Pre-loaded With Certificate Patents (Class 713/173)
  • Patent number: 7885412
    Abstract: Generic session keys are pre-generated and stored in a pool of session keys for later use in communicating within a communications environment. The session keys that are stored in the pool are pre-encrypted with the private key of the entity storing those keys. To communicate between entities, a pre-encrypted session key is extracted from the pool and then further encrypted with the destination entity's public key to ensure data integrity and data confidentiality. The encrypted key is then forwarded to the destination entity and used during communications between the two entities.
    Type: Grant
    Filed: September 29, 2005
    Date of Patent: February 8, 2011
    Assignee: International Business Machines Corporation
    Inventors: Christopher V. DeRobertis, Robert R. Gensler, Jr., Serban C. Maerean
  • Patent number: 7885899
    Abstract: There is disclosed a method for performing secure electronic transactions on a computer network, the network comprising a buyer's computer, a vendor server, a creditor server and a security server. The buyer's computer has a fingerprint file stored in the memory thereof.
    Type: Grant
    Filed: February 8, 2000
    Date of Patent: February 8, 2011
    Assignee: iPass Inc.
    Inventor: Enrique David Sancho
  • Patent number: 7877784
    Abstract: A certificate registry system is configured to issue authentication certificates issued to each one of a plurality of information providers and to maintain a root certificate corresponding to all of the authentication certificates. Each one of the authentication certificates links respective authentication information thereof to identification information of a corresponding one of the information providers. Each one of the authentication certificates is devoid of linkage between the corresponding one of the information providers and domain name information thereof. The authentication certificates of the certificate registry are associated in a manner at least partially dependent upon at least one of a particular type of information that the information providers provide, a particular organization that the information providers are associated with, a particular type of profession in which the information providers are engaged and a particular geographical region in which the information providers are located.
    Type: Grant
    Filed: June 7, 2007
    Date of Patent: January 25, 2011
    Assignee: Alcatel Lucent
    Inventors: Stanley Chow, Jeff Smith, Christophe Gustave
  • Patent number: 7870385
    Abstract: A method of controlling presentation of content on a media storage device is described. The method is comprised of verifying the presence of a media presentation mechanism and a usage compliance mechanism on a computer system operated by a recipient to whom the media storage device is distributed. The usage compliance mechanism includes a file system filter driver for controlling data reads associated with the computer readable media. The media presentation mechanism is communicatively coupled with the usage compliance mechanism. The present method further includes the file system driver performing a first decryption of the computer readable media. The present method further includes the media presentation mechanism performing a second decrypting of the computer readable media concurrent with presenting the computer readable media to the recipient.
    Type: Grant
    Filed: February 3, 2004
    Date of Patent: January 11, 2011
    Assignee: Music Public Broadcasting, Inc.
    Inventors: Hank Risan, Edward Vincent Fitzgerald
  • Patent number: 7864957
    Abstract: Methods and apparatus in accordance with the present invention are operable to carry out certain functions including: receiving an encrypted program at a processing apparatus; transmitting a machine ID over a network to an administrator; receiving registration data over the network from the administrator in response to the machine ID; transmitting the registration data over the network to a distributor; receiving an encrypted decryption key and an encrypted virtual ID at the processing apparatus over the network from the distributor in response to the registration data; decrypting the encrypted decryption key using the virtual ID, and decrypting the encrypted program using the decryption key; re-encrypting the program using the virtual ID; and storing the encrypted virtual ID and the re-encrypted program in a first storage device.
    Type: Grant
    Filed: December 11, 2002
    Date of Patent: January 4, 2011
    Assignee: Sony Computer Entertainment Inc.
    Inventors: Muneki Shimada, Toyoshi Okada, Yousuke Kimoto, Kazuhiro Kanee, Kenjiro Komaki
  • Patent number: 7861918
    Abstract: Systems and methods are disclosed for enabling a voter to vote at any single official polling place in the state (jurisdiction) even if it lies outside the boundaries of his local voting location (division of the jurisdiction). The systems and methods disclosed also prevent voter fraud, including a single voter voting more than once, at any polling place anywhere in the jurisdiction.
    Type: Grant
    Filed: April 14, 2008
    Date of Patent: January 4, 2011
    Inventor: Jeff Strabone
  • Patent number: 7861084
    Abstract: A method of authenticating data transmitted in a digital transmission system, in which the method comprises the steps, prior to transmission, of determining at least two encrypted values for at least some of the data, each encrypted value being determined using a key of a respective encryption algorithm, and outputting said at least two encrypted values with said data.
    Type: Grant
    Filed: July 19, 2006
    Date of Patent: December 28, 2010
    Assignee: THOMSON Licensing S.A.
    Inventors: Jean-Bernard Gerard Maurice Beuque, Philippe Poulain
  • Patent number: 7861077
    Abstract: A secure user authentication system, operable over a client-server communications network to authenticate a system user. The system includes an application server which includes a site which is able to be enabled, and an authentication server, which is able to enable the application server site. The authentication server includes a core database, and receives and stores user authentication-enabling data in the core database. The system further includes a client, and a client program which is able to be actuated in the client. The client program includes the user authentication-enabling data. Upon actuation, the client program automatically directly connects to the authentication server, and sends the client authentication-enabling data to the authentication server, for secure user authentication by the authentication server.
    Type: Grant
    Filed: October 6, 2006
    Date of Patent: December 28, 2010
    Assignee: Multiple Shift Key, Inc.
    Inventor: Raymond J. Gallagher, III
  • Publication number: 20100325428
    Abstract: A method for authentication. A computer obtains a random number R generated by a hardware token. The computer forms and returns to the hardware token a signature Ck?(R) formed using the random number R with a computer secret key Ck?. The computer receiving from the hardware token authentication of the signature Ck?(R) that is performed by the hardware token using a computer public key Ck stored in the hardware token.
    Type: Application
    Filed: June 4, 2010
    Publication date: December 23, 2010
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: Masakazu Satoh
  • Patent number: 7856556
    Abstract: Peer-to-peer authentication may be accomplished by sending a digital certificate to a responder, receiving a randomized codeword in response to the sending, creating a secure fingerprint based at least in part on the digital certificate and randomized codeword, creating a first bit sequence based at least in part on a first portion of the secure fingerprint and a second portion of the randomized codeword and indicating the first digital certificate is authenticated based upon whether the first bit sequence matches a second bit sequence received from the responder via an out-of-band communication in response to the sending. The size of the first bit sequence is less than the size of the secure fingerprint. According to another aspect, the first bit sequence is compared with a rendering of the second bit sequence, using an out-of-band communication, by associating the first bit sequence with one or more indices into an array of representations.
    Type: Grant
    Filed: October 22, 2007
    Date of Patent: December 21, 2010
    Inventors: Linda R. Bartram, Nicholas J. Sawadsky
  • Publication number: 20100313028
    Abstract: The present invention provides an electronic signature method and an electronic signature tool. The method includes: outputting verification prompt information; receiving verification confirmation information inputted by a user; checking whether the verification confirmation information matches the verification prompt information, and performing the predetermined electronic signature operation if the verification confirmation information matches the verification prompt information. Through the electronic signature method and the electronic signature tool of the present invention, an attack of other users on the network can be prevented, and secure transactions are realized. The method and the tool are used conveniently and can be popularized easily.
    Type: Application
    Filed: August 13, 2010
    Publication date: December 9, 2010
    Applicant: TENDYRON CORPORATION
    Inventor: Dongsheng Li
  • Patent number: 7849312
    Abstract: Aspects of the present invention include a method and system for generating a secure access code at a remote device in communication with a computer system having a secure storage device; conveying the secure access code to the system secure storage device; receiving the secure access code at the system secure storage device with unique data characteristics associated with the remote device; and, securely providing content to the remote device.
    Type: Grant
    Filed: November 30, 2006
    Date of Patent: December 7, 2010
    Assignee: Atmel Corporation
    Inventors: Kerry D. Maletsky, Nathanael J. Bohlmann
  • Patent number: 7840811
    Abstract: Provided is a network system using diameter authentication, authorization and accounting (AAA) infrastructure to support the bootstrapping of a Mobile Internet Protocol version 6 (IPv6) mobile node. The network system includes a mobile node equipped with Mobile IPv6, an attendant which is accessed by the mobile node when the mobile node moves toward a new network, an AAA local server which supports AAA processes for the mobile node in a local network, an AAA home server which supports AAA processes for the mobile node in a home network, and supports initial settings during the bootstrapping of the mobile node, and a home agent which handles binding update (BU) and binding acknowledgement (BA) regarding the mobile node. The AAA home server can configure initial settings for the mobile node that is authenticated by the AAA local server so that the mobile node can be effectively bootstrapped.
    Type: Grant
    Filed: December 7, 2006
    Date of Patent: November 23, 2010
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Jae Hoon Nah, Hyeok Chan Kwon, Jong Soo Jang
  • Publication number: 20100293382
    Abstract: Apparatuses, methods, and systems pertaining to the verification of portable consumer devices are disclosed. In one implementation, a verification token is coupled to a computer by a USB connection so as to use the computer's networking facilities. The verification token reads identification information from a user's portable consumer device (e.g., credit card) and sends the information to a validation entity over a communications network using the computer's networking facilities. The validation entity applies one or more validation tests to the information that it receives from the verification token. If a selected number of tests are passed, the validation entity sends a device verification value to the verification token, and optionally to a payment processing network. The verification token may enter the device verification value into a CVV field of a web page appearing on the computer's display, or may display the value to the user using the computer's display.
    Type: Application
    Filed: May 14, 2010
    Publication date: November 18, 2010
    Inventor: Ayman Hammad
  • Patent number: 7831833
    Abstract: A secure mechanism for transparent key recovery for a user who has changed authentication information is disclosed. A password manager agent intercepts requests by a user to access secure resources that require user credentials. Upon detecting changed authentication information for the user, the password manager agent automatically regenerates the components of a cryptographic key associated with the user that was previously used to encrypt user credentials for the user and then destroyed. After regeneration of the original cryptographic key, the password manager agent uses the key to decrypt the user credentials necessary for the requested application. The regenerated key is then destroyed and the user credentials are re-encrypted by the password manager agent using a new cryptographic key associated with the user made up of multiple components.
    Type: Grant
    Filed: May 6, 2005
    Date of Patent: November 9, 2010
    Assignee: Citrix Systems, Inc.
    Inventor: Timothy R. Gaylor
  • Patent number: 7831828
    Abstract: A system and method for securely authenticating a data exchange session with an implantable medical device is presented. A crypto key uniquely associated with an implantable medical device is defined to authenticate data during a data exchange session. A secure connection is established from an external source with a secure key repository securely maintaining the crypto key. Authorization to access data on the implantable medical device is authenticated by securely retrieving the crypto key from the secure key repository.
    Type: Grant
    Filed: March 15, 2004
    Date of Patent: November 9, 2010
    Assignee: Cardiac Pacemakers, Inc.
    Inventors: Jeffrey A. Von Arx, Scott J. Healy, Scott Vanderlinde
  • Patent number: 7822984
    Abstract: Portal, and a method and program executed by a portal. The portal receives a data request and a public certificate from a user. The portal transmits the data request and the public certificate to a content supplier. The portal receives confidential data and non-confidential data responsive to the data request. The confidential data is received in encrypted form together with an identifier identifying the confidential data as encrypted. The non-confidential data is received in unencrypted form. The portal formats the non-confidential data in accordance with a specification previously provided by the user. The portal transmits the encrypted confidential data, the identifier and the formatted non-confidential data to the user.
    Type: Grant
    Filed: September 27, 2005
    Date of Patent: October 26, 2010
    Assignee: International Business Machines Corporation
    Inventors: Pablo Martinez Martin, Manuel R. Rodriguez
  • Patent number: 7818574
    Abstract: A mechanism is provided in which access to the functionality present on an integrated circuit chip is controllable via an encrypted certificate of authority which includes time information indicating allowable periods of operation or allowable duration of operation. The chip includes at least one cryptographic engine and at least one processor. The chip also contains hard coded cryptographic keys including a chip private key, a chip public key and a third party's public key. The chip is also provided with a battery backed up volatile memory which contains information which is used to verify authority for operation. The certificate of authority is also used to control not only the temporal aspects of operation but is also usable to control access to certain functionality that may be present on the chip, such as access to some or all of the cryptographic features provided in conjunction with the presence of the cryptographic engine, such as key size.
    Type: Grant
    Filed: September 10, 2004
    Date of Patent: October 19, 2010
    Assignee: International Business Machines Corporation
    Inventors: Camil Fayad, John K. Li, Siegfried Sutter
  • Publication number: 20100262826
    Abstract: A first terminal subscribes to at least one service using a service guide in which information necessary for reception of each service is stored, and sends the service guide and an identifier (ID) of the subscribed service to a smartcard. The smartcard stores the service guide and the ID of the subscribed service, and sends the service guide and the ID of the subscribed service to a second terminal through a response message to a request message used for acquiring TBK information, received from the second terminal. The second terminal receives the response message by sending the request message to the smartcard, acquires TBK information corresponding to a service that the second terminal intends to play back, from the service guide depending on the subscribed service's ID included in the response message, and acquires the TBK by performing an authentication process using the TBK information.
    Type: Application
    Filed: November 17, 2008
    Publication date: October 14, 2010
    Inventors: Byung-Rae Lee, Bo-Sun Jung, Sung-Oh Hwang, Kook-Heui Lee
  • Patent number: 7814328
    Abstract: Generating a digital signature of an entire embedded code project is provided while maintaining certain exclusion areas so that a productivity application can incorporate application-specific information into the embedded code project without hampering the digital signature. A tree structure of data may be serialized into a data stream. The tree structure may include multiple branches and one or more elements identified as an exclusion area. A digital signature of the data stream may be created and included in a document associated with the tree structure.
    Type: Grant
    Filed: September 12, 2005
    Date of Patent: October 12, 2010
    Assignee: Microsoft Corporation
    Inventors: Arthur C. Leonard, Bryan J. Reich, Daniel M. Cheung, David M. Vierzba, Jeffrey M. Cooperstein, Mariya Tikunova, Matthew C. Pohle, Patrick J. Smith, Suraj T. Poozhiyil
  • Publication number: 20100257366
    Abstract: The invention relates to a method for authenticating a user (1) on the basis of a mobile terminal of the cellular phone type (2), in which said user (1) views through a browser a portal for accessing a service hosted on a server (4); said user (1) requests his authentication through the browser via said portal; said portal initiates a pre-session in such a way as to display, through said browser, temporary access data (5) independent from said user (1); said user (1) inputs into his telephone (2) the data viewed; said telephone (2) automatically dispatches a request (6) to said server (4), including at least one authentication certificate (7) specific to the user (1) and said viewed data (5); said request (6) is encrypted with the aid of the public key of a certificate (8) of said server (4) and, in the event of authentication of the user (1), access to the service is authorized through a secure session in the browser.
    Type: Application
    Filed: December 11, 2008
    Publication date: October 7, 2010
    Applicant: MEDISCS (SOCIETE PAR ACTIONS SIMPLIFIEE)
    Inventors: Alain Leclercq, Yves Arnail, Bernard Delbourg
  • Patent number: 7805614
    Abstract: A method for secure identity processing using biometrics is provided. A public key and a unique serial number are received from a BIOTOKEN. A random number is generated. The random number and the unique serial number are transmitted to the BIOTOKEN. A serial number received from the BIOTOKEN is compared with the unique serial number and if there is a match, an encrypted symmetric key, transmitted by the BIOTOKEN, is decrypted using the public key. An encrypted random number and encrypted biometric data associated with a user are decrypted using the decrypted symmetric key. The decrypted random number is compared with the transmitted random number, if there is a match, the decrypted biometric data is validated and the received serial number and the public key are transmitted to a certification authority if the biometric data is validated. An authentication certificate associated with the BIOTOKEN is issued by the certification authority.
    Type: Grant
    Filed: March 31, 2005
    Date of Patent: September 28, 2010
    Assignee: Northrop Grumman Corporation
    Inventors: Kenneth W. Aull, William Gravell, James B. Rekas
  • Patent number: 7802099
    Abstract: One embodiment of the present invention provides a system that establishes a secure connection with a peer. During operation, the system obtains an identity for the peer. Next, the system looks up the identity for the peer in a local store, which contains identities for trusted peers. If this lookup fails, the system asks a user if the peer can be trusted. If the user indicates that the peer can be trusted, the system establishes a secure connection with the peer.
    Type: Grant
    Filed: October 3, 2006
    Date of Patent: September 21, 2010
    Assignee: Apple Inc.
    Inventors: Douglas P. Mitchell, John C. Hurley
  • Patent number: 7802093
    Abstract: A digital certificate is provided to a customer having an electronic account linked to the customer's physical address. Using the digital certificate, the customer performs electronic transactions with a third party. A proofing workstation receives a request from a third party to validate the digital certificate. The proofing workstation communicates with a proofing server that maintains a list of valid certificates and a list of revoked certificates. The proofing server sends a response to the proofing workstation, where it is received by the third party.
    Type: Grant
    Filed: July 18, 2008
    Date of Patent: September 21, 2010
    Assignee: United States Postal Service
    Inventors: Leo J. Campbell, Jon L. Cook
  • Patent number: 7797533
    Abstract: In a communication system wherein a device and a client communicate data with each other through a network, the device holds a root certificate including a public key in a pair of the public key and a private key and signed with the public key. When data is sent, a certificate creator creates a second certificate including the root certificate designated as a certificate authority at a higher level and signed with the root certificate, and the second certificate is sent to the client. In the client, the root certificate has been stored beforehand, and a verifier verifies the signature of the second certificate with the root certificate.
    Type: Grant
    Filed: September 29, 2003
    Date of Patent: September 14, 2010
    Assignee: Minolta Co., Ltd.
    Inventor: Akira Murakawa
  • Patent number: 7788181
    Abstract: Software is governed by a digital license that specifies a certificate that must be present in order for the software (or certain features thereof) to be used. A root authority authorizes a license server to issue certificates that are called for in the digital license for an item of software. The software and the digital license are installed on a machine, and the machine enrolls with the license server to obtain the certificate. When the software is run, an enforcement component evaluates the license to determine what certificate is required, and then evaluates the certificate to determine whether it meets the requirements of a license. If the certificate is invalid, the enforcement component may disable the software, or may disable certain features of the software.
    Type: Grant
    Filed: December 27, 2005
    Date of Patent: August 31, 2010
    Assignee: Microsoft Corporation
    Inventors: Avi Ben-Menahem, Nir Ben-Zvi, Ronald W. Miller
  • Patent number: 7779267
    Abstract: There are many times when a secret needs to be used in a distributed computing system—these are often held in security tokens, such as smart cards. It may be desirable for another device, such as a computer platform, to act in place of the security token as the repository of a secret, particularly for operations within a distributed computing system. Within the distributed computing system there is located a trusted entity, physically and logically resistant to unauthorized modification—this may be a trusted device located within a specific computing platform. This contains validation information which can be communicated to the security token. The security token then carries out a validation process on this validation information—if successful, the security token then provides a secret to the trusted device for use within the distributed computing system. The trusted device may be required to use this secret only for a specified period of time, or for a specific purpose or task.
    Type: Grant
    Filed: September 4, 2001
    Date of Patent: August 17, 2010
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Liqun Chen, Graeme John Proudler
  • Patent number: 7774603
    Abstract: An embodiment of the present invention includes a technique to register a client to a server for communication. A message containing an identification (ID) code is transmitted to a server. If the key is stored in the server, the key encrypted with the ID code is received from the server via a network. The encrypted key is decrypted using the identification code. Otherwise, the key is encrypted using the ID code. The encrypted key is transmitted to the server via the network. Information is exchanged with the server via the network. The information is encrypted and decrypted by the key.
    Type: Grant
    Filed: December 6, 2006
    Date of Patent: August 10, 2010
    Assignees: Sony Corporation, Sony Electronics Inc.
    Inventor: Ryuichi Iwamura
  • Patent number: 7770012
    Abstract: The present invention provides in a method for providing secure authentication using digital certificates, an improvement to enable the selective transfer of authentication data. The said method comprises presentation of basic authentication data certified by an accepted certifying authority, at the commencement of a secure transaction and transfer of additional individual authentication data units against specific requests, as and when required, thereby eliminating the risks associated with providing any authentication data that is not required for a particular transaction. The instant invention also provides a system and configured computer program product for carrying out the above method.
    Type: Grant
    Filed: November 27, 2007
    Date of Patent: August 3, 2010
    Assignee: International Business Machines Corporation
    Inventor: Deepak Gupta
  • Patent number: 7770011
    Abstract: The present invention provides in a method for providing secure authentication using digital certificates, an improvement to enable the selective transfer of authentication data. The said method comprises presentation of basic authentication data certified by an accepted certifying authority, at the commencement of a secure transaction and transfer of additional individual authentication data units against specific requests, as and when required, thereby eliminating the risks associated with providing any authentication data that is not required for a particular transaction. The instant invention also provides a system and configured computer program product for carrying out the above method.
    Type: Grant
    Filed: October 24, 2007
    Date of Patent: August 3, 2010
    Assignee: International Business Machines Corporation
    Inventor: Deepak Gupta
  • Publication number: 20100185843
    Abstract: Storage devices can provide for hardware encryption and decryption of data stored by them. The hardware cryptographic functions can be applied with reference to cryptographic information of a communicationally, and physically, separable key device. Disconnection of the separable key device can render encrypted data inaccessible. Destruction of the separable key device can result in virtual destruction of the encrypted data. The cryptographic information on the separable key device can be provided by a storage device manufacturer, or by a provisioning computing device. The separable key device can be directly communicationally coupled to a provisioning computing device or it can establish a secure communication tunnel with the provisioning device through a computing device to which the separable key device is communicationally coupled. Cryptographic information can be provided by, and deleted from, the provisioning computing device prior to completion of the booting of that device.
    Type: Application
    Filed: January 20, 2009
    Publication date: July 22, 2010
    Applicant: MICROSOFT CORPORATION
    Inventors: Sompong Paul Olarig, Vladimir Sadovsky, Chris Lionetti, James Robert Hamilton, Harry Raymond Rogers, Timothy Louis Falk
  • Publication number: 20100180120
    Abstract: A method for communication includes coupling an information protection device (34) to communicate via a local interface (36) with a local computer (28) operated by a user (22), the information protection device having an input transducer (58) associated therewith. A communication session is initiated between the local computer and a remote computer (24) over a network (26). The information protection device receives an access code input by the user via the input transducer and encrypts the access code using an encryption key held by the information protection device. The encrypted access code is conveyed from the information protection device over the local interface to the local computer and from the local computer to the remote computer over the network in order to authenticate the user at the remote.
    Type: Application
    Filed: September 3, 2008
    Publication date: July 15, 2010
    Applicant: HUMAN INTERFACE SECURITY LTD
    Inventors: Lior Frenkel, Amir Zilberstein
  • Patent number: 7756509
    Abstract: Embodiments of methods and apparatus for providing an access profile system associated with a broadband wireless access network are generally described herein. Other embodiments may be described and claimed.
    Type: Grant
    Filed: March 31, 2006
    Date of Patent: July 13, 2010
    Assignee: Intel Corporation
    Inventors: Bala Rajagopalan, Sanjay Bakshi
  • Patent number: 7751568
    Abstract: A method and system for ensuring security-compliant creation and certificate generation for endorsement keys of manufactured TPMs. The endorsement keys are generated by the TPM manufacturer and stored within the TPM. The TPM manufacturer also creates a signing key pair and associated signing key certificate. The signing key pair is also stored within the TPM, while the certificate is provided to the OEM's credential server. During the endorsement key (EK) credential process, the TPM generates a signed endorsement key, which comprises the public endorsement key signed with the public signing key. The credential server matches the public signing key of the endorsement key with a public signing key within the received certificate. The EK certificate is generated and inserted into the TPM only when a match is confirmed.
    Type: Grant
    Filed: December 31, 2003
    Date of Patent: July 6, 2010
    Assignee: International Business Machines Corporation
    Inventors: Ryan Charles Catherman, David Carroll Challener, James Patrick Hoff
  • Patent number: 7752448
    Abstract: Systems and methods of providing a desktop framework. The desktop framework may include an application framework component that includes a set of core libraries that provide desktop applications access to data and services, a download component that maintains versions of the desktop applications and core libraries installed on a computer, and a license component that tracks data use and access. The application framework exposes APIs to provide the desktop applications with access to the data and services. The application framework serves as a platform upon which the desktop applications share common data and logic.
    Type: Grant
    Filed: February 17, 2004
    Date of Patent: July 6, 2010
    Assignee: The Weather Channel, Inc.
    Inventor: Jon Edward Badenell
  • Patent number: 7752445
    Abstract: Authentication of a hardware token connected to a computer includes storing, in the hardware token, a computer public key Ck generated in the computer; reading out, from the hardware token to the computer, a user public key Uk; registering the user public key Uk from the computer with a certificate authority; receiving a certificate issued from the certificate authority with respect to the user public key Uk; and storing the issued certificate for the user public key Uk in the hardware token.
    Type: Grant
    Filed: February 22, 2005
    Date of Patent: July 6, 2010
    Assignee: International Business Machines Corporation
    Inventor: Masakazu Satoh
  • Patent number: 7742605
    Abstract: A system and method for establishing secure communications between two entities, such as a server and a client, may involve the use of an intermediate gateway. Each party may establish a secure communication link with the gateway, and the gateway may provide signed certificates to each party, each certificate identifying the gateway as the other party for purposes of the communication. The gateway may then facilitate the secure communications between the two parties, and may perform data translation on the communications. The identification information may be contained within the certificates used by the gateway.
    Type: Grant
    Filed: August 6, 2001
    Date of Patent: June 22, 2010
    Assignee: Nokia Corporation
    Inventor: Zoltan Hornak
  • Publication number: 20100153730
    Abstract: A method for conditionally allowing fruition of broadcast contents, broadcast by a contents broadcaster (115) and received by a user by means of a receiving equipment (110), comprising: performing, locally at the receiving equipment of the user a first fruition entitlement check based on first fruition entitlement data available locally (225) at the receiving equipment; having the receiving equipment provide to the contents broadcaster the first fruition entitlement data exploiting a return communications channel (125) of the receiving equipment; having the contents broadcaster perform a second fruition entitlement check based on comparison between the received first fruition entitlement data and second fruition entitlement data available locally (320) to the contents broadcaster; conditioned on a result of the second check, having the contents broadcaster provide to the receiving equipment, exploiting the return communications channel, a fruition entitlement confirmation notification; at the receiving equipm
    Type: Application
    Filed: April 28, 2005
    Publication date: June 17, 2010
    Inventor: Paolo Goria
  • Patent number: 7721102
    Abstract: A system and method for detecting exposure of an OCSP responder's session private key in a D-OCSP-KIS to verify the status of a user's certificate online are provided. The system includes: a client for requesting certificate status information from the OCSP responder; the OCSP responder for receiving the certificate status information request from the client, sending a response, producing a hash value, and delivering the hash value to a certificate authority (CA) to get a certificate issued; and the CA for receiving the hash value from the OCSP responder and issuing the certificate to the OCSP responder in response to a certificate issue request; wherein the client verifies a digital signature using a hash value contained in the OCSP responder's certificate and the hash value contained in the response, and each client stores a counter value for a hash operation in each verification and recognizes the response as valid when a current counter value is greater than a previous counter value.
    Type: Grant
    Filed: May 11, 2006
    Date of Patent: May 18, 2010
    Assignee: Sungkyunkwan University Foundation for Corporate Collaboration
    Inventors: Dongho Won, Seungjoo Kim, Younggyo Lee
  • Patent number: 7716469
    Abstract: Embodiments of the present invention provide a circle of trust on a network. The circle of trust is configured by exchanging credentials of a first and a second affiliated entity. The credentials of the first affiliated entity are stored in a trusted partner list of the second affiliated entity. The credentials of the second affiliated entity are stored in a trusted partner list of the first affiliated entity. Thereafter, a circle of trust session may be provided when a client device initiates use of a resource on a relying party device by providing an authentication assertion reference. The identity of the issuing party of the authentication is determined as a function of the authentication assertion reference. The relying party sends an authentication query containing its credential to the issuing party. The issuing party determines whether the relying party is a trusted entity based upon whether the relying party's credential is contained in the trusted partner list of the issuing party.
    Type: Grant
    Filed: July 25, 2003
    Date of Patent: May 11, 2010
    Assignee: Oracle America, Inc.
    Inventors: Bhavna Bhatnagar, Ping Luo, Qingwen Cheng, Shivaram Bhat, Hong Xu, Wei Sun, Aravindan Ranganathan
  • Patent number: 7711954
    Abstract: Methods and apparatuses for securely configuring the identifier information of products. In one aspect, a method of manufacturing a product, includes: establishing a connection between a data processing system and the product while the product is being manufactured; verifying that an initial set of identifier information stored within the product is valid, where a set of identifier information is capable of being used to control distribution of media which is received by the product; providing, in response to validly verifying the initial set of identifier information, a new set of identifier information for storage in the product, where the providing is secured through the verifying of the initial set of identifier information.
    Type: Grant
    Filed: August 5, 2004
    Date of Patent: May 4, 2010
    Assignee: Digital Keystone, Inc.
    Inventors: Luc Vantalon, Paolo Siccardo
  • Patent number: 7707405
    Abstract: A system 100 for providing credentials to a computational component in a distributed processing network is provided. The system 100 includes: (a) a plurality of crypto-tokens 150a-n, each crypto-token 150a-n comprising a unique identifier, optionally a digital certificate comprising a unique public key and the unique identifier, and a private key corresponding to the public key; (b) a provisioning system 100 comprising a certificate authority 104 operable to generate the plurality of crypto-tokens 150a-n; and (c) a computational component 128 comprising a drive operable to receive and communicate with a selected crypto-token 150. The computational component 128 uses the digital certificate and private key in any of the crypto-tokens 150a-n to establish a secured communication session with the provisioning system 100. Before the establishing operation, any of the plurality of crypto-tokens 150a-n can be engaged with the computational component 128 to establish the secure communication session.
    Type: Grant
    Filed: September 21, 2004
    Date of Patent: April 27, 2010
    Assignee: Avaya Inc.
    Inventors: Robert R. Gilman, Richard L. Robinson, Robert J. Serkowski
  • Publication number: 20100100730
    Abstract: A system and method for searching and retrieving certificates, which may be used in the processing of encoded messages. In one broad aspect, a method is provided in which a certificate search request is received, a search of one or more certificate servers for certificates satisfying the request is performed, located certificates are retrieved and processed at a first computing device to determine data that uniquely identifies each located certificate, and search result data comprising the determined data is communicated to a second device (e.g. a mobile device) for use in determining whether each located certificate is already stored on the second device.
    Type: Application
    Filed: December 22, 2009
    Publication date: April 22, 2010
    Applicant: RESEARCH IN MOTION LIMITED
    Inventors: Neil P. Adams, Michael S. Brown, Herbert A. Little
  • Patent number: 7694135
    Abstract: A service is provided to allow a user, such as an API or web service, Internet input, or software or hardware client to perform a search on any one or multiple Uniform Resource Identifier (URI) and/or other protocol addresses accessible via a public or private network to establish a report in a summary and/or detailed format on the trustworthiness of the address.
    Type: Grant
    Filed: July 18, 2005
    Date of Patent: April 6, 2010
    Assignee: Geotrust, Inc.
    Inventors: Michael J. Rowan, Christopher T. M. Bailey, Kefeng Chen, Neal Creighton
  • Publication number: 20100082976
    Abstract: A system and method for searching and retrieving certificates, which may be used in the processing of encoded messages. In one embodiment, a certificate synchronization application is programmed to perform certificate searches by querying one or more certificate servers for all certificate authority (CA) certificates and cross-certificates on the certificate servers. In another embodiment, all certificates related to an identified certificate are retrieved from the certificate servers automatically by the certificate synchronization application, where the related certificates comprise at least one of one or more CA certificates and one or more cross-certificates. Embodiments of the invention facilitate at least partial automation of the downloading and establishment of certificate chains, thereby minimizing the need for users to manually search for individual certificates.
    Type: Application
    Filed: December 7, 2009
    Publication date: April 1, 2010
    Applicant: RESEARCH IN MOTION LIMITED
    Inventors: Michael S. Brown, Michael K. Brown, Herbert A. Little, Neil P. Adams, Michael G. Kirkup
  • Patent number: 7689826
    Abstract: Methods and systems for flexibly loading an application, e.g., a software application, and associated data from an application provider (101) onto a tamper resistant module (TRM) (103) having an I/O buffer (115) and a memory (119). A method embodiment of the invention comprises determining (501) the size of the TRM's I/O buffer (115), segmenting (503) the application to be loaded and its associated data into a plurality of segments, with each segment adapted to be stored in the I/O buffer (115) and the size of each segment being a function of the determined size of the I/O buffer (115), separately transmitting (505) each segment to the tamper resistant module (103), and storing (603) each separately transmitted segment in a selected one of one or more available spaces of the TRM's memory (119), said spaces selected depending upon the size of each segment and upon which of said available spaces has the smallest available area in the TRM's memory (119) in which the segment can be stored.
    Type: Grant
    Filed: January 19, 2007
    Date of Patent: March 30, 2010
    Assignee: Multos Limited
    Inventors: David Barrington Everett, Stuart James Miller, Anthony David Peacham, Ian Stephen Simmons, Timothy Philip Richards, John Charles Viner
  • Patent number: 7690032
    Abstract: A method of confirming the identity of a user includes processing biometric credentials, generating a user configurable policy including identities of a plurality of authenticating entities, storing the user configurable policy in a device, presenting the device to an authenticating entity at an authentication station, and requesting biometric and personal data of the user from the device data. The biometric data corresponds to at least one biometric feature desired for authenticating the user and the requesting operation is performed by a workstation of the authenticating entity.
    Type: Grant
    Filed: May 22, 2009
    Date of Patent: March 30, 2010
    Assignee: Daon Holdings Limited
    Inventor: Michael Peirce
  • Patent number: 7685422
    Abstract: An information processing apparatus has an authentication/key exchange unit, a round trip time measuring unit, a common key transmitter, a contents key transmitter and a contents transmitter. The round trip time measuring unit sends a generated round trip time measuring request to the communication apparatus through the first communication connection to measure the round trip time, and checks whether the measured round trip time is within a predetermined time and whether the transmitting source of the round trip request response is the communication apparatus sharing the first key. The common key transmitter encrypts a second key used for contents transmission by using the first key and transmits the encrypted second key through the first communication connection when the round trip time measuring unit succeeds in the checking.
    Type: Grant
    Filed: May 17, 2005
    Date of Patent: March 23, 2010
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Hiroshi Isozaki, Takashi Kokubo, Koji Kanazawa
  • Patent number: 7680277
    Abstract: Methods and apparatuses are provided for use with optical data storage media and related devices.
    Type: Grant
    Filed: November 12, 2003
    Date of Patent: March 16, 2010
    Assignee: Microsoft Corporation
    Inventor: Darko Kirovski
  • Patent number: 7676840
    Abstract: Machine instructions comprising a bootstrap code are buried within a critical component of an electronic game console where they cannot readily be accessed or modified. A preloader portion in a read only memory (ROM) is hashed by the bootstrap code and the result is compared to an expected hash value maintained in the bootstrap code. Further verification of the boot-up process is carried out by the preloader, which hashes the code in ROM to obtain a hash value for the code. The result is verified against a digital signature value that defines an expected value for this hash. Failure to obtain any expected result terminates the boot-up process. Since the bootstrap code confirms the preloader, and the preloader confirms the remainder of the code in ROM, this technique is useful for ensuring that the code used for booting up the device has not been modified or replaced.
    Type: Grant
    Filed: January 7, 2005
    Date of Patent: March 9, 2010
    Assignee: Microsoft Corporation
    Inventors: Dinarte Morais, Jon Lange, Daniel R. Simon, Ling Tony Chen, Josh D. Benaloh