By Generation Of Certificate Patents (Class 713/175)
-
Patent number: 8630620
Abstract: A method and apparatus for securing location information and access control using the location information are disclosed. A wireless transmit/receive unit (WTRU) includes a location sensing entity and a subscriber identity module (SIM). The location sensing entity generates location information of the WTRU and the location information is embedded in a message in an SIM. A trusted processing module in the WTRU verifies integrity of the location information. The trusted processing module may be on the SIM. The location information may be physical location information or contextual location-related information. The trusted processing module is configured to cryptographically secure and bind the location information to the WTRU, and verify trust metrics of an external entity prior to granting an access to the location information or accepting information from the external entity. The trusted processing module may be a trusted computing group (TCG) trusted platform module (TPM) or mobile trusted module (MTM).
Type: Grant
Filed: January 25, 2008
Date of Patent: January 14, 2014
Assignee: InterDigital Technology Corporation
Inventors: Inhyok Cha, Yogendra C. Shah, Chunxuan Ye
-
Publication number: 20140013118
Abstract: There is provided an information processing apparatus, including a data generation section generating a specified data stream, and also generating a plurality of segment data sets by segmenting the generated specified data stream and by adding authentication data to each of the segmented data streams, and a data transmission section transmitting the plurality of segment data sets generated by the data generation section to respective apparatuses.
Type: Application
Filed: June 20, 2013
Publication date: January 9, 2014
Inventor: Tsutomu Kumai
-
Patent number: 8626929
Abstract: Scalable session management is achieved by generating a cookie that includes an encrypted session key and encrypted cookie data. The cookie data is encrypted using the session key. The session key is then signed and encrypted using one or more public/private key pairs. The encrypted session key can be decrypted and verified using the same private/public key pair(s). Once verified, the decrypted session key can then be used to decrypt and verify the encrypted cookie data. A first server having the private/public key pair(s) may generate the cookie using a randomly generated session key. A second server having the same private/public key pair(s) may decrypt and verify the cookie even if the session key is not initially installed on the second server. A session key cache may be used to provide session key lookup to save public/private key operations on the servers.
Type: Grant
Filed: February 14, 2011
Date of Patent: January 7, 2014
Assignee: Microsoft Corporation
Inventors: Wei Jiang, Ismail Cem Paya, John D. Whited, Wei-Quiang Michael Guo, Yordan Rouskov, Adam Back
-
Patent number: 8627439
Abstract: A method of communicating over a communications system includes determining that a communication event at a user terminal of the communications system requires use of a feature for processing data, the communication event being over the communications system and determining that the feature required by the communication event is not enabled for use at the user terminal when the communication event is initiated. Following the step of determining that the feature is not enabled, the method further includes retrieving a certificate enabling the use of the feature at the user terminal and using the feature at the user terminal to process data of the communication event.
Type: Grant
Filed: July 30, 2009
Date of Patent: January 7, 2014
Assignee: Microsoft Corporation
Inventor: Marek Laasik
-
Patent number: 8627422
Abstract: A particular method includes storing, at a mobile device, at least one security credential that is specific to the mobile device. The method also includes transmitting the at least one security credential to a secure user plane location (SUPL) location platform (SLP) to authenticate the mobile device as associated with a SUPL user based on a comparison of the device identifier to a stored device identifier.
Type: Grant
Filed: November 3, 2011
Date of Patent: January 7, 2014
Assignee: Qualcomm Incorporated
Inventors: Philip Michael Hawkes, Andreas Wachter, Adrian Edward Escott, Stephen William Edge
-
Patent number: 8627085
Abstract: A public key infrastructure comprises a client side to request and utilize certificates in communication across a network and a server side to administer issuance and maintenance of said certificates. The server side has a portal to receive requests for a certificate from a client. A first policy engine processes such requests in accordance with a set of predefined protocols. A certification authority is also provided to generate certificates upon receipt of a request from the portal. The CA has a second policy engine to implement a set of predefined policies in the generation of a certificate. Each of the policy engines includes at least one policy configured as a software component, e.g. a Java bean, to perform the discrete functions associated with the policy and generate notification in response to a change in state upon completion of the policy.
Type: Grant
Filed: June 29, 2012
Date of Patent: January 7, 2014
Assignee: Certicom Corp.
Inventor: Amit Kapoor
-
Patent number: 8627437
Abstract: The invention relates to a method for reading at least one attribute stored in an ID token, wherein, where the ID token is associated with a user, having the following steps: the user is authenticated to the ID token, a first computer system is authenticated to the ID token, following successful authentication of the user and the first computer system to the ID token, the first computer system effects read access to the at least one attribute stored in the ID token in order to transmit the at least one attribute, when it has been signed, to a second computer system, where the authentication of the first computer system to the ID token is performed because of an attribute specification, which is received by the first computer system from a third computer system.
Type: Grant
Filed: May 11, 2009
Date of Patent: January 7, 2014
Assignee: Bundesdruckerei GmbH
Inventors: Frank Dietrich, Manfred Paeschke
-
Publication number: 20140006788
Abstract: The systems, methods and apparatuses described herein provide a computing environment that manages private key storage. An apparatus according to the present disclosure may comprise a first non-volatile storage for storing a private root key for signing digital certificates, an input device for receiving manual input from an operator, a communication interface consisting of a one-way transmitter for transmitting information from the apparatus, and a processor. The processor may be configured to retrieve the private root key from the first non-volatile storage, receive information for a new digital certificate through the input device, generate the new digital certificate according to the received information, sign the new digital certificate using the private root key and transmit the new digital certificate from the apparatus using the transmitter.
Type: Application
Filed: June 27, 2013
Publication date: January 2, 2014
Inventor: Sergey IGNATCHENKO
-
Patent number: 8621222
Abstract: In various embodiments, a computerized method includes receiving electronic content to be archived. The electronic content comprises a digital signature. The method also includes archiving the digital signature, wherein archiving of the digital signature comprises determining a validity status of the digital signature and storing the validity status in the electronic content. The method includes archiving the electronic content after the validity status has been stored in the electronic content. The method includes storing the archived electronic content and the attestation signature into a machine-readable medium.
Type: Grant
Filed: May 30, 2008
Date of Patent: December 31, 2013
Assignee: Adobe Systems Incorporated
Inventor: Sujata Das
-
Patent number: 8621639
Abstract: A system provides for fuzzy classification in comparisons of scanner responses. A web application test suite performs tests against a web application by sending client requests from a testing computer to the server running the web application and checking how the web application responds. A thorough web application security scan might involve thousands of checks and responses. As a result, some sort of programmatic analysis is needed. One such evaluation involves comparing one response against another. Response matching that compares two HTTP responses might use fuzzy classification processes.
Type: Grant
Filed: November 30, 2011
Date of Patent: December 31, 2013
Assignee: WhiteHat Security, Inc.
Inventors: William Pennington, Jeremiah Grossman, Robert Stone, Siamak Pazirandeh
-
Publication number: 20130346754
Abstract: A cloud computing system for real-time streaming of drilling data from a drilling rig using satellites, wherein the system includes client devices for transmitting the drilling data. Radio boxes disposed around the drilling rig to form a local area network for connecting with the client devices. A router and switch connected to the local area network for receiving and transmitting the drilling data. A processor and data storage configured to receive the drilling data and form well logging data for transmission to the router and switch. A modem in communication with the router and switch used to send the drilling data to satellite dishes. A server positioned apart from the drilling rig used to receive drilling data and form well logs and executive dashboards. The server can stream the drilling data, well logs, and executive dashboard in real-time to remote client devices.
Type: Application
Filed: September 21, 2012
Publication date: December 26, 2013
Applicant: SELMAN AND ASSOCIATES, LTD.
Inventors: Thomas H. Selman, Matthew J. Jennings
-
Patent number: 8615660
Abstract: A cloud computing system for real-time streaming of drilling data from a drilling rig using satellites, wherein the system includes client devices for transmitting the drilling data. Radio boxes disposed around the drilling rig to form a local area network for connecting with the client devices. A router and switch connected to the local area network for receiving and transmitting the drilling data. A processor and data storage configured to receive the drilling data and form well logging data for transmission to the router and switch. A modem in communication with the router and switch used to send the drilling data to satellite dishes. A server positioned apart from the drilling rig used to receive drilling data and form well logs and executive dashboards. The server can stream the drilling data, well logs, and executive dashboard in real-time to remote client devices.
Type: Grant
Filed: September 21, 2012
Date of Patent: December 24, 2013
Assignee: Selman and Associates, Ltd.
Inventors: Thomas H. Selman, Matthew J. Jennings
-
Publication number: 20130339740
Abstract: Disclosed herein is a certificate authority server configured to provide multi-factor digital certificates. A processor readable medium may include a plurality of instructions configured to enable a certificate authority server of a certificate authority, in response to execution of the instructions by a processor, to receive a request to provide a multi-factor digital security certificate by digitally signing a certificate request having a plurality of factors and a cryptographic key, wherein a first of the plurality of factors is an identifier of a device and a second of the plurality of factors is an identifier of a user of the device. The instructions are also configured to enable the certificate authority server to associate the cryptographic key with the plurality of factors and issue the digital security certificate based on the certificate request. Also disclosed is a method of using a multi-factor digital certificate as part of the authorization process to implicitly bind the plurality of factors.
Type: Application
Filed: March 8, 2012
Publication date: December 19, 2013
Inventors: Omer Ben-Shalom, Alex Nayshtut
-
Patent number: 8612762
Abstract: An apparatus in a system which includes at least a high-level apparatus and a plurality of low-level apparatuses, said apparatus being one of the low-level apparatuses. The apparatus includes a storage unit configured to store an individual certificate set and a common certificate set and a communication unit configured to transmit own authentication information to the high level apparatus to allow the high level apparatus to perform decryption to authenticate the validity of the apparatus.
Type: Grant
Filed: September 4, 2012
Date of Patent: December 17, 2013
Assignee: Ricoh Company, Ltd.
Inventor: Tatsuya Imai
-
Patent number: 8612751
Abstract: In one embodiment, a method for securely transferring entitled data from one or more devices in a customer's network to a vendor's network via a public network is described. The data is obtained from a collection module communicatively coupled to the devices. The obtained data is transformed into a format that is recognized by a backend server present in the vendor's network. The transformed data is then assorted by associating the transformed data with corresponding one or more devices. Finally, the assorted data is then encrypted and sent to the backend server securely via the public network along with entitlement attributes corresponding to the one or more devices.
Type: Grant
Filed: August 20, 2008
Date of Patent: December 17, 2013
Assignee: Cisco Technology, Inc.
Inventors: Ammar Rayes, Subrata Dasgupta, Tom Deckers, Venkataraman Sivasankaran
-
Publication number: 20130332740
Abstract: Described are a system and method for presenting security information about a current site or communications session. Briefly stated, a browsing software is configured to receive a certificate during a negotiation of a secure session between a local device and a remote device. The certificate includes security information about a site maintained at the remote device. The security information is displayed to a user of the browsing software in a meaningful fashion to allow the user to make a trust determination about the site. Displaying the security information may include presenting a certificate summary that includes the most relevant information about the certificate, such as the name of the owner of the site and the name of the certificating authority of the certificate.
Type: Application
Filed: August 13, 2013
Publication date: December 12, 2013
Applicant: Microsoft Corporation
Inventors: Aaron J. Sauve, Cornelis K. Van Dok, Marc A. Silbey
-
Patent number: 8607055
Abstract: A scanned document management system for managing a paper document in a state in which the paper document is scanned and transformed into electronic data, registers an attribute of the document by a manager; when printing out the document, registers identification information of the document with correspondence to the attribute, issues a document authentication representing certificate including the identification information, coding the document authentication representing certificate and prints out the same with including the same in a document image; and, when scanning the document, extracts the coded document authentication representing certificate from the document, obtains the attribute from the identification information included in the document authentication representing certificate to determine whether or not authentication is possible therewith, and allows transfer of the document image thus scanned, when the authentication is possible.
Type: Grant
Filed: April 16, 2007
Date of Patent: December 10, 2013
Assignee: Ricoh Company, Ltd.
Inventor: Jun Kawada
-
Patent number: 8607334
Abstract: Systems and methods for secure e-mail message processing. A device is configured to receive a secure electronic message. The message may then be processed to determine whether the sender's address provided in the message is indicative of the sender's address provided in a sender's security-related certificate. A message's recipient can be notified based upon the determination.
Type: Grant
Filed: July 7, 2005
Date of Patent: December 10, 2013
Assignee: Research In Motion Limited
Inventors: Michael K. Brown, Michael S. Brown, Michael G. Kirkup, Neil P. Adams, Herbert A. Little
-
Publication number: 20130326223
Abstract: A method for increasing the security of private keys is provided that includes generating transaction data at a device operated by a user and processing the transaction data. Moreover, the method includes determining whether the user permits using a private key that is associated with the user and with a public-private key pair of the user. The private key is stored in a computer system different from the device. Furthermore, the method includes authenticating the user when the user permits using the private key, applying the private key to other data after successfully authenticating the user, and transmitting the other data to the device. The method also includes conducting a transaction with the transaction data.
Type: Application
Filed: May 31, 2012
Publication date: December 5, 2013
Inventors: Andrew Supplee Webb, Michael Peirce
-
Patent number: 8600058
Abstract: In a first embodiment of the present invention, a method for registering a new device to a control point in a home network is provided, the method comprising: generating a first self-certified identification at the control point, the generation using a pseudo-random generated number and using an identification of the control point; and sending a secure message to the new device containing the first self-certified identification.
Type: Grant
Filed: March 27, 2009
Date of Patent: December 3, 2013
Assignee: Samsung Electronics Co., Ltd.
Inventor: Sanjeev Verma
-
Patent number: 8601560
Abstract: Provided are a method for authenticating a user terminal in an interface server, and an interface server and a user terminal using the same. The method includes receiving authentication request information from an application service providing server in order to request the interface server to authenticate the user terminal receiving an application service provided from the application service providing server, authenticating the user terminal according to the authenticating request information using an authentication method selected by the interface server or a user of the user terminal, and transmitting authentication response information including an authentication result of performing the authentication method to the application service providing server. The interface server provides an interface for a network to the application service providing server.
Type: Grant
Filed: November 30, 2009
Date of Patent: December 3, 2013
Assignee: KT Corporation
Inventors: Soo-Jin Kim, Duc-Key Lee, Jung-Hee Bang
-
Patent number: 8601271
Abstract: A method and system that facilitates power management over an IPv6 network connection is described. A first host having an application creates a power management option for managing power management settings of one or more second hosts, which is in network communication with the first host. A neighbor solicitation request is sent with the power management option to the one or more second hosts, wherein the power management option requests the power management settings of the one or more second hosts. A table of the power management settings for each of the one or more second hosts is generated from the responses received from the neighbor solicitation request, and the power management settings are applied to the one or more second hosts.
Type: Grant
Filed: September 29, 2011
Date of Patent: December 3, 2013
Assignee: Konica Minolta Laboratory U.S.A., Inc.
Inventor: Maria Perez
-
Publication number: 20130318353
Abstract: The invention comprises a method of creating a certificate based on the contents of another certificate. The certificate is then automatically installed and configured on the server where it will be used. A further enhancement automatically requests and installs the certificate prior to an existing certificate's expiration.
Type: Application
Filed: May 24, 2012
Publication date: November 28, 2013
Applicant: DIGICERT, INC.
Inventor: Christopher Skarda
-
Publication number: 20130318354
Abstract: The invention relates to a method for generating a certificate for signing electronic documents by means of an ID token (106), having the following steps: sending (201) a transaction request for a user to carry out a transaction; as a result of the sending of the transaction request, a check is carried out as to whether the certificate (519) is available and if this is not the case, carrying out the following steps: generating (206) an asymmetrical key pair consisting of a private key and a public key using an ID token, said ID token (106) being assigned to the user; storing (207) the generated asymmetrical key pair on the ID token, wherein at least the private key is stored in a protected memory region of the ID token; transmitting (208; 509) the generated public key (518) to a first computer system, and generating (209) the certificate (519) by means of the first computer system for the public key.
Type: Application
Filed: June 10, 2011
Publication date: November 28, 2013
Applicant: BUNDESDRUCKEREI GMBH
Inventors: Enrico Entschew, Klaus-Dieter Wirth
-
Publication number: 20130318355
Abstract: The invention concerns a method for managing content on a secure element connected to an equipment, this content being managed on the secure element from a distant administrative platform. According to the invention, the method consists in: establishing, at the level of the administrative platform a secure channel between the equipment and the administrative platform, thanks to session keys generated by the secure element and transmitted to the equipment; transmitting to the administrative platform a request to manage content of the secure element; and verifying at the level of the administrative platform that this request originates from the same secure element that has generated the session keys and, if positive, authorizing the management and, if negative, forbid this management.
Type: Application
Filed: December 5, 2011
Publication date: November 28, 2013
Applicant: GEMALTO SA
Inventors: Pierre Girard, Philippe Proust
-
Patent number: 8595492
Abstract: On-demand protection and authorization of playback of media assets includes receiving digital media at a server computer, storing intermediary data in a data store, and receiving a request from a client for the digital media. The method also includes generating a protected copy of the digital media from the digital media and the intermediary data. The method also includes storing a description of the protected copy in a database and sending the protected copy to the client. The method also includes receiving a request from the client to access the digital media and reading the description from the database based on information in the request. The method also includes sending a response to the client, the response indicating whether the client is authorized to access the digital media, and the response including cryptographic data to decrypt the protected digital media if the client is authorized to access the digital media.
Type: Grant
Filed: August 19, 2009
Date of Patent: November 26, 2013
Assignee: Pix System, LLC
Inventors: Paul McReynolds, Eric B. Dachs, Erik Bielefeldt, Craig Wood
-
Patent number: 8593253
Abstract: A communication system is configured to operate in an ad hoc wireless network. The communication system includes a transmission device configured to send and receive a message, a signing module configured to generate a hierarchical signature using the message, and a verifying module configured to hierarchically verify a predetermined portion of a hierarchically signed message.
Type: Grant
Filed: June 9, 2010
Date of Patent: November 26, 2013
Assignee: GM Global Technology Operations, Inc.
Inventors: Aravind V. Iyer, Bhargav R. Bellur
-
Publication number: 20130311779
Abstract: A certificate enrolment assistant module may be provided to inject a challenge password into a certificate signing request to be sent, to a Certificate Authority, from a computing device. The certificate enrolment assistant module, thereby, acts as a trusted proxy to assist the computing device in building a valid certificate signing request without the computing device having access to the challenge password.
Type: Application
Filed: July 29, 2013
Publication date: November 21, 2013
Applicant: BlackBerry Limited
Inventors: Alexander SHERKIN, Michael Anthony CARRARA, Alexander Truskovsky
-
Patent number: 8588766
Abstract: The present invention provides safe and secure application distribution and execution by providing systems and methods that test an application to ensure that it satisfies predetermined criteria associated with the environment in which it will execute. Furthermore, by using rules and permission lists, application removal, and a modification detection technique, such as digital signatures, the present invention provides mechanisms to safely distribute and execute tested, or untested, applications by determining whether the application has been modified, determining if it has permission to execute in a given wireless device environment, and removing the application should it be desirable to do so.
Type: Grant
Filed: February 7, 2012
Date of Patent: November 19, 2013
Assignee: QUALCOMM Incorporated
Inventors: Laurence Lundblade, Marc S. Phillips, Brian Minear, Yan Zhuang, Anand Krishnan, Stephen A. Sprigg, Mazen Chmaytelli, Mitchell B. Oliver, Gerald Charles Horel, Karen Crossland
-
Patent number: 8589698
Abstract: An approach is provided to receive a request at a first computer system from a second system. The first system generates an encryption key, modifies retrieved source code by inserting the generated encryption key into the source code, and compiles the modified source code into an executable. A hash value of the executable program is calculated and is stored along with the encryption key in a memory area. The executable and the hash value are sent to the second system over a network. The executable is executed and it generates an encrypted result using the hash value and the embedded encryption key. The encrypted result is sent back to the first system where it is authenticated using the stored encryption key and hash value.
Type: Grant
Filed: May 15, 2009
Date of Patent: November 19, 2013
Assignee: International Business Machines Corporation
Inventors: Gerald Francis McBrearty, Shawn Patrick Mullen, Jessica Carol Murillo, Johnny Meng-Han Shieh
-
Publication number: 20130305051
Abstract: Systems and methods for generating credentials are described. A subject private key that has been encrypted with a session key and a subject public key are received. A storage session key is generated and the subject private key is encrypted with the storage session key. A storage private key is retrieved and the storage session key is encrypted with the storage private key. The subject private key encrypted with the storage session key and the encrypted storage session key are stored in a memory.
Type: Application
Filed: July 22, 2013
Publication date: November 14, 2013
Inventors: Christina Fu, Steven W. Parkinson, Nang Kon Kwan
-
Publication number: 20130305050
Abstract: Trust is established between a service provider (20) and a client (10) of the service provider (20). The client (10) is associated with a party that is known by an identity provider (50), and the identity provider (50) is trusted by the service provider (20). The identity provider (50) contacts (70) the party (80) via a predetermined medium, and requests the party to identify itself. The identity provider (50) determines whether the identity of the identifying party (80) corresponds to an identity held by the identity provider (50) for the party and shares a secret (100) with the identifying party (80) in the event that the identity provider (50) has determined that the identity of the identifying party (80) is the same as said identity held by the identity provider (50).
Type: Application
Filed: January 25, 2013
Publication date: November 14, 2013
Applicant: VISA EUROPE LIMITED
Inventors: Matthew Johnson, Malcolm Lewis, Boris Taratine
-
Patent number: 8584253
Abstract: Access to content may be administered by storing content, the content comprising one or more selections, accessing a passive optical out-of-band token associated with the content, determining an access right for the content based on the passive optical out-of-band token, and enabling access to the content in accordance with the access right.
Type: Grant
Filed: August 29, 2011
Date of Patent: November 12, 2013
Assignee: Time Warner Inc.
Inventors: Steven M. Blumenfeld, William J. Raduchel
-
Patent number: 8584218
Abstract: One or more user service tickets are obtained (i.e. pre-fetched) from an authentication server and stored in a ticket cache. The user service tickets facilitate a login device communicating with one or more users or group members associated with the login device. Login credentials for the users or group members may be subsequently authenticated against the user service tickets within the ticket cache thereby eliminating the need for immediate access to the authentication server or a previous login session by the users or group members. The user service tickets within the ticket cache may be refreshed as needed. In one embodiment, the user service tickets are refreshed daily and also in response to login attempts if the authentication service is readily accessible.
Type: Grant
Filed: December 21, 2011
Date of Patent: November 12, 2013
Assignee: Quest Software, Inc.
Inventors: Matthew T. Peterson, Jeff Marsden Webb
-
Patent number: 8584233
Abstract: Providing malware-free web content to a user is disclosed. The web content is any type of web content that may potentially be infected by any type of malware. Upon receiving a request for a piece of web content from the user, the requested piece of web content is obtained from the appropriate source, and a dynamic template for the piece of web content is retrieved. The dynamic template indicates whether the requested piece of web content includes any malware and what actions are to be performed if any malware is included in the piece of web content. The requested piece of web content is cleaned up by performing the actions indicated in the dynamic template. Thereafter, the piece of web content is provided to the user. The dynamic template is updated from time to time based on the currently available information regarding the piece of web content.
Type: Grant
Filed: May 5, 2008
Date of Patent: November 12, 2013
Assignee: Trend Micro Inc.
Inventors: Liulin Yang, Kun Lu, Shiyu Xie
-
Patent number: 8583932
Abstract: [Problem] Provided is an anonymous authentication system which can issue an anonymous authentication certificate that can hold any number of attributes.
Type: Grant
Filed: May 13, 2010
Date of Patent: November 12, 2013
Assignee: NEC Corporation
Inventor: Jun Furukawa
-
Patent number: 8578151
Abstract: The present invention provides systems and methods for making efficient trust management decisions. A trust management engine is provided that processes requests for system resources, authorizations or certificates, and the identity of one or more root authorities that are ultimately responsible for granting or denying the requests. To determine whether a request should be granted, the trust management engine identifies a set of principals from whom authorization may flow, and interprets each of the certificates as a function of the state of one or more of the principals. The processing logic iteratively evaluates the functions represented by the certificates, updates the states of the principals, and repeats this process until a reliable determination can be made as to whether the request should be granted or denied.
Type: Grant
Filed: March 29, 2011
Date of Patent: November 5, 2013
Assignee: Intertrust Technologies Corporation
Inventors: Stephen P. Weeks, Xavier Serret-Avila
-
Patent number: 8578166
Abstract: Methods and systems for secure electronic data communication over public communication networks. A secure data communication component may be utilized to implement a communication protocol. New versions of the data communication component may be generated, with each version containing a different communication protocol. Source code of the data communication component may be modified using a polymorph engine to create a functionally-equivalent component having a different code structure. An anti-phishing component may intercept a link in an electronic communication activated by a user, analyze the link and the electronic communication, determine a phishing risk to the user posed by the link, and direct the user to a location indicated by the link or redirect the user to a valid location. A server authentication component may detect and prevent DNS attacks, injections, and defacing activities.
Type: Grant
Filed: August 6, 2008
Date of Patent: November 5, 2013
Assignee: Morgamon SA
Inventors: Bernard De Monseignat, Stéphane Moreau
-
Patent number: 8578167
Abstract: [Object] To provide a technique for authenticating a communication partner using an electronic certificate containing personal information. [Solving Means] When a client apparatus receives a request for an electronic certificate from a server apparatus, the server apparatus reads a client certificate containing personal information and a server public key of the server apparatus from a storage unit and encrypts the client certificate using the server public key. The client apparatus also creates a temporary electronic certificate by setting, in a basic field of an electronic certificate, a predetermined item indicating that the electronic certificate is a temporary electronic certificate and by setting the client certificate having been encrypted in an extension field of the electronic certificate. Then, the client apparatus sends the temporary electronic certificate to the server apparatus.
Type: Grant
Filed: April 26, 2012
Date of Patent: November 5, 2013
Assignee: International Business Machines Corporation
Inventors: Takashi Miyamoto, Kohsuke Okamoto
-
Patent number: 8572679
Abstract: A system is provided for employing an orchestrator to deploy and implement changes to a system. A change request may be a system build, upgrade, and patches for updating a subset of files within the system. The orchestrator may initially perform a security check and a validation check on a received change request. Upon receiving validation and approval, the change request may be deployed and propagated through a series of deployment scopes. The deployment scopes may become increasingly larger to extensively test the applied change before fully implementing the change on the target system. The orchestrator may submit the applied change to a validation component for getting validation of the change within the deployment scope after each applied change within a deployment scope. After the change request has been deployed through the deployment scopes and validated, the change request may be deployed to the target system and fully implemented.
Type: Grant
Filed: July 24, 2012
Date of Patent: October 29, 2013
Assignee: Microsoft Corporation
Inventors: Ruiyi Wang, Jaskaran Singh, Vinod Kumar, Shane Brady, Ann Williams, Alexander MacLeod
-
Patent number: 8572715
Abstract: In a method for use in a data storage system which applies high safety requirements for the storage of data on a server in a telecommunications network and for the retrieval of the files by the local computers linked with the server via the network, the applicant is provided with a user certificate and public and secret keys, preferably on a chip card. Once the server is dialed up via the Internet, a client program is forwarded to the user which controls authentication of the user and the transmission of additional safety-relevant features of proof such as biometrical systems, geographical positioning, time-dependent data, network and computer data, etc., to the server. The storage system on the server is provided with a locker-type characteristic by establishing folders comprising a specific file for the safety requirements related thereto. The lockers are distinguished by their specific function and are only displayed to the user when the safety requirements are met.
Type: Grant
Filed: June 17, 2004
Date of Patent: October 29, 2013
Assignee: Deutsche Telekom AG
Inventors: Siegfried Koeppen, Stefan Loewe
-
Patent number: 8572373
Abstract: An embodiment relates generally to a method of selecting certificates. The method includes invoking a send option for an email client and displaying a send mail user interface for the email client. The method also includes displaying a default certificate in a graphical user element in the send mail user interface.
Type: Grant
Filed: November 30, 2006
Date of Patent: October 29, 2013
Assignee: Red Hat, Inc.
Inventor: Robert B. Lord
-
Patent number: 8566596
Abstract: In an example embodiment, an apparatus comprising a transceiver configured to send and receive data and logic coupled to the transceiver. The logic is configured to determine from a signal received by the transceiver whether an associated device sending the signal supports a protocol for advertising available services. The logic is configured to send a request for available services from the associated device via the transceiver responsive to determining the associated device supports the protocol. The logic is configured to receive a response to the request via the transceiver, the response comprising at least one service advertisement and a signature. The logic is configured to validate the response by confirming the signature.
Type: Grant
Filed: August 24, 2010
Date of Patent: October 22, 2013
Assignee: Cisco Technology, Inc.
Inventors: David Stephenson, Esteban Raul Torres, Joseph Salowey, Chetin Ersoy, Nancy Cam-Winget
-
Patent number: 8566595
Abstract: A method and system for use in managing secure communications with software environments is disclosed. In at least one embodiment, the method and system comprises maintaining, in a Java operating environment, a regulatory compliant communications facility that is accessible to a Flex operating environment. The Flex and Java operating environments are caused to use the regulatory compliant communications facility for network communications with a data storage system.
Type: Grant
Filed: March 30, 2011
Date of Patent: October 22, 2013
Assignee: EMC Corporation
Inventors: Scott E. Joyce, Gregory W. Lazar, Christopher S. Lacasse
-
Publication number: 20130275760
Abstract: Disclosed is a method for configuring an internal entity of a WiFi-enabled remote station with a certificate. In the method, the remote station receives the certificate in at least one message from a registrar acting as a certificate authority. The remote station provides the certificate to the internal entity. The internal entity securely communicates with an external entity based on the certificate.
Type: Application
Filed: March 6, 2013
Publication date: October 17, 2013
Applicant: QUALCOMM Incorporated
Inventors: Philip HAWKES, Olivier Jean BENOIT, Anand PALANIGOUNDER
-
Patent number: 8560834
Abstract: A system and method for client-side authentication for secure Internet communications is disclosed. In one embodiment, an intermediate device receives a web browser secure socket layer certificate from a web browser, authenticates the web browser using the secure socket layer certificate, and then re-signs the secure socket layer certificate with an intermediate device public key and an intermediate device certificate authority signature. The intermediate device sends the re-signed secure socket layer certificate to a web server and the web server authenticates the intermediate device using the re-signed secure socket layer certificate. In another embodiment, an intermediate device receives a web browser secure socket layer certificate from a web browser, inserts the web browser secure socket layer certificate into an HTTP header of a packet, and sends the packet to a web server.
Type: Grant
Filed: April 19, 2012
Date of Patent: October 15, 2013
Assignee: Akamai Technologies, Inc.
Inventor: KaFai Lau
-
Patent number: 8561158
Abstract: A system and method for searching and retrieving certificates, which may be used in the processing of encoded messages. In one broad aspect, certificate identification data that uniquely identifies a certificate associated with a message is generated. The certificate identification data can then be used to determine whether the certificate is stored on a computing device. Only the certificate identification data is needed to facilitate the determination alleviating the need for a user to download the entire message to the computing device in order to make the determination.
Type: Grant
Filed: September 13, 2012
Date of Patent: October 15, 2013
Assignee: Blackberry Limited
Inventors: Neil Patrick Adams, Michael Stephen Brown, Herbert Anthony Little
-
Patent number: 8555344
Abstract: Described herein are systems and methods for fallback operation within WLANs that rely on remote authentication procedures. When a primary network node authentication process fails, fallback access control parameters associated with a secondary network node authentication process are exchanged between a network node and an authentication server, wherein the secondary network node authentication process allows the network node to access other resources of a computer network.
Type: Grant
Filed: June 4, 2004
Date of Patent: October 8, 2013
Assignee: McAfee, Inc.
Inventors: Ulrich Wiedmann, Terrance L. Lillie, Richard P. Sneiderman, Christian Wiedmann, Robert Zeljko
-
Patent number: 8555069
Abstract: Modern network communications often require a client application requesting data to authenticate itself to an application providing the data. Such authentication requests can be redundant, especially in the case of stateless network protocols. When a full authentication is performed, a conversation identifier and one or more encryption keys can be agreed upon. Subsequent authentication requests can be answered with a fast reconnect token comprising the conversation identifier and a cryptographically signed version of it using the one or more encryption keys. Should additional security be desirable, a sequence number can be established and incremented in a pre-determined or a random manner to enable detection of replayed fast reconnect tokens. If the recipient can verify the fast reconnect token, the provider can be considered to have been authenticated based on the prior authentication. If an aspect of the fast re-authentication should fail, recourse can be had to the original full authentication process.
Type: Grant
Filed: March 6, 2009
Date of Patent: October 8, 2013
Assignee: Microsoft Corporation
Inventors: Liqiang Zhu, Paul J. Leach, Kevin Thomas Damour, David McPherson, Tanmoy Dutta
-
Patent number: 8549300
Abstract: In general, the invention is directed to techniques for enabling single sign-on (SSO) for a client seeking access to multiple resources protected by a certificate-based authentication scheme. For example, as described herein, a secure gateway comprises a certificate repository to store a digital certificate as well as a policy that includes one or more policy rules. A network interface of the secure gateway receives a message from a client device, wherein the message comprises a request to access a protected resource and an identifier for the requesting agent. The secure gateway also comprises a resource authentication module to map the identifier and the protected resource to the digital certificate based on the policy. The resource authentication module retrieves the digital certificate from the certificate repository and sends the digital certificate to the protected resource to authenticate the secure gateway to the protected resource.
Type: Grant
Filed: February 23, 2010
Date of Patent: October 1, 2013
Assignee: Juniper Networks, Inc.
Inventors: Kartik Kumar, James Wood