By Generation Of Certificate Patents (Class 713/175)
-
Patent number: 8156339
Abstract: A license-data transmitter (in a case of recording, a recording device 100 serves as a license-data transmitter, and in a case of readout, a storage device 200 serves as a license-data transmitter) verifies a certificate C[KPdx] (the license-data receiver and the license-data transmitter will be represented by “x” and “y”, respectively) of a license-data receiver (in a case of recording, a storage device 200 serves as a license-data receiver, and in a case of readout, a reproducing device 300 serves as a license-data receiver), following which the license-data transmitter transmits a certificate C[KPdy] thereof to the license-data receiver in the form of challenge information E(KPdx, Kcy)//C[KPdy]. Then, the license-data receiver verifies the certificate C[KPdy] of the license-data transmitter.
Type: Grant
Filed: July 21, 2005
Date of Patent: April 10, 2012
Assignee: Sanyo Electric Co., Ltd.
Inventor: Yoshihiro Hori
-
Publication number: 20120084566
Abstract: Methods and systems for providing secure access to network resources are disclosed. A method includes defining in a provisioning utility one or more communities of interest, each community of interest including one or more users and associated with a key. The method includes providing a service key to a client computing device that is useable to establish a secure connection to a service enclave including an authorization server. The method also includes transmitting from the authorization server, for each community of interest including an identified user of the client computing device, an identity of a customer enclave and a key associated with a community of interest including the user of the client computing device, the community of interest including computing resources included in the customer enclave.
Type: Application
Filed: May 11, 2011
Publication date: April 5, 2012
Inventors: Edward Chin, Ted Hingman, Robert A. Johnson
-
Patent number: 8151356
Abstract: Provided is a method of transmitting content processed according to first digital rights management (DRM) to a device that uses second DRM. The method includes generating a ticket using a first license server and a second license server, the first license server issuing a first license for use in the first DRM and the second license server issuing a second license for use in the second DRM; the second device obtaining a second content key required to process the content using the ticket and the second DRM; and the second device receiving the content from the first device and processing the content using the second content key and the second DRM. The ticket includes use control information that specifies a restriction of use of the content, and the second content key required to process the content using the second DRM.
Type: Grant
Filed: July 28, 2005
Date of Patent: April 3, 2012
Assignee: Samsung Electronics Co., Ltd.
Inventors: Chi-hurn Kim, Yang-lim Choi, Young-sun Yoon
-
Patent number: 8144874
Abstract: A system and method comprising a computer useable medium having computer readable program code means embodied therein for authenticating and encrypting and decrypting information transferred over a public network between a client application program running in a client computer and a server application program running in a server computer and a directory service application program running in a server computer. A method for obtaining a session master key by an application from a server includes sending an open request to the server for the session master key and receiving a first reply by the application from the server with a first portion of the session master key. The first reply identifies a directory server from which a second portion of the session master key may be obtained. The application sends an open request to the directory server specified by the server in the first reply for the second portion of the session master key and receives it from the directory server.
Type: Grant
Filed: September 6, 2007
Date of Patent: March 27, 2012
Inventor: R. Paul McGough
-
Patent number: 8144875
Abstract: A system and method comprising a computer useable medium having computer readable program code embodied therein for authenticating and encrypting and decrypting information transferred over a public network between a client application program running in a client computer and a server application program running in a server computer and a directory service application program running in a server computer. A method for secure communication by a processor with a server includes generating a message to the server by employing a one pass key generation probabilistic authentication process using a predetermined session master key and sending the message to the server. A method for secure communication between an application executable on a computer and a web server coupled to the computer includes participating by the application in an initial authentication process with the server and wrapping every GET and POST request message to the server in an SSLX-EA exchange after the initial authentication process.
Type: Grant
Filed: September 6, 2007
Date of Patent: March 27, 2012
Inventor: R. Paul McGough
-
Patent number: 8140847
Abstract: An online file lodging system or digital safe, which comprises plural safes or safe user accounts, is disclosed for securely storing highly confidential files. A user of the system can create an individual safe by using an account management tool. The system has a web-based user interface, from which the user can upload files for storage with detailed tracking information, grant the right of access to the owner of another safe, and generate an authenticity certificate for proving the uploading time and the substance of the file in a future time.
Type: Grant
Filed: September 18, 2008
Date of Patent: March 20, 2012
Inventor: Jianqing Wu
-
Patent number: 8135954
Abstract: A server, e.g., a client (105, 107, 109), receives a request for a digital signature to be applied to digital information, obtains a representation of the information, determines a designation of key pair(s) to be applied thereto; and transmits a request for the digital signature to a front end server (103a, 103b). The front end server determines one or more of whether the client is authentic and authorized, the user identifier is authentic, and the user identifier is permitted to make the request. If so, the front end server transmits a request to generate a digital signature to a back end server (101). The back end server determines one or more of whether the front end server is authentic and the designated key pair correspond to the requesting front end server. If so, the back end server generates the digital signature based on the information and the key pair(s).
Type: Grant
Filed: December 20, 2004
Date of Patent: March 13, 2012
Assignee: Motorola Mobility, Inc.
Inventors: Joel D. Voss, Ronald F. Buskey, Joseph M. Hansen, David H. Hartley, Michael J. Terrington
-
Patent number: 8136166
Abstract: To install a black box on a computing device, an administrator has access to the computing device and queries same for machine properties thereof. The administrator sends the machine properties of the computing device to a black box server as part of a request for a new black box for the computing device. The black box server in response constructs the new black box based in part on the machine properties so as to tie the new black box to the computing device, and delivers the new black box to the administrator. The administrator thereafter installs the new black box on the computing device. The administrator may include an activation provider running on the computing device and an activation manager in communication with the activation provider. The administrator may also deactivate the black box if it determines that the black box is no longer trustworthy.
Type: Grant
Filed: September 6, 2006
Date of Patent: March 13, 2012
Assignee: Microsoft Corporation
Inventors: Pratul Dublish, Sean Lyndersay, Charlie D. Chase, Jr., Caglar Gunyakti
-
Patent number: 8135950
Abstract: Method and apparatus for managing digital certificates are described herein. In one embodiment, an encryption certificate is extracted from an email received from an owner of the encryption certificate, where the encryption certificate is issued from a trusted party other than the owner. Then the encryption certificate is associated with an entry of a directory based on an identity (ID) of the owner, where the directory provides directory services to one or more email servers. Other methods and apparatuses are also described.
Type: Grant
Filed: February 27, 2007
Date of Patent: March 13, 2012
Assignee: Red Hat, Inc.
Inventor: Steven W. Parkinson
-
Publication number: 20120047368
Abstract: A method for authenticating a multiple interface accessory device is provided. The method includes receiving enumeration information identifying the multiple interfaces supported by the accessory. The enumeration information includes information about a master interface supported by the accessory. A host device obtains authentication information from the accessory in accordance with a protocol associated with the master interface. Based on the authentication information, the host device determines whether the accessory is authorized to communicate with the host device. In the event that the accessory is authorized, the host device permits communication with the accessory using one or more of the multiple interfaces supported by the accessory.
Type: Application
Filed: August 20, 2010
Publication date: February 23, 2012
Applicant: Apple Inc.
Inventors: Paul William Chinn, Roberto G. Yepez, Anand Dalal
-
Patent number: 8122253
Abstract: Architecture that facilitates validation of a data mapping of data from a data source to a data target. There is included a signature generation component that generates a source signature of all or a portion of the data source and a target signature of all or a corresponding portion of the data target, and a sampling component that obtains a sample of the source data and a corresponding sample of the target data. The data signatures and data samples are compared respectively and processed with a processing component to determine the status of the validation process.
Type: Grant
Filed: January 23, 2009
Date of Patent: February 21, 2012
Assignee: Microsoft Corporation
Inventors: Neeraj Garg, Cale D. Carter, Kulothungan Rajasekaran, Deuane J. Martin, Pankaj K. Singh
-
Patent number: 8117273
Abstract: An Instant Messaging security system that encrypts Instant Messages sent by an Instant Messaging user to an Instant Messaging server by intercepting the messages, negotiating a preferred security algorithm and forwarding the encrypted messages to the server. The security system intercepts and decrypts encrypted messages sent by the server to the user. The security system is able to determine whether a receiving user is equipped with a similar security system without prior knowledge of network addresses, configuration or capability. The security system is transparent to the Instant Message service provider and may provide one or more indicators to users that messages are encrypted during forwarding.
Type: Grant
Filed: July 12, 2004
Date of Patent: February 14, 2012
Assignee: McAfee, Inc.
Inventors: Saroop Mathur, Rajamadam C. Venkatraman, Charlie Kim, Ashish Warty, Yih-Ming M. Liao
-
Patent number: 8117453
Abstract: A method and a system of customization and authentication of an electronic circuit for an application implementing an asymmetrical algorithm and using a certification authority, including use of an authentication channel of another application implementing the same asymmetrical algorithm and using another certification authority.
Type: Grant
Filed: November 21, 2006
Date of Patent: February 14, 2012
Assignee: Proton World International N.V.
Inventor: Thierry Huque
-
Patent number: 8117439
Abstract: A requester requests a secure certificate for a domain name from a validating entity, such as a certification authority. To verify that the requestor has control over the domain name, the validating entity generates a pass string. The requestor enters the pass string into a domain zone. The validating entity determines if the pass string was entered in the domain zone. If the pass string is present in the domain zone, the validating entity may issue the secure certificate. If the pass string is not in the domain zone, the validating entity may deny issuing the secure certificate to the requestor.
Type: Grant
Filed: January 24, 2008
Date of Patent: February 14, 2012
Assignee: Go Daddy Operating Company, LLC
Inventor: Eric Rodriguez
-
Patent number: 8116450
Abstract: A method for measuring trust in a transaction over a public key certificate network includes associating each edge KA→KB of a public key certificate network connecting two public keys KA and KB with a probability p that information about KB is reliable, and a confidence c that is a total dollar amount of transactions which have involved using edge KA→KB. One or more authentication paths are formed in the public key certificate network starting from public key KS and ending with a target public key KT. A limit l of an amount of insurance that an owner of KS is willing to provide to a user interested in a transaction with an owner of KT is calculated, and for each amount m<l, a premium for which the owner of KS is willing to sell insurance to the user for an amount of m is calculated.
Type: Grant
Filed: October 1, 2008
Date of Patent: February 14, 2012
Assignee: International Business Machines Corporation
Inventors: Dakshi Agrawal, Charanjit Singh Jutla
-
Publication number: 20120036364
Abstract: In a system where a communication device performs secure communication by using a digital certificate, to enable a device of a communication party to verify that a self certificate is certainly generated by a device indicated on the self certificate even if the self certificate is not delivered offline in advance. Based on a master key and a public parameter, a communication device generates an ID-based encryption private key for which a device unique ID is used as a public key. Then, the communication device generates the digital signature of an RSA public key as an ID-based encryption signature by using the ID-based encryption private key. Then, the communication device generates an RSA self signature for the RSA public key, an expiration date, a host name, the device unique ID, and the ID-based encryption signature as the target. Then, the communication device generates a self-signed certificate to include the ID-based encryption signature and the RSA self signature.
Type: Application
Filed: December 9, 2009
Publication date: February 9, 2012
Applicant: MITSUBISHI ELECTRIC CORPORATION
Inventors: Takeshi Yoneda, Nobuhiro Kobayashi
-
Patent number: 8112628
Abstract: A first data processing system, which includes a first cryptographic device, is communicatively coupled with a second data processing system, which includes a second cryptographic device. The cryptographic devices then mutually authenticate themselves. The first cryptographic device stores a private key of a first asymmetric cryptographic key pair and a public key of a second asymmetric cryptographic key pair that is associated with the second data processing system. The second cryptographic device stores a private key of the second asymmetric cryptographic key pair and a public key of the first asymmetric cryptographic key pair that is associated with the first data processing system.
Type: Grant
Filed: January 5, 2009
Date of Patent: February 7, 2012
Assignee: International Business Machines Corporation
Inventors: Steven A. Bade, Ching-Yun Chao
-
Patent number: 8112076
Abstract: The present invention provides safe and secure application distribution and execution by providing systems and methods that test an application to ensure that it satisfies predetermined criteria associated with the environment in which it will execute. Furthermore, by using rules and permission lists, application removal, and a modification detection technique, such as digital signatures, the present invention provides mechanisms to safely distribute and execute tested, or untested, applications by determining whether the application has been modified, determining if it has permission to execute in a given wireless device environment, and removing the application should it be desirable to do so.
Type: Grant
Filed: March 22, 2010
Date of Patent: February 7, 2012
Assignee: QUALCOMM Incorporated
Inventors: Laurence Lundblade, Marc S. Phillips, Brian Minear, Yan Zhuang, Anand Krishnan, Stephen A. Sprigg, Mazen Chmaytelli, Mitchell B. Oliver, Gerald Charles Horel, Karen Crossland
-
Publication number: 20120030469
Abstract: The process of acquiring SSL certificates for enterprise SSL customers is improved by reducing the number of steps used to acquire the SSL certificate and streamlining the process. An on-line CSR generator on the certificate enrollment form is used to submit the customer information (i.e. Common Name, Organizational Unit, Organization, City/Locality, State/Province, and Country Code) and generate the CSR. By making the CSR generation part of the enrollment process, the administrator can use the same enrollment form to submit the customer information along with the contact information pertinent to the enterprise.
Type: Application
Filed: July 26, 2011
Publication date: February 2, 2012
Applicant: Symantec Corporation
Inventors: Steve Hsueh, Zhengwen Ju, Yutong Wang, John Yun
-
Patent number: 8108671
Abstract: A method of controlling presentation of content on a media storage device is described. The method is comprised of verifying the presence of a media presentation mechanism and a usage compliance mechanism on a computer system operated by a recipient to whom the media storage device is distributed. The usage compliance mechanism includes a file system filter driver for controlling data reads associated with the computer readable media. The media presentation mechanism is communicatively coupled with the usage compliance mechanism. The present method further includes the file system driver performing a first decryption of the computer readable media. The present method further includes the media presentation mechanism performing a second decrypting of the computer readable media concurrent with presenting the computer readable media to the recipient.
Type: Grant
Filed: August 23, 2010
Date of Patent: January 31, 2012
Assignee: Music Public Broadcasting, Inc.
Inventors: Hank Risan, Edward Vincent Fitzgerald
-
Patent number: 8108913
Abstract: A system and method for marking and controlling the transfer of information between several users (2i, 9i). An authority (3) marks information to be transmitted. A directory (4) or device containing the certificates of all users as well as the certificates of all the components of the architecture. A security office (5) is used to, a key management device (6a) and a privilege management device (6b).
Type: Grant
Filed: December 19, 2006
Date of Patent: January 31, 2012
Assignee: Thales
Inventors: Eric Weber, David Granjard, Fabien Alcouffe
-
Patent number: 8108669
Abstract: An image forming apparatus for attaching an electronic signature to image data read from a paper document is disclosed. Validity of a first public key certificate that certifies a first signature key is determined. A first electronic signature for the image data is generated by using the first signature key. The first electronic signature is prevented from being generated in response to an event that it is determined that the first public key certificate is invalid.
Type: Grant
Filed: July 10, 2006
Date of Patent: January 31, 2012
Assignee: Ricoh Company, Ltd.
Inventors: Satoshi Saito, Yoichi Kanai
-
Patent number: 8103876
Abstract: A method for handling digital certificate status requests between a client system and a proxy system is provided. The method includes the steps of receiving at the proxy system digital certificate status request data transmitted from the client system and generating query data for the digital certificate status in response to receiving the digital certificate status request data. The query data is transmitted to a status provider system, and status data from the status provider system in response to the query data is received at the proxy system. Digital certificate status data based on the status data received is generated and transmitted to the client system.
Type: Grant
Filed: April 28, 2010
Date of Patent: January 24, 2012
Assignee: Research In Motion Limited
Inventors: Herbert A. Little, Stefan E. Janhunen
-
Patent number: 8099791
Abstract: A method of generating an authentication code for a consumable in an imaging device, includes the steps of: an identification number assigned to the consumable; processing an indemnification number assigned to the consumable using a first algorithm to generate a preliminary number different from the identification number; and compressing the preliminary number using a compression algorithm that utilizes the identification number to generate the authentication code.
Type: Grant
Filed: June 25, 2004
Date of Patent: January 17, 2012
Assignee: Lexmark International, Inc.
Inventors: Christopher Alan Adkins, Douglas Keith Peterson, Jr.
-
Patent number: 8099594
Abstract: Embodiments of methods, apparatuses, systems and/or devices for processing a certificate are disclosed.
Type: Grant
Filed: October 12, 2010
Date of Patent: January 17, 2012
Assignee: Adobe Systems Incorporated
Inventors: Andrei Sheretov, Sunil C. Agrawal
-
Publication number: 20120005481
Abstract: According to a conventional technique, in the case where a program is stored into a non-volatile memory once and then activated, authentication of the program is performed immediately before such activation. However, calculations such as decryption of encrypted values are required before the activation of the program starts, which causes the problem that responsiveness is decreased in proportion to the time required for calculations. In order to solve this problem, authentication of a program is performed immediately before such program is stored, so that no authentication is performed or only a part of the authentication is performed to verify the validity of certificates at program activation time.
Type: Application
Filed: September 16, 2011
Publication date: January 5, 2012
Applicant: PANASONIC CORPORATION
Inventors: Tadao KUSUDO, Takakazu SHIOMI
-
Publication number: 20120005480
Abstract: A method for installing embedded firmware is provided. The method includes generating one or more firmware file instances and generating one or more digital certificate instances that are separate instances from the firmware file instances. The method includes associating the one or more digital certificate instances with the one or more firmware file instances to facilitate updating signature-unaware modules with signature-aware firmware or to facilitate updating signature-aware modules with signature-unaware firmware.
Type: Application
Filed: July 1, 2010
Publication date: January 5, 2012
Applicant: ROCKWELL AUTOMATION TECHNOLOGIES, INC.
Inventors: Brian A. Batke, Jack M. Visoky, James J. Kay, Scott A. Mintz, William B. Cook
-
Patent number: 8090948
Abstract: Image data is transmitted from a client PC to an image formation apparatus. Upon printing, an external server conducts an authentication process. A certificate indicating that the user has been authenticated is held, with its validity period provided in the image formation apparatus. Within the validity period, the time-consuming authentication process with respect to the external server is skipped. This can reduce the burden of authentication while ensuring security, so that high productivity is guaranteed.
Type: Grant
Filed: December 22, 2004
Date of Patent: January 3, 2012
Assignee: Konica Minolta Business Technologies, Inc.
Inventors: Hiroshi Sugiura, Atsushi Tomita
-
Patent number: 8090854
Abstract: The frequency of reading, by users, Web sites managed by Web masters is increased. A server computer of a service provider providing a variety of services can be accessed from one of the Web sites of registered Webmasters. The server computer registers a client who has accessed it through one of the Web sites. Only when the registered client accesses the service provider through the Web site, the client can receive any one of the services.
Type: Grant
Filed: August 12, 2010
Date of Patent: January 3, 2012
Assignee: International Business Link Co., Ltd.
Inventor: Takeshi Saito
-
Patent number: 8090949
Abstract: A system and method for assigning certificates and reducing the size of the certificate revocation lists in a PKI based architecture for a vehicle wireless communications system that includes separating a country, or other area, into geographic regions and assigning region-specific certificates to the vehicles. Therefore, a vehicle need only process certificates and certificate revocation lists for the particular region that it is traveling in. Vehicles can be assigned multiple certificates corresponding to more than one region in the vehicle's vicinity as advance preparation for possible travel or transmission into nearby regions. Further, the expiration time of certificates assigned to vehicles corresponding to a given geographic region can be tailored to be inversely proportional to the distance from a registered home region of the vehicle. A scalable design for a back-end certifying authority with region-based certificates can also be provided.
Type: Grant
Filed: March 13, 2008
Date of Patent: January 3, 2012
Assignee: GM Global Technology Operations LLC
Inventors: Bhargav Ramchandra Bellur, Anitha Varghese, Rajeev Shorey, Srinivasan Rajavelu, Aditya R. Karnik
-
Publication number: 20110320817
Abstract: An electronic certificate issuance system comprising at least one communication device, and an electronic certificate issuing device for issuing a set of an electronic certificate and a private key corresponding to the electronic certificate as a certification set for each of the at least one communication device, is provided. The electronic certificate issuing device includes a first connecting interface, an obtaining system, which is adapted to obtain a node ID assigned to each of the at least one communication device, a generating system, and a writing system. The at least one communication device includes a second connecting interface, a judging system, and an installing system.
Type: Application
Filed: September 8, 2011
Publication date: December 29, 2011
Applicant: BROTHER KOGYO KABUSHIKI KAISHA
Inventor: Masafumi MIYAZAWA
-
Publication number: 20110320818
Abstract: A method of operating a host computer having a web-browser with the capability of executing at least one web-browser add-on to provide a web application access to a smart card to protect the smart card from security threats associated with being connected to the Internet. Prior to establishing a connection between a web application executing in the web browser, verifying that the web application has been authorized to connect to a smart card using the web-browser add-on to provide a web application access to a smart card.
Type: Application
Filed: March 5, 2010
Publication date: December 29, 2011
Applicant: GEMALTO SA
Inventors: Ksheerabdhi Krishna, Kapil Sachdeva, HongQian Karen Lu
-
Patent number: 8087075
Abstract: One or more user service tickets are obtained (i.e. pre-fetched) from an authentication server and stored in a ticket cache. The user service tickets facilitate a login device communicating with one or more users or group members associated with the login device. Login credentials for the users or group members may be subsequently authenticated against the user service tickets within the ticket cache thereby eliminating the need for immediate access to the authentication server or a previous login session by the users or group members. The user service tickets within the ticket cache may be refreshed as needed. In one embodiment, the user service tickets are refreshed daily and also in response to login attempts if the authentication service is readily accessible.
Type: Grant
Filed: February 13, 2006
Date of Patent: December 27, 2011
Assignee: Quest Software, Inc.
Inventors: Matthew T Peterson, Jeff Marsden Webb
-
Patent number: 8086867
Abstract: A process for generating a unique, secure and printable identity document, for authenticating the use of the document, and for granting privileges based on the document, includes generating an identity certificate for an individual. This certificate incorporates a pointer to biometric and other identifying data for the individual which are stored in a reference database. The identity certificate is encoded to produce, for example, a machine-readable printable 2-dimensional barcode as an identity document. The identity document may then be used by the document holder for generation of an encoded privilege document and this, in turn, is compared with the stored reference data, including the stored biometric when the privilege is to be exercised.
Type: Grant
Filed: May 1, 2002
Date of Patent: December 27, 2011
Assignee: Northrop Grumman Systems Corporation
Inventors: William E. Freeman, Mark A. Bellmore, Kenneth W. Aull
-
Patent number: 8086842
Abstract: A system may publish authenticated contact information in a publicly available index store, retrieve the contact information, and validate it. The claimed method and system may provide a client-based, server optional approach to publishing. The publicly available index store may be a distributed hash table used in a peer-to-peer network. The system may be used in other secure directory service applications where a server may not be available or where server trust may be minimal.
Type: Grant
Filed: April 21, 2006
Date of Patent: December 27, 2011
Assignee: Microsoft Corporation
Inventors: Gursharan Sidhu, Noah Horton, Sandeep K. Singhal
-
Publication number: 20110314289
Abstract: It is provided an apparatus, comprising property checking means configured to check whether a claimant property information received from a claimant device corresponds to a predefined claimant attribute; obtaining means configured to obtain a result, which is positive only if the claimant property information corresponds to the predefined claimant attribute as checked by the property checking means; key generation means configured to generate a first claimant intermediate key from a predefined claimant permanent key stored in the apparatus; supplying means configured to supply, to the claimant device, the first claimant intermediate key using a secured protocol, wherein at least one of the key generation means and the supplying means is configured to generate and to supply, respectively, the first claimant intermediate key only if the result is positive.
Type: Application
Filed: April 29, 2011
Publication date: December 22, 2011
Applicant: NOKIA SIEMENS NETWORKS OY
Inventors: Guenther HORN, Wolf-Dietrich MOELLER
-
Patent number: 8078875
Abstract: An article identification method can comprise: determining a signature from an article based upon an intrinsic characteristic of the article; and comparing the determined signature to a stored signature. The method can also comprise splitting the determined signature into blocks of contiguous data, performing a comparison operation between each block and respective blocks of the stored signature, and comparing an attribute of a comparison result from each block comparison to an expected attribute of the block comparison to determine a compensation value for use in determining a comparison result. The method can also comprise determining a similarity result between the determined signature and the stored signature, using the compensation value to adjust the determined signature. Thus an article damaged by stretching or shrinking can be successfully identified. Also, a non-linear signature determination can be accommodated without losing identification accuracy.
Type: Grant
Filed: July 27, 2006
Date of Patent: December 13, 2011
Assignee: Ingenia Holdings Limited
Inventors: Russell Paul Cowburn, James David Ralph Buchanan
-
Patent number: 8078874
Abstract: A method and apparatus of transmitting data using authentication between a first device and a second device are provided. The method includes transmitting an encrypted certificate of the first device using a shared key shared by the first device and the second device, receiving authentication key generation information for generating an authentication key, which is received when it is determined that the certificate of the first device is valid and not revoked, generating a first random number and generating an authentication key based on the first random number and the authentication key generation information, and encrypting and transmitting data using the authentication key.
Type: Grant
Filed: November 20, 2007
Date of Patent: December 13, 2011
Assignee: Samsung Electronics Co., Ltd.
Inventors: Yong-kuk You, Seong-soo Kim, Chang-yeul Kwon
-
Patent number: 8078880
Abstract: A user interacts with a client containing personal identity information operable to identify the user to a relying party when the relying party is presented with claims comprising a portion of the personal identity information. The personal identity information includes one or more claims, metadata associated with the one or more claims, and backing data associated with the one or more claims. The user may initiate use of another client and seek to be identified by the relying party while interacting with the other client by first porting the personal identity information to the other client. Porting the personal identity information includes binding the personal identity information and sending the bound personal identity information to a receiving client.
Type: Grant
Filed: July 28, 2006
Date of Patent: December 13, 2011
Assignee: Microsoft Corporation
Inventors: Arun K. Nanda, Ruchita Bhargava, Lucas R. Melton
-
Patent number: 8077867
Abstract: The present invention relates to a confidential information processing device, a confidential information processing apparatus, and a confidential information processing method, and particularly to a confidential information processing device which performs multiple cryptographic computation for different target data included in a data stream. With this configuration, the context control unit outputs the stream on which the cryptographic computation is performed to an external device or other stream analysis unit. Thus, by setting the number of cryptographic computation on a correspondence table, the number of computation can be set to any number. Thus, the confidential information processing device according to the present invention can perform any number of cryptographic computations on one stream. Furthermore, without outputting the stream whenever a cryptographic computation is completed, multiple cryptographic computations can be performed with one stream input.
Type: Grant
Filed: January 8, 2008
Date of Patent: December 13, 2011
Assignee: Panasonic Corporation
Inventors: Yusuke Nemoto, Yuishi Torisaki, Makoto Fujiwara, Satoru Kuriki, Masahiro Sano
-
Patent number: 8079086
Abstract: Protection systems and methods provide for protecting one or more personal computers (“PCs”) and/or other intermittently or persistently network accessible devices or processes from undesirable or otherwise malicious operations of Java™ applets, ActiveX™ controls, JavaScript™ scripts, Visual Basic scripts, add-ins, downloaded/uploaded programs or other “Downloadables” or “mobile code” in whole or part. A protection engine embodiment provides, within a server, firewall or other suitable “recommunicator,” for monitoring information received by the communicator, determining whether received information does or is likely to include executable code, and if so, causes mobile protection code (MPC) to be transferred to and rendered operable within a destination device of the received information, more suitably by forming a protection agent including the MPC, protection policies and a detected-Downloadable.
Type: Grant
Filed: May 26, 2009
Date of Patent: December 13, 2011
Assignee: Finjan, Inc.
Inventors: Yigal Mordechai Edery, Nimrod Itzhak Vered, David R Kroll, Shlomo Touboul
-
Patent number: 8074266
Abstract: By enabling to write information which is readable only by an IC card owner on an IC card without inputting a PIN and to authenticate a creator of the written information and prevent falsification, it is guaranteed that data written on the IC card can be read only by the IC card owner, the creator of the written data can be specified, and the written data has not been falsified. A secure memory card 101 includes a card private key storing unit 208 storing a private key, a card certificate storing unit 202 storing a certificate of a public key which forms a pair with the private key, a certificate sending unit 201 sending the certificate to a PC 102, a private storing unit 203 which is readable/writable from the outside only when a correct PIN is input, a public storing unit 210 which is readable/writable from the outside without checking a PIN, a confidential data receiving unit 211 receiving confidential data from the PC 102, and so on.
Type: Grant
Filed: August 20, 2004
Date of Patent: December 6, 2011
Assignee: Mitsubishi Electric Corporation
Inventor: Takeshi Yoneda
-
Patent number: 8068612
Abstract: Cryptographic systems and methods are provided in which authentication operations, digital signature operations, and encryption operations may be performed. Authentication operations may be performed using authentication information. The authentication information may be constructed using a symmetric authentication key or a public/private pair of authentication keys. Users may digitally sign data using private signing keys. Corresponding public signing keys may be used to verify user signatures. Identity-based-encryption (IBE) arrangements may be used for encrypting messages using the identity of a recipient. IBE-encrypted messages may be decrypted using appropriate IBE private keys. A smart card, universal serial bus key, or other security device having a tamper-proof enclosure may use the authentication information to obtain secret key information. Information such as IBE private key information, private signature key information, and authentication information may be stored in the tamper-proof enclosure.
Type: Grant
Filed: April 21, 2008
Date of Patent: November 29, 2011
Assignee: Voltage Security, Inc.
Inventors: Guido Appenzeller, Terence Spies, Xavier Boyen
-
Publication number: 20110289311
Abstract: A method and apparatus utilizes Layered IPSEC (LES) protocol as an alternative to IPSEC for network-layer security including a modification to the Internet Key Exchange protocol. For application-level security of web browsing with acceptable end-to-end delay, the Dual-mode SSL protocol (DSSL) is used instead of SSL. The LES and DSSL protocols achieve desired end-to-end communication security while allowing the TCP and HTTP proxy servers to function correctly.
Type: Application
Filed: April 15, 2011
Publication date: November 24, 2011
Applicant: University of Maryland
Inventors: Ayan ROY-CHOWDHURY, John S. BARAS
-
Patent number: 8065516
Abstract: A magnetic disk drive is provided capable of reducing a processing load even in a mode of, for example, reproduction during recording. In one embodiment, a magnetic disk drive includes a storage unit for storing certificate information that relates to the magnetic disk drive and corresponds to a root key of a certification organization. The certificate information is used on the host side to perform authentication processing of the magnetic disk drive.
Type: Grant
Filed: September 27, 2006
Date of Patent: November 22, 2011
Assignee: Hitachi Global Storage Technologies Netherlands B.V.
Inventors: Yoshiju Watanabe, Tatsuya Hirai
-
Publication number: 20110283108
Abstract: A trusted relationship service includes a certificate authentication server and a secure file host. The certificate authentication server operates to receive requests from a supplier and a customer to register with the service, verifies the identities of the supplier and the customer and sends digital certificates to both the supplier and the customer. The supplier can send information to the trusted relationship service where it is posted in a secure file host. The supplier can solicit the customer to visit the trusted relationship service web site to view the supplier information stored there, whereupon the customer can use their digital certificate to access the trusted relationship service site and is granted permission by the site to view the supplier information.
Type: Application
Filed: May 14, 2010
Publication date: November 17, 2011
Applicant: Force10 Networks, Inc.
Inventor: Bruce D. Miller
-
Patent number: 8060924
Abstract: A system and method for controlling the execution of executable files. The executables are identified by either a cryptographic digest or a digital certificate. The cryptographic digest is computed from the binary image of the executable. An executable that is attempting to execute is intercepted by a protection module that consults a database of stored rules over a secure channel to determine whether or not the executable can be identified as a permitted executable and whether or not it has permission to execute on a particular computer system under certain specified conditions. If a stored permission is available, it is used to control the execution. Otherwise, the user is consulted for permission.
Type: Grant
Filed: April 18, 2005
Date of Patent: November 15, 2011
Assignee: Lumension Security, Inc.
Inventor: Viacheslav Usov
-
Patent number: 8060746
Abstract: In a method and a device for transferring an e-mail by a public key cryptography between an e-mail transmission device and an e-mail reception device, a trigger message to which user authentication data and a public key are added is received from a transmitting side client, and trust is assigned to the public key within the trigger message to be transmitted to a receiving side client when the user authentication data within the trigger message are authenticated. In response thereto, a response message to which user authentication data and a public key are added is received from the receiving side client, and trust is assigned to the public key within the response message to be transmitted to the transmitting side client when the user authentication data within the response message are authenticated.
Type: Grant
Filed: July 21, 2005
Date of Patent: November 15, 2011
Assignee: Fujitsu Limited
Inventor: Yuji Kojima
-
Publication number: 20110276803
Abstract: Operations or functions on a device may require an operational certificate to ensure that the user of the device or the device itself is permitted to carry out the operations or functions. A system and a method are provided for providing an operational certificate to a device, whereby the operational certificate is associated with one or more operations of the device. A manufacturing certificate authority, during the manufacture of the device, obtains identity information associated with the device and provides a manufacturing certificate to the device. An operational certificate authority obtains and authenticates at least a portion of the identity information associated with the device from the manufacturing certificate and, if at least the portion of the identity information is authenticated, the operational certificate is provided to the device.
Type: Application
Filed: May 10, 2010
Publication date: November 10, 2011
Applicant: Research in Motion Limited
Inventors: Christopher Lyle BENDER, Roger Paul Bowman
-
Patent number: 8054761
Abstract: A first network element receives a message from a second network element. The message is modified by the first network element by inserting a certificate into the message, wherein the certificate includes an identity of the first network element and a digital signature produced by the first network element. The modified message is sent to a third network element.
Type: Grant
Filed: November 19, 2010
Date of Patent: November 8, 2011
Assignee: Genband US LLC
Inventors: Michael Flynn Thomas, Robert Elwood Denman, Sriram Parameswar