based on the user's response to one or more user authentication tests. If the user is presented with two or more authentication tests, each with an associated test weight, the system optionally sums the weights of the tests satisfied by the user; and if this sum is greater than a selected test score threshold, the user is granted access to the resource. Alternatively, the user is granted access to selected subsets of the application, including an empty or non-empty default subset, depending upon the sum of the weights of the tests satisfied by the user. An authentication test or its associated weight may change at a selected time, and the selected time may be determined with reference to a time at which the resource changes. A smartcard may be used to respond to one or more authentication tests.
    Type: Grant
    Filed: May 5, 1999
    Date of Patent: February 3, 2004
    Assignee: Sun Microsystems, Inc.
    Inventors: Yayha Al-Salqan, Sangeeta Varma, Aravindan Ranganathan
  • Patent number: 6678733
    Abstract: A walled garden contains links to one or more servers providing network-based services. A walled garden proxy server (WGPS) controls access to the walled garden. When a user of a client wishes to access a service in the walled garden, the client sends a request to the WGPS including a plot number identifying the service and a ticket granting the client access to the service. The WGPS denies access to clients lacking a ticket or presenting invalid tickets. In response, the client contacts a gateway server (GS) having a database of users and associated access rights. The user presents authentication information to the GS. If the user positively authenticates, the GS generates a ticket containing a Box ID from the client, an expiration date, and set of bits representing the access rights of the user. The GS encrypts the ticket and gives it to the client.
    Type: Grant
    Filed: October 26, 1999
    Date of Patent: January 13, 2004
    Assignee: At Home Corporation
    Inventors: Ralph W. Brown, Robert Keller, Milo S. Medin
  • Publication number: 20030226042
    Abstract: On receiving the declaration of use of a card from a card user, a user authentication processing section executes authentication to determine whether or not the use has been declared by the valid owner of the card. On confirming that the use has been declared by the valid owner, the user authentication processing section permits the use of the card and stores this information in an owner database. On the other hand, on receiving an approval inquiry from a card-available store via a network about a card to be used for settlement, a card settlement processing section determines whether or not the use of the card is permitted, with reference to the owner database. On confirming that the use is permitted, the card settlement processing section transmits a use permission response to the card-available store through the network.
    Type: Application
    Filed: May 28, 2003
    Publication date: December 4, 2003
    Inventor: Takafumi Fukushima
  • Patent number: 6658571
    Abstract: A security framework for wrapping standard, commercially-available software applications in order to limit the amount of potential damage that a successful attacker or corrupt program can cause. The security framework includes a security master that coordinates installation and removal of kernel-based security modules and that provides a means for managing these modules. The security modules are loadable kernel modules that include security information for enforcing application-specific or resource-specific policies. The security modules are easy to install and require no modification to the existing operating system or to the software applications that they are monitoring. The security framework has a number of potential applications, including protecting a computing system from malicious software downloaded via a web browser, for wrapping web servers and firewalls in order to limit possible compromise and for replicating file operations.
    Type: Grant
    Filed: February 9, 1999
    Date of Patent: December 2, 2003
    Assignee: Secure Computing Corporation
    Inventors: Richard O'Brien, Raymond Lu, Terrence Mitchem, Spencer Minear
  • Patent number: 6651167
    Abstract: A method and a system for authentication whereby authentication characteristic information is not disclosed to a third party when a verifier uses a verification device of a limited scale to authenticate a user's rights or qualifications. A ticket issuing device interacts with the user's interactive device having a secret function f to calculate document secret information μ based on a document m (data) to be transmitted to the interactive device, whereby the user is issued a ticket t generated from authentication characteristic information x and the document secret information π. Upon receipt of the document m, the interactive device generates the document secret information using its unique secret function f to perform an interaction based on the generated information. The interaction involves output of a commitment r, input of a challenge c, and an output of a response σ.
    Type: Grant
    Filed: August 21, 1998
    Date of Patent: November 18, 2003
    Assignee: Fuji Xerox, Co., Ltd.
    Inventors: Taro Terao, Kil-ho Shin
  • Patent number: 6633981
    Abstract: A Basic Input/Output System (BIOS) device is designed to control access to a portion of BIOS code loaded in its internal memory. For example, during a boot process, an internal state machine permits access to the portion of the BIOS code in response to authentication of a portable token in communication with the BIOS device. Otherwise, the BIOS device precludes access to the portion of the BIOS code until the portable token is authenticated.
    Type: Grant
    Filed: June 18, 1999
    Date of Patent: October 14, 2003
    Assignee: Intel Corporation
    Inventor: Derek L. Davis
  • Patent number: 6564325
    Abstract: A software system provides security against unauthorized operations initiated by software code supplied by an untrusted source. The allowed operations that are associated with the software code are determined. A thinned interface is generated which permits the software code to successfully call only the allowed operations. The software code is independent of a security environment of the system. The thinned interface operates in at least one version of the security environment. The software code and the thinned interface are activated within the system.
    Type: Grant
    Filed: May 7, 1999
    Date of Patent: May 13, 2003
    Assignee: Nortel Networks Limited
    Inventors: Franco Travostino, Tal Lavian, Thomas Hardjono, Rob Duncan
  • Patent number: 6532451
    Abstract: An apparatus and method provides one or more controlled, dynamically loaded, modular, cryptographic fillers. Fillers may be loaded by a single loader, multiple independent loaders, or nested loaders. Loaders may be adapted to load other loaders, within cryptographic controls extant and applicable thereto. Integration into a base executable having one or more slots, minimizes, controls, and links the interface between the fillers and base executables. The filler may itself operate recursively to load another filler in nested operations, whether or not the fillers are in nested relation to one another. An ability of any filler to be loaded may be controlled by the base executable verifying the integrity, authorization, or both for any filler. The base executable may rely on an integrated loader to control loading and linking of fillers and submodules. A policy may limit each module's function, access, and potential for modification or substitution.
    Type: Grant
    Filed: March 23, 1999
    Date of Patent: March 11, 2003
    Assignee: Novell, Inc.
    Inventors: Roger R. Schell, Kevin W. Kingdon, Thomas A. Berson
  • Patent number: 6516412
    Abstract: A cable television system provides conditional access to services. The cable television system includes a headend from which service “instances”, or programs, are broadcast and a plurality of set top units for receiving the instances and selectively decrypting the instances for display to system subscribers. The service instances are encrypted using public and/or private keys provided by service providers or central authorization agents. Keys used by the set tops for selective decryption may also be public or private in nature, and such keys may be reassigned at different times to provide a cable television system in which piracy concerns are minimized.
    Type: Grant
    Filed: March 16, 2001
    Date of Patent: February 4, 2003
    Assignee: Scientific-Atlanta, Inc.
    Inventors: Anthony J. Wasilewski, Howard G. Pinder, Glendon L. Akins, III, Robert O. Banker
  • Patent number: 6513116
    Abstract: The invention provides an improved method and system for security information acquisition. A relatively small amount of nonvolatile storage at the client consumer electronic device is used to obtain a chain of trusted root certificates, thus providing each client consumer electronic device with a trustable technique for access to secure communication. The trusted root certificates are provided by one or more TSIPs (trusted security information providers), and are chained together so that a current root certificate can be obtained by the client consumer electronic device, even using an expired root certificate. The client consumer electronic device uses a current root certificate to obtain a SIO (security information object) from the TSIP. The SIO includes information regarding at least one trusted entity, such as one or more trusted entity certificates, and other trust information.
    Type: Grant
    Filed: September 29, 1998
    Date of Patent: January 28, 2003
    Assignee: Liberate Technologies
    Inventor: Luis Valente
  • Patent number: 6510514
    Abstract: A device for reliably creating electronic signatures that includes a data carrier read/write device, a data generating device, and a display device. The data carrier read/write device is for receiving a portable data carrier storing a user-specific key and an algorithm used to generate an electronic signature. The data generating device is connected to the data carrier read/write device for transmitting data to the data carrier read/write device. The display device is connected to the data generating device to display the data that has been transmitted to the data carrier read/write device. The data carrier read/write device includes an actuating element operatively connected to the data carrier read/write device and operatively connected to the portable data carrier when the portable data carrier is received by the data carrier read/write device.
    Type: Grant
    Filed: February 7, 2000
    Date of Patent: January 21, 2003
    Assignee: Infineon Technologies AG
    Inventor: Holger Sedlak
  • Publication number: 20030005291
    Abstract: Intelligent hardware token processors (5) are capable of sending and receiving encrypted messages. Generic initialization with non-user-specific certificates comprising public and private keys allows a certificate authority (210) to securely communicate with the hardware token. New users enrolling with the certificate server (210) have their hardware tokens securely reprogrammed with user specific certificates.
    Type: Application
    Filed: June 14, 2002
    Publication date: January 2, 2003
    Inventor: William Burn
  • Patent number: 6490358
    Abstract: A system for creating a log of a conversation includes a convener computer and a plurality of conversation computers interconnected by a computer network. The system includes an arbiter computer and a plurality of conversation computers interconnected by a computer network. The arbiter computer creates a public key pair comprising a new public key and a new private key, and causes the new public key to be transmitted to the conversation computers. The conversation computers receive the public key and transmit messages during the conversation. The arbiter computer uses the new private key to encrypt messages transmitted by at least some of the conversation computers during a conversation among the conversation computers, and to store the encrypted messages in a message log. The conversation computers cause messages in the message log to be decrypted using the new public key.
    Type: Grant
    Filed: August 16, 2000
    Date of Patent: December 3, 2002
    Assignee: Open Market, Inc.
    Inventors: Daniel E. Geer, Jr., Henry R. Tumblin
  • Publication number: 20020178357
    Abstract: An electric lock arrangement includes a circuit board installed in the mouse of a computer, the circuit board having a plurality of interface connectors, each interface connector having an insertion slot electrically connected to the internal circuit of the mouse and two upright spring rods at two sides of the insertion slot, the upright spring rods each having a horizontally inwardly extended rounded protruding portion, and an encryption card for insertion into one interface connector to provide a code signal to the computer for enabling the computer to copy a coded software, the encryption card having two rounded retaining recesses respectively disposed in two opposite vertical sidewalls thereof and adapted to receive the horizontally inwardly rounded extended protruding portion of each of the upright spring rods of one interface connector, and a plug unit for insertion into the insertion slot of one interface connector to electrically connect the encryption card to the mouse and the computer.
    Type: Application
    Filed: May 25, 2001
    Publication date: November 28, 2002
    Inventor: Wang Ming Cheng
  • Patent number: 6484259
    Abstract: Various methods and arrangements are provided to form an interface that allows portable token devices to be used within static machine concentric cryptographic environments. One example of a portable token device is a smart card that can be read or otherwise accessed by a computer through a smart card reader. A cryptographic API, associated with the operating system of the computer, is configured to separate the applications from the cryptographic functions that require the portable tokens. The cryptographic API accesses a smart card cryptographic server provider (SC-CSP) that is configured to work with a smart card cryptographic provider (SCCP) program as part of the interface. This SC-CSP/SCCP interface determines that the requested cryptographic function requires a specific smart card and requests that the user provide the appropriate smart card.
    Type: Grant
    Filed: November 16, 1999
    Date of Patent: November 19, 2002
    Assignee: Microsoft Corporation
    Inventor: Douglas C. Barlow
  • Publication number: 20020147907
    Abstract: A transaction system includes the use of a fixed data structure that allows multiple point-of-sale systems to recognize and access a transaction card regardless of upper level user interfaces. More specifically, a smart card includes a memory with a defined data file structure, wherein the data file structure includes at least one read only field, at least one encrypted read/write field, and at least one non-encrypted read/write field. The read only field preferably includes at least one of a manufacturer identification field, a card identification field and a theater identification field. The encrypted read/write field preferably includes at least one of a transaction log field, an issue date field, a first dollar value field, a second dollar value field, a first point value field, a second point value field and a ticket storage field.
    Type: Application
    Filed: April 6, 2001
    Publication date: October 10, 2002
    Inventor: Bruce Ross
  • Patent number: 6408388
    Abstract: A personal date/time notary device is embodied in a token device such as a “smart card”. The portable notary device includes an input/output (I/O) port, which is coupled to a single integrated circuit chip. The I/O port may be coupled to a conventional smart card reading device which in turn is coupled to a PC, lap-top computer or the like. A tamper resistant secret private key storage is embodied on the chip. The private key storage is coupled to the processor which, in turn, is coupled to a permanent memory that stores the program executed by the processor. At least one clock is embodied on the card. A second clock 14 and a random value generator 10 are also preferably coupled to the processor. The device combines digital time notarization into a digital signature operation to ensure that a time stamp is always automatically present. The user does not need to be involved in any additional decision making as to whether time stamping is necessary.
    Type: Grant
    Filed: July 30, 1999
    Date of Patent: June 18, 2002
    Inventor: Addison M. Fischer
  • Patent number: 6393126
    Abstract: A trusted time infrastructure system provides time stamps for electronic documents from a local source. The system comprises a trusted master clock, a trusted local clock, and a network operations center. The trusted master clock and network operations center are located within secure environments controlled by a trusted third party. The trusted local clock may be located in an insecure environment. The trusted master clock is certified to be synchronized with an accepted time standard, such as a national time server. The trusted local clock, which issues time stamps, is certified to be synchronized with the trusted master clock. Time stamps and certifications are signed by the issuing device using public key cryptography to enable subsequent authentication. The network operations center logs clock certifications and responds to requests for authentication of time stamps.
    Type: Grant
    Filed: February 22, 2000
    Date of Patent: May 21, 2002
    Assignee: Datum, Inc.
    Inventors: Erik H. van der Kaay, David Tyo, David Robinson, Gregory L. Dowd
  • Patent number: 6385317
    Abstract: In a method for providing a secure communication between two devices, a first device generates a random key (Ci) and transfers this key to a second device in a first message encrypted using a public key. The second device decrypts the first encrypted message by means of a corresponding secret key to obtain the random key (Ci) and this random key is used to encrypt and decrypt all transmissions between these devices. In a decoder for a pay TV system, comprising a conditional access module and a smart card, this method is applied to provide a secure communication between the control access module and the smart card and/or between the decoder and the conditional access module.
    Type: Grant
    Filed: April 2, 1999
    Date of Patent: May 7, 2002
    Inventors: Simon Paul Ashley Rix, Andrew Glasspool, Donald Watts Davies
  • Publication number: 20020032858
    Abstract: An information holding medium stores the common key of the user used in the common-key encryption method. In response to a user authentication request sent from an information processing apparatus, the user is authenticated by the common-key encryption method by using the common key stored in the information holding medium of the user. Only when the user has been authenticated, predetermined processing for making the information processing apparatus authenticate the user by the public-key encryption method is performed.
    Type: Application
    Filed: April 30, 2001
    Publication date: March 14, 2002
    Inventors: Tomoyuki Nakano, Tatsuo Itabashi
  • Publication number: 20020032859
    Abstract: A method of authentication capable of avoiding an easy copying of a module used for personal authentication of an IC card or the like and thereby raising the reliability of the personal authentication, comprising having an electronic circuit having a hardware configuration corresponding to a predetermined authentication processing provided in an IC of an IC card carry out authentication processing using a PIN and data generated at an authentication apparatus at random and having the authentication apparatus similarly carry out the authentication processing, compare the processing result received from the IC card and the processing result obtained by itself, and, when they coincide, authenticating the user of the IC card as the legitimate user.
    Type: Application
    Filed: September 10, 2001
    Publication date: March 14, 2002
    Applicant: Sony Corporation
    Inventor: Masaki Yoshizawa
  • Publication number: 20020026578
    Abstract: The present invention relates to a security token and method for secure usage of digital certificates and related keys on a security token, and more particularly, a secure import of certificates into a security token and their secure usage by applications. The root certificate of the certification authority (CA) is used during the initialization of the security token in a secure environment to transfer the certified root public key of the CA and its attributes into the data structure of the security token. The public root key is write protected. Furthermore, a verification component, preferably part of the operating system of the security token, will accept, in case the certificate has to be replaced, only user certificates having a valid digital signature by the private root key of the CA.
    Type: Application
    Filed: July 31, 2001
    Publication date: February 28, 2002
    Applicant: International Business Machines Corporation
    Inventors: Ernst-Michael Hamann, Robert Sulzmann
  • Patent number: 6321281
    Abstract: A pointing device has a controllable selector for sending a version compatible signal and a newer functionality signal to a computer terminal. The pointing device has an operating unit which produces a signal which can be passed directly to the computer terminal, or can be modified with a new functionality, and then passed to the computer terminal. A controller in the pointing device monitors a protocol signal line to determine whether a version compatible signal or a new functionality signal is called for. The controller can activate a new functionality circuit and the selector to send the appropriate signal to the computer terminal. The controller can also monitor the protocol signal line in a power-on state, and execute a procedure to determine the functionality requested by the protocol signal line.
    Type: Grant
    Filed: October 13, 1998
    Date of Patent: November 20, 2001
    Assignee: NEC Corporation
    Inventor: Reiji Fujikawa
  • Patent number: 6308266
    Abstract: A single cryptographically enhanced product is capable of exposing various strengths of cryptography. When first installed, the product exposes only a low-level, exportable strength cryptography that may be used in both the U.S. and overseas with a general export license. Stronger cryptography is implemented in the product, but is not exposed to the user. To enable the stronger cryptography, the user must obtain an authorization certificate issued from a certifying authority. The authorization certificate contains an identity of the certifying authority and a token granted by the product's provider. The token contains capabilities to expose the stronger cryptography in the product and an encoded ID of the certifying authority, which binds the token to a specific certifying authority.
    Type: Grant
    Filed: March 4, 1998
    Date of Patent: October 23, 2001
    Assignee: Microsoft Corporation
    Inventor: Trevor W. Freeman
  • Patent number: 6308274
    Abstract: A method and mechanism to enforce reduced access via restricted access tokens. Restricted access tokens are based on an existing token, and have less access than that existing token. A process is associated with a restricted token, and when the restricted process attempts to perform an action on a resource, a security mechanism compares the access token information with security information associated with the resource to grant or deny access. Application programs may have restriction information stored in association therewith, such that when launched, a restricted token is created for that application based on the restriction information thereby automatically reducing that application's access. Applications may be divided into different access levels such as privileged and non-privileged portions, thereby automatically restricting the actions a user can perform via that application.
    Type: Grant
    Filed: June 12, 1998
    Date of Patent: October 23, 2001
    Assignee: Microsoft Corporation
    Inventor: Michael M. Swift
  • Patent number: 6292892
    Abstract: In one embodiment, a method to provide reliable electronic distribution of information between a first system and a second system remotely located from the first system coupled together by a communication link. The method comprises storing a public key, a private key, and signed key parameters in a semiconductor device associated with the first system. The signed key parameters are output from the semiconductor device to the second system via the communication link. Then, the first system is authenticated by the second system; and the information is transmitted from the second system to the first system, provided the first system is authenticated.
    Type: Grant
    Filed: March 15, 2000
    Date of Patent: September 18, 2001
    Assignee: Intel Corporation
    Inventor: Derek L. Davis
  • Patent number: 6279111
    Abstract: A restricted access token is created from an existing token, and provides less access than that token. A restricted token may be created by changing an attribute of one or more security identifiers allowing access in the parent token to a setting that denies access in the restricted token and/or removing one or more privileges from the restricted token relative to the parent token. A restricted access token also may be created by adding restricted security identifiers thereto. Once created, a process associates another process with the restricted token to launch the other process in a restricted context that is a subset of its own rights and privileges. A kernel-mode security mechanism determines whether the restricted process has access to a resource by first comparing user-based security identifiers in the restricted token and the intended type of action against a list of identifiers and actions associated with the resource.
    Type: Grant
    Filed: June 12, 1998
    Date of Patent: August 21, 2001
    Assignee: Microsoft Corporation
    Inventors: Gregory Jensenworth, Praerit Garg, Michael M. Swift, Mario C. Goertzel, Shannon J. Chan
  • Patent number: 6272639
    Abstract: A method is disclosed for mixed enclave operation of a computer network with users employing a multi-level network security interface and users without any network security interface. Either the network security user selects or the network security interface automatically selects whether communications are permissible with other unsecured users. Where a mixed enclave operation is selected, the network security user identifies when communications are being undertaken with another secured user or a non-secured user. Communications with a non-secured user at a lower security level entail securing the data residing with the secured user from transmission back to the non-secured user.
    Type: Grant
    Filed: July 31, 1998
    Date of Patent: August 7, 2001
    Assignee: Micron Technology, Inc.
    Inventors: James M. Holden, Stephen E. Levin, David W. Snow, Edwin H. Wrench
  • Patent number: 6263446
    Abstract: A roaming user needing his authentication credential (e.g., private key) to access a computer server to perform an electronic transaction may obtain the authentication credential in an on-demand fashion from a credential server accessible to the user over a computer network. In this way, the user is free to roam on the network without having to physically carry his authentication credential. Access to the credential may be protected by one or more challenge-response protocols involving simple shared secrets, shared secrets with one-to-one hashing, or biometric methods such as fingerprint recognition. If camouflaging is used to protect the authentication credential, decamouflaging may be performed either at the credential server or at the user's computer.
    Type: Grant
    Filed: November 19, 1998
    Date of Patent: July 17, 2001
    Assignee: Arcot Systems, Inc.
    Inventors: Balas Natarajan Kausik, Rammohan Varadarajan
  • Patent number: 6256734
    Abstract: A method and apparatus are provided for compliance checking in a trust-management system. A request r, a policy assertion (ƒ_0, POLICY), and n−1 credential assertions (ƒ_1, s_1), ..., (ƒ_{n−1}, s_{n−1}) are received, each credential assertion comprising a credential function ƒ_i and a credential source s_i. Each assertion may be monotonic, authentic, and locally bounded. An acceptance record set S is initialized to {(Λ, Λ, R)}, where Λ represents a distinguished null string, and R represents the request r. Each assertion (ƒ_i, s_i), where i represents the integers from n−1 to 0, is run and the result is added to the acceptance record set S. This is repeated mn times, where m represents a number greater than 1, and an acceptance is output if any of the results in the acceptance record set S comprise an acceptance record (0, POLICY, R).
    Type: Grant
    Filed: October 8, 1999
    Date of Patent: July 3, 2001
    Assignee: AT&T
    Inventors: Matthew A. Blaze, Joan Feigenbaum, Martin J Strauss
  • Patent number: 6246769
    Abstract: A system that eliminates the use and recall of multiple dedicated access codes to verify an authorized user across multiple protected resources. Fixed access codes selected by a user, or issued to a user, such as Personal Identification Numbers (PINs), passwords and passcodes are replaced by temporary codes that are valid only for the specific transaction in progress. A temporary code is randomly selected by the system and displayed to the user encoded within a completely filled geometric matrix along with other non-code characters. The user must recall a single, predetermined sequential pattern within said matrix in order to obtain the access code. Once the code is obtained, or decoded from the matrix, the user must enter that code into the system. If the entered code matches the transaction specific code in system memory, access to the protected resource is granted and the transaction is allowed to proceed.
    Type: Grant
    Filed: February 24, 2000
    Date of Patent: June 12, 2001
    Inventor: Michael L. Kohut
  • Patent number: 6243812
    Abstract: Authentication is provided for secure devices with limited cryptography, particularly for devices which do not have the capability to do public-key cryptography and generate random numbers. An initialization process is disclosed for limited-power Devices which are unable to perform public-key cryptography and generate random-numbers, as well as for full-power Devices which have the capability to do public-key cryptography and generate random numbers. A Challenge-Response procedure is also disclosed for ensuring the secure state of a device.
    Type: Grant
    Filed: August 23, 2000
    Date of Patent: June 5, 2001
    Assignee: International Business Machines Corporation
    Inventors: Stephen M. Matyas, Sean William Smith
  • Patent number: 6240517
    Abstract: An IC card processing system includes a telephone set for generating random number data, an IC card for processing value data, a secret key, and random number data by an authenticator generation function to generate authentication code, a switching unit for processing value data, a secret key, and random number data by an authenticator generation function to generate authentication code, and a comparator for comparing the authentication code generated by the IC card with the authentication code generated by the switching unit to authenticate the IC card.
    Type: Grant
    Filed: January 30, 1998
    Date of Patent: May 29, 2001
    Assignee: Kabushiki Kaisha Toshiba
    Inventor: Mitsuru Nishioka
  • Patent number: 6175921
    Abstract: A system for open electronic commerce having a customer trusted agent securely communicating with a first money module, and a merchant trusted agent securely communicating with a second money module. Both trusted agents are capable of establishing a first cryptographically secure session, and both money modules are capable of establishing a second cryptographically secure session. The merchant trusted agent transfers electronic merchandise to the customer trusted agent, and the first money module transfers electronic money to the second money module. The money modules inform their trusted agents of the successful completion of payment, and the customer may use the purchased electronic merchandise. A certificate data signed by a trusted authority is stored in a tamper proof electronic processing device, which certificate includes a unique device ID and a public key of the device, in addition to device owner ID data.
    Type: Grant
    Filed: July 16, 1997
    Date of Patent: January 16, 2001
    Assignee: Citibank, N.A.
    Inventor: Sholom S. Rosen
  • Patent number: 6076162
    Abstract: The invention relates to a procedure for the certification of cryptographic keys for use in chipcards. In this procedure, a certification key and a certificate are transferred to the chipcard. The first part of the certificate includes the cryptographic key and the second part of the certificate includes a digital signature of the first part of the certificate. The digital certificate is subsequently checked by means of the certification key on the chipcard.
    Type: Grant
    Filed: January 21, 1998
    Date of Patent: June 13, 2000
    Assignee: International Business Machines Corporation
    Inventors: Michael Deindl, Walter Hanel, Albert Schaal
  • Patent number: 6065117
    Abstract: Systems, methods and computer program products for sharing state information between a stateless server and a stateful client are provided. A client request to perform an action on the server is accompanied by an encrypted token which contains state information. The server receiving the client request decrypts the token using a symmetric key generated from variable data. The server verifies that the received token is valid and uses the state information contained therein to perform the requested action. The server also provides clients with encrypted tokens using a symmetric key generated from variable data.
    Type: Grant
    Filed: July 16, 1997
    Date of Patent: May 16, 2000
    Assignee: International Business Machines Corporation
    Inventor: John Gregg White
  • Patent number: 6055592
    Abstract: A mouse system (100) for authenticating a user and providing access to a computer (212) includes a pointing device and card reader (106) which share a computer interface port (222) of the computer (212). User information is read off the card (104), converted to pointing device codes, and provided to the computer (212). The computer reconverts the pointing device codes to user information to deny or grant access. The card reader (106) is capable of reading commercially available smart cards, credit cards, and other media having user information electronically stored on the card (104).
    Type: Grant
    Filed: February 9, 1998
    Date of Patent: April 25, 2000
    Assignee: Motorola, Inc.
    Inventor: Robert Neal Smith