By Generation Of Certificate Patents (Class 713/175)
  • Patent number: 8549598
    Abstract: A multifunction apparatus 21 of the present invention communicates with an information processing apparatus 51 via a communication network 50. The multifunction apparatus 21 includes an apparatus control section 7, a second web server section 8, and a web browser section 5 which communicates with a first web server section 53 or the second web server section 8. The apparatus control section 7 transmits login information entered by a user to an authentication server 91. The web browser section 5 (i) accepts, from the first web server section 53, control information for informing the second web server section 8 of a control instruction to obtain user related information from the authentication server 91 and (ii) carries out an informing process in which the second web server section 8 is informed of the control instruction. The apparatus control section 7 obtains the user related information from the authentication server 91 in accordance with the control instruction received by the second web server section 8.
    Type: Grant
    Filed: April 25, 2011
    Date of Patent: October 1, 2013
    Assignee: Sharp Kabushiki Kaisha
    Inventor: Kunihiko Tsujimoto
  • Patent number: 8549310
    Abstract: The invention relates to methods and apparatuses for acquiring a physical measurement, and for creating a cryptographic certification of that measurement, such that its value and time can be verified by a party that was not necessarily present at the measurement. The certified measurement may also include corroborative information for associating the actual physical measurement process with the certified measurement. Such corroborative information may reflect the internal or external state of the measurement certification device, as well as witness identifiers of any persons that may have been present at the measurement acquisition and certification. The certification may include a signal receiver to receive timing signals from a satellite or other external source. The external timing signals may be used to generate the time included in the certified measurement, or could be used to determine the location of the measurement certification device for inclusion in the certified measurement.
    Type: Grant
    Filed: June 24, 2009
    Date of Patent: October 1, 2013
    Assignee: Walker Digital, LLC
    Inventors: Jay S. Walker, Bruce Schneier, James A. Jorasch
  • Patent number: 8549606
    Abstract: There is provided a device for protecting a digital content. The device includes a digital content processing section that causes a digital content to be protected using security information; and an encrypting section that encrypts the security information, using a key acquired from a Digital Right Management system of an electronic ticket system.
    Type: Grant
    Filed: October 26, 2005
    Date of Patent: October 1, 2013
    Assignee: Fuji Xerox Co., Ltd.
    Inventor: Kazuo Saito
  • Patent number: 8543799
    Abstract: A secure mechanism for performing a network boot sequence and provisioning a remote device may use a private key of a public key/private key encryption mechanism to generate a command by a server and have the command executed by the device. The command may be used to verify the authenticity of the remote device, and may be used to establish ownership of the device. After authenticity and, in some cases ownership is established, bootable software may be downloaded and executed. The remote device may be provisioned with software applications. One mechanism for performing the initial encrypted commands is through a Trusted Platform Module. In many embodiments, the public key for the initial encrypted communication may be provided through a trusted second channel.
    Type: Grant
    Filed: May 2, 2008
    Date of Patent: September 24, 2013
    Assignee: Microsoft Corporation
    Inventors: Christopher McCarron, Varugis Kurien
  • Patent number: 8544066
    Abstract: An authentication device includes a user authentication certificate generation unit that issues to another device user authentication information on which information about a user is recorded; and a right transfer certificate/token generation unit that issues right transfer information and a token corresponding to the right transfer information to another device on the basis of information about a user to whom the right is transferred and a condition under which the right is transferred. A service proxy access device includes a token request unit that requests the issuing of the right transfer information and the token in order to access another device; and a user proxy access unit that accesses another service using the token. The service providing device includes a user authentication certificate request unit that acquires user authentication information from the authentication device using the token.
    Type: Grant
    Filed: December 25, 2008
    Date of Patent: September 24, 2013
    Assignee: NEC Corporation
    Inventor: Makoto Hatakeyama
  • Patent number: 8539240
    Abstract: Digital rights management (DRM) can be effectively implemented through use of an anchor point and binding records in a user domain. Furthermore, authentication of a rights object defining the scope of access allowed for a digital property instance may be achieved through use of a signing key in the anchor point. The signing key may be used to assure no tampering has occurred with the rights object since acquisition of a digital property instance. A digital property owner may gain additional functionality and control through implementation of a play counter, rental duration limit, etc., using a signing key.
    Type: Grant
    Filed: January 27, 2009
    Date of Patent: September 17, 2013
    Assignee: Seagate Technology LLC
    Inventor: Paul Marvin Sweazey
  • Patent number: 8539239
    Abstract: An information processing apparatus includes: an acquiring unit that acquires specific information; a preparation unit that makes out a certificate signing request based on the specific information, wherein the preparation unit makes out a first type certificate signing request including extensions and makes out a second type certificate signing request not including extensions; a display control unit that displays a selection screen on a display unit; and an output unit that is configured to output one of the first type certificate signing request and the second type certificate signing request to an outside according to selecting by a user in the selection screen.
    Type: Grant
    Filed: July 19, 2011
    Date of Patent: September 17, 2013
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventor: Takeshi Nagasaki
  • Patent number: 8533811
    Abstract: A technique allows software developers to develop applications for a smart phone or other terminal by unlocking the terminal so that it can run unsigned applications. A developer registers with a web-based service, agrees to registration terms, and provides authentication credentials. Data which verifies the authentication credentials is provided back to the developer's computer. The terminal is connected to the developer's computer, and via a user interface, the developer requests registration of the terminal. In response, the terminal receives the data from the developer's computer, and provides the data and a unique terminal identifier to the service. If authorized, the service returns a persistent token or license which is stored at, and used to unlock, the terminal. The service can also provide a command which enforces an expiration date. The terminal checks in with the service to determine if the account is in good standing, and is re-locked if warranted.
    Type: Grant
    Filed: August 10, 2010
    Date of Patent: September 10, 2013
    Assignee: Microsoft Corporation
    Inventors: John Bruno, Michael Saffitz, Kenneth D. Ray, Geir Olsen
  • Patent number: 8533813
    Abstract: An image processing apparatus capable of managing easily secret information even with detachably attaching an external memorizing device, includes an ID (plug and play ID) retrieving unit for retrieving ID from the connected memory, a user information storing unit for storing user information, an active memory information storing unit for storing the retrieved ID with corresponding to the respective users, a memory use judging unit for judging as to whether the memory is usable based on the ID retrieved from the connected memory and on the ID stored in the active memory information storing unit, and a data writing controlling unit for writing data to the memory judged as usable.
    Type: Grant
    Filed: January 29, 2009
    Date of Patent: September 10, 2013
    Assignee: Oki Data Corporation
    Inventor: Kenichi Machiyama
  • Patent number: 8528104
    Abstract: A security device of this invention includes a nonvolatile storage unit 22 for storing a validity check unit including a counter updated every time signature function means 30 is called up, a volatile storage unit 24 for reading and storing a counter array out of an external nonvolatile storage unit storing the counter array, in which the counter array is obtained by coupling a hash value generated for each signature key with a signature number counter for counting the number of signatures performed by use of the signature key, and a hash function unit 28 for reading the counter array out of the volatile storage unit 24, generating the hash value, and transferring the hash value to the validity check unit for a validity check.
    Type: Grant
    Filed: April 14, 2011
    Date of Patent: September 3, 2013
    Assignee: International Business Machines Corporation
    Inventors: Hiroshi Maruyama, Seiji Munetoh, Sachiko Yoshihama
  • Patent number: 8528060
    Abstract: Efficient secure password protocols are constructed that remain secure against offline dictionary attacks even when a large, but bounded, part of the storage of a server responsible for password verification is retrieved by an adversary through a remote or local connection. A registration algorithm and a verification algorithm accomplish the goal of defeating a dictionary attack. A password protocol where a server, on input of a login and a password, carefully selects several locations from the password files, properly combines their content according to some special function, and stores the result of this function as a tag that can be associated with this password and used in a verification phase to verify access by users.
    Type: Grant
    Filed: December 22, 2006
    Date of Patent: September 3, 2013
    Assignee: Telcordia Technologies, Inc.
    Inventors: Giovanni Di Crescenzo, Richard J. Lipton, Sheldon Walfish
  • Patent number: 8528057
    Abstract: A method, and apparatus for executing the method, that includes creating a virtual account not limited to being associated with any one of a plurality of servers. The method further includes matching at least some authentication credentials of a first server of the plurality of servers with at least some authentication credentials of the virtual account.
    Type: Grant
    Filed: March 7, 2006
    Date of Patent: September 3, 2013
    Assignee: EMC Corporation
    Inventor: Steven Harold Garrett
  • Patent number: 8527770
    Abstract: A method is provided for provisioning a device certificate on a device. The device is configured to communicate wirelessly with a plurality of backend servers via a communication network. The communication network includes a mobile data server. An activation request is initiated to the mobile data server for activating the device on the communication network. During activation, a device certificate request is provided to the mobile data server for the device. The device certificate request includes at least a user identifier, a device identifier and a device public key. The device certificate request is forwarded from the mobile data server to a predefined certification authority. A device certificate from the predefined certification authority is received at the device in response to the device certificate request.
    Type: Grant
    Filed: July 20, 2006
    Date of Patent: September 3, 2013
    Assignee: Research In Motion Limited
    Inventors: Michael K. Brown, Michael S. Brown, Michael Kirkup
  • Patent number: 8527771
    Abstract: A method of managing revocation when an alternate transmission method, using an alternate transmitter identity and an alternate receiver identity, is juxtaposed into an original transmission system, the original transmission system having its own original transmitter and receiver identities that communicate via an original transmission method involves at an alternate transmission receiver (ATR), providing a digital certificate, the digital certificate cryptographically binding the ATR identity to an original transmission (OT) re-transmitter identity; at the ATR, responsive to an initiation of a communication session from an alternate transmission transmitter (ATT), sending the digital certificate to the ATT using the alternate transmission method; at the ATT, extracting the original transmission identity from the certificate and sending it to the original transmission transmitter (OTT) using the original transmission method for checking in a revocation list; and if the OT identity is found to be in the revoca
    Type: Grant
    Filed: February 7, 2008
    Date of Patent: September 3, 2013
    Assignees: Sony Corporation, Sony Electronics Inc.
    Inventor: Brant L. Candelore
  • Patent number: 8522031
    Abstract: A trusted relationship service includes a certificate authentication server and a secure file host. The certificate authentication server operates to receive requests from a supplier and a customer to register with the service, verifies the identities of the supplier and the customer and sends digital certificates to both the supplier and the customer. The supplier can send information to the trusted relationship service where it is posted in a secure file host. The supplier can solicit the customer to visit the trusted relationship service web site to view the supplier information stored there, whereupon the customer can use their digital certificate to access the trusted relationship service site and is granted permission by the site to view the supplier information.
    Type: Grant
    Filed: May 14, 2010
    Date of Patent: August 27, 2013
    Assignee: Force 10 Networks, Inc.
    Inventor: Bruce D. Miller
  • Patent number: 8522343
    Abstract: A system and a method are disclosed for managing applications on a mobile computing device. A command message is received at the mobile computing device specifying a command and a target application. The command message may have been sent by an application provider server. The command may be a removal command, an enable command, or a disable command. A removal or disable command may be used to remove or disable a problematic target application. The specified command is performed on the target application.
    Type: Grant
    Filed: December 21, 2009
    Date of Patent: August 27, 2013
    Assignee: Palm, Inc.
    Inventor: Brian Hernacki
  • Patent number: 8520670
    Abstract: A node device provides secure communication services over a data network, such as the Internet or another public or private packet switched network, to multiple computers that are coupled through the node device and multiple other node devices. The node device includes a network communication interface for coupling the node device to the data network. The node device includes a data storage containing cryptographic information including information that is unique to the node device. The node device also includes a tunneling communication service coupled to the network interface configured to maintain an encrypted communication tunnel with each of multiple other node devices using the cryptographic information. For example, the encrypted communication tunnels are implemented using the IPsec or PPTP protocols. The node device includes a routing database for holding routing data and a router coupled to the tunneling communication service and to the routing database.
    Type: Grant
    Filed: September 8, 2008
    Date of Patent: August 27, 2013
    Assignee: RPX Corporation
    Inventors: Michael L. Giniger, Warren S. Hilton
  • Publication number: 20130219181
    Abstract: The invention relates to a method for reading at least one attribute stored in an ID token (106, 106′) using first (136), second (150) and third (100) computer systems, wherein the third computer system comprises a browser (112) and a client (113), and wherein a service certificate (144) is assigned to the second computer system, wherein the service certificate comprises an identifier which is used to identify the second computer system, wherein the ID token is assigned to a user (102), having the following steps: a first cryptographically protected connection (TLS1) is set up between the browser of the third computer system and the second computer system, wherein the third computer system receives a first certificate (176), the first certificate is stored by the third computer system, the third computer system receives a signed attribute specification (182) via the first connection, a second cryptographically protected connection (TLS2) is set up between the browser of the third computer system and the first
    Type: Application
    Filed: April 20, 2011
    Publication date: August 22, 2013
    Applicant: BUNDESDRUCKEREI GMBH
    Inventors: Carsten Schwarz, Günter Koch
  • Publication number: 20130219166
    Abstract: A method for providing authentication credentials to a server over a communications network includes initiating communication with a server over a communications network. The communication is to be established using a secure connection. A message is received from the server over the communications network as well as a request for a digital certificate associated with a first user account accessible to the server. An encrypted private key is decrypted in a secure hardware module to obtain a decrypted private key. The decrypted private key is associated with the first user account. The message received from the server is passed to the secure hardware module. The message is digitally signed in the secure hardware module using the decrypted private key. The digital certificate and the digitally signed message are sent to the server over the communication network.
    Type: Application
    Filed: February 20, 2012
    Publication date: August 22, 2013
    Applicant: MOTOROLA MOBILITY, INC.
    Inventors: Todor Ristov, Stuart P. Moskovics
  • Patent number: 8516259
    Abstract: A method includes receiving an authentication certificate of a voice mail account holder and/or an authentication certificate of a caller wanting to leave a voice mail message in the holder's voice mail account. A voice mail apparatus that provides voice mail service for the voice mail account holder performs such receiving. The account holder and/or the caller are authenticated after receiving the authentication certificate of the party being authenticated. Authenticating the account holder and/or the caller is performed using authentication information contained within the respective certificate. After such authentication is successfully performed, a voice mail message record can be created in the account of the account holder. Such creating includes allowing the caller to store the message in the account of the account holder in addition to associating authenticated identification information of the caller with the message and/or providing authenticated identification of the account holder to the caller.
    Type: Grant
    Filed: September 3, 2008
    Date of Patent: August 20, 2013
    Assignee: Alcatel Lucent
    Inventors: Christophe Gustave, Stanley Chow, Shu-Lin Chen
  • Patent number: 8515389
    Abstract: We present technology that allows layman computer users to simply create, provision, and maintain secured infrastructure—an instant PKI. This technology can be used in a wide variety of applications including wired and wireless networks, secure sensor networks (such as medical networks), emergency alert networks, as well as simply and automatically provisioning network devices whether secure or not.
    Type: Grant
    Filed: February 14, 2011
    Date of Patent: August 20, 2013
    Assignee: Palo Alto Research Center Incorporated
    Inventors: Diana K. Smetters, Dirk Balfanz, Glenn E. Durfee, Rebecca E. Grinter, Paul J. Stewart, Hao-Chi Wong
  • Patent number: 8516245
    Abstract: A validation authority for certificates searches for and verifies paths and certificate revocation lists periodically, and classifies the paths into valid paths and invalid paths in accordance with the results of the validations, so as to register the paths in databases beforehand. Besides, in a case where a request for authenticating the validity of a certificate has been received from an end entity, the validation authority judges the validity of the public key certificate by checking in which of the valid-path database and the invalid-path database a path corresponding to the request is registered. On the other hand, in a case where the path corresponding to the validity authentication request is not registered in either of the databases, the validity of the public key certificate is authenticated by performing path search and validation anew.
    Type: Grant
    Filed: June 19, 2009
    Date of Patent: August 20, 2013
    Assignee: Hitachi, Ltd.
    Inventors: Yoko Kumagai, Takahiro Fujishiro, Tadashi Kaji, Shingo Hane, Hitoshi Shimonosono
  • Patent number: 8516258
    Abstract: Current MAC algorithms impose a significant system performance requirement in order to process messages in real time. According to an exemplary embodiment of the present invention, a hardware implemented generator for generating a MAC is provided, that results in a significant improvement in hardware performance requirements for processing messages in real time. The engine is based on linear feedback shift registers which are adapted to generate secure MACs.
    Type: Grant
    Filed: February 24, 2006
    Date of Patent: August 20, 2013
    Assignee: NXP B.V.
    Inventors: Marc Vauclair, Serret Avila Javier, Ventzislav Nikov
  • Patent number: 8510844
    Abstract: In a system which attaches update information required to create a content key used for content encryption/decryption to encrypted content and transmits the encrypted content, there is used an authorized content verification method including a verification request step of, by a receiver, transmitting an authorization verification request including update information received from a transmitter, an update information check step of, by the transmitter, checking whether the update information included in the received authorization verification request is predetermined update information, a message-of-acceptance transmission step of creating a message of acceptance using the update information and an exchange key shared between the transmitter and the receiver and transmitting the message of acceptance if the update information matches the predetermined update information, and an authorized content determination step of, by the receiver, determining that content is authorized content on the basis of reception of
    Type: Grant
    Filed: October 12, 2005
    Date of Patent: August 13, 2013
    Assignee: Panasonic Corporation
    Inventors: Ayako Takatsuji, Hiroyuki Iitsuka, Naoshi Usuki
  • Patent number: 8510563
    Abstract: A communication apparatus includes: a first storage unit storing a certification authority certificate; a verification unit verifying an electronic signature attached to a first electronic mail received by a receiving unit from a mail server based on the certification authority certificate; an output unit outputting the first electronic mail when a verification result of the verification unit is positive; a deletion unit deleting the first electronic mail from the mail server; a notification unit notifying a user of information regarding a specific certification authority when a specific certification authority certificate is not stored in the first storage unit; an acquiring unit acquiring the specific certification authority certificate; and a storage control unit storing the acquired specific certification authority certificate. The receiving unit again receives the first electronic mail.
    Type: Grant
    Filed: March 22, 2010
    Date of Patent: August 13, 2013
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventor: Takao Seki
  • Patent number: 8504829
    Abstract: A certification system connected to a radio communication system which includes a device configured to perform a first certification based on first information received via the radio communication system from a radio terminal. A first access server is connected to a first network and to the radio network and the first access server is configured to acquire the first information and to perform a second certification based on second information received via the radio network from the radio terminal. The first access server also selectively provides information requested by the radio terminal to the radio terminal based on the second information.
    Type: Grant
    Filed: August 25, 2006
    Date of Patent: August 6, 2013
    Assignee: NHN Corporation
    Inventor: Jae Jun Lee
  • Publication number: 20130198521
    Abstract: An online file storage system having secure file drawer and safe is disclosed for securely storing and sharing confidential files. The system comprises a web-based user interface, tools for setting up server-side encryption method and client-side encryption method, tools for synchronizing encryption between different computers, tools for uploading files, tools for tracking files, tools for granting the right of access to files to the owner of other safes, and tools for generating authenticity certificate for proving the upload time and the substance of the files in a future time.
    Type: Application
    Filed: January 28, 2012
    Publication date: August 1, 2013
    Inventor: Jianqing Wu
  • Patent number: 8499145
    Abstract: A device setting apparatus performs setting operation with respect to a counterpart apparatus using secure communication even when the counterpart apparatus is not previously provided with information required for secure communication. The device setting apparatus detects an error when the error occurs during the setting operation, and executes a browser to request a user to correct the error during the setting operation.
    Type: Grant
    Filed: March 9, 2010
    Date of Patent: July 30, 2013
    Assignee: Ricoh Company, Limited
    Inventors: Hiroshi Ota, Akira Yokoyama, Atsushi Okazato
  • Patent number: 8499154
    Abstract: Methods and apparatus are provided for establishing a secure connection with a mobile device that is configured to store a first private key that mathematically corresponds to a first public key. The method comprises receiving a quasi-public key from a trusted entity, wherein the quasi-public key mathematically corresponds to a quasi-private key that is stored on the mobile device, receiving a first digital certificate from the mobile device, the first digital certificate comprising the first public key and a first digital signature generated with the quasi-private key, and authenticating the first digital certificate using the first digital signature and the quasi-public key.
    Type: Grant
    Filed: January 27, 2009
    Date of Patent: July 30, 2013
    Assignee: GM Global Technology Operations LLC
    Inventors: Fred W. Huntzicker, Ansaf I. Alrabady, David Racklyeft
  • Patent number: 8495735
    Abstract: A system and method for enhancing spam avoidance efficiency by automatically identifying a phishing website without human intervention. The system receives a stream of suspect Internet URLs for potential phishing websites and uses a comparison strategy to determine whether the potential phishing website has already been labeled as a bona fide phishing website. A comparison system is utilized in which similarity data is calculated on various elements of the potential phishing website and then compared to similarity data of known phishing websites. Various types of similarity measure methodologies are potentially incorporated and a similarity threshold value can be varied in order to respond to phishing threats.
    Type: Grant
    Filed: December 28, 2009
    Date of Patent: July 23, 2013
    Assignee: UAB Research Foundation
    Inventors: Gary Warner, Bradley Wardman
  • Patent number: 8495375
    Abstract: Methods and systems for secure channel initialization between a client network element and a server network element are disclosed. In accordance with one embodiment of the present disclosure, the method includes: sending a secure channel initialization request from the client network element to the server network element; receiving the secure channel initialization request at the server network element; creating a server credential and a client credential at the server network element; and sending a secure channel initialization response from the server network element to the client network element, the secure channel initialization response including the server credential and the client credential, wherein said server credential and said client credential are used to establish a secure session.
    Type: Grant
    Filed: December 21, 2007
    Date of Patent: July 23, 2013
    Assignee: Research In Motion Limited
    Inventor: Alexander Sherkin
  • Patent number: 8495381
    Abstract: This invention provides a simple and secure PIN unblock mechanism for use with a security token. A set of one or more passphrases are stored on a remote server during personalization. Likewise, the answers to the passphrases are hashed and stored inside the security token for future comparison. A local client program provides the user input and display dialogs and ensures a secure communications channel is provided before passphrases are retrieved from the remote server. Retrieval of passphrases and an administrative unblock secret from the remote server are accomplished using a unique identifier associated with the security token, typically the token's serial number. A PIN unblock applet provides the administrative mechanism to unblock the security token upon receipt of an administrative unblock shared secret. The remote server releases the administrative unblock shared secret only after a non-forgeable confirmatory message is received from the security token that the user has been properly authenticated.
    Type: Grant
    Filed: August 6, 2007
    Date of Patent: July 23, 2013
    Assignee: Activcard
    Inventor: Mark Herbert Priebatsch
  • Patent number: 8484474
    Abstract: A method for installing embedded firmware is provided. The method includes generating one or more firmware file instances and generating one or more digital certificate instances that are separate instances from the firmware file instances. The method includes associating the one or more digital certificate instances with the one or more firmware file instances to facilitate updating signature-unaware modules with signature-aware firmware or to facilitate updating signature-aware modules with signature-unaware firmware.
    Type: Grant
    Filed: July 1, 2010
    Date of Patent: July 9, 2013
    Assignee: Rockwell Automation Technologies, Inc.
    Inventors: Brian A. Batke, Jack M. Visoky, James J. Kay, Scott A. Mintz, William B. Cook
  • Patent number: 8484462
    Abstract: This invention relates to a system and method for providing secure reliable expansion of a mobile network. The system includes one or more portable communications devices (PCDs) which incorporate routing, authentication and encryption capabilities and are adapted to provide a connection between a peripheral device and a base-station either directly or indirectly via other similarly configured PCDs. The PCDs also incorporate tamper-proofing features to provide added security.
    Type: Grant
    Filed: November 7, 2008
    Date of Patent: July 9, 2013
    Assignee: Lockheed Martin Corporation
    Inventor: Elliott Reitz
  • Patent number: 8484475
    Abstract: In a data transmission method for a tachograph system, digital messages are transmitted between a speed transmitter (MS) and a recording unit (RU). The digital messages contain a pair of keys including a public key (KMP, KRP) and a private key (KMS, KRS), as well as a certificate (ZM, ZR) derived from the respective pair of keys. The public keys (KMP, KRP) and the certificates (ZM, ZR) are mutually verified between the recording unit (RU) and the speed transmitter (MS). If the verification is positive, the speed transmitter (MS) detects sensor data, and a digital message is generated therefrom. In addition, the speed transmitter (MS) generates authentication data for the message in accordance with the pair of keys (KMP, KMS) thereof. The message and the authentication data are transmitted to the recording unit and are processed there in accordance with a validity of the authentication data verified by the recording unit (RU).
    Type: Grant
    Filed: January 7, 2009
    Date of Patent: July 9, 2013
    Assignee: Continental Automotive GmbH
    Inventors: Detlef Böhler, Thomas Grill, Erwin Hess, Bernd Meyer, Horst Plankenhorn
  • Publication number: 20130173912
    Abstract: A digital right management method, including: generating, by a first user equipment having access right to shared digital contents, a common public key based on one or more public keys of one or more second user equipments intended to share the digital contents, respectively; encrypting, by the first user equipment, a key of the digital contents with the common public key to generate a ciphertext of the key of the digital contents; generating, by the first user equipment, from the ciphertext a new authorization certificate corresponding to the digital contents; and transmitting, by the first user equipment, the new authorization certificate and the digital contents to the second user equipments to instruct the second user equipments to share the digital contents in accordance with the new authorization certificate.
    Type: Application
    Filed: December 28, 2012
    Publication date: July 4, 2013
    Applicants: Peking University Founder Group Co., Ltd., Founder Information Industry Holdings Co., Ltd., Peking University, Beijing Founder Apabi Technology Ltd.
    Inventors: Peking University Founder Group Co., Ltd., Beijing Founder Apabi Technology Ltd., Peking University, Founder Information Industry Holdings Co., Ltd.
  • Patent number: 8479282
    Abstract: A monitoring device is provided on a LAN to which a communication device that is a target of a denial-of-service attack is connected, and monitors a packet transmitted to the communication device via an ISP network. A restricting device is provided on the ISP network, and restricts a packet to the LAN. The monitoring device detects an attack by the packet on the communication device, and transmits protection request information indicating a request for protection against the attack to the restricting device. The restricting device restricts a packet transmitted to the communication device via the ISP network based on the protection request information.
    Type: Grant
    Filed: August 19, 2005
    Date of Patent: July 2, 2013
    Assignee: Nippon Telegraph and Telephone Corporation
    Inventor: Masaki Hamada
  • Patent number: 8479001
    Abstract: In a system where a communication device performs secure communication by using a digital certificate, to enable a device of a communication party to verify that a self certificate is certainly generated by a device indicated on the self certificate even if the self certificate is not delivered offline in advance. Based on a master key and a public parameter, a communication device generates an ID-based encryption private key for which a device unique ID is used as a public key. Then, the communication device generates the digital signature of an RSA public key as an ID-based encryption signature by using the ID-based encryption private key. Then, the communication device generates an RSA self signature for the RSA public key, an expiration date, a host name, the device unique ID, and the ID-based encryption signature as the target. Then, the communication device generates a self-signed certificate to include the ID-based encryption signature and the RSA self signature.
    Type: Grant
    Filed: December 9, 2009
    Date of Patent: July 2, 2013
    Assignee: Mitsubishi Electric Corporation
    Inventors: Takeshi Yoneda, Nobuhiro Kobayashi
  • Patent number: 8478830
    Abstract: A method and apparatus for processing digitally signed messages in which address mismatch errors are detected. In at least one aspect, the number of address mismatch errors reported to a user for a message may be minimized for messages that properly incorporate message portions signed by someone other than the sender of the message, as may be the case where the message contains a conversation thread for example, by performing at least one pre-determined action for digital signatures corresponding to signed data appearing after a message separator. The message separator may indicate that the message contains data from an older forwarded message or from an older message that has been replied to, for example. The at least one pre-determined action may comprise bypassing verification of address matches for those digital signatures, or verifying address matches for those digital signatures but suppressing user notification of any address mismatch errors, for example.
    Type: Grant
    Filed: December 13, 2011
    Date of Patent: July 2, 2013
    Assignee: Research In Motion Limited
    Inventors: Michael Kenneth Brown, Michael Grant Kirkup, Michael Stephen Brown
  • Patent number: 8479003
    Abstract: A system and method for non-real-time validation of an electronically signed message transmitted via an asynchronous communications link is provided. The method includes creating an electronic message comprising an electronically signed data entry created by executing a secure data application first portion (SDA1) module hosted by a mobile system. The method additionally includes passing the message to a communications management function first portion (CMF1) module via a synchronous interface. The CMF1 module is hosted by the mobile system. The method further includes transmitting the message from the CMF1 module to a communications management function second portion (CMF2) module in a temporally delayed manner using an asynchronous communications link. The CMF2 module is hosted by a central computer system (CCS) located remotely from the mobile system. The method further yet includes validating the electronically signed entry in a temporally delayed manner utilizing a user database.
    Type: Grant
    Filed: August 21, 2006
    Date of Patent: July 2, 2013
    Assignee: The Boeing Company
    Inventors: Steven J. Yukawa, Rajit Jain, Timothy W. Anstey, David L. Allen
  • Patent number: 8479002
    Abstract: An electronic certificate issuance system comprising at least one communication device, and an electronic certificate issuing device for issuing a set of an electronic certificate and a private key corresponding to the electronic certificate as a certification set for each of the at least one communication device, is provided. The electronic certificate issuing device includes a first connecting interface, an obtaining system, which is adapted to obtain a node ID assigned to each of the at least one communication device, a generating system, and a writing system. The at least one communication device includes a second connecting interface, a judging system, and an installing system.
    Type: Grant
    Filed: September 8, 2011
    Date of Patent: July 2, 2013
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventor: Masafumi Miyazawa
  • Patent number: 8473737
    Abstract: This authentication device includes: a volatile memory; a non-volatile memory which stores a plurality of electronic certificate files; a unit which refers to the non-volatile memory upon start-up, and which stores a hierarchical relationship between the plurality of electronic certificate files in the volatile memory; a unit for searching for a desired electronic certificate file based upon the hierarchical relationship between the plurality of electronic certificate files in the volatile memory; and an authentication unit which performs authentication using the electronic certificate file which has been found by the search unit.
    Type: Grant
    Filed: January 18, 2008
    Date of Patent: June 25, 2013
    Assignee: Seiko Epson Corporation
    Inventor: Yusaku Kikuchi
  • Patent number: 8473735
    Abstract: A method of managing a digital certificate by a computer system can include the steps of receiving, at the computer system, a business request for a digital certificate from a requester and transmitting, by the computer system, the request to a first approver. The method can further include, upon approval by the first approver, transmitting, by the computer system, the request to a second approver, upon approval by the second approver, transmitting, by the computer system, the request to a certificate manager, transmitting, by the computer system, the request to an implementer and receiving, by the computer system, from the implementer, technical information related to the request and transmitting, by the computer system, a certificate to a certificate supplier.
    Type: Grant
    Filed: May 19, 2008
    Date of Patent: June 25, 2013
    Assignee: JPMorgan Chase
    Inventors: Jay C. Jarvie, Leonid Vayner, Clive Anthony Payne
  • Patent number: 8474034
    Abstract: An apparatus comprising a processor configured to implement an anti-replay check for a plurality of received packets and a plurality of corresponding sequence numbers; and a circular buffer coupled to the processor and comprising a bitmap, wherein the bitmap is slid in a circular manner by updating a low index that points to a first sequence number for a first received packet and a high index that points to a last sequence number for a last received packet without bit-shifting, and wherein, when the update results in the new value of one of the low index and the high index exceeding the end of the circular buffer, the one of the low index and the high index wraps around from the beginning of the circular buffer.
    Type: Grant
    Filed: April 19, 2011
    Date of Patent: June 25, 2013
    Assignee: Futurewei Technologies, Inc.
    Inventors: Xiangyang Zhang, Xiaoyong Yi
  • Patent number: 8468351
    Abstract: A method for protecting a digital document and user data typed into a digital document is presented. The method comprises computation of an authentication tag when the document is sent from a server. A similar authentication tag is computed when the document is shown on a client. When another document referenced in the document is requested by the client from the server, the authentication tag computed by the client is attached to the request for that other document. The server receiving the request compares the authentication tag it computed with the one it received to verify if the request came from an authentic copy of the document. The method is suitable for protection of online banking, online investment, online shopping, and other electronic applications.
    Type: Grant
    Filed: December 14, 2007
    Date of Patent: June 18, 2013
    Assignee: Codesealer APS
    Inventor: Hans Martin Boesgaard Sørensen
  • Patent number: 8468340
    Abstract: A valid duration period for a digital certificate is established by a process that includes assigning numeric values to certificate terms. The numeric value assigned to each certificate term is representative of the valid duration period. The method continues by identifying one certificate term, which may include requesting a user to select a certificate term. The method may include transmitting the requested certificate term to a server. The certificate term requested is sent via a certificate request. The server is configured to convert the numeric value associated with the requested certificate term into a duration counter value. The method may also include a certificate server receiving from the server, the certificate request including the duration counter value. The method may conclude with transmitting the signed certificate request to a client device capable of generating the digital certificate with the requested certificate term.
    Type: Grant
    Filed: October 29, 2012
    Date of Patent: June 18, 2013
    Assignee: SecureAuth Corporation
    Inventors: Stephen Moore, Garret Graiek, Mark Lambiase, Craig Lund
  • Patent number: 8468597
    Abstract: A system and method for enhancing spam avoidance efficiency by automatically identifying a phishing website without human intervention. The system receives a stream of suspect Internet URLs for potential phishing websites and uses a comparison strategy to determine whether the potential phishing website has already been labeled as a bona fide phishing website. A comparison system is utilized in which similarity data is calculated on various elements of the potential phishing website and then compared to similarity data of known phishing websites. Various types of categorization structures and notification strategies are utilized in the system.
    Type: Grant
    Filed: December 28, 2009
    Date of Patent: June 18, 2013
    Assignee: UAB Research Foundation
    Inventors: Gary Warner, Bradley Wardman
  • Patent number: 8468354
    Abstract: A method for authentication authorization and accounting (AAA) in an interworking between at least two networks. The at least two networks are capable of communicating with a broker and include a first network and a second network to user certificate from a user device corresponding to a user of the first network. The first network to user certificate is signed by a first network private key and includes a broker to first network certificate and a user public key. The broker to first network certificate is signed by a broker private key and includes a first network public key. A session key is sent from the second network to the user device when the broker to first network certificate and the first network to user certificate are determined to be authentic by the second network based upon the broker public key and the first network public key, respectively. The session key is encrypted with the user public key. The session key is permitting the user device to access the second network.
    Type: Grant
    Filed: May 27, 2003
    Date of Patent: June 18, 2013
    Assignee: Thomson Licensing
    Inventor: Junbiao Zhang
  • Patent number: 8468355
    Abstract: In accordance with certain embodiments of the present disclosure, a method for creating a veiled certificate is provided. The method comprises requesting a certificate from a regulator by sending a message with a digital signature of the message signed by the owner. The message comprises an owner's veiled certificate token, the veiled certificate token comprising an encrypted version of the owner's identification data and the owner's identification public key for the certificate. The message further comprises the identification public key, the whole message being encrypted using the regulator's external public key. The certificate request is validated by verifying the sender's identity through validation of the digital signature using the owner's external public key and verifying the veiled certificate token using the individual's external public key.
    Type: Grant
    Filed: December 21, 2009
    Date of Patent: June 18, 2013
    Assignee: University of South Carolina
    Inventors: John H. Gerdes, Jr., Joakim Kalvenes, Chin-Tser Huang
  • Patent number: 8468359
    Abstract: Techniques for creating and using credentials for blinded intended audiences are provided. A principal desires access to a target service. An identity associated with the target service is hidden from an identity service via a random identifier. The identity service supplies an assertion with credentials and the random identifier. The principal sends the assertion and an access message, which also includes the random identifier to the target service. The target service compares the identifier included with the message to the identifier in the assertion and when a match occurs access is permitted to the target service, assuming other credentials associated with the assertion are satisfied as well.
    Type: Grant
    Filed: June 30, 2006
    Date of Patent: June 18, 2013
    Assignee: Novell, Inc.
    Inventors: Cameron Craig Morris, Lloyd Leon Burch, Tammy Anita Green