By Generation Of Certificate Patents (Class 713/175)
-
Patent number: 8051288
Abstract: Architecture that facilitates validation of a data mapping of data from a data source to a data target. There is included a signature generation component that generates a source signature of all or a portion of the data source and a target signature of all or a corresponding portion of the data target, and a sampling component that obtains a sample of the source data and a corresponding sample of the target data. The data signatures and data samples are compared respectively and processed with a processing component to determine the status of the validation process.
Type: Grant
Filed: January 23, 2009
Date of Patent: November 1, 2011
Assignee: Microsoft Corporation
Inventors: Neeraj Garg, Cale D. Carter, Kulothungan Rajasekaran, Deuane J. Martin, Pankaj K. Singh
-
Patent number: 8051289
Abstract: In one embodiment, a system to manage and deliver electronic documents is disclosed.
Type: Grant
Filed: October 14, 2010
Date of Patent: November 1, 2011
Assignee: Avow Systems, Inc.
Inventors: Jay A. Johnson, Mark A. Johnston, Ronald M. Hyman, Chris M. Kaschmitter
-
Publication number: 20110264916
Abstract: The invention relates to a motor vehicle electronics device comprising a first interface (116) for establishing a first connection to a first ID token (134) in order to read data from the first ID token, a memory (104) for storing a certificate, means (122) for the cryptographic authentication with respect to the first ID token using the certificate, means (130) for actuating at least one display apparatus (136, 138) for reproducing the data, and a second interface (118) for storing the certificate in the memory.
Type: Application
Filed: July 24, 2009
Publication date: October 27, 2011
Applicant: BUNDESDRUCKEREI GMBH
Inventors: Jorg Fischer, Frank Dietrich, Manfred Paeschke
-
Patent number: 8046584
Abstract: Method for checking the signature of a message. The message, signature, and a certificate are sent by a signer having a public key to a recipient having a message storage device. The certificate is checked by a protected device connected to the message storage device and a checking result data element is sent for checking to a display device connected to the protected device. When the certificate is verified, a reduction of the message is calculated in the protected device and the message is recopied onto the display device. The signature is decrypted using the public key in the protected device, and the decrypted signature is compared with the reduction carried out. According to the comparison, a message is sent from the protected device to the display device indicating whether the signature conforms or does not conform to the message or to the public key of the signer put forward.
Type: Grant
Filed: November 12, 2003
Date of Patent: October 25, 2011
Assignee: Gemalto SA
Inventor: Arnaud Fausse
-
Patent number: 8041955
Abstract: A mechanism for mutual authorization of a secondary resource in a grid of resource computers is provided. When a primary resource attempts to offload a grid computing job to a secondary resource, the primary resource sends a proxy certificate request to the user machine. Responsive to a proxy certificate request, the user machine performs authorization with the secondary resource. If authorization with the secondary resource is successful, the user machine generates and returns a valid proxy certificate. The primary resource then performs mutual authentication with the secondary resource. If the authorization with the secondary resource fails, the user machine generates and returns an invalid proxy certificate. Mutual authentication between the primary resource and the secondary resource will fail due to the invalid proxy certificate. The primary resource then selects another secondary resource and repeats the process until a resource is found that passes the mutual authorization with the user machine.
Type: Grant
Filed: November 7, 2008
Date of Patent: October 18, 2011
Assignee: International Business Machines Corporation
Inventors: Susann Marie Keohane, Gerald Francis McBrearty, Shawn Patrick Mullen, Jessica Kelley Murillo, Johnny Meng-Han Shieh
-
Patent number: 8041949
Abstract: An information processing system in which information transfers between communication devices through a network is limited within a prescribed range by registering unique information obtainable within the prescribed range into each device and permitting information transfer between devices which share common unique information, where the unique information is formed by a pair of public and secret unique information, a bridge device is controlled such that, upon receiving a proxy check request from a reception device, whether a transmission device is another bridge device or not is judged when the public unique information registered by the reception device is registered in the bridge device and one public unique information registered in the bridge device is registered by the transmission device. Then, the secret unique information registered by the reception device is transmitted to the transmission device when the transmission device is not another bridge device.
Type: Grant
Filed: March 4, 2005
Date of Patent: October 18, 2011
Assignee: Kabushiki Kaisha Toshiba
Inventors: Hiroshi Isozaki, Takeshi Saito, Tatsuyuki Matsushita, Tooru Kamibayashi
-
Patent number: 8041749
Abstract: Methods and apparatus, including computer program products, related to managing specification, enforcement, or auditing of electronic health information use. In general, data characterizing a request to modify access rights to health information is received and the access rights are modified in accordance with the request, where the modifying includes modifying a property characterizing access rights of a relationship between a first user and second users, or an organization of the second users. The access rights may be independent of the health information and modification of access rights may be independent of a security of the health information.
Type: Grant
Filed: April 11, 2007
Date of Patent: October 18, 2011
Assignee: Medox Exchange, Inc.
Inventor: Michael E. Beck
-
Patent number: 8037308
Abstract: An electronic certificate issuance system comprising at least one communication device, and an electronic certificate issuing device for issuing a set of an electronic certificate and a private key corresponding to the electronic certificate as a certification set for each of the at least one communication device, is provided. The electronic certificate issuing device includes a first connecting interface, an obtaining system, which is adapted to obtain a node ID assigned to each of the at least one communication device, a generating system, and a writing system. The at least one communication device includes a second connecting interface, a judging system, and an installing system.
Type: Grant
Filed: March 29, 2007
Date of Patent: October 11, 2011
Assignee: Brother Kogyo Kabushiki Kaisha
Inventor: Masafumi Miyazawa
-
Patent number: 8037306
Abstract: A method for realizing network access authentication, wherein a network access authentication device pre-storing a system integrity value of a device waiting to access and a correspondence between each device waiting to access and its system integrity value. When the device waiting to access needs to access the network, it acquires its current system integrity value, and sends the current system integrity value to the network access authentication device; the network access authentication device judges whether the received current system integrity value of the device waiting to access and its stored integrity value of the device waiting to access are identical or not, and in a case where the received current system integrity value of the device waiting to access and its stored integrity value of the device waiting to access are identical, it determines that the network access is authenticated.
Type: Grant
Filed: December 8, 2005
Date of Patent: October 11, 2011
Assignees: Beijing Lenovo Software Ltd., Lenovo (Beijing) Limited
Inventors: Wei Wei, Yadong Qu, Jun Chen
-
Patent number: 8032753
Abstract: Provided is a certificate transmission server transmitting a certificate stored in a fixed terminal to a mobile terminal, a system including the same, and a method using the same. The method includes forming a security channel to the mobile terminal and performing authentication of the mobile terminal, forming a security channel to the fixed terminal and performing authentication of the fixed terminal, and if the authentication of the mobile terminal and the fixed terminal is successful, receiving the certificate from the fixed terminal and transmitting the certificate to the mobile terminal. Accordingly, authentication of a mobile terminal and a fixed terminal can be performed by a certificate transmission server, and the certificate can be transmitted by establishing a safe communication channel.
Type: Grant
Filed: November 2, 2007
Date of Patent: October 4, 2011
Assignee: Electronics and Telecommunications Research Institute
Inventors: Seung-Hyun Kim, Jong-Hyouk Noh, Sang-Rae Cho, Yeong-Sub Cho, Dae-Seon Choi, Seung-Hun Jin, Kyo Il Chung
-
Publication number: 20110238996
Abstract: A trusted network connect handshake method based on tri-element peer authentication is provided, which comprises the following steps. An access controller (AC) sends message 1 for handshake activation to an Access Requestor (AR). The AR sends message 2 for access handshake request to the AC after receiving message 1. The AC sends message 3 for certificate authentication and integrity evaluation request to a Policy Manager (PM) after receiving message 2. The PM sends message 4 for certificate authentication and integrity evaluation response to the AC after receiving message 3. The AC sends message 5 for access handshake response to the AR after receiving message 4. The trusted network connect handshake is completed after the AR receives message 5.
Type: Application
Filed: December 8, 2009
Publication date: September 29, 2011
Applicant: China Iwncomm Co., Ltd
Inventors: Yuelei Xiao, Jun Cao, Li Ge, Zhenhai Huang
-
Patent number: 8028157
Abstract: A boot method and apparatus are described which reduce the likelihood of a security breach in a mobile device, preferably in a situation where a reset has been initiated. A predetermined security value, or password, is stored, for example in BootROM. A value of a security location within FLASH memory is read and the two values are compared. Polling of the serial port is selectively performed, depending on the result of such comparison. In a presently preferred embodiment, if the value in the security location matches the predetermined security value, then polling of the serial port is not performed. This reduces potential security breaches caused in conventional arrangements where code may be downloaded from the serial port and executed, which allows anyone to access and upload programs and data in the FLASH memory, including confidential and proprietary information.
Type: Grant
Filed: May 1, 2008
Date of Patent: September 27, 2011
Assignee: Research In Motion Limited
Inventors: Richard C. Madter, Ryan J. Hickey, Christopher Pattenden
-
Patent number: 8028333
Abstract: A method and system of authenticating a public key certificate for a relying party (RP). A Certificate Authority (CA), who issued the certificate, is a member of a Public Key Infrastructure (PKI) having a Certificate Policy (CP). First quality levels required of the CA by the RP are accessed by a certificate classification service (CCS) and corresponding second quality levels possessed by the CA are ascertained by the CCS. At least one quality characteristic pertaining to the second quality levels relates to at least one element of the CP. The ascertained second quality levels are compared by the CCS with the corresponding accessed first quality levels. A result of the comparing, communicated by the CCS to the RP, is that the certificate is authenticated if the comparing has determined that each first quality level is not less than each corresponding second quality level.
Type: Grant
Filed: August 23, 2007
Date of Patent: September 27, 2011
Assignee: International Business Machines Corporation
Inventors: Konrad Falch, Trond Lemberg, Hakon Liberg, Anund Lie, Per Myrseth, Jon Olnes
-
Patent number: 8028167
Abstract: A method and an electronic apparatus for rolling over from a first to second trusted certificate in the electronic apparatus. Information containing identification data for identifying the second trusted certificate is acquired in the electronic apparatus. Also, the second trusted certificate, which is preinstalled in the electronic apparatus, is activated based on said identification data.
Type: Grant
Filed: June 2, 2006
Date of Patent: September 27, 2011
Assignee: Sony Ericsson Mobile Communications AB
Inventors: Stefan Andersson, Janne Karppinen
-
Patent number: 8024570
Abstract: A method and apparatus for communication via a computer network (102) including registering a plurality of users (206, 222, 224) with a trusted body (110, 210). The trusted body (110, 210) verifies the identity of each user (206, 222, 224) and generates a random identifier (216) for each user (206, 222, 224). A plurality of users (206, 222, 224) can enter into a dialogue with the other users by means of messages sent over the computer network (102) via the trusted body (110, 210). A user (206, 222, 224) remains anonymous through use of its random identifier (216) until such time as the user (206, 222, 224) reveals its true identity. Due to the registration of the users (206, 222, 224) with the trusted body (110, 210) a means of non-repudiation of the dialogue by the users (206, 222, 224) is provided.
Type: Grant
Filed: February 20, 2008
Date of Patent: September 20, 2011
Assignee: International Business Machines Corporation
Inventor: Gary P. Noble
-
Patent number: 8023693
Abstract: A system and method are provided for facilitating the playing of a watermarked video having the “birthday problem”. Consumers send the problem disc to an authorization center where the disc is analyzed to determine if it is a legitimate disc. The authorization center generates a digital certificate uniquely associated with the disc and with the video and embeds the digital certificate into the disc. The digital certificate will cause a video player to play the video without checking for the watermark.
Type: Grant
Filed: May 31, 2008
Date of Patent: September 20, 2011
Assignee: International Business Machines Corporation
Inventors: Thomas A. Bellwood, James M. Gasiewski, Donald E. Leake, Jr., Jeffrey B. Lotspiech
-
Patent number: 8024562
Abstract: In the setup phase, the certification authority (CA 120) generates validation proof data structures for greater time than the maximum validity period of any digital certificate. Therefore, new certificates can be added to the existing data structures after the setup phase.
Type: Grant
Filed: June 26, 2009
Date of Patent: September 20, 2011
Assignee: NTT DOCOMO, Inc.
Inventors: Craig B. Gentry, Zulfikar Amin Ramzan, Bernhard Bruhn
-
Patent number: 8024573
Abstract: A method for authentication of elements of a group, especially for authentication of sensor nodes in a preferably wireless sensor network is disclosed. The group has one specific element—leading element—with which each of the group elements can exchange information and wherein the authentication of the group elements takes place with regard to the leading element. The leading element sends an authentication request to the group elements wherein the authentication request is the same for all the group elements. The group elements each send authentication responses—based on the authentication request—to the leading element, with the authentication responses being different for each group element.
Type: Grant
Filed: October 5, 2005
Date of Patent: September 20, 2011
Assignee: NEC Corporation
Inventors: Dirk Westhoff, Joao Girao
-
Patent number: 8024565
Abstract: Authorizing information flows between devices of a data processing system is provided. In one illustrative embodiment, an information flow request is received from a first device to authorize an information flow from the first device to a second device. The information flow request includes an identifier of the second device. Based on an identifier of the first device and the second device, security information identifying an authorization level of the first device and second device is retrieved. A sensitivity of an information object that is to be transferred in the information flow is determined and the information flow is authorized or denied based only on the sensitivity of the information object and the authorization level of the first and second devices irregardless of the particular action being performed on the information object as part of the information flow.
Type: Grant
Filed: May 30, 2008
Date of Patent: September 20, 2011
Assignee: International Business Machines Corporation
Inventors: Diana J. Arroyo, George R. Blakley, III, Damir A. Jamsek, Sridhar R. Muppidi, Kimberly D. Simon, Ronald B. Williams
-
Patent number: 8023656
Abstract: A system and method for automatic key and certificate management is disclosed. In particular, a key store in a base computer contains both new and previously viewed cryptographic keys. In one embodiment, for each new key, if a corresponding certificate matches an existing certificate, the new certificate may be automatically downloaded to a mobile communications device without prompting a user.
Type: Grant
Filed: March 16, 2009
Date of Patent: September 20, 2011
Assignee: Research In Motion Limited
Inventors: Neil P. Adams, Michael S. Brown, Herbert A. Little
-
Patent number: 8024784
Abstract: A method and system for allowing a user to access a peer from a remote system are described. The method and system include authenticating the user for the peer using an authentication server and providing a token for the peer and the user based on the authenticating. The user is authenticated from the remote system. The method and system also include allowing the user to access the peer from the remote system through a proxy server and using the token, if the user is authenticated.
Type: Grant
Filed: September 16, 2004
Date of Patent: September 20, 2011
Assignee: Qurio Holdings, Inc.
Inventor: Alfredo C Issa
-
Publication number: 20110225425
Abstract: A trusted read and write platform provides write-indisputability and read-undeniability for a distributed application. The platform is implemented at each node of the distributed application using a trusted platform module. To provide write-indisputability, the read and write platform of a node may generate a proof that is signed by the platform module and sent with a purportedly written result. The proof is decrypted using a public key associated with the platform module and includes indicators of the process taken by the read and write platform to write the result. To provide read-undeniability, the read and write platform may bind a key to a state of the platform module. A result to be read at the read and write platform is encrypted using the key and can only be decrypted when the read and write platform updates its state to the bound state.
Type: Application
Filed: March 11, 2010
Publication date: September 15, 2011
Applicant: Microsoft Corporation
Inventors: Ramakrishna R. Kotla, Indrajit Roy
-
Publication number: 20110225426
Abstract: A system creates a trusted group of devices for single sign on. The trusted group is a set of two or more devices which can communicate securely to exchange information about the states of the devices. The two or more devices can arrange or establish the trusted group through the exchange of credentials or authentication information. After the establishment of the trusted group, the two or more devices may communicate through a secure connection established between the members of the trusted group. Each device may then execute normally and may encounter events that change the status of the device. Information about the locking or unlocking of the computer can be exchanged with the other members of the trusted group and the other members may also lock or unlock in concert.
Type: Application
Filed: March 7, 2011
Publication date: September 15, 2011
Applicant: AVAYA INC.
Inventors: Amit Agarwal, Mehmet Balasaygun, Swapnil Kamble, Raj Sinha
-
Patent number: 8019999
Abstract: A method of carrying out wireless video communication involves at a wireless receiver (WR) device, providing a digital certificate, the digital certificate containing a High-Bandwidth Digital Copy Protection (HDCP) Key Source Vector (KSV), a device identifier for the WR device, and a digital signature cryptographically binding the identifiers; at the WR, responsive to an initiation of a wireless communication session from a wireless transmitter (WT) device, sending the digital certificate to the WT device; the WT receiving the digital certificate and having the identities in the digital certificate checked against a revocation list; and if one of the WR device's identities has been revoked, halting the wireless communication session. This abstract is not to be considered limiting, since other embodiments may deviate from the features described in this abstract.
Type: Grant
Filed: February 7, 2008
Date of Patent: September 13, 2011
Assignees: Sony Corporation, Sony Electronics Inc.
Inventor: Brant L. Candelore
-
Patent number: 8019990
Abstract: A method for facilitating electronic certification, and systems for use therewith, are presented in the context of public key encryption infrastructures. Some aspects of the invention provide methods for facilitating electronic certification using authority-neutral service requests sent by an application, which are then formatted by a server comprising a middleware that can convert the authority-neutral request into certification authority specific objects. The server and middleware then return a response from a selected certification authority back to the service requesting application. Thus, the server and/or middleware act as intermediaries that facilitate user transactions in an environment having multiple certification authorities without undue burden on the applications or the expense and reliability problems associated therewith.
Type: Grant
Filed: February 4, 2008
Date of Patent: September 13, 2011
Assignee: Zoralco Fund Limited Liability Company
Inventor: Kae-por F. Chang
-
Publication number: 20110219234
Abstract: A computer located outside of an organizational computing environment is remotely prepared and configured to work in the organizational computing environment. A hypervisor operating system is installed and replaces the primary operating system of the computer, and the primary operating system, virtual software appliances (VSA) and virtual machines (VM) can execute as processes of the hypervisor. The hypervisor is configured to establish secure connection with organizational computing environment and to receive from it organization-configured image software for configuring the computer to work in the organizational computing environment. The secure connection can also be used for remote maintenance of the computer even when the computer operating system is faulty or inactive.
Type: Application
Filed: March 8, 2011
Publication date: September 8, 2011
Inventor: Etay BOGNER
-
Patent number: 8015597
Abstract: Issuing and disseminating a data about a credential includes having an entity issue authenticated data indicating that the credential has been revoked, causing the authenticated data to be stored in a first card of a first user, utilizing the first card for transferring the authenticated data to a first door, having the first door store information about the authenticated data, and having the first door rely on information about the authenticated data to deny access to the credential. The authenticated data may be authenticated by a digital signature and the first door may verify the digital signature. The digital signature may be a public-key digital signature. The public key for the digital signature may be associated with the credential. The digital signature may be a private-key digital signature. The credential and the first card may both belong to the first user.
Type: Grant
Filed: July 16, 2004
Date of Patent: September 6, 2011
Assignee: CoreStreet, Ltd.
Inventors: Phil Libin, Silvio Micali, David Engberg, Alex Sinelnikov
-
Patent number: 8015599
Abstract: A method for provisioning a device such as a token. The device issues a certificate request to a Certification Authority. The request includes a public cryptographic key uniquely associated with the device. The Certification Authority generates a symmetric cryptographic key for the device, encrypts it using the public key, and creates a digital certificate that contains the encrypted symmetric key as an attribute. The Certification Authority sends the digital certificate to the device, which decrypts the symmetric key using the device's private key, and stores the decrypted symmetric key.
Type: Grant
Filed: May 19, 2009
Date of Patent: September 6, 2011
Assignee: Symantec Corporation
Inventor: Nicolas Popp
-
Patent number: 8015600
Abstract: An Identity System manages certificate related actions for organization members and affiliates. Examples of certificate related actions include certificate enrollment, renewal, and revocation. The Identity System maintains and employs different certificate related workflows for different organization members and affiliates. After receiving a request for a certificate related action, the Identity System retrieves a workflow for responding to the request. The Identity System selects the workflow from a plurality of workflows for responding to the type of certificate related action being requested. Each workflow in the plurality corresponds to a different set of user characteristics. The Identity System selects the workflow that corresponds to the requested certificate related action, as well as the type of user for which the request is made.
Type: Grant
Filed: November 30, 2001
Date of Patent: September 6, 2011
Assignee: Oracle International Corporation
Inventors: Richard P. Sinn, Joan C. Teng, Thomas B. Remahl
-
Patent number: 8015409
Abstract: An industrial automation system is provided. This includes at least one license component that is granted by a third party to permit access to a portion of an industrial control component. At least one protocol component that is based in part on a private key exchange facilitates authentication and access to the portion of the industrial control component.
Type: Grant
Filed: January 26, 2007
Date of Patent: September 6, 2011
Assignee: Rockwell Automation Technologies, Inc.
Inventors: John C. Wilkinson, Jr., Taryl J. Jasper, Michael D. Kalan, Nicholas L. Perrotto, Jr., Glenn B. Schulz, James A. Meeker, Kevin M. Tambascio, Jack M. Visoky
-
Patent number: 8011007
Abstract: Access to content may be administered by storing content, the content comprising one or more selections, accessing a passive optical out-of-band token associated with the content, determining an access right for the content based on the passive optical out-of-band token, and enabling access to the content in accordance with the access right.
Type: Grant
Filed: December 28, 2007
Date of Patent: August 30, 2011
Assignee: Time Warner Inc.
Inventors: Steven M. Blumenfeld, William J. Raduchel
-
Publication number: 20110208962
Abstract: The enrollment process for purchasing multiple digital certificates configured using different cryptographic algorithms or hashing algorithms is streamlined. A certificate purchaser wishing to purchase two or more certificates is prompted to provide answers to common enrollment questions, such as the purchaser's contact information, payment details, web server software, and the like, using a simplified and streamlined enrollment process. Each certificate is optionally configured using a different hashing algorithm.
Type: Application
Filed: February 23, 2010
Publication date: August 25, 2011
Applicant: VeriSign, Inc.
Inventor: Richard F. Andrews
-
Patent number: 8006086
Abstract: A computer system (110) provides validity status proofs each of which proves the validity or invalidity of a set (F) of one or more digital certificates (104). The computer system may decide to cache a validity proof for a set F to later provide the cached proof to other parties. The caching decision is based on the caching priority of the set F. The priority may depend on the number of certificates in the set F, the sum of the remaining validity periods for the certificates in the set, and other factors.
Type: Grant
Filed: June 26, 2009
Date of Patent: August 23, 2011
Assignee: NTT DOCOMO, Inc.
Inventors: Craig B. Gentry, Zulfikar Amin Ramzan, Bernhard Bruhn
-
Patent number: 8006085
Abstract: A license-management system and method is provided. A method of issuing a proxy certificate includes transmitting a proxy-certificate-issuance-request message to a license server in order for the local license manager to acquire an authority to issue a license by a local license manager; enabling the license server to verify the proxy-certificate-issuance-request message; if the proxy-certificate-issuance-request message is valid, transmitting a proxy certificate to the local license manager by the license server, the proxy certificate including information regarding the authority to issue a license; and verifying the proxy certificate by the local license manager.
Type: Grant
Filed: July 2, 2008
Date of Patent: August 23, 2011
Assignee: Samsung Electronics Co., Ltd.
Inventors: Jae-Won Lee, Hee-Youl Kim, Hyun-Soo Yoon, Byung-Chun Chung, Youn-Ho Lee
-
Publication number: 20110202771
Abstract: A method is provided to perform network access control. A computing device utilising Online Certificate Status Protocol responder functionality determines whether attempted communication should be allowed between other computing devices appropriately configured with Internet Protocol Security (IPsec), digital certificates and OCSP client software. This determination is based on a set of rules considering the role or roles of the computing devices attempting to communicate, and whether the computing devices attempting to communicate have previously exhibited suspicious or undesirable behaviour.
Type: Application
Filed: February 12, 2010
Publication date: August 18, 2011
Inventor: Steven Charles McLeod
-
Patent number: 8001381
Abstract: A method as provided enables mutual authentication of nodes in a wireless communication network. The method includes processing at a first node a beacon message received from a second node, wherein the beacon message comprises a first nonce value (step 405). An association request message comprising a certificate of the first node, a first signed block of authentication data, and a second nonce value is then transmitted from the first node to the second node (step 410). The second node can then verify a signature of the certificate of the first node and verify a signature of the first signed block of authentication data. An association reply message received from the second node is then processed at the first node (step 415), whereby the first node verifies a signature of a certificate of the second node and verifies a signature of a second signed block of authentication data.
Type: Grant
Filed: February 26, 2008
Date of Patent: August 16, 2011
Assignee: Motorola Solutions, Inc.
Inventors: Anthony E. Metke, Adam C. Lewis, George Popovich
-
Publication number: 20110197068
Abstract: Methods for providing for secure communications across data networks, including untrusted networks. In one embodiment, the method comprises establishing security associations between devices on the network using a digital certificate and key exchange protocol. In one variant, the digital certificate comprises a public encryption key; the recipient of the certificate authenticates the sender using at least the signature, and then generates a cryptographic element (e.g., key), and initialization vector. The key is encrypted and sent back to the originator, where it is decrypted and used to encrypt datagrams sent between the devices. The initialization vector may be used to initialize the encryption algorithm on the receiving device.
Type: Application
Filed: December 10, 2010
Publication date: August 11, 2011
Inventors: James M. Holden, Stephen E. Levin, James O. Nickel, Edwin H. Wrench
-
Patent number: 7996669
Abstract: A computer platform (100) uses a tamper-proof component (120), or “trusted module”, of a computer platform in conjunction with software, preferably running within the tamper-proof component, that controls the uploading and usage of data on the platform as a generic dongle for that platform. Licensing checks can occur within a trusted environment (in other words, an environment which can be trusted to behave as the user expects); this can be enforced by integrity checking of the uploading and license-checking software. Metering records can be stored in the tamper-proof device and reported back to administrators as required. There can be an associated clearinghouse mechanism to enable registration and payment for data.
Type: Grant
Filed: October 2, 2008
Date of Patent: August 9, 2011
Assignee: Hewlett-Packard Development Company, L.P.
Inventors: Siani Lynne Pearson, David Chan
-
Patent number: 7996677
Abstract: Systems and methods for digitally certified stationery are described. In one aspect, a stationery granting authority (SGA) receives a request from a user to generate a document. If the user is authorized for the requested document, the SGA generates a certificate with credentialing information from data in the request. The SGA generates a first digital signature from some of the credentialing information. The SGA communicates the certificate to the user for editing and distribution as the document. A recipient of the document determines whether the document is “official” by contacting a specified service to provide certain information from the document. The verification service computes a second digital signature from the provided information for comparison to the first digital signature. If there is a match, the service notifies the recipient that the document is valid/official. Otherwise, the recipient is notified that the document is not valid.
Type: Grant
Filed: December 6, 2006
Date of Patent: August 9, 2011
Assignee: Microsoft Corporation
Inventors: Denis X. Charles, Kamal Jain, Kristin E. Lauter
-
Publication number: 20110191590
Abstract: A method for digital certification of authenticity of a physical object, and corresponding computer program and storage device, as well as to the use of the method for digital certification of authenticity of a physical object of value. The method includes the steps of issuing a storage device including a digital certificate of authenticity including encrypted information reflecting at least one characteristic unique to the physical object, checking, whenever required, the validity of the digital certificate of authenticity by use of a network computer, the network computer cooperating with the storage device and a validating or a certifying authority so as to output sensibly in real time the status of validity of the digital certificate of authenticity, and modifying the status of validity of the digital certificate of authenticity, whenever required.
Type: Application
Filed: July 28, 2008
Publication date: August 4, 2011
Applicant: WISEKEY S.A.
Inventors: Jérôme Darbellay, Juan Carlos Creus Moreira, Kevin Blackman, Carlos Moreno
-
Patent number: 7992002
Abstract: A secure data depository assembly, and an associated method, provides for storage of data at a secured location forming a vault. Data associated with any of various compliance standards, such as the HIPAA (Health Insurance Portability and Accountability Act) and the PCI (Payment Card Industry) data security standard is stored at sub-vaults defined at the vault. An access controller controls access to the sub-vaults and the data stored thereat. Remote requests generated remote from the vault are routed by way of a packet data network, and, if appropriate, the access controller provides access to the vault and sub-vault contents pursuant to the request.
Type: Grant
Filed: July 7, 2006
Date of Patent: August 2, 2011
Assignee: Hewlett-Packard Development Company, L.P.
Inventor: Bruce W. Bradbury
-
Patent number: 7992198
Abstract: An authentication mechanism is provided for a web method platform that allows homogeneous access for different types of clients according to a bootstrapping procedure utilized to establish the session. Different clients can be assigned different levels of trust based in part on the bootstrapping procedure and/or information provided during the procedure. The bootstrapping procedure can produce a token that is used by the clients in subsequent requests to provide previous authentication or state information to the platform. The token can comprise a shared secret used to ensure integrity of communications in some cases, and the token can be opaque to the client. Tokens can expire and require a client to re-bootstrap to provide higher levels of authentication protection, and tokens can be shared among a plurality of application servers to facilitate effective handling of requests in a farmed environment.
Type: Grant
Filed: September 14, 2007
Date of Patent: August 2, 2011
Assignee: Microsoft Corporation
Inventors: Brian J. Guarraci, Christopher C. White, Niels Thomas Ferguson, Jeffrey Dick Jones, Sean Patrick Nolan, Johnson T. Apacible, Vijay Varadan
-
Patent number: 7987368
Abstract: In a peer-to-peer environment, copyrights and users' privacies can be protected by a tracking mechanism. In described implementations, tracking mechanisms can use certificates that are produced using random numbers to protect the privacy of users and/or certificates that are produced responsive to at least one hardware identifier to enable uploader to be identified to protect copyrights.
Type: Grant
Filed: May 5, 2006
Date of Patent: July 26, 2011
Assignee: Microsoft Corporation
Inventors: Bin Zhu, Xiaoming Wang, Shipeng Li
-
Patent number: 7987355
Abstract: A system may publish authenticated contact information in a publicly available index store, retrieve the contact information, and validate it. The claimed method and system may provide a client-based, server optional approach to publishing. The publicly available index store may be a distributed hash table used in a peer-to-peer network. The system may be used in other secure directory service applications where a server may not be available or where server trust may be minimal.
Type: Grant
Filed: April 21, 2006
Date of Patent: July 26, 2011
Assignee: Microsoft Corporation
Inventors: Gursharan Sidhu, Noah Horton, Sandeep K. Singhal
-
Patent number: 7987365
Abstract: A subscription-based computing device has hardware and a subscription enforcer implemented in the hardware. The enforcer has an accumulator that accumulates a usage value as the computing device is being used and an expiration value register that stores an expiration value. The enforcer allows the computing device to operate in a subscription mode without hindrance and with full use when the usage value is less than the stored expiration value, and allows the computing device to operate in an expiration mode with hindrance and without full use when the usage value reaches the stored expiration value to signal that the subscription for the computing device has expired.
Type: Grant
Filed: March 24, 2006
Date of Patent: July 26, 2011
Assignee: Microsoft Corporation
Inventors: Andrew David Birrell, Charles P. Thacker, Michael Isard
-
Publication number: 20110179278
Abstract: Provided is an apparatus and method of a portable terminal authenticating another portable terminal. The portable terminal may receive a seed generated by the other portable terminal, issue an authentication certificate generated using the seed to the other portable terminal, authenticate the other portable terminal based on the authentication certificate, and provide a secure communication.
Type: Application
Filed: January 14, 2011
Publication date: July 21, 2011
Inventor: Dae Youb Kim
-
Patent number: 7983656
Abstract: A system that incorporates teachings of the present disclosure may include, for example, a server having a controller to implement an Elliptic Curve Diffie-Hellman (ECDH) cryptosystem and manage a key exchange, authentication, and certificate exchange with a communication device also implementing the ECDH cryptosystem, wherein the server communicates over a network that provides an encrypted communication link for the communication device. Other embodiments are disclosed.
Type: Grant
Filed: September 12, 2007
Date of Patent: July 19, 2011
Assignee: AT&T Intellectual Property I, L.P.
Inventors: Nam Nguyen, Donggen Zhang, Paul Tomalenas
-
Patent number: 7979714
Abstract: Authentication and access control device (104) includes a first security key sub-system (110, 112, 114, 116, 118). The first security key sub-system is responsive to an input signal for providing a first key code required for permitting a user access to a controlled resource. The device advantageously also includes a second security key sub-system (110, 112, 114, 116, 118) for providing a second key code different from the first key code. The second key code is useful for authenticating the user or facilitating secure use of a particular controlled resource (102).
Type: Grant
Filed: June 2, 2006
Date of Patent: July 12, 2011
Assignee: Harris Corporation
Inventors: Bruce T. Borsa, Michael T. Kurdziel, Jeffrey I. Murray, Terence W. O'Brien
-
Patent number: 7975290
Abstract: A certificate registry system is configured to issue authentication certificates to each one of a plurality of information providers and to maintain a root certificate corresponding to all of the authentication certificates. Each one of the authentication certificates links respective authentication information thereof to identification information of a corresponding one of the information providers. Each one of the authentication certificates includes a respective Instant Messaging (IM) screen name information of the information provider. The authentication certificates of the certificate registry are associated in a manner at least partially dependent upon at least one of a particular type of information that the information providers provide, a particular organization that the information providers are associated with, a particular type profession in which the information providers are engaged and a particular geographical region in which the information providers are located.
Type: Grant
Filed: June 7, 2007
Date of Patent: July 5, 2011
Assignee: Alcatel Lucent
Inventors: Stanley Chow, Jeff Smith, Christophe Gustave
-
Patent number: 7974734
Abstract: Control system of an electronic instrument for metrological measurements, comprising an electronic local processing unit including a handling application of said instrument. The system includes a control application for said handling application, which can be associated with said local processing unit, said control application being suitable for generating a univocal certification code for the application.
Type: Grant
Filed: November 13, 2003
Date of Patent: July 5, 2011
Assignee: Dresser, Inc.
Inventors: Raffaele Pera, Mirko Spagnolatti, Giorgio Della Fonte