By Generation Of Certificate Patents (Class 713/175)
  • Patent number: 8719574
    Abstract: A server, method and/or computer-readable medium system for secure communication includes a certificate authority for generating certificates signed by the certificate authority and associated public and private keys for a client. The server further includes a directory of client attributes and client virtual attributes. At least one of the client virtual attributes is for, when receiving a query for a client that cannot be located in the directory, requesting the certificate authority to dynamically generate a certificate and associated public and private key for the client, and for storing the dynamically generated certificate and public key as a client attribute in the directory.
    Type: Grant
    Filed: August 31, 2006
    Date of Patent: May 6, 2014
    Assignee: Red Hat, Inc.
    Inventor: Robert Relyea
  • Patent number: 8719848
    Abstract: According to an embodiment, an information processing device offering various APIs stores, for every application program, a WSDL file which indicates definition information of an API which is permitted to be used by an application program, and developer information which specifies a developer of an application program. The information processing device releases to an application program a WSDL file corresponding to the application program, receives, through a web service, a request that is a request for use of a first API, determines whether or not the definition information of the first API is indicated in a first WSDL file corresponding to the first application program, and determines whether or not the first WSDL file is leaked, using developer information.
    Type: Grant
    Filed: September 1, 2011
    Date of Patent: May 6, 2014
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Yu Kaneko, Shigeo Matsuzawa
  • Patent number: 8719577
    Abstract: Operations or functions on a device may require an operational certificate to ensure that the user of the device or the device itself is permitted to carry out the operations or functions. A system and a method are provided for providing an operational certificate to a device, whereby the operational certificate is associated with one or more operations of the device. A manufacturing certificate authority, during the manufacture of the device, obtains identity information associated with the device and provides a manufacturing certificate to the device. An operational certificate authority obtains and authenticates at least a portion of the identity information associated with the device from the manufacturing certificate and, if at least the portion of the identity information is authenticated, the operational certificate is provided to the device.
    Type: Grant
    Filed: December 21, 2012
    Date of Patent: May 6, 2014
    Assignee: BlackBerry Limited
    Inventors: Christopher Lyle Bender, Roger Paul Bowman
  • Patent number: 8719576
    Abstract: Transformations of digital records are used as lowest level inputs to a tree data structure having a root in a core system and having nodes computed as digital combinations of child node values. A combination of root values is published in a permanent medium. Signature vectors are associated with the digital records and have parameters that enable recomputation upward through the tree data structure to either a current root value or to the published value. Recomputation yields the same value only if a candidate digital record is an exact version of the original digital record included in the original computation of the value.
    Type: Grant
    Filed: September 24, 2012
    Date of Patent: May 6, 2014
    Assignee: Guardtime IP Holdings, Ltd
    Inventors: Ahto Buldas, Märt Saarepera
  • Patent number: 8719575
    Abstract: The invention relates to a method of secure broadcasting of encrypted digital data of a proprietary entity, these data being stored in a storage module (6) of a server (5), comprising: the encryption of the digital data by means of an encryption key for the broadcasting of the digital data to the authenticated third party, and the broadcasting of these digital data to the authenticated third party.
    Type: Grant
    Filed: March 16, 2009
    Date of Patent: May 6, 2014
    Inventors: Jonathan Attia, Bernard Pinot
  • Patent number: 8713318
    Abstract: Systems and methods for providing an email certificate for an email message. In some aspects, a method includes receiving a request from a user for providing an email certificate for an email message, generating an email certificate by encrypting the email message, and sending the email certificate to the user.
    Type: Grant
    Filed: January 13, 2012
    Date of Patent: April 29, 2014
    Assignee: Google Inc.
    Inventors: Xincheng Zhang, Dongmin Zhang, Jia Liu
  • Patent number: 8707046
    Abstract: Methods for anonymous authentication and key exchange are presented. In one embodiment, a method includes initiating a two-way mutual authentication between a first entity and a second entity. The first entity remains anonymous to the second entity after performing the authentication. The method also includes establishing a mutually shared session key for use in secure communication between the entities, wherein the initiating and the establishing are in conjunction with direct anonymous attestation (DAA).
    Type: Grant
    Filed: May 3, 2011
    Date of Patent: April 22, 2014
    Assignee: Intel Corporation
    Inventors: Jesse Walker, Jiangtao Li
  • Patent number: 8707027
    Abstract: A method and apparatus for automatically configuring and provisioning cryptographic certificates is described. A certificate management sensor receives instructions from a first computing device to analyze a second computing device to identify an application on the second computing device associated with cryptographic network traffic on the second computing device, generates an application fingerprint based on application characteristics of the application, transmits the application fingerprint and a certificate signing request (CSR) to a certificate management system (CMS), and receives second instructions from the CMS to automatically install a cryptographic certificate on the second computing device based on the application fingerprint and CSR.
    Type: Grant
    Filed: July 2, 2012
    Date of Patent: April 22, 2014
    Assignee: Symantec Corporation
    Inventor: Alok Naik
  • Patent number: 8707418
    Abstract: A system for providing communication between one or more clients (50) and one or more service providers (70) is disclosed. The system comprises an access gateway (10) for maintaining transport-specific connections for one or more connections between the client (50) and the access gateway (10), an application level router (20) for routing messages between clients (50) and service providers (70), an authentication provider (40) for verifying the identity of users of clients (50), and a look-up service (30) for keeping a registry of currently available services. Various methods related to the system are also disclosed.
    Type: Grant
    Filed: November 6, 2009
    Date of Patent: April 22, 2014
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Leonid Mokrushin, Vladimir Katardjiev
  • Patent number: 8705735
    Abstract: A method of generating a public key in a secure digital communication system, having at least one trusted entity CA and subscriber entities A. The trusted entity selects a unique identity distinguishing each entity A. The trusted entity then generates a public key reconstruction public data of the entity A by mathematically combining public values obtained from respective private values of the trusted entity and the entity A. The unique identity and public key reconstruction public data of the entity A serve as A's implicit certificate. The trusted entity combines the implicit certificate information with a mathematical function to derive an entity information ƒ and generates a value kA by binding ƒ with private values of the trusted entity. The trusted entity transmits the value kA to the entity to permit A to generate a private key from kA, A's private value and A's implicit certificate.
    Type: Grant
    Filed: June 19, 2012
    Date of Patent: April 22, 2014
    Assignee: Certicom Corp.
    Inventors: Minghua Qu, Scott A. Vanstone
  • Patent number: 8707416
    Abstract: The preferred embodiments involve a mechanism to bootstrap Kerberos from EAP in which EAP is used for initial network access authentication and Kerberos is used for provisioning session keys to multiple different protocols. The preferred embodiments make use of an EAP extension method (EAP-EXT) to realize the mechanism.
    Type: Grant
    Filed: November 24, 2007
    Date of Patent: April 22, 2014
    Assignees: Toshiba America Research, Inc., Telcordia Technologies, Inc
    Inventors: Yoshihiro Oba, Subir Das
  • Patent number: 8707029
    Abstract: Disclosed is a system and method for authenticating a communications channel between a mobile handset associated with a user and an application server, for uniquely identifying the mobile handset and for encrypting communications between the mobile handset and the application server over the communication channel. The system includes a certificate authority configured to issue digital certificates to the handset and the application server, as well as software applications operating on both the handset and application server. The digital certificates may be used by the handset and application server to uniquely identify one another as well as to exchange encryption keys by means of which further communication between them may be encrypted.
    Type: Grant
    Filed: September 30, 2011
    Date of Patent: April 22, 2014
    Assignee: Entersect International Limited
    Inventors: Christiaan Johannes Petrus Brand, Albertus Stefanus Van Tonder, Daniel Jacobus Mueller
  • Patent number: 8707025
    Abstract: A communication apparatus makes a request to issue an electronic certificate of a first instrument to a certificate authority and acquires the electronic certificate from the certificate authority. The communication apparatus communicates with a second instrument using the electronic certificate of the first instrument in response to reception of a request for communication with the second instrument from the first instrument. Therefore, the communication apparatus mediates information communication between the second instrument and the first instrument.
    Type: Grant
    Filed: August 26, 2010
    Date of Patent: April 22, 2014
    Assignee: Konica Minolta Business Technologies, Inc.
    Inventor: Mitsunori Nakamura
  • Patent number: 8707031
    Abstract: Methods for managing digital certificates, including issuance, validation, and revocation are disclosed. Various embodiments involve querying a directory service with entries that correspond to a particular client identity and have attributes including certificate issuance limits and certificate validity time values. The validity time values are adjustable to revoke selectively the certificates based upon time intervals set forth in validity identifiers included therein.
    Type: Grant
    Filed: April 7, 2009
    Date of Patent: April 22, 2014
    Assignee: SecureAuth Corporation
    Inventors: Garrett F. Grajek, Jeff C. Lo, Mark V. Lambiase
  • Patent number: 8707035
    Abstract: Systems and methods for providing privacy of file synchronization with sharing functionality are presented. In embodiments, a file synchronization system comprises one or more folders associated with one or more non-shared encryption keys, which may be a managed key shared across an organization, and/or a personal key that is not shared or has limited third-party sharing. The one or more non-shared encryption keys are not known to the data storage service. The file synchronization system may also contain one or more folders associated with a shared encryption key that is shared with the data storage service, and in embodiments, with a set of users of the service. The system may include a mapping correlating folders to encryption type so items in each folder can be handled appropriately. The system may have additional folders, such as one or more public folders that may be available with limited or no restrictions.
    Type: Grant
    Filed: March 30, 2012
    Date of Patent: April 22, 2014
    Assignees: Decho Corporation, VMware, Inc.
    Inventor: David John Hartley
  • Publication number: 20140108784
    Abstract: A method to verify a geographic location of a virtual disk image executing at a data center server within a data center. One embodiment includes a cryptoprocessor proximate the data center server, a hypervisor configured to send a disk image hash value of the virtual disk image, a digital certificate issued to the cryptoprocessor, an endorsement key to a data center tenant and a location provider. The method includes sending a disk image hash value of the virtual disk image, an endorsement key unique to a cryptoprocessor proximate the data center server to a data center tenant, and a digital certificate to a data center tenant. Next, the location provider sends the geographic location of the cryptoprocessor matching the endorsement key to the data center tenant.
    Type: Application
    Filed: October 12, 2012
    Publication date: April 17, 2014
    Applicant: International Business Machines Corporation
    Inventors: Dimitrios Pendarakis, Arvind Seshadri
  • Patent number: 8701169
    Abstract: A method and apparatus are disclosed for using a single credential request (e.g., registered public key or ECQV certificate) to obtain a plurality of credentials in a secure digital communication system having a plurality of trusted certificate authority CA entities and one or more subscriber entities A. In this way, entity A can be provisioned onto multiple PKI networks by leveraging a single registered public key or implicit certificate as a credential request to one or more CA entities to obtain additional credentials, where each additional credential can be used to derive additional public key-private key pairs for the entity A.
    Type: Grant
    Filed: February 10, 2012
    Date of Patent: April 15, 2014
    Assignee: Certicom Corp.
    Inventors: Matthew John Campagna, Robert John Lambert, James Robert Alfred
  • Patent number: 8700898
    Abstract: Systems and methods for providing sensitive data protection in a virtual computing environment. The systems and methods utilize a sensitive data control monitor on a virtual appliance machine administering guest virtual machines in a virtual computing environment, wherein each of the guest virtual machines may include a local sensitive data control agent. The sensitive data control monitor generates encryption keys for each guest virtual machine which are sent to the local sensitive data control agents and used to encrypt data locally on a protected guest virtual machine. In this manner the data itself on the virtual (or physical) disc associated with the guest virtual machine is encrypted while access attempts are gated by a combination of the local agent and the environment-based monitor, providing for secure yet administrable sensitive data protection.
    Type: Grant
    Filed: October 2, 2012
    Date of Patent: April 15, 2014
    Assignee: CA, Inc.
    Inventors: Alex Korthny, Nir Barak, Amir Jerbi
  • Patent number: 8700903
    Abstract: The process of acquiring SSL certificates for enterprise SSL customers is improved by reducing the number of steps used to acquire the SSL certificate and streamlining the process. An on-line CSR generator on the certificate enrollment form is used to submit the customer information (i.e. Common Name, Organizational Unit, Organization, City/Locality, State/Province, and Country Code) and generate the CSR. By making the CSR generation part of the enrollment process, the administrator can use the same enrollment form to submit the customer information along with the contact information pertinent to the enterprise.
    Type: Grant
    Filed: July 26, 2011
    Date of Patent: April 15, 2014
    Assignee: Symantec Corporation
    Inventors: Steve Hsueh, Zhengwen Ju, Yutong Wang, John Yun
  • Patent number: 8701205
    Abstract: A device may include a trusted component. The trusted component may be verified by a trusted third party and may have a certificate of verification stored therein based on the verification by the trusted third party. The trusted component may include a root of trust that may provide secure code and data storage and secure application execution. The root of trust may also be configured to verify an integrity of the trusted component via a secure boot and to prevent access to the certain information in the device if the integrity of the trusted component may not be verified.
    Type: Grant
    Filed: April 15, 2010
    Date of Patent: April 15, 2014
    Assignee: InterDigital Patent Holdings, Inc.
    Inventors: Yogendra C. Shah, Inhyok Cha, Andreas Schmidt, Andreas Leicher, Joseph Gredone, Samian Kaur
  • Patent number: 8700902
    Abstract: Methods and apparatus to certify digital signatures are disclosed. An example method includes receiving a request to certify a digital signature from a user, receiving information about a physical characteristic of the user, comparing the information about the physical characteristic to stored physical characteristic information, and based on the comparison, at least one of certifying the digital signature based on the comparison or requesting certification of the digital signature based on the comparison.
    Type: Grant
    Filed: February 13, 2006
    Date of Patent: April 15, 2014
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Brian M. Novack, David L. Dunmire, Daniel L. Madsen, Michael D. Cheaney, Timothy R. Thompson
  • Patent number: 8694785
    Abstract: The present invention provides a system and method for providing certified voice and/or multimedia mail messages in a broadband signed communication system which uses packetized digital information. Cryptography is used to authenticate a message that has been compiled from streaming voice or multimedia packets. A certificate of the originator's identity and electronic signature authenticates the message. A broadband communication system user may be provisioned for certified voice and/or multimedia mail by registering with a certified mail service provider and thereby receiving certification. The called system user's CPE electronically signs the bits in received communication packets and returns the message with an electronic signature of the called system user to the calling party, along with the system user's certificate obtained from the service provider/certifying authority during registration. The electronic signature is a cryptographic key of the called party.
    Type: Grant
    Filed: August 4, 2010
    Date of Patent: April 8, 2014
    Assignee: AT&T Intellectual Property II, L.P.
    Inventor: Aviel D. Rubin
  • Patent number: 8688992
    Abstract: System and method for creation and use of an agreement object having content packages and a transportable agreement, including both the content of the agreement and data used to validate the signatories and an audit trail for the agreement.
    Type: Grant
    Filed: November 2, 2007
    Date of Patent: April 1, 2014
    Assignee: Recombo, Inc.
    Inventors: Shawn Daniels, Petr Kubon, Goran Radisavljevic
  • Patent number: 8688975
    Abstract: An invention for certifying a virtual entity in a virtual universe is disclosed. A virtual business may opt to register with a security certificate administration center to obtain a security certificate. A user of another virtual entity is provided with an ability to initiate a verifying process to check whether a security certificate symbol or a graphic resembling a security certificate symbol represents a valid security certificate. Virtual universe client and server software may be modified to enable a secured connection between the user and the security certificate administration center for the verification.
    Type: Grant
    Filed: March 25, 2008
    Date of Patent: April 1, 2014
    Assignee: International Business Machines Corporation
    Inventors: Rick A. Hamilton, II, Brian M. O'Connell, Clifford A. Pickover, Keith R. Walker
  • Patent number: 8681993
    Abstract: A method and system for distributed security for a plurality of devices in a communication network, each of the devices being responsible for generating, distributing and controlling its own keys for access to the communication network and using the keys to establish a trusted network, each device's membership to the communication network being checked periodically by other devices by using a challenge response protocol to establish which devices are allowed access to the communication network and the trusted network.
    Type: Grant
    Filed: February 20, 2009
    Date of Patent: March 25, 2014
    Assignee: Certicom Corp.
    Inventors: Marinus Struik, Scott Alexander Vanstone
  • Patent number: 8683205
    Abstract: A method begins by a processing module determining whether a data access request is requesting access to data stored in a plurality of dispersed storage networks (DSNs). The method continues with the processing module determining whether one of the plurality of DSNs is a home DSN to a requesting entity when the data access request is requesting access to data stored in the plurality of DSNs. The method continues with the processing module utilizing a local signed certificate to access one or more dispersed storage (DS) units of the home DSN, validating a global signed certificate with one or more DS units of a non-home DSN of the plurality of DSNs to produce a valid global signed certificate, and utilizing the valid signed certificate to access the one or more DS units of the non-home DSN when the plurality of DSNs includes the home DSN.
    Type: Grant
    Filed: May 11, 2011
    Date of Patent: March 25, 2014
    Assignee: Cleversafe, Inc.
    Inventors: Jason K. Resch, Gary W. Grube, Timothy W. Markison
  • Patent number: 8683189
    Abstract: A boot method and apparatus are described which reduce the likelihood of a security breach in a mobile device, preferably in a situation where a reset has been initiated. A predetermined security value, or password, is stored, for example in BootROM. A value of a security location within FLASH memory is read and the two values are compared. Polling of the serial port is selectively performed, depending on the result of such comparison. In a presently preferred embodiment, if the value in the security location matches the predetermined security value, then polling of the serial port is not performed. This reduces potential security breaches caused in conventional arrangements where code may be downloaded from the serial port and executed, which allows anyone to access and upload programs and data in the FLASH memory, including confidential and proprietary information.
    Type: Grant
    Filed: August 17, 2011
    Date of Patent: March 25, 2014
    Assignee: BlackBerry Limited
    Inventors: Richard C Madter, Ryan J. Hickey, Christopher Pattenden
  • Publication number: 20140082365
    Abstract: Exemplary embodiments provide various techniques for managing groups of authenticated entities. In one exemplary computer-implemented method, an entity accesses a group roster that includes a first group identifier identifying a first group, a first group digital certificate associated with the first group, and a first entity identifier identifying the entity being a member of the first group. The entity also receives a request to update the group roster. Here, the request includes a second group identifier identifying a second group and a second group digital certificate associated with the second group. In response to the request, the entity replaces the first group identifier in the group roster with the second group identifier. Additionally, in response to the request, the entity replaces the first group digital certificate with the second group digital certificate. The replacements change a membership of the entity from the first group to the second group.
    Type: Application
    Filed: September 28, 2011
    Publication date: March 20, 2014
    Applicant: NetApp, Inc.
    Inventors: Craig Fulmer Everhart, Steven Ewing
  • Patent number: 8677129
    Abstract: A software system and method for executing secure commercial transactions online is disclosed. A user's password is received to initiate secure socket layer (SSL) communications with a transaction site on a server. A web session associated with the SSL communications is encrypted by associating a domain name of the transaction site with its SSL public key. Then, the user's password is added to a hypertext markup language (HTML) header of a message within the web session. When added, the password is invisible to a hypothetical man-in-the-middle (MITM) attacker, who cannot read the encrypted message nor mimic the user. The MITM is thus unable to compromise the user's account as the MITM is unable to provide the correct password into any fraudulent message.
    Type: Grant
    Filed: May 13, 2008
    Date of Patent: March 18, 2014
    Assignee: Fair Isaac Corporation
    Inventors: Joseph P. Milana, Stuart L. Crawford
  • Patent number: 8676878
    Abstract: A method of managing a domain, a method of extending a domain, and a method of selecting a reference point controller are provided. The method of operating the domain includes: receiving a request for authenticating a reference point controller from a reference point controller candidate; invalidating a membership of the stored reference point controller; generating a unique reference point controller membership for verifying that the reference point controller candidate is a new reference point controller; and transmitting the generated reference point controller membership to the reference point controller candidate. Accordingly, even when an error occurs in the reference point controller, the function of the reference point controller can be rapidly replaced by using the reference point controller candidate.
    Type: Grant
    Filed: December 30, 2008
    Date of Patent: March 18, 2014
    Assignee: LG Electronics Inc.
    Inventors: Man-soo Jeong, Il-gon Park, Koo-yong Pak, Min-gyu Chung, Sung-hyun Cho, Soo-jung Kim, Kiran Kumar K
  • Patent number: 8677494
    Abstract: Protection systems and methods provide for protecting one or more personal computers (“PCs”) and/or other intermittently or persistently network accessible devices or processes from undesirable or otherwise malicious operations of Java™ applets, ActiveX™ controls, JavaScript™ scripts, Visual Basic scripts, add-ins, downloaded/uploaded programs or other “Downloadables” or “mobile code” in whole or part. A protection engine embodiment provides for monitoring information received, determining whether received information does or is likely to include executable code, and if so, causes mobile protection code (MPC) to be transferred to and rendered operable within a destination device of the received information. An MPC embodiment further provides, within a Downloadable-destination, for initiating the Downloadable, enabling malicious Downloadable operation attempts to be received by the MPC, and causing (predetermined) corresponding operations to be executed in response to the attempts.
    Type: Grant
    Filed: November 7, 2011
    Date of Patent: March 18, 2014
    Assignee: Finjan, Inc.
    Inventors: Yigal Mordechai Edery, Nirmrod Itzhak Vered, David R. Kroll, Shlomo Touboul
  • Publication number: 20140075196
    Abstract: Embodiments are directed to securely filtering trust services records. In one scenario, a client computer system receives at least one of the following trust services records: a trust services certificate, a principal certificate, a group certificate and a trust services policy. The client computer system performs a time validity check to validate the trust services record's timestamp, performs an integrity check to validate the integrity of the trust services record and performs a signature validity check to ensure that the entity claiming to have created the trust services record is the actual creator of the trust services record. The client computer system then, based on the time validity check, the integrity check and the signature validity check, determines that the trust services record is valid and allows a client computer system user to perform a specified task using the validated trust services record.
    Type: Application
    Filed: September 13, 2012
    Publication date: March 13, 2014
    Applicant: MICROSOFT CORPORATION
    Inventors: Irina Gorbach, Venkatesh Krishnan, Andrey Shur, Dmitry Denisov, Lars Kuhtz, Sumant Mehta, Marina Galata
  • Patent number: 8671143
    Abstract: A system, method, and device comprising a virtual badge are disclosed. A virtual badge can be displayed on a cell phone or in another linked portable device, and for security purposes, has images which can be scanned, and the capability to alternate colors and/or self-destruct on a pre-set schedule. Whether for after a disaster or for daily use, the system uses cell phones or mobile devices loaded with specialized software. Using plugin technologies, the system optionally can enable field collected photos and notes on customizable forms to be mapped, tracked, and time/date stamped—including in a 100% disconnected environment. A modifiable virtual badge can aid in inventory, accountability, organization, and efficiency. The system can be employed by the “Whole Community”—citizens, businesses, not-for-profits, and government agencies—for social media, business, cleanup, insurance adjusters, or personnel focused on day to day operations or on mitigation, preparedness, response, and recovery.
    Type: Grant
    Filed: February 1, 2013
    Date of Patent: March 11, 2014
    Assignee: Pathfinders International, LLC
    Inventor: Scott Lewis
  • Patent number: 8666077
    Abstract: In one embodiment, a traffic encryption key is generated based on a count value associated with a mobile. The count value is indicative of network accesses by a mobile, and the traffic encryption key is for encrypting communication traffic between the mobile and a base station. Generation of the traffic encryption key at a base station may be triggered by receipt of a message indicating that the mobile may handoff to the base station. In this embodiment, the message includes the count value. In another embodiment, the traffic encryption key is generated based on the count value and a key count. The mobile may trigger updating the traffic encryption key by changing the key count, and sending the new key count to the base station in a traffic encryption key update request message.
    Type: Grant
    Filed: May 7, 2008
    Date of Patent: March 4, 2014
    Assignee: Alcatel Lucent
    Inventors: Sarvar Patel, Semyon Mizikovsky
  • Patent number: 8667573
    Abstract: Described herein is a technique of protecting users against certain types of Internet attacks. The technique involves obtaining certificates from visited web sites and qualifying communications with those web sites based on the content of the certificates.
    Type: Grant
    Filed: May 7, 2012
    Date of Patent: March 4, 2014
    Assignee: Microsoft Corporation
    Inventors: Eric M. Lawrence, Roberto A. Franco, Venkatraman V. Kudallur, Marc A. Silbey
  • Patent number: 8660268
    Abstract: A method and apparatus for client authentication using a pseudo-random number generation system. The pseudo-random number generation utilizes a secret key as well as state information as input into the hash function to generate a pseudo-random number. The state information that is part of the input can be any number of prior generated pseudo-random numbers. The authentication allows for synchronization of the client and server by exchanging state information. The authentication is not dependent on any absolute time and consequently the client and servers are not required to maintain a reliable shared time base.
    Type: Grant
    Filed: April 29, 2008
    Date of Patent: February 25, 2014
    Assignee: Red Hat, Inc.
    Inventor: James Paul Schneider
  • Publication number: 20140052993
    Abstract: An information operating device has a first connection unit, a second connection unit, a machine operating command for operating the information output device and a usage certificate certifying that the machine operating web application, a domain name attacher to attach a domain name of the first communication device, when the connection is established by the second connection unit to transmit the machine operating command for operating the information output device using the connection, an application executing unit to execute the PIN code input web application acquired from the first communication device through the first connection unit, an encryption information generator to generate encryption information and transmit it to the information output device, and a client processing unit to transmit the usage certificate and the encryption information to the information output device through the second connection unit.
    Type: Application
    Filed: August 15, 2013
    Publication date: February 20, 2014
    Applicant: KABUSHIKI KAISHA TOSHIBA
    Inventors: Hiroshi Isozaki, Jun Kanai
  • Patent number: 8655878
    Abstract: An architecture for a multimedia search system is described. To perform similarity matching of multimedia query frames against reference content, a reference database comprising a cluster index using cluster keys to perform similarity matching and a multimedia index to perform sequence matching is built. Methods to update and maintain the reference database that enables addition and removal of the multimedia contents, including portions of multimedia content, from the reference database in a running system are described. Hierarchical multi-level partitioning methods to organize the reference database are presented. Smart partitioning of the reference multimedia content according to the nature of the multimedia content, and according to the popularity among the social media, that supports scalable fast multimedia identification is also presented.
    Type: Grant
    Filed: May 6, 2011
    Date of Patent: February 18, 2014
    Assignee: Zeitera, LLC
    Inventors: Sunil Suresh Kulkarni, Jose Pio Pereira, Pradipkumar Dineshbhai Gajjar, Shashank Merchant, Prashant Ramanathan, Mihailo Stojancic
  • Patent number: 8656490
    Abstract: A method and apparatus for safe and secure access to dynamic domain name systems. In one embodiment a method comprises transmitting a DNS query to a dynamic DNS server. The DNS query comprises a domain name. A DNS answer is received from the dynamic DNS server in response to transmitting the DNS query. The DNS answer comprises an IP address. A request is transmitted to a host at the IP address in response to receiving the DNS answer. A digital certificate is received in response to transmitting the request. The received digital certificate is then compared with each of a plurality of digital certificates stored in memory. The IP address is transmitted to a client computer system if the received digital certificate compares equally with one of the plurality of digital certificates.
    Type: Grant
    Filed: September 14, 2010
    Date of Patent: February 18, 2014
    Assignee: Symantec Corporation
    Inventor: William E. Sobel
  • Patent number: 8656155
    Abstract: Digital certificate public information is extracted using a processor from at least one digital certificate stored within at least one digital certificate storage repository. The extracted digital certificate public information is stored to at least one dynamically-created certificate public information directory. At least a portion of the digital certificate public information stored within the at least one dynamically-created certificate public information directory is provided in response to a digital certificate public information request.
    Type: Grant
    Filed: February 10, 2012
    Date of Patent: February 18, 2014
    Assignee: International Business Machines Corporation
    Inventors: Bret W. Dixon, Scot W. Dixon
  • Patent number: 8650589
    Abstract: A system for monitoring order fulfillment of telecommunication services is disclosed. An apparatus that incorporates teachings of the present disclosure may include, for example, a monitoring system having a controller element that submits a correlation ID to a service orchestration system (SOS) that manages one or more order fulfillment systems (OFSs) that collectively fulfill a select one of a plurality of telecommunication service orders according to a plurality of intermediate fulfillment steps, receives from the SOS information associated with the plurality of intermediate fulfillment steps tagged with the correlation ID, records said information according to the correlation ID, and collects correlated fulfillment activity for the plurality of telecommunication service orders from a plurality of iterations of the foregoing steps. Additional embodiments are disclosed.
    Type: Grant
    Filed: January 8, 2007
    Date of Patent: February 11, 2014
    Assignee: AT&T Intellectual Property I, LP
    Inventors: Catherine Wood, Daniel P. Malee, Jeffrey Dicks, Michael Everett, Srinidhi Subbarao
  • Patent number: 8645699
    Abstract: A mobile communications device having a digital certificate authenticating the device itself is proposed. A server for authenticating the device and a method of authenticating the device are also disclosed. The device comprises a transmitter, a processor, a memory and a computer readable medium. The memory includes a certificate certifying the authenticity of the mobile communications device, the certificate comprising device-specific data and a digital signature signed by an authority having control of the authenticity of the mobile communications device. The computer readable medium has computer readable instructions stored thereon that when executed configure the processor to instruct the transmitter to transmit a copy of the certificate to a service provider in response to a request to authenticate the mobile communications device with the service provider.
    Type: Grant
    Filed: March 15, 2010
    Date of Patent: February 4, 2014
    Assignee: BlackBerry Limited
    Inventors: Robert Henderson Wood, Roger Paul Bowman, Christopher Lyle Bender, Ian Michael Robertson, Casey Jonathan Vandeputte
  • Patent number: 8645696
    Abstract: An apparatus and a method for authenticating a secure communication is described. A server receives a request from a client for an original SSL certificate. The server embeds a message in a common name (CN) of a new SSL certificate directing the client to another server. The client is transparently reconfigured and establishes a secure communication with the other server using the new SSL certificate.
    Type: Grant
    Filed: November 26, 2008
    Date of Patent: February 4, 2014
    Assignee: Red Hat, Inc.
    Inventor: James Paul Schneider
  • Patent number: 8646106
    Abstract: An optical article for playback in a player includes a first file comprising a first control logic; and a second file comprising a second control logic. The first file is configured to direct the player to play a first content data stored on the optical article, when the first control logic is read by the player. The player is directed to read the second file if the player cannot read the first file. The second file is configured to direct the player to play a second content data stored on the article when the second control logic is read by the player. The optical article includes a mark containing an optical state change material disposed on at least a portion of the first file, wherein the mark is in one of a first optical state or a second optical state, and wherein the first control logic can be read only when the mark is in the second optical state.
    Type: Grant
    Filed: September 28, 2007
    Date of Patent: February 4, 2014
    Assignee: NBCUniversal Media, LLC
    Inventors: James Mitchell White, Marc Brian Wisnudel, Kasiraman Krishnan, Mark Rogers Johnson
  • Patent number: 8646039
    Abstract: An apparatus and methods are disclosed for performing peer authentication without the assistance of a human “guard.” In accordance with the illustrative embodiments, a peer is selected from a non-empty set of candidates at authentication time based on one or more of the following dynamic properties: the current geo-location of the user to be authenticated; the current geo-locations of the candidates; the current time; the contents of one or more directories (e.g., a telephone directory, an organizational chart or directory, etc.); the contents of one or more call logs; and the candidates' schedules.
    Type: Grant
    Filed: August 1, 2007
    Date of Patent: February 4, 2014
    Assignee: Avaya Inc.
    Inventors: Jon Louis Bentley, Anjur Sundaresan Krishnakumar, David Mandel Weiss
  • Patent number: 8645717
    Abstract: A mechanism for creating secure storage for firmware for a computing device. A designated secure storage area holding firmware that is executable prior to a loading of an operating system for the computing device is created during a build of a ROM image. The creating marks one or more files as requiring encrypted storage and the one or more marked files are combined during the build into the designated secure storage area. The designated secure storage area is located outside the ROM image and includes, during the build of the ROM image, a reference to the designated secure storage area in a build of firmware placed in the ROM image. The reference includes a flag indicating a current encrypted status of the designated secure storage area.
    Type: Grant
    Filed: April 18, 2012
    Date of Patent: February 4, 2014
    Assignee: Insyde Software Corp.
    Inventor: Rex A. Flynn
  • Patent number: 8639940
    Abstract: An embodiment relates generally to a method of assigning roles to a token. The method includes determining a first role for a first participant on a token and providing exclusive access to a first section of the token for the first participant based on the first role. The method also includes determining a second role for a second participant on the token and providing exclusive access to a second section of the token for the second participant based on the second role.
    Type: Grant
    Filed: February 28, 2007
    Date of Patent: January 28, 2014
    Assignee: Red Hat, Inc.
    Inventors: Robert Lord, Steven W. Parkinson, Robert Relyea
  • Patent number: 8639939
    Abstract: An object known as an identity object comprises a public key and a private key pair and at least one certificate issued by a certificate authority that certifies that the public key of the pair is genuine. In one embodiment, this object may be used as proof of identification by using the private key to sign data provided to it or signals derived from the data. An identity object may be stored in a non-volatile memory as proof of identity, where the memory is controlled by a controller. Preferably, a housing encloses the memory and the controller.
    Type: Grant
    Filed: November 6, 2006
    Date of Patent: January 28, 2014
    Assignee: SanDisk Technologies Inc.
    Inventors: Michael Holtzman, Ron Barzilai, Fabrice Jogand-Coulomb
  • Publication number: 20140019760
    Abstract: The invention proposes a method for personalizing a first secure element comprised in a first terminal, said method consisting in: Providing the user of the first terminal with a second secure element; Linking the first and second secure elements in or through the first terminal; Personalizing securely the first secure element with data comprised in the second secure element, security being based on certificate verification and asymmetric encryption between the secure elements.
    Type: Application
    Filed: December 2, 2011
    Publication date: January 16, 2014
    Applicant: GEMALTO SA
    Inventors: Fabrice Vergnes, Frédéric Faria, Franck Imoucha
  • Patent number: 8631240
    Abstract: An improved compression scheme for compressing an ECDSA signature is provided. The scheme substitutes the integer s in a signature (r, s) by a smaller value c. The value c is derived from s and another value d, d being small enough such that c is smaller than s. The compressed signature (r, c) is verified by computing a value using r and e, e being a hash of a message m, and using this value with a value R recovered from r to derive the value d. The value s can then be recovered and the full signature then recovered and verified.
    Type: Grant
    Filed: November 13, 2007
    Date of Patent: January 14, 2014
    Assignee: Certicom Corp.
    Inventor: Scott A. Vanstone