By Generation Of Certificate Patents (Class 713/175)
  • Patent number: 8291217
    Abstract: A management device configured to communicate with at least one second management device and at least one terminal device via a network includes an acquiring system configured to acquire first management information managed by the management device, a receiving system configured to receive second management information managed by each of the at least one second management device from each of the at least one second management device, a management information request receiving system configured to receive a management information request for the first management information and the second management information from the at least one terminal device, and a sending system configured to send, to the at least one terminal device, the first management information acquired by the acquiring system and the second management information received by the receiving system in response to the management information request being received by the management information request receiving system.
    Type: Grant
    Filed: March 29, 2007
    Date of Patent: October 16, 2012
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventor: Masafumi Miyazawa
  • Patent number: 8291216
    Abstract: A system and method for processing certificates located in a certificate search. Certificates located in a certificate search are processed at a data server (e.g. a mobile data server) coupled to a computing device (e.g. a mobile device) to determine status data that can be used to indicate the status of those certificates to a user of the computing device. Selected certificates may be downloaded to the computing device for storage, and the downloaded certificates are tracked by the data server. This facilitates the automatic updating of the status of one or more certificates stored on the computing device by the data server, in which updated status data is pushed from the data server to the computing device.
    Type: Grant
    Filed: June 19, 2006
    Date of Patent: October 16, 2012
    Assignee: Research In Motion Limited
    Inventors: Neil P. Adams, Herbert A. Little, Michael K. Brown, Michael S. Brown, Michael G. Kirkup
  • Publication number: 20120254618
    Abstract: An audio/video content delivery system having a network content source linked by an internet data connection to a content receiver that receives content from the network content source via the internet data connection, and also receives access-controlled encoded broadcast content from the network content source or another content source via a separate broadcast data path. The network content source requests a client certificate from the content receiver. The content receiver includes a host module to store a network client certificate and send it to the network content source, and a conditional access module (CAM) with an access control unit for decoding the access-controlled encoded broadcast content. The host module and the CAM provide an encrypted communication link for decoded access-controlled encoded broadcast content. The broadcast content source transmits a client certificate to the CAM. The CAM transmits the client certificate to the host module via the encrypted communication link.
    Type: Application
    Filed: March 27, 2012
    Publication date: October 4, 2012
    Applicants: SONY EUROPE LIMITED, SONY CORPORATION
    Inventor: Nigel Stuart MOORE
  • Patent number: 8281131
    Abstract: Method and apparatus for generating cryptographic credentials certifying user attributes and making cryptographic proofs about attributes encoded in such credentials. Attributes are encoded as prime numbers E in accordance with a predetermined mapping and a cryptographic credential is generated encoding E. To prove that an attribute encoded in a cryptographic credential associated with a proving module of the system is a member of a predetermined set of user attributes, without revealing the attribute in question, the proving module determines the product Q of respective prime numbers corresponding to the attributes in the set in accordance with the predetermined mapping of attributes to prime numbers. The proving module demonstrates to the receiving module possession of a cryptographic credential encoding a secret value that is the prime number E, and then whether this secret value divides the product value Q.
    Type: Grant
    Filed: August 27, 2009
    Date of Patent: October 2, 2012
    Assignee: International Business Machines Corporation
    Inventors: Jan Leonhard Camenisch, Thomas R. Gross
  • Patent number: 8275991
    Abstract: A system and method of providing on-line verification of various credentials without requiring second site authentication utilizes protocols and cryptography to assure customers (generally referred to hereinafter as “users”) that they are dealing with a person (or organization) that can present multiple, non-repudiable proof of their identification. The system is launched directly from the user's browser such that certificate verification is performed “locally”, without needing to go out and obtain information from a second web site. The system is based upon the creation of a new MIME (i.e. Multipurpose Internet Mail Extensions) type that is employed by the user's browser and utilizes public keys associated with the credentialing organizations in combination with a public key of the verification organization.
    Type: Grant
    Filed: July 2, 2010
    Date of Patent: September 25, 2012
    Inventor: Robert S. Cahn
  • Patent number: 8275990
    Abstract: A method for receiving/sending multimedia messages uses a wireless LAN, and communicates with a gateway via the wireless LAN so as to send and receive multimedia messages. Furthermore, the gateway of the invention detects whether the user device is located within the wireless LAN. If yes, then multimedia messages are sent and received via the wireless LAN; and if not, then via a conventional telecom network. The invention also discloses a corresponding gateway and a corresponding user device.
    Type: Grant
    Filed: August 8, 2009
    Date of Patent: September 25, 2012
    Assignee: International Business Machines Corporation
    Inventors: Jun Shen, Song Song, Pei Sun, Jian Ming Zhang
  • Patent number: 8271801
    Abstract: A method, apparatus and a data storage device are provided for implementing data confidentiality and integrity of data stored in overlapping, shingled data tracks on a recordable surface of a storage device. A unique write counter is stored for each zone written to the recordable surface of the storage device. An encryption key is used together with the write counter information and a logical block address to encrypt each sector being written, and to decrypt all sectors being read. An individual sector is decrypted, obtaining the write counter information and reading the data sector. A message authentication code is stored for each zone. All sectors of the zone are read to perform an integrity check on a sector.
    Type: Grant
    Filed: November 19, 2009
    Date of Patent: September 18, 2012
    Assignee: Hitachi Global Storage Technologies Netherlands B.V.
    Inventor: Cyril Guyot
  • Patent number: 8266439
    Abstract: One or more methods of generating a pseudonymizable document are described. A method comprises receiving a set of subdocuments and generating a first set of random values wherein each subdocument in the document corresponds to a first set random value. A second set of values is generated based on a subdocument and a corresponding value of the first set random value. A set of pseudonyms is generated wherein each subdocument in the document corresponds to at least one pseudonym of the pseudonym set. A third set of values is generated based on the second set of values and the pseudonym set and a summary value is generated based on the third set of values.
    Type: Grant
    Filed: September 12, 2007
    Date of Patent: September 11, 2012
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Stuart Haber, William G. Horne, Tomas Sander, Danfeng Yao
  • Patent number: 8266436
    Abstract: A service providing system is provided, which includes a client device capable of accessing a tamper-resistant secure memory, an area management server managing memory area of the secure memory and a service providing server providing service that uses the secure memory to the client device, and which improves the security at the time of sending an access control list provided by the area management server and an instruction set provided by the service providing server to the client device by using a digital signature and a certificate.
    Type: Grant
    Filed: November 18, 2008
    Date of Patent: September 11, 2012
    Assignee: Felica Networks, Inc.
    Inventors: Hideki Akashika, Takeshi Takeuchi, Shuichi Sekiya
  • Patent number: 8266424
    Abstract: A certificate credential is generated based on a user device's private key securely stored, or accessible, by a certificate authority. When the certificate authority has been compromised, the credential, which typically includes information encrypted with the device's private key and the corresponding unencrypted information, is sent to the device. The device receives the information in encrypted and unencrypted form and decrypts the encrypted information. If the result of the decryption matches the unencrypted information, the device trusts the signer of the credential.
    Type: Grant
    Filed: March 30, 2006
    Date of Patent: September 11, 2012
    Assignee: ARRIS Group, Inc.
    Inventor: Ali Negahdar
  • Patent number: 8266447
    Abstract: The subject matter of the invention relates to a system (1) and to a method for securely processing information, particularly sensitive information by means of a signature and/or encryption principle, comprising at least the following: a mobile passive first storage unit (1) for retrievably storing first information, a processing device (3) which is adapted for interacting with the first storage unit (2) in order to process information, comprising: a decryption-protected second storage unit (6) for retrievably storing second information corresponding to the first information, a computer unit (5) for (cryptographically) processing information, an information transmission unit (4), for transmitting the information of the first and/or the second storage unit (2, 6) to the computer unit (5).
    Type: Grant
    Filed: February 27, 2007
    Date of Patent: September 11, 2012
    Assignee: Bayer Innovation GmbH
    Inventors: Stephan Völkening, Hardy Jüngermann, Torsten Hupe
  • Patent number: 8265509
    Abstract: A multifunctional apparatus control system includes a multifunctional apparatus, an authentication information input device, an I/F converter, and a control server.
    Type: Grant
    Filed: April 9, 2008
    Date of Patent: September 11, 2012
    Assignee: Sharp Kabushiki Kaisha
    Inventor: Makoto Sekiya
  • Patent number: 8261080
    Abstract: A system and method for managing a digital certificate associated with a remote device is provided. The method includes providing a Web Service Application Programming Interface (API) and communicating digitally between the Web Service API and a remote device, including one of requesting the remote device to perform a task associated with managing digital certificates, and responding to a request from the remote device for performing a task associated with managing digital certificates.
    Type: Grant
    Filed: April 12, 2007
    Date of Patent: September 4, 2012
    Assignee: Xerox Corporation
    Inventors: Robert Benjamin Wilkie, Michelle Bremner, Shawn Oliver Hurley
  • Patent number: 8261336
    Abstract: A system and method authenticates a user if the user is associated with a certificate on a device the user is using to communicate, even if other users are also associated with the same certificate and/or the user is associated with other certificates on other devices.
    Type: Grant
    Filed: June 15, 2005
    Date of Patent: September 4, 2012
    Assignee: EMC Corporation
    Inventors: Louis A Gasparini, William H Harris
  • Patent number: 8260673
    Abstract: Parties involved in a transaction in an E-marketplace identify characteristics of a transaction that they are willing to accept and/or that they can provide. To do this, an attribute certificate is created for each party that contains the attributes of a buyer, seller, or third-party participant who will be transacting business in the particular E-marketplace. The attributes pertain to specifics of the transaction. The party submitting the attribute also identifies alternative conditions which, if they exist would be acceptable for conducting the transaction. Once these criteria, in the form of the attribute certificates, are received by the E-marketplace, the E-marketplace verifies the attributes. A server in the E-marketplace is configured to determine various combinations of participants that can match the deal criteria. In this manner, the E-marketplace “choreographs” the transaction to meet the needs of all.
    Type: Grant
    Filed: May 9, 2003
    Date of Patent: September 4, 2012
    Assignee: International Business Machines Corporation
    Inventors: Gordon K. Arnold, David G. Kuehr-McLaren
  • Patent number: 8261061
    Abstract: Embodiments of the present invention enable a user to engage in secure communications using digital certificates and other cryptographic technologies in an easy way with a minimum of distracting interaction. In some embodiments of the present invention, webmail is enabled to allow users to obtain and use S/MIME certificates to secure his or her e-mails. Embodiments of the present invention can also be implemented to other forms of messaging, such as text messages, instant messages, etc.
    Type: Grant
    Filed: October 15, 2008
    Date of Patent: September 4, 2012
    Assignee: Penango, Inc.
    Inventor: Sean Joseph Leonard
  • Patent number: 8261081
    Abstract: A method is provided to perform network access control. A computing device utilizing Online Certificate Status Protocol responder functionality determines whether attempted communication should be allowed between other computing devices appropriately configured with Internet Protocol Security (IPsec), digital certificates and OCSP client software. This determination is based on a set of rules considering the role or roles of the computing devices attempting to communicate, and whether the computing devices attempting to communicate have previously exhibited suspicious or undesirable behavior.
    Type: Grant
    Filed: February 12, 2010
    Date of Patent: September 4, 2012
    Inventor: Steven Charles McLeod
  • Patent number: 8249504
    Abstract: In a communication control method for wireless communication between a first communication device and a second communication device through a wireless communication unit, identification information is notified from the second communication device to the first communication device by using a communication unit other than the wireless communication unit. Wireless communication between the first and second communication devices is performed by the wireless communication unit using the first communication parameter shared in advance, and authentication processing based on identification information is performed. When authentication is acquired by this authentication processing, the second communication parameter to be set with respect to a wireless communication unit is shared by the first and second communication devices through the above wireless communication.
    Type: Grant
    Filed: November 16, 2005
    Date of Patent: August 21, 2012
    Assignee: Canon Kabushiki Kaisha
    Inventor: Kenichi Fujii
  • Patent number: 8250369
    Abstract: The invention relates to methods and apparatuses for acquiring a physical measurement, and for creating a cryptographic certification of that measurement, such that its value and time can be verified by a party that was not necessarily present at the measurement. The certified measurement may also include corroborative information for associating the actual physical measurement process with the certified measurement. Such corroborative information may reflect the internal or external state of the measurement certification device, as well as witness identifiers of any persons that may have been present at the measurement acquisition and certification. The certification may include a signal receiver to receive timing signals from a satellite or other external source. The external timing signals may be used to generate the time included in the certified measurement, or could be used to determine the location of the measurement certification device for inclusion in the certified measurement.
    Type: Grant
    Filed: June 24, 2009
    Date of Patent: August 21, 2012
    Assignee: Walker Digital, LLC
    Inventors: Jay S. Walker, Bruce Schneier, James A. Jorasch
  • Patent number: 8245031
    Abstract: Host devices present both the host certificate and the pertinent certificate revocation lists to the memory device for authentication so that the memory device need not obtain the list on its own. Processing of the certificate revocation list and searching for the certificate identification may be performed concurrently by the memory device. The certificate revocation lists for authenticating host devices to memory devices may be stored in an unsecured area of the memory device for convenience of users.
    Type: Grant
    Filed: November 6, 2006
    Date of Patent: August 14, 2012
    Assignee: SanDisk Technologies Inc.
    Inventors: Michael Holtzman, Ron Barzilai, Rotem Sela, Fabrice Jogand-Coulomb
  • Patent number: 8243928
    Abstract: An authentication method is provided in which a first portable device generates and transmits a first random number and a first timestamp to a first USIM in the first portable device; the first USIM calculates a first sign for the first portable device; the first portable device requests authentication for authenticated communication from a second portable device through transmission of the first random number, the first timestamp, and the first sign to the second portable device; the second portable device generates a second random number and a second timestamp and transmits the information to a second USIM in the second portable device; the second USIM generates a second sign for the second portable device and a second personal key which the second portable device transmits to the first portable device; the first portable device then transmits the information to the first USIM which generates a first personal key for authenticated communication.
    Type: Grant
    Filed: August 7, 2008
    Date of Patent: August 14, 2012
    Assignees: Samsung Electronics Co., Ltd., Information and Communications University Research and Cooperation Group
    Inventors: Young-Jun Park, Min-Young Ahn, Kug Shin, Kwang-Jo Kim, Kyu-Suk Han
  • Publication number: 20120204033
    Abstract: A device-bound certificate authority binds a certificate to one or more devices by including digital fingerprints of the devices in the certificate. A device only uses a device-bound certificate if the digital fingerprint of the device is included in the certificate and is verified. Thus, a certificate is only usable by one or more devices to which the certificate is explicitly bound. Such device-bound certificates can be used for various purposes served by certificates generally such as device driver authentication and authorization of access to secure content, for example.
    Type: Application
    Filed: July 8, 2011
    Publication date: August 9, 2012
    Inventors: Craig S. Etchegoyen, Dono Harjanto
  • Patent number: 8239962
    Abstract: This invention relates to a method of processing rights relating to content, that can be communicated between devices. Typically, a Digital Rights Management (DRM) system imposes limitations of use and distribution, imposed by the service provider, content provider or distributor. The method of the invention renders it possible for a user who has received DRM rights to restrict the right further. The invention is more particularly related to the receipt of DRM rights to Authorized Domain Digital Rights Management (AD-DRM) systems and the introduction of user attributed rights in the form of further restrictions introduced to the received DRM rights. The invention further relates to a Rights Program Template (RPT) facilitating the introduction of such further restrictions in a user friendly way. Finally, the invention relates to a system supporting the method of the invention.
    Type: Grant
    Filed: May 10, 2005
    Date of Patent: August 7, 2012
    Assignee: Koninklijke Philips Electronics N.V.
    Inventors: Franciscus Lucas Antonius Johannes Kampeman, Milan Petkovic, Robert Paul Koster, Koen Hendrik Johan Vrielink
  • Patent number: 8234698
    Abstract: An anonymous authentication-based private information management (PIM) system and method are provided. The PIM method includes receiving an anonymous certificate not including user information from an anonymous certification authority; generating an anonymous document including the anonymous certificate and some of the user information; and providing the anonymous document to a web service provider so as to be authenticated and thus provided with a web service by the web service provider. Thus, only a minimum of user information may be provided to the web service provider. In addition, it is possible to strengthen a user's right to self-determination and control over the exposure and use of his or her personal information by allowing a user to manage his or her own personal information or entrusting the PIM server to manage user information. Moreover, it is possible to protect the privacy of a user by preventing the exposure of user information.
    Type: Grant
    Filed: May 14, 2009
    Date of Patent: July 31, 2012
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Yun Kyung Lee, Seung Wan Han, Sok Joon Lee, Byung Ho Chung, Jeong Nyeo Kim
  • Publication number: 20120185696
    Abstract: In an embodiment, a method includes registering applications and network services for notification of an out-of-band introduction, and using the out-of-band introduction to bootstrap secure in-band provisioning of credentials and policies that are used to control subsequent access and resource sharing on an in-band channel. In another embodiment, an apparatus implements the method.
    Type: Application
    Filed: March 26, 2012
    Publication date: July 19, 2012
    Inventors: Victor B. Lortz, Jesse R. Walker, Shriharsha S. Hegde, Amol A. Kulkarni, Tsung-Yuan C. Tai
  • Patent number: 8225088
    Abstract: An information processing apparatus for controlling use of a content recorded on a disc. The information processing apparatus includes: in reference to a certificate revocation list including invalidation information of a content owner providing the content, a data verification section verifying whether content-owner identification recorded in a content-owner certificate recorded on the disc as a certificate corresponding to the content owner is included in the certificate revocation list, and if included, the data verification section comparing a content-certificate time stamp which is stored in the content certificate recorded on the disc as a certificate corresponding to the content and a CRL time stamp which is invalidation date-and-time information corresponding to the content owner stored in the certificate revocation list; and a content-use control section prohibiting or restricting use of the content if the content-certificate time stamp has date-and-time data not earlier than the CRL time stamp.
    Type: Grant
    Filed: December 4, 2008
    Date of Patent: July 17, 2012
    Assignee: Sony Corporation
    Inventors: Kenjiro Ueda, Katsumi Muramatsu
  • Patent number: 8225096
    Abstract: When a client apparatus receives a request for an electronic certificate from a server apparatus, the server apparatus reads a client certificate containing personal information and a server public key of the server apparatus from a storage unit and encrypts the client certificate using the server public key. The client apparatus also creates a temporary electronic certificate by setting, in a basic field of an electronic certificate, a predetermined item indicating that the electronic certificate is a temporary electronic certificate and by setting the client certificate having been encrypted in an extension field of the electronic certificate. Then, the client apparatus sends the temporary electronic certificate to the server apparatus.
    Type: Grant
    Filed: August 21, 2007
    Date of Patent: July 17, 2012
    Assignee: International Business Machines Corporation
    Inventors: Takashi Miyamoto, Kohsuke Okamoto
  • Patent number: 8225097
    Abstract: Digital content protection can be effectively implemented through use of an anchor point and binding records in a user domain. An anchor point domain may include a secure anchor point, and data storage to store digital property instances and rights objects. The secure anchor point may be configured to receive a title pre-key from the rights object and use a binding key to decrypt the title pre-key to yield a title key. The binding key may include data uniquely associating the encrypted digital property instance with the secure anchor point.
    Type: Grant
    Filed: January 27, 2009
    Date of Patent: July 17, 2012
    Assignee: Seagate Technology LLC
    Inventor: Paul Marvin Sweazey
  • Patent number: 8214637
    Abstract: A public key certificate issuing system is disclosed which comprises a certificate authority for issuing a public key certificate for an entity, the certificate authority including a plurality of signature modules each executing a different encryption algorithm and a registration authority that receives a public key certificate issuance request from the entity.
    Type: Grant
    Filed: March 3, 2010
    Date of Patent: July 3, 2012
    Assignee: Sony Corporation
    Inventors: Makoto Oka, Yoshihito Ishibashi, Shinako Matsuyama, Hideaki Watanabe
  • Publication number: 20120166805
    Abstract: A method that facilitates the exchange of multifunction job security using IPv6 Neighbor Discovery, which includes generating a job on a first node, the first node having a software module, which creates at least one security option for the job; sending a neighbor solicitation request with the at least one security option to a second node; receiving the neighbor solicitation request on the second node, the second node having a software module for processing the neighbor solicitation request with the at least one security option; sending a neighbor advertisement to the first node; receiving the neighbor advertisement from the second node to obtain a job identifier for the job; and if the job identifier for the job is obtained, processing the job on the first node.
    Type: Application
    Filed: December 28, 2010
    Publication date: June 28, 2012
    Applicant: KONICA MINOLTA LABORATORY U.S.A., INC.
    Inventor: Maria PEREZ
  • Patent number: 8209531
    Abstract: A single validity proof (ci(F)) may be provided to certificate owners for a set (F) of the certificates via a multicast transmission if a multicasting group (2010) is formed to correspond to the set.
    Type: Grant
    Filed: June 26, 2009
    Date of Patent: June 26, 2012
    Assignee: NTT DoCoMo, Inc.
    Inventors: Craig B. Gentry, Zulfikar Amin Ramzan, Bernhard Bruhn
  • Patent number: 8201251
    Abstract: A method for verifying a software application to a user of a device such as a mobile phone. The device receives (102) the software application, for example a Java ME MIDlet, and checks (104) a signature associated with the software application. Where the signature is recognized, the phone indicates (108) this status to the user, for example by displaying the familiar padlock icon. The mobile phone then establishes (110) a secure code known only to the user and a trusted entity, the entity being for example the manager of the Java ME environment. The device identifies (114) the software application to the trusted entity, which then checks (116) the status of the software application. If the status is verified, the entity sends (118) the status to the device, which in turn indicates (120) the secure code to the user, for example as an additional displayed number, pictogram or the like.
    Type: Grant
    Filed: August 10, 2006
    Date of Patent: June 12, 2012
    Assignee: NXP B.V.
    Inventor: Cyrille Ngalle
  • Patent number: 8195945
    Abstract: A method for storing and updating digital certificates in a flash memory, a flash memory, and an electronic apparatus exploiting the method are disclosed. The method is applicable to a flash memory having predefined erase-write blocks and write-read blocks, for enhancing the tamper-proof characteristics of the flash memory. The certificates may be used to authenticate a computer program and may be verified by a verification program associated with the computer program. The method may include defining a plurality of memory slots within at least one erased erase-write block wherein each memory slot has a commencing address comprising a binary “0”- or a binary “1”-bit pattern, writing a first and second digital certificate in a first and second one of the memory slots, defining a certificate slot address pointer, and updating the certificate slot address pointer by replacing said “0”- or “1”-bit pattern of the pointer with a “1”- or a “0”-bit pattern, respectively.
    Type: Grant
    Filed: December 1, 2005
    Date of Patent: June 5, 2012
    Assignee: Sony Mobile Communications AB
    Inventors: Stefan Andersson, Werner Johansson, Stefan Lindgren
  • Patent number: 8196189
    Abstract: A secure distributed single-login authentication system comprises a client and a server. The client collects authentication credentials from a user and tests credentials at a variety of potential authentication servers to check where the login is valid. It combines a password with a time-varying salt and a service-specific seed in a message digesting hash, generating a first hash value. The client sends the hash value with a user name and the time-varying salt to a selected server. The server extracts the user name and looks up the user name in the server's database. If an entry is found, it retrieves the password, performing the same hash function on the combination of user name, service-specific seed, and password to generate a second hash value, comparing the values. If the values match, the user is authenticated. Thus, the system never reveals the password to authentication agents that might abuse the information.
    Type: Grant
    Filed: June 11, 2010
    Date of Patent: June 5, 2012
    Assignee: AOL LLC
    Inventor: James Roskind
  • Patent number: 8185740
    Abstract: Consumer computers that are not properly configured for safe access to a web service are protected from damage by controlling access to web services based on the health of the client computer. A client health web service receives health information from the client computer, determines the health status of the consumer computer, and issues a token to the consumer computer indicating its health status. The consumer computer can provide this token to other web services, which in turn may provide access to the consumer computer based on the health status indicated in the token. The client health web service may be operated as a web service specifically to determine the health of consumer computers or may have other functions, including providing access to the Internet. Also, the health information may be proxied to another device, such as a gateway device, that manages interactions with the client health web service.
    Type: Grant
    Filed: March 26, 2007
    Date of Patent: May 22, 2012
    Assignee: Microsoft Corporation
    Inventors: Calvin Choon-Hwan Choe, Paul G. Mayfield
  • Publication number: 20120124379
    Abstract: The user device includes: a recording unit which stores system parameters as respective parameters given in advance, a disclosure public key, a user public key, a user private key, a member certificate, and an attribute certificate; an input/output unit which receives input of the document from the user and an attribute the user intends to disclose; a cryptograph generating module which generates a cryptograph based on the inputted document, the attribute to be disclosed, and each of the parameters; a signature text generating module which generates a zero-knowledge signature text from the generated cryptograph; and a signature output module which outputs the cryptograph and the zero-knowledge signature text as the signature data. The user public key and the attribute certificate are generated by using a same power.
    Type: Application
    Filed: July 6, 2010
    Publication date: May 17, 2012
    Applicant: NEC CORPORATION
    Inventor: Isamu Teranishi
  • Patent number: 8181019
    Abstract: The present invention is directed towards systems and methods for maintaining Certificate Revocation Lists (CRLs) for client access in a multi-core system. A first core may generate a secondary CRL corresponding to a master CRL maintained by the first core. The CRLs may identify certificates to revoke. The first core can store the secondary CRL to a memory element accessible by the cores. A second core may receive a request to validate a certificate. The second core can provisionally determine, via access to the secondary CRL, whether the certificate is revoked. The second core may also determine not to revoke the certificate. Responsive to the determination, the second core may request the first core to validate the certificate. The first core can determine whether to revoke the certificate based on the master CRL. The first core may send a message to the second core based on the determination.
    Type: Grant
    Filed: June 22, 2009
    Date of Patent: May 15, 2012
    Assignee: Citrix Systems, Inc.
    Inventors: Ashoke Saha, Christofer Edstrom, Tushar Kanekar
  • Patent number: 8181227
    Abstract: A system and method for client-side authentication for secure Internet communications is disclosed. In one embodiment, an intermediate device receives a web browser secure socket layer certificate from a web browser, authenticates the web browser using the secure socket layer certificate, and then re-signs the secure socket layer certificate with an intermediate device public key and an intermediate device certificate authority signature. The intermediate device sends the re-signed secure socket layer certificate to a web server and the web server authenticates the intermediate device using the re-signed secure socket layer certificate. In another embodiment, an intermediate device receives a web browser secure socket layer certificate from a web browser, inserts the web browser secure socket layer certificate into a HTTP header of a packet, and sends the packet to a web server.
    Type: Grant
    Filed: August 29, 2006
    Date of Patent: May 15, 2012
    Assignee: Akamai Technologies, Inc.
    Inventor: Ka Fai Lau
  • Patent number: 8180708
    Abstract: A method of managing keys is provided. According to one exemplary method, digital content data encrypted with a first encrypting key is decrypted using a first decrypting key, and re-encrypted using a second encrypting key. A second decrypting key is encrypted using a third encrypting key to produce an encrypted second decrypting key. In some embodiments, an encrypted first decrypting key that was encrypted using a fourth encrypting key is received, and the encrypted first decrypting key is decrypted using a fourth decrypting key to reproduce the first decrypting key. An application for use on a computer system is also provided.
    Type: Grant
    Filed: July 18, 2005
    Date of Patent: May 15, 2012
    Assignee: International Business Machines Corporation
    Inventors: Marco M. Hurtado, Kenneth L. Milsted, Kha D. Nguyen
  • Patent number: 8181017
    Abstract: An intermediate certificate authority (ICA) for a hierarchical certificate authority structure (HCAS), the HCAS having a plurality of levels, the levels including a root level, at least one intermediate level, and a leaf level, the root level having a root certificate authority, the ICA being in the at least one intermediate level, the ICA including a certificate receiving module to receive a first certificate signed by a certificate authority in a level above the level of the ICA, the first certificate certifying an aspect of the ICA, the first certificate having an expiration time, and a certificate signing module to sign a second certificate for a member of the HCAS, prior to the expiration time of the first certificate, such that the second certificate expires after the expiration time of the first certificate, the member being in a level below the level of the ICA, the second certificate certifying an aspect of the member. Related apparatus and methods are also described.
    Type: Grant
    Filed: September 8, 2005
    Date of Patent: May 15, 2012
    Assignee: NDS Limited
    Inventors: Reuben Sumner, Yaacov Belenky
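The validity-period situation this abstract sets up, as an added example (not code from the patent or from NDS): an intermediate CA whose own certificate expires before a member certificate it signed, and a renewed ICA certificate issued before that happens. The dates and names are constructed. The example checks the chain under two policies: the per-time policy RFC 5280 path validation uses (each certificate must be within its own validity period at verification time), under which the member certificate keeps validating as long as some ICA certificate is current, and a stricter nesting policy some verifiers apply, under which a certificate that outlives its issuer's certificate never validates.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    """Only the fields the check needs; real certificates also carry keys and signatures."""
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime


def utc_date(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample hierarchy (assumed dates): root -> ICA -> member. The ICA's own
# certificate expires before the member certificate it signed, as the abstract describes,
# and the root issues the ICA a renewed certificate before the old one runs out.
ROOT = Cert("Root CA", "Root CA", utc_date(2020, 1, 1), utc_date(2040, 1, 1))
ICA_OLD = Cert("ICA", "Root CA", utc_date(2021, 1, 1), utc_date(2023, 1, 1))
ICA_NEW = Cert("ICA", "Root CA", utc_date(2022, 12, 1), utc_date(2025, 1, 1))
MEMBER = Cert("member", "ICA", utc_date(2022, 6, 1), utc_date(2025, 6, 1))


def valid_at(cert, when):
    return cert.not_before <= when <= cert.not_after


def validate_chain(chain, when, require_nesting=False):
    """Validate a chain ordered leaf first, self-signed root last, at time `when`.
    Default policy (RFC 5280 path validation): every certificate is within its own
    validity period at `when`. With require_nesting=True each certificate's period
    must also lie inside its issuer's, the stricter policy under which a member
    certificate outliving its ICA certificate is never accepted. Returns (ok, reason)."""
    for i, cert in enumerate(chain):
        if not valid_at(cert, when):
            return False, f"{cert.subject} not valid at {when.date()}"
        if i + 1 < len(chain):
            issuer = chain[i + 1]
            if cert.issuer != issuer.subject:
                return False, f"{cert.subject} not issued by {issuer.subject}"
            nested = issuer.not_before <= cert.not_before and cert.not_after <= issuer.not_after
            if require_nesting and not nested:
                return False, f"{cert.subject} validity exceeds issuer {issuer.subject}"
    if chain[-1].issuer != chain[-1].subject:
        return False, "chain does not end at a self-signed root"
    return True, "ok"


def current_issuer_cert(candidates, when):
    """Among the certificates held by one ICA, pick the one valid at `when`
    (the renewed one once the earlier one has expired); None if there is none."""
    for cert in candidates:
        if valid_at(cert, when):
            return cert
    return None


def validate_member(member, ica_certs, root, when, require_nesting=False):
    """Build the chain with whichever ICA certificate is current and validate it."""
    issuer = current_issuer_cert(ica_certs, when)
    if issuer is None:
        return False, "no ICA certificate valid at this time"
    return validate_chain([member, issuer, root], when, require_nesting)
```

The practical consequence for the relying party: the member certificate is only as long-lived as the ICA's willingness to keep renewing, and if the ICA's renewed certificate lapses before the member's notAfter, verification fails even though the member certificate itself has not expired.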
  • Patent number: 8176328
    Abstract: A method for authenticating an operator of an AP includes: registering the operator's identity with a CA, by providing the operator's identification information and public key; creating a certificate including the foregoing; signing the certificate with the CA's private key; provisioning the AP with the signed certificate; provisioning a client with the CA's public key; sending a request from the client to the AP; generating a signature with the operator's private key; returning a reply to the client, including the AP provisioned certificate signed with the generated signature; using the client provisioned CA's public key to obtain the operator's public key from the certificate received in the reply; and, using the operator's public key obtained from the certificate received in the reply to verify the signature generated with the operator's private key and used by the AP to sign the certificate received in the reply.
    Type: Grant
    Filed: September 17, 2008
    Date of Patent: May 8, 2012
    Assignee: Alcatel Lucent
    Inventors: Shu-Lin Chen, Stanley Chow, Christophe Gustave
  • Patent number: 8176542
    Abstract: Described herein is a technique of protecting users against certain types of Internet attacks. The technique involves obtaining certificates from visited web sites and qualifying communications with those web sites based on the content of the certificates.
    Type: Grant
    Filed: May 3, 2010
    Date of Patent: May 8, 2012
    Assignee: Microsoft Corporation
    Inventors: Eric M. Lawrence, Roberto A. Franco, Venkatraman V. Kudallur, Marc A. Silbey
  • Patent number: 8171283
    Abstract: The present invention advantageously provides a system and method for management of cryptographic keys and certificates for a plurality of vehicles. Each vehicle of the plurality of vehicles generates public/private key pairs, requests multiple time-distributed certificates, creates an encrypted identity, and surrenders expired certificates. An assigning authority receives the public/private key pairs, the request for multiple time-distributed certificates, the encrypted identity, and the expired certificates from said vehicle. The assigning authority authorizes the vehicle with an authorizing authority, validates the expired certificates, proves ownership, and distributes the requested time-distributed certificates to said vehicle. Validation can comprise checking expired certificates against misused, compromised and/or previously surrendered certificates.
    Type: Grant
    Filed: March 19, 2008
    Date of Patent: May 1, 2012
    Assignee: Telcordia Technologies, Inc.
    Inventors: Stanley Pietrowicz, Giovanni Di Crescenzo, Robert G. White, Tao Zhang
  • Patent number: 8171297
    Abstract: A method, system, and apparatus for authenticating transactions and records is disclosed. A method for authenticating an information-based indicium includes receiving an article bearing a first identifier, wherein the first identifier substantially prevents a single user from accumulating multiple articles bearing the same first identifier, receiving a first digital certificate that is derived in part by encoding the first identifier, and comparing the first digital certificate and the first identifier to authenticate the information-based indicium.
    Type: Grant
    Filed: September 15, 2006
    Date of Patent: May 1, 2012
    Assignee: SINT Holdings Limited Liability Company
    Inventors: Patrick D. Lincoln, Natarajan Shankar
  • Publication number: 20120102328
    Abstract: The present invention discloses a method for implementing a real-time data service and a real-time data service system. After starting to forward data messages to an accessed user terminal, an access point (AP) of the real-time data service system verifies the user terminal, and continues forwarding the data messages to the user terminal after the verification is successful.
    Type: Application
    Filed: December 8, 2009
    Publication date: April 26, 2012
    Applicant: ZTE CORPORATION
    Inventors: Yi Hui, Yang Zhou
  • Patent number: 8166529
    Abstract: The invention relates to a method and device for authenticating a user of an electronic device in usage contexts available for use in said electronic device by using a usage context identifier, wherein in the method, a usage context being used in the device is selected by the user. The method comprises maintaining a centralized register of the usage contexts available for the user in the device and the user profiles associated with said usage contexts, the device identifying a usage context selected by the user, selecting at least one user profile in response to the identified service, and authenticating the user in the selected usage context on the basis of the selected user profile.
    Type: Grant
    Filed: June 27, 2003
    Date of Patent: April 24, 2012
    Assignee: Nokia Corporation
    Inventor: Niall O'Donoghue
  • Publication number: 20120089841
    Abstract: An embodiment of the disclosure can receive a composite resource document containing at least one resource. An updated manifest resource can be obtained. The updated manifest resource can list all resources in the composite resource document. A set of zero or more (0 . . . N) resources can be indicated. Each indicated resource is one that is to be subtracted from the list of resources in the updated manifest resource in order to create a generated signature reference list of identified resources to be signed. A hash token can be generated using the resources identified in the generated signature reference list to form a signature hash token. The signature hash token can be encrypted with a secret key.
    Type: Application
    Filed: June 24, 2011
    Publication date: April 12, 2012
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: JOHN M. BOYER, RAGUNATHAN MARIAPPAN, NAZEER S. UNNISA
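The manifest-subtraction step above, as an added example (not code from the patent or from IBM). The composite document, the resource names and the key are constructed; the container format is left abstract as a name-to-bytes mapping. The abstract says the hash token is "encrypted with a secret key"; with a shared symmetric key the construction that actually authenticates the token is a MAC over it, and the example assumes that is the intent. Two details matter for a verifier: the token must bind the resource names and lengths, not just the concatenated bytes, and resources that were subtracted (here the signature resource itself and a notes file meant to stay editable) can change without invalidating the signature, which is the point of subtracting them.

```python
import hashlib
import hmac

# Constructed sample composite resource document (resource name -> bytes), an
# assumption standing in for the real container format.
DOCUMENT = {
    "manifest.xml": b"<manifest/>",
    "form.xml": b"<form><field name='amount'>100</field></form>",
    "logo.png": b"\x89PNG\r\n\x1a\n...",
    "signature.xml": b"",            # will hold the signature, so it must be left out
    "draft-notes.txt": b"internal",  # meant to stay editable after signing
}


def updated_manifest(document):
    """The updated manifest resource: a list of every resource in the document."""
    return sorted(document)


def signature_reference_list(manifest, subtract):
    """Subtract the indicated (0..N) resources from the manifest list; what remains
    is the generated signature reference list of resources to be signed."""
    subtract = set(subtract)
    unknown = subtract - set(manifest)
    if unknown:
        raise ValueError(f"not in manifest: {sorted(unknown)}")
    return [name for name in manifest if name not in subtract]


def signature_hash_token(document, reference_list):
    """Hash token over the identified resources. Names and contents are length-prefixed
    so the token binds the list itself, not just the concatenated bytes."""
    h = hashlib.sha256()
    for name in reference_list:
        name_b = name.encode()
        data = document[name]
        h.update(len(name_b).to_bytes(4, "big"))
        h.update(name_b)
        h.update(len(data).to_bytes(4, "big"))
        h.update(data)
    return h.digest()


def sign(document, subtract, key):
    """Build the signature record: the reference list and a MAC over the hash token
    (assumed reading of "encrypted with a secret key")."""
    reference_list = signature_reference_list(updated_manifest(document), subtract)
    token = signature_hash_token(document, reference_list)
    return {"reference_list": reference_list,
            "mac": hmac.new(key, token, hashlib.sha256).hexdigest()}


def verify(document, signature, key):
    """Recompute the token over the listed resources and compare the MAC in constant time."""
    try:
        token = signature_hash_token(document, signature["reference_list"])
    except KeyError:
        return False  # a signed resource has been removed from the document
    expected = hmac.new(key, token, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature["mac"])
```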
  • Publication number: 20120089842
    Abstract: In a sensor network system, a transmitter device uses a message authentication key generated by a message generator to transmit a message with authenticator to plural receiver devices, which in reply produce a certification by a certification generator from a message with authenticator held by a message holder to transmit the certification to the transmitter device. An information generator of the transmitter device uses an identification from a reception checker and the message authentication key thus generated to generate an authentication key notification, which will be transmitted to receiver devices having transmitted the certification. In the receiver devices, the message holder holds the authentication key notification, from which an authentication key acquirer acquires the message authentication key, which a message authenticator uses to compare the message with authenticator generated with the message with authenticator held in the message holder to confirm the received message.
    Type: Application
    Filed: September 16, 2011
    Publication date: April 12, 2012
    Applicant: OKI ELECTRIC INDUSTRY CO., LTD.
    Inventor: Taketsugu YAO
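The round described in the abstract, as an added example (not code from the patent or from OKI): the transmitter sends a message with an authenticator under a key it has not yet disclosed, receivers hold the message and return a certification, and the key is then disclosed only to receivers whose certification checked out. The abstract does not say how the certification is formed; the example assumes it is a digest over the receiver's identity and the exact message-with-authenticator it holds, and the receiver identities and messages are constructed.

```python
import hashlib
import hmac
import secrets


def certification_for(receiver_id, msg_with_auth):
    """Certification a receiver derives from the message-with-authenticator it holds
    (assumed construction; the abstract does not specify it)."""
    message, tag = msg_with_auth
    return hashlib.sha256(receiver_id.encode() + b"|" + message + b"|" + tag).digest()


class Transmitter:
    def __init__(self):
        self.key = None
        self.msg_with_auth = None
        self.certified = set()

    def send(self, message):
        """Message generator: a fresh message authentication key and the message with
        its authenticator. The key itself is not sent at this point."""
        self.key = secrets.token_bytes(32)
        tag = hmac.new(self.key, message, hashlib.sha256).digest()
        self.msg_with_auth = (message, tag)
        self.certified = set()
        return self.msg_with_auth

    def check_certification(self, receiver_id, certification):
        """Reception checker: records receivers whose certification matches what was sent."""
        expected = certification_for(receiver_id, self.msg_with_auth)
        if hmac.compare_digest(expected, certification):
            self.certified.add(receiver_id)
            return True
        return False

    def key_notification(self):
        """Information generator: the authentication key notification, addressed only
        to receivers that returned a valid certification."""
        return {rid: self.key for rid in sorted(self.certified)}


class Receiver:
    def __init__(self, receiver_id):
        self.receiver_id = receiver_id
        self.held = None

    def receive(self, msg_with_auth):
        """Message holder: keep the message with authenticator (it cannot be verified
        yet) and return the certification."""
        self.held = msg_with_auth
        return certification_for(self.receiver_id, msg_with_auth)

    def authenticate(self, notification):
        """Authentication key acquirer + message authenticator: take the key from the
        notification, recompute the authenticator over the held message and compare."""
        key = notification.get(self.receiver_id)
        if key is None or self.held is None:
            return False
        message, tag = self.held
        recomputed = hmac.new(key, message, hashlib.sha256).digest()
        return hmac.compare_digest(recomputed, tag)


def run_round(message, receivers, tamper=None):
    """One protocol round. `tamper` maps receiver id -> altered message bytes delivered
    to that receiver instead of the real one (an on-path attacker)."""
    tx = Transmitter()
    sent = tx.send(message)
    for r in receivers:
        delivered = sent
        if tamper and r.receiver_id in tamper:
            delivered = (tamper[r.receiver_id], sent[1])
        tx.check_certification(r.receiver_id, r.receive(delivered))
    notification = tx.key_notification()
    return {r.receiver_id: r.authenticate(notification) for r in receivers}
```

The ordering is what carries the security: a receiver commits to the bytes it holds before the key exists anywhere but at the transmitter, so a receiver that was fed an altered message produces a certification the transmitter rejects and never obtains the key, and the key is useless for forging because every receiver has already fixed the message it will check.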
  • Patent number: 8156337
    Abstract: Pre-authentication information of devices is used to securely authenticate arbitrary peer-to-peer ad-hoc interactions. In one embodiment, public key cryptography is used in the main wireless link with location-limited channels being initially used to pre-authenticate devices. Use of public keys in the pre-authentication data allows for the broadening of types of media suitable for use as location-limited channels to include, for example, audio and infrared. Also, it allows a range of key exchange protocols which can be authenticated in this manner to include most public-key-based protocols. As a result, a large range of devices, protocols can be used in various applications. Further, an eavesdropper is forced to mount an active attack on the location-limited channel itself in order to access an ad-hoc exchange. However, this results in the discovery of the eavesdropper.
    Type: Grant
    Filed: April 3, 2006
    Date of Patent: April 10, 2012
    Assignee: Palo Alto Research Center Incorporated
    Inventors: Dirk Balfanz, Cristina Lopes, Diana Smetters, Paul Stewart, Hao-Chi Wong
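The pre-authentication pattern in the abstract, as an added example (not code from the patent or from PARC): each device commits to its public key over the location-limited channel, the full public keys then travel over the main wireless link, and each side accepts the peer's key only if it matches the commitment. Public keys are opaque random byte strings standing in for real key material, and the device names are constructed. The example also shows the failure mode the abstract mentions: an active substitution on the main link is rejected, so an attacker is forced onto the location-limited channel itself.

```python
import hashlib
import hmac
import secrets


def commitment(public_key):
    """Pre-authentication data for the location-limited channel: a digest of the public
    key. It is short enough for audio or infrared and reveals nothing secret."""
    return hashlib.sha256(b"llc-preauth|" + public_key).digest()


class Device:
    def __init__(self, name, public_key):
        self.name = name
        self.public_key = public_key
        self.peer_commitment = None
        self.peer_public_key = None

    def llc_send(self):
        """Sent over the location-limited channel: name and commitment only."""
        return self.name, commitment(self.public_key)

    def llc_receive(self, name, commit):
        self.peer_commitment = commit

    def main_send(self):
        """Sent over the main wireless link: the full public key."""
        return self.name, self.public_key

    def main_receive(self, name, public_key):
        """Accept the peer's public key only if it matches the LLC commitment;
        without a prior LLC exchange nothing on the main link is trusted."""
        if self.peer_commitment is None:
            return False
        if not hmac.compare_digest(commitment(public_key), self.peer_commitment):
            return False
        self.peer_public_key = public_key
        return True


def run_exchange(a, b, mitm_key=None):
    """Both devices pre-authenticate over the LLC, then swap public keys over the main
    link. If mitm_key is given, an active attacker on the main link substitutes its
    own public key for b's; a's commitment check rejects it."""
    a.llc_receive(*b.llc_send())
    b.llc_receive(*a.llc_send())
    name_b, key_b = b.main_send()
    if mitm_key is not None:
        key_b = mitm_key
    ok_a = a.main_receive(name_b, key_b)
    ok_b = b.main_receive(*a.main_send())
    return ok_a and ok_b


def new_device(name):
    """Constructed stand-in for key generation: an opaque random public key."""
    return Device(name, secrets.token_bytes(32))
```

Once both sides hold an authenticated peer public key, any public-key-based key exchange can run over the main link with those keys, which is the broadening of protocols the abstract refers to.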
  • Patent number: 8156327
    Abstract: A distributed certificate authority includes a CA and a number of Sub-CAs (2610). The Sub-CAs have secret certificate validation data, but different data are provided to different Sub-CAs for each certificate. If a Sub-CA is compromised, the Sub-CA validity proof will be withheld by the CA to alert the verifiers not to use the data from this Sub-CA. Also, the secret data are encrypted when distributed to the Sub-CAs. A decryption key (DK.j.k) for each “partition” of time is distributed to each Sub-CA at or shortly before the start of the partition. A compromised Sub-CA can be reactivated at the end of the partition because the adversary does not get the decryption keys for the future partitions.
    Type: Grant
    Filed: June 26, 2009
    Date of Patent: April 10, 2012
    Assignee: NTT DoCoMo, Inc.
    Inventors: Craig B. Gentry, Zulfikar Amin Ramzan, Bernhard Bruhn