By Generation Of Certificate Patents (Class 713/175)
-
Patent number: 7975142
Abstract: A ring authentication method for a concurrency environment, the method capable of providing unforgeability, sender anonymity, and deniability in the concurrency environment, in which, when a receiver receiving a message requests a sender of the message to certify the message, the sender requested to certify the message sends a message certification value certifying that the sender is one of a plurality of users {P1, . . . , Pn} and authenticates the message m to the receiver, and the receiver verifies the sent message certification value and authenticates that the message is sent from the one of the plurality of users {P1, . . . , Pn}.
Type: Grant
Filed: October 31, 2007
Date of Patent: July 5, 2011
Assignee: Electronics and Telecommunications Research Institute
Inventors: Ik Re Jeong, Do Won Hong, Hyun Sook Cho
-
Patent number: 7975139
Abstract: The invention describes a method and system for verifying the link between a public key and a server's identity as claimed in the server's certificate without relying on the trustworthiness of the root certificate of the server's certificate chain. The system establishes a secure socket layer type connection between a client and a server, wherein the server transmits information including the server's public key to the client while establishing the connection. Next, a first information is sent from the client to the server. The client and the server create an identical authentication key using a shared secret known to the server and the client. Next, the server transmits a first encrypted message to the client, wherein the first encrypted message includes the server's public key encrypted with the authentication key.
Type: Grant
Filed: April 30, 2002
Date of Patent: July 5, 2011
Assignee: Vasco Data Security, Inc.
Inventor: Frank Coulier
-
Publication number: 20110161661
Abstract: A method is provided for enhancing security of a communication session between first and second endpoints which employs a key management protocol. The method includes sending a first message to a first endpoint over a communications network requesting a secure communication session therewith. The message includes an identity of a second endpoint requesting the authenticated communication session. A digital certificate is received from the first endpoint over the communications network. The digital certificate is issued by a certifying source verifying information contained in the digital certificate. The digital certificate includes a plurality of fields, one or more of which are transformed in accordance with a transformation algorithm. A reverse transform is applied to the one or more transformed fields to obtain the one or more fields. The digital certificate is validated and a second message is sent to the first endpoint indicating that validation is complete.
Type: Application
Filed: December 31, 2009
Publication date: June 30, 2011
Applicant: GENERAL INSTRUMENT CORPORATION
Inventors: Alexander Medvinsky, Tat Keung Chan, Eric J. Sprunk
-
Patent number: 7966487
Abstract: Facilitating a transaction between a first party and a second party includes, prior to initiating the transaction, one of the parties obtaining an artificially pre-computed OCSP response about a specific digital certificate, where the artificially pre-computed OCSP response is generated by an entity other than the first party and the second party, one of the parties initiating the transaction, in connection with the transaction, the first party providing the specific digital certificate to the second party, and the second party verifying the specific digital certificate using the artificially pre-computed OCSP response. The second party may obtain the artificially pre-computed OCSP response prior to the transaction being initiated. The second party may cache the artificially pre-computed OCSP response for future transactions. The first party may obtain the artificially pre-computed OCSP response prior to the transaction being initiated.
Type: Grant
Filed: January 10, 2005
Date of Patent: June 21, 2011
Assignee: CoreStreet, Ltd.
Inventors: David Engberg, Phil Libin, Silvio Micali
-
Publication number: 20110145567
Abstract: A method for forming a digital certificate includes receiving contact information associated with the digital certificate. The contact information includes at least a name, a mailing address, and an email address. The method also includes receiving billing information associated with the digital certificate and receiving a Certificate Signing Request (CSR) for the digital certificate. The method further includes receiving a first name for use in forming the digital certificate and receiving a second name for use in forming the digital certificate. Moreover, the method includes receiving an indication of a vendor of web server software, receiving an indication of a service period for the digital certificate, and forming the digital certificate. The first name is stored in a Subject field of the digital certificate and the second name is stored in the SubjectAltName extension of the digital certificate.
Type: Application
Filed: December 16, 2009
Publication date: June 16, 2011
Applicant: VeriSign, Inc.
Inventors: Quentin Liu, Marc Williams, Richard F. Andrews
-
Patent number: 7962737
Abstract: The disclosure provides a system, method, and computer readable medium for booting a diskless client in an information handling system (IHS). Cached boot data is stored in a non-volatile memory of the diskless client. The diskless client sends a boot request with an identifier and receives a boot reply containing an image signature associated with the identifier. The diskless client determines whether there is a match between a cached image signature and the received image signature. If there is a match, the diskless client boots with the cached boot data. If there is not a match, the cached boot data is invalidated and new boot data is requested and received from a server. The diskless client stores the new boot data in the non-volatile memory and boots with the new boot data. The cached boot data may be updated when network traffic is below a predetermined level and/or an administrator change to boot data affects a plurality of diskless clients.
Type: Grant
Filed: November 21, 2007
Date of Patent: June 14, 2011
Assignee: Dell Products L.P.
Inventor: Yuan-Chang Lo
-
Patent number: 7962746
Abstract: A mobile telephone includes a CPU that obtains and decodes instructions included in an OS, a nonsecure program, a switch device driver, and a secure program, and operates according to the decoding results. A memory includes a controlled area and an uncontrollable area. The OS has only the controlled area as its access space, and includes an instruction for mediating access of the nonsecure program to the controlled area and an instruction for instructing the switch device driver to make a switch to the secure program. The nonsecure program includes an instruction to access the controlled area via the OS. The switch device driver includes an instruction to make a switch from execution of the OS to execution of the secure program in response to an instruction of the OS. The secure program has only the uncontrollable area as its access space, and includes an instruction to access the uncontrollable area.
Type: Grant
Filed: May 30, 2006
Date of Patent: June 14, 2011
Assignee: Panasonic Corporation
Inventors: Tomoyuki Haga, Hiroshi Okuyama, Hideki Matsushima, Yoshikatsu Ito, Shigehiko Kimura, Yasuki Oiwa, Takafumi Kagawa
-
Publication number: 20110138183
Abstract: In some embodiments, authentication, confidentiality, and privacy are enhanced for a wireless network of cognitive radios by encryption of network management and control messages as well as data traffic, thereby protecting information pertaining to node identification, node location, node-sensed incumbent transmissions, CRN frequency channel selections, and such like. During initial network registration, a temporary ID can be issued to a node, and then replaced once encrypted communication has been established. This prevents association of initial, clear-text messages with later encrypted transmissions. Elliptic curve cryptography can be used for mutual authentication between subscribers and the base station. ECC-based implicit digital certificates can be embedded in co-existence beacons used by CRN nodes to coordinate use of frequency channels, thereby preventing denial of service attacks due to transmitting of falsified beacons.
Type: Application
Filed: December 3, 2010
Publication date: June 9, 2011
Applicants: BAE SYSTEMS Information and Electronic Systems Integration Inc.
Inventors: Ranga Reddy, Thomas Kiernan, Apurva N. Mody
-
Patent number: 7958364
Abstract: A system for digitally signing electronic documents is disclosed. The system includes a mobile device, an application server and a database. The mobile device includes a requesting module and a digest encrypting module; the application server includes an obtaining module, a digest generating module and a merging module. The requesting module is configured for sending a request for a digital signature of an electronic document to the application server; the obtaining module is configured for obtaining the electronic document from the database; the digest generating module is configured for generating a digest of the electronic document, and sending the digest to the mobile device; the digest encrypting module is configured for encrypting the digest, generating an encrypted value, and sending the encrypted value to the application server; the merging module is configured for merging the encrypted value and the electronic document. A related computer-based method is also disclosed.
Type: Grant
Filed: November 15, 2007
Date of Patent: June 7, 2011
Assignees: Hong Fu Jin Precision Industry (ShenZhen) Co., Ltd., Hon Hai Precision Industry Co., Ltd.
Inventors: Chung-I Lee, Chien-Fa Yeh, Chiu-Hua Lu, Xiao-Di Fan, Guo-Ling Ou-Yang
-
Patent number: 7958358
Abstract: A scanned image disclosure apparatus has a disclosure unit that encrypts and discloses to a disclosure destination a scanned image by using a public key or a private key relating to a public key certificate that has been verified to be valid, a re-verification unit that judges whether or not re-verification of the validity of the public key certificate is necessary during execution for the disclosure unit and performs re-verification if it is judged to be necessary, and a termination unit that terminates the execution for the disclosure unit if the public key certificate was judged to be invalid by the re-verification unit.
Type: Grant
Filed: November 28, 2005
Date of Patent: June 7, 2011
Assignee: Fuji Xerox Co., Ltd.
Inventors: Takanori Masui, Masato Sugii, Makoto Takada, Nobumi Kusano
-
Patent number: 7958348
Abstract: A method is provided for securing and verifying an electronic certificate issued by an authority to an owner. The certificate is stored in the memory of a user unit operated by the owner. The user unit transmits all or part of the data of the certificate to the authority. Further, during an initialization phase, the method includes determining, by the authority, a network identifier pertaining to the user unit, and storing, by the authority, the identifier in connection with the data of the certificate. As such, the use of an electronic certificate by individuals other than the owner may be prevented. Further, damages to the owner, in the case of the theft or copying of a certificate, may be avoided.
Type: Grant
Filed: July 14, 2004
Date of Patent: June 7, 2011
Assignee: Nagravision S.A.
Inventor: Philippe Stransky
-
Patent number: 7958363
Abstract: A method and system are provided for a web browser toolbar signature. In one example, the method includes receiving a submission of user content from a source webpage, receiving a producer identity of a producer who submitted the user content, receiving identifying information about the destination webpage, coding signed content using the user content and the producer identity, wherein the signed content includes a signature, and submitting the signed content to a server hosting the destination webpage.
Type: Grant
Filed: October 26, 2007
Date of Patent: June 7, 2011
Assignee: Yahoo! Inc.
Inventors: Cameron Marlow, Shanmugasundaram Ravikumar, Andrew Tomkins
-
Patent number: 7953979
Abstract: Systems and methods consistent with the present invention enable explicit and multilateral trust across a community of federated servers via a network. A trusted third party establishes a framework of policies and procedures governing a federation. Organizations joining the federation submit to an audit process of internal policies and procedures to ensure compliance with the policies and procedures of the federation. Upon successful completion of an audit, an organization may receive a digital certificate containing the digital public key of the organization and indicating approval of the trusted third party. The organization may then use the associated digital private key for signing security assertions associated with a request for resources from another federation service provider. The service provider may trust the assertion from the organization based on the trust placed in the trusted third party by the service provider and the trust placed in the organization by the trusted third party.
Type: Grant
Filed: December 14, 2005
Date of Patent: May 31, 2011
Assignee: Exostar Corporation
Inventors: Christopher Allen Borneman, James Gerard Kobielus, Jeffrey Dean Nigriny, Robert Edmund Sherwood, Vijay Kumar Takanti
-
Publication number: 20110113252
Abstract: In an example embodiment described herein is an apparatus comprising a transceiver configured to send and receive data, and logic coupled to the transceiver. The logic is configured to determine from a beacon received by the wireless transceiver whether an associated wireless device sending the beacon supports a protocol for advertising available services from the associated wireless device. The logic is configured to send a request for available services from the associated wireless device via the wireless transceiver responsive to determining the associated wireless device supports the protocol. The logic is configured to receive a response to the request via the wireless transceiver, the response comprising a signature. The logic is configured to validate the response by confirming the signature comprises network data cryptographically bound with service data.
Type: Application
Filed: November 6, 2009
Publication date: May 12, 2011
Inventors: Mark Krischer, James Edward Burns, Nancy Cam-Winget, Esteban Raul Torres
-
Patent number: 7937583
Abstract: The disclosure relates to the management of PKI digital certificates, including certificate discovery, installation, verification and replacement for endpoints over an insecure network. A database of certificates may be maintained through discovery, replacement and other activities. Certificate discovery identifies certificates and associated information including network locations, methods of access, applications of use and non-use, and may produce logs and reports. Automated requests to certificate authorities for new certificates, renewals or certificate signing requests may precede the installation of issued certificates to servers using installation scripts directed to a particular application or product, which may provide notification or require approval or intervention. An administrator may be notified of expiring certificates, using a database or scanning or server agents.
Type: Grant
Filed: June 17, 2009
Date of Patent: May 3, 2011
Assignee: Venafi, Inc.
Inventors: Russell S. Thornton, Benjamin Hodson, Jayson Seegmiller
-
Patent number: 7937749
Abstract: A network management method and system is provided that issues a digital certificate easily and safely. A digital certificate is issued to a personal computer that is to newly join a network by the following method. A provisional authentication server issues a first digital certificate that is a provisional certificate of the personal computer. The personal computer enters the first digital certificate and a private key corresponding thereto. The personal computer and a formal authentication server establish a connection for encryption communication based on the first digital certificate. After establishing the connection, the formal authentication server generates a second digital certificate that is a formal digital certificate of the personal computer. Further, an experimental network independent of the network is prepared and participation of a personal computer having the first digital certificate into the experimental network is allowed.
Type: Grant
Filed: July 23, 2007
Date of Patent: May 3, 2011
Assignee: Konica Minolta Holdings, Inc.
Inventor: Satoshi Deishi
-
Publication number: 20110099379
Abstract: A system for authenticating a user of a communication network is disclosed. The system includes a user station associated with the user and an authenticating station communicatively coupled to the user station via the communication network. The authenticating station is configured to authenticate the user. The authenticating station is further configured to perform an operation, which includes receiving a first value, from a user station associated with the user, via the communication network. The first value represents a first user credential. A first key portion is generated based on the first value and a second value that is unknown to the user. The first key portion, along with a second key portion, is used for authenticating credentials of the user for a predefined period of time or for authenticating user credentials for a predefined number of times. The second key portion is generated based on the first key portion.
Type: Application
Filed: December 2, 2010
Publication date: April 28, 2011
Applicant: VMWARE, INC.
Inventors: Ravi GANESAN, Ravinderpal Singh SANDHU, Andrew Paul COTTRELL, Kyle AUSTIN
-
Patent number: 7933253
Abstract: A method of managing switching of a virtual private network (VPN) tunnel termination point from a first address to a second address. The VPN operates between a fixed network node and a mobile node which defines the termination point. The address of the mobile node is switched from the first address to the second address and a notification from the mobile node to the fixed node is sent to indicate that the address of the mobile node has changed from the first address to the second address. Verification of the trustworthiness of the second address is also then made. A searching manager for performing the method is also disclosed.
Type: Grant
Filed: September 20, 2004
Date of Patent: April 26, 2011
Assignee: Panasonic Corporation
Inventors: Ammad Akram, Makis Kasapidis
-
Publication number: 20110093713
Abstract: A method for signing a document to be transmitted between two correspondents, i.e. a sender and an addressee, including recording the sender and the addressee of the document for the allocation of a digital identity thereto; authorizing by the addressee a correspondence with the sender; ciphering the document; indicating to the addressee that the document is available; detecting an access to the document by the addressee; generating an electronic report indicating the delivery of the document, the document-delivery electronic report including a set of data associated with the transmission of the document to the addressee, the set including identification of elements concerning the addressee authentication, the sealing of the document, the access to the document by the addressee and the time-stamping of the access to the document by the addressee; and electronically signing, by a reliable third-party using the private key thereof, the document-delivery electronic report.
Type: Application
Filed: January 5, 2009
Publication date: April 21, 2011
Applicant: TRUSTSEED SAS
Inventor: Eric Blot-Lefevre
-
METHODS, APPARATUSES, AND COMPUTER PROGRAM PRODUCTS FOR BOOTSTRAPPING DEVICE AND USER AUTHENTICATION
Publication number: 20110093938
Abstract: An apparatus may include a processor configured to receive a security certificate request from a remote device comprising a public key of the remote device and an authentication credential based upon a legacy authentication mechanism of the remote device. The processor may be further configured to validate the received authentication credential in accordance with the legacy authentication mechanism. The processor may be additionally configured to generate a security certificate for the public key.
Type: Application
Filed: May 19, 2008
Publication date: April 21, 2011
Inventors: Nadarajah Asokan, Jan-Erik Ekberg, Antti Kiiveri, Olli Muukka
-
Patent number: 7930563
Abstract: A platform configuration measurement device including: a configuration register; means for executing extension processing in which a predetermined operation is performed on a content of the configuration register by using a given additional value, a hash value is obtained by applying a predetermined hash function to a value obtained by the predetermined operation, and the hash value is set for a new content of the configuration register; and measurement extension means for obtaining measured values, corresponding to predetermined components constituting a platform, by sequentially making predetermined measurement on the predetermined components, and for allowing the means for executing extension processing to execute the extension processing using the measured values as the additional values, wherein random extension means is provided for allowing the means for executing extension processing to execute the extension processing using a random value as the additional value.
Type: Grant
Filed: July 1, 2008
Date of Patent: April 19, 2011
Assignee: International Business Machines Corporation
Inventors: Timothy David Ebringer, Sachiko Yoshihama, Seiji Munetoh, Hiroshi Maruyama
-
Patent number: 7926093
Abstract: The present invention discloses a system and method for configuration of access rights to sensitive information handled by a sensitive Web-Service. In a case of requested configuration changes initiated by the client system the Web-Server system provides a configuration data file to the client system preferably using a SOAP-communication protocol. The changes of the configuration data file are exclusively performed offline at the client side and the updated configuration data file is signed with authentication information and sent as a part of a SOAP-request to the Web-Server system. The Web-Server system provides a filter component for identifying and discarding non-SOAP requests as well as an access control manager for providing authentication examination for incoming SOAP-requests. After successfully passing these components the SOAP-request is used for updating the existing configuration data file.
Type: Grant
Filed: May 1, 2008
Date of Patent: April 12, 2011
Assignee: International Business Machines Corporation
Inventors: Wolfgang Eibach, Matthias Gruetzner, Dietmar Kuebler
-
Patent number: 7925878
Abstract: A system and method for creating a trusted network capable of facilitating secure transactions via an open network using batch credentials, such as batch PKI certificates, is presented. A certificate is bound to a group, or batch, of devices. This certificate is referenced by an activation authority upon processing a request for service by a device. Information regarding the device batch certificate is maintained in a permanent, or escrow, database. A user identity is bound to a device, as a device key is used to sign a user key created on the device in the presence of the user, and a copy of the device key is later used to decrypt the signed user key upon its transmission and receipt.
Type: Grant
Filed: September 24, 2002
Date of Patent: April 12, 2011
Assignee: Gemalto SA
Inventors: Lionel Merrien, Jean-Louis Carrara, Youri Bebic, Paul Miller
-
Patent number: 7921291
Abstract: The invention relates to a method and a communication system for releasing a data processing unit used for processing project data of a selected project. In order to obtain project-related release of a data processing unit (90), a client requests a user right for the data processing unit (90) used for processing the project data that is part of a predetermined project. A first signature (I) is verified as to the correctness thereof. The data processing unit (90) is released to process the project data that is part of the selected project only if the verification process has established that the first signature (I) is correct.
Type: Grant
Filed: February 9, 2004
Date of Patent: April 5, 2011
Assignee: Deutsche Telekom AG
Inventors: Eva Saar, Bernhard Loehlein, Klaus Huber, Matthias Gunkel
-
Patent number: 7920706
Abstract: A key management of cryptographic keys has a data package including one or more cryptographic keys that are transferred to a personal device 100 from a secure processing point 150 of a device assembly line in order to store device specific cryptographic keys in the personal device 100. In response to the transferred data package, a backup data package is received by the secure processing point 150 from the personal device 100, which backup data package is the data package encrypted with a unique secret chip key stored in a tamper-resistant secret storage 125 of a chip 110 included in the personal device 100. The secure processing point 150 is arranged to store the backup data package, together with an associated unique chip identifier read from the personal device 100, in a permanent, public database 170.
Type: Grant
Filed: October 28, 2003
Date of Patent: April 5, 2011
Assignee: Nokia Corporation
Inventors: Nadarajah Asokan, Niemi Valtteri
-
Patent number: 7921295
Abstract: A system for managing service mobility using an Extensible Markup Language (XML) electronic signature. A mobility interface stops and stores the operation of a service being currently performed. Before the service is moved, a service serializer serializes service state information and converts it into an XML form which is attachable to an electronic signature. An XML security manager creates an XML electronic signature for the Manifest file of the Java ARchive (JAR) file of a service bundle, attaches the serialized service state information to the XML electronic signature, and records it. A service installer transmits the signed JAR file to an Open Service Gateway initiative (OSGi) framework that has requested that the service be moved.
Type: Grant
Filed: December 31, 2007
Date of Patent: April 5, 2011
Assignee: Inha-Industry Partnership Institute
Inventors: Kyungsup Kwak, TaeKyung Sung, Sangkyoon Nam
-
Publication number: 20110078447
Abstract: Securing inter-process communications includes receiving, from a device that supports a first process that is an instantiation of a first application being executed, a request to initiate inter-process communications. Securing inter-process communications also includes replying to the device with a request for information of a first digital certificate that uniquely authenticates an identity of the first process. An identity of a second process that is a distinct instantiation of the first application is authenticated using a second digital certificate distinct from the first digital certificate.
Type: Application
Filed: December 8, 2010
Publication date: March 31, 2011
Applicant: AT&T INTELLECTUAL PROPERTY I, L.P.
Inventors: Brian M. NOVACK, Joe M. Jimerson, Denis L. Bagsby, Brian M. Thomas, Hari K. Simhadri
-
Publication number: 20110078448
Abstract: An integrated authentication service is described which may receive a bundled request from one or more clients. One or more of the described techniques may be utilized to provide, in response to a single bundled request, a token for proof of identity and a certificate for establishing secure communications.
Type: Application
Filed: December 10, 2010
Publication date: March 31, 2011
Applicant: Microsoft Corporation
Inventors: Trevin Chow, Winfred Wong, Yordan Rouskov, Kok Wai Chan, Wei Jiang, Colin Chow, Sanjeev Nagvekar, Matt Sullivan, Kalyan Sayyaparaju, Dilip Pai, Avinash Belur
-
Patent number: 7917746
Abstract: A method of authenticating data transmitted in a digital transmission system, in which the method comprises the steps, prior to transmission, of determining at least two encrypted values for at least some of the data, each encrypted value being determined using a key of a respective encryption algorithm, and outputting said at least two encrypted values with said data.
Type: Grant
Filed: July 19, 2006
Date of Patent: March 29, 2011
Assignee: THOMAS Licensing S.A.
Inventors: Jean-Bernard G. M. Beuque, Philippe Poulain
-
Patent number: 7916031
Abstract: A server component includes a network interface and an analysis component. The server component is at least partially implemented by an operative set of processor executable instructions configured for execution by at least one processor. The network interface is in operative communication with a network and is configured to communicate with at least two nodes of different node types. The network interface is also in operative communication with a local RFID tag attached to a corresponding module. A node of the at least two nodes is a printer-based node associated with a printing machine. The analysis component is configured to utilize the network interface to communicate with the node associated with the printing machine such that the analysis component is in operative communication with the local RFID tag attached to the corresponding module.
Type: Grant
Filed: September 13, 2010
Date of Patent: March 29, 2011
Assignee: Xerox Corporation
Inventors: Pravin N. Kothari, Mark Steven Amico, Paul Allen Hosier, Khan Lutful Kabir
-
Publication number: 20110072269
Abstract: A system, including: an audio-visual terminal; and a storage terminal, wherein the audio-visual terminal establishes a first connection protected by authentication and encryption, to a server providing AV contents on a network; acquires an authorization to use the contents by the first connection, concurrently acquires download control information including contents location information that indicates a location of the AV contents on the network and license information about the AV contents; and transmits the acquired download control information to the storage terminal, and the storage terminal acquires the download control information from the audio-visual terminal, downloads the contents from the server based on the contents location information via the network and stores the contents; acquires a license of the contents from the server based on the license information and stores the license; and uses the contents for a predetermined period based on the stored license.
Type: Application
Filed: August 1, 2008
Publication date: March 24, 2011
Inventors: Hideaki Takechi, Takuya Nishimura
-
Publication number: 20110072261
Abstract: A first network element receives a message from a second network element. The message is modified by the first network element by inserting a certificate into the message, wherein the certificate includes an identity of the first network element and a digital signature produced by the first network element. The modified message is sent to a third network element.
Type: Application
Filed: November 19, 2010
Publication date: March 24, 2011
Inventors: Michael Flynn Thomas, Robert Elwood Denman, Sriram Parameswar
-
Publication number: 20110072270
Abstract: A method and system for supporting multiple digital certificate status information providers are disclosed. An initial service request is prepared at a proxy system client module and sent to a proxy system service module operating at a proxy system. The proxy system prepares multiple service requests and sends the service requests to respective multiple digital certificate status information providers. One of the responses to the service requests received from the status information providers is selected, and a response to the initial service request is prepared and returned to the proxy system client module based on the selected response.
Type: Application
Filed: November 26, 2010
Publication date: March 24, 2011
Inventors: Herbert A. Little, Stefan E. Janhunen, Dale J. Hobbs
-
Patent number: 7912067
Abstract: A clearinghouse server for routing multi-media communications, including telephony calls, between a source device and a destination device via a distributed computer network, such as the global Internet. The clearinghouse server can authorize the completion of a communication from a source device to a destination device and collect usage-related information for the completed communication. In response to an authorization request issued by an enrolled source device, the clearinghouse server can identify one or more available destination devices available to accept a communication from an authorized source device. The clearinghouse server can provide a list of the identified destination devices, typically organized in a rank order, by sending an authorization response to the source device. In turn, the source device can use this list to select a destination device and contact that selected device via the computer network to complete the communication.
Type: Grant
Filed: November 17, 2005
Date of Patent: March 22, 2011
Assignee: TransNexus, Inc.
Inventors: James P G Dalton, Jr., Stephen Anthony Thomas, Dmitry Isakbayev
-
Patent number: 7904721
Abstract: A method for producing a certificate, the certificate including data, the method including choosing a seed s, the seed s including a result of applying a function H to the data, generating a key pair (E,D), such that E=F(s,t), F being a publicly known function, and including s and t in the certificate. Related methods, and certificates produced by the various methods, are also described.
Type: Grant
Filed: December 27, 2007
Date of Patent: March 8, 2011
Assignee: NDS Limited
Inventors: Yaacov Belenky, Chaim D. Shen-Orr, Aviad Kipnis, Victor Halpern
-
Patent number: 7904720
Abstract: System and method for providing secure resource management. The system includes a first device that creates a secure, shared resource space and a corresponding root certificate for the shared space. The first device associates one or more resources that it can access with the shared space. The first device invites one or more other devices to join as members of the space, and establishes secure communication channels with the devices that accept this invitation. The first device generates a member certificate for each accepting device, and sends the root certificate and the generated member certificate to the device through the secure channel. These devices may then access resources associated with the shared space by presenting their member certificates. Further, members of the shared space may invite other devices to join the space, and may create member certificates in the same manner as the first device.
Type: Grant
Filed: November 6, 2002
Date of Patent: March 8, 2011
Assignee: Palo Alto Research Center Incorporated
Inventors: Diana Kathryn Smetters, Warren Keith Edwards, Dirk Balfanz, Hao-Chi Wong, Mark Webster Newman, Jana Zdislava Sedivy, Trevor Smith, Shahram Izadi
-
Patent number: 7904707
Abstract: Secure computation environments are protected from bogus or rogue load modules, executables and other data elements through use of digital signatures, seals and certificates issued by a verifying authority. A verifying authority—which may be a trusted independent third party—tests the load modules or other executables to verify that their corresponding specifications are accurate and complete, and then digitally signs the load module or other executable based on tamper resistance work factor classification. Secure computation environments with different tamper resistance work factors use different verification digital signature authentication techniques (e.g., different signature algorithms and/or signature verification keys)—allowing one tamper resistance work factor environment to protect itself against load modules from another, different tamper resistance work factor environment.
Type: Grant
Filed: August 20, 2007
Date of Patent: March 8, 2011
Assignee: Intertrust Technologies Corp.
Inventors: Victor H. Shear, W. Olin Sibert, David M. Van Wie
-
Publication number: 20110055575
Abstract: A method includes issuing a digital certificate to a licensee, the digital certificate identifying a licensed product and the licensee, to enable the licensee to enable the licensed product. The method involves receiving a request to enable the licensed product from an entity, the request including the digital certificate, and determining whether the entity is the licensee of the licensed product based on the digital certificate. A system includes a relational structure having associations among authorized entities and digital certificates within an organization. Each digital certificate identifies a licensed product licensed to the organization. A certificate distribution module distributes the digital certificates to associated authorized entities.
Type: Application
Filed: November 4, 2010
Publication date: March 3, 2011
Applicant: MICROSOFT CORPORATION
Inventors: Henry P. Gabryjelski, Wesley Miller
-
Patent number: 7900048
Abstract: An application is loaded into a device, such as downloading an application into a portable device, such as a mobile telephone, by downloading the application with a signature to the device. The signature of the application is coupled to a predefined attribute certificate stored in the device. The application and said attribute certificate are then installed together. The signature of the application may be coupled to a root certificate that in turn links the application to a predefined attribute certificate.
Type: Grant
Filed: April 16, 2003
Date of Patent: March 1, 2011
Assignee: Sony Ericsson Mobile Communications AB
Inventor: Stefan Andersson
-
Publication number: 20110040574
Abstract: A health monitoring method and system is disclosed. A sensor for use in a health monitoring system includes a first transducer for collecting biometric data for biometrically identifying an individual, a second transducer for measuring at least one physiological parameter and outputting data indicative thereof, and an output for outputting the data. In addition, a health monitoring system includes a server comprising a data processor and a memory, and one or more of the sensors, wherein the server is arranged to receive the data from the one or more sensors, to process the data associated with the respective individual from which the data was collected, and to output at least one result of the processing of the data.
Type: Application
Filed: March 25, 2008
Publication date: February 17, 2011
Inventors: Ho Chung Nicholas Fung, Chu Yong Sang
-
Patent number: 7890767
Abstract: A public key authentication system and method for use in a computer system having a plurality of users. The system includes a virtual smart card server, storage connected to the virtual smart card server, and a virtual smart card agent connected to the virtual smart card server. The storage includes a plurality of virtual smart cards, wherein each virtual smart card is associated with a user and wherein each smart card includes a private key. The virtual smart card agent authenticates the user and accesses the authenticated user's virtual smart card to obtain the user's private key.
Type: Grant
Filed: February 3, 2009
Date of Patent: February 15, 2011
Assignee: Aladdin Knowledge Systems Ltd.
Inventors: Lawrence Smith, Richard Levenberg
-
Patent number: 7890634
Abstract: Scalable session management is achieved by generating a cookie that includes an encrypted session key and encrypted cookie data. The cookie data is encrypted using the session key. The session key is then signed and encrypted using one or more public/private key pairs. The encrypted session key can be decrypted and verified using the same private/public key pair(s). Once verified, the decrypted session key can then be used to decrypt and verify the encrypted cookie data. A first server having the private/public key pair(s) may generate the cookie using a randomly generated session key. A second server having the same private/public key pair(s) may decrypt and verify the cookie even if the session key is not initially installed on the second server. A session key cache may be used to provide session key lookup to save public/private key operations on the servers.
Type: Grant
Filed: March 18, 2005
Date of Patent: February 15, 2011
Assignee: Microsoft Corporation
Inventors: Wei Jiang, Ismail Cem Paya, John D Whited, Wei-Quiang Michael Guo, Yordan Rouskov, Adam Back
-
Publication number: 20110035595
Abstract: Peer-to-peer authentication may be accomplished by sending a digital certificate to a responder, receiving a randomized codeword in response to the sending, creating a secure fingerprint based at least in part on the digital certificate and randomized codeword, creating a first bit sequence based at least in part on a first portion of the secure fingerprint and a second portion of the randomized codeword, and indicating the first digital certificate is authenticated based upon whether the first bit sequence matches a second bit sequence received from the responder via an out-of-band communication in response to the sending. The size of the first bit sequence is less than the size of the secure fingerprint. According to another aspect, the first bit sequence is compared with a rendering of the second bit sequence, using an out-of-band communication, by associating the first bit sequence with one or more indices into an array of representations.
Type: Application
Filed: September 3, 2010
Publication date: February 10, 2011
Applicant: Ionaphal Data Limited Liability Company
Inventors: Linda R. Bartram, Nicholas J. Sawadsky
-
Publication number: 20110035596
Abstract: The invention relates to a method of secure broadcasting of encrypted digital data of a proprietary entity, these data being stored in a storage module (6) of a server (5), comprising: the encryption of the digital data by means of an encryption key for the broadcasting of the digital data to the authenticated third party, and the broadcasting of these digital data to the authenticated third party.
Type: Application
Filed: March 16, 2009
Publication date: February 10, 2011
Applicant: ETSEM LIMITED
Inventors: Jonathan Attia, Bernard Pinot
-
Patent number: 7886153
Abstract: There is provided a communication system in which a public key certificate is easily updated when identification information is changed, while an increase in network traffic is prevented. A print server executes encrypted communication using a public key certificate which attests that its own public key corresponds to its own identification information. Then, if the print server detects that its own identification information (IP address or host name) is to be changed, a new server certificate which attests that its own public key corresponds to the changed identification information is generated by an electronic signature using the CA private key in a server.
Type: Grant
Filed: June 29, 2006
Date of Patent: February 8, 2011
Assignee: Brother Kogyo Kabushiki Kaisha
Inventor: Masafumi Miyazawa
-
Patent number: 7886144
Abstract: A system and method for retrieving certificates and/or verifying the revocation status of certificates. In one embodiment, when a user opens a digitally signed message, a certificate that is required to verify the digital signature on the message may be automatically retrieved if it is not stored on the user's computing device (e.g. a mobile device), eliminating the need for users to initiate the task manually. Verification of the digital signature may also be automatically performed by the application after the certificate is retrieved. Verification of the revocation status of a certificate may also be automatically performed if it is determined that the time that has elapsed since the status was last updated exceeds a pre-specified limit.
Type: Grant
Filed: October 29, 2004
Date of Patent: February 8, 2011
Assignee: Research In Motion Limited
Inventors: Michael S. Brown, Michael K. Brown, Neil P. Adams, Michael G. Kirkup, Herbert A. Little
-
Patent number: 7882356
Abstract: A secure handshake service is implemented among a plurality of UPnP (Universal Plug and Play) portable media devices and endpoints in an open network hosting one or more UPnP services. A first portable media device receives a first request for a hosted service from a second portable media device via the network. The first portable media device authenticates and authorizes the second portable media device as a function of the certificate of the request. The second portable media device is allowed to access the requested service hosted on the first portable media device if the second portable media device has been authenticated and authorized by the first portable media device.
Type: Grant
Filed: October 13, 2006
Date of Patent: February 1, 2011
Assignee: Microsoft Corporation
Inventors: Anders Klemets, Bruno Kraychete da Costa, James T. Walter, Jr., Kasy Srinivas
-
Patent number: 7882358
Abstract: Embodiments of the present invention relate to systems and methods to authenticate software licenses. One embodiment of the present invention comprises a method where a vendor creates a reversible hash from a known, predetermined seed value, encrypts the hash to generate a digital signature, and sends the digital signature to the customer. The customer enters the digital signature. The customer's client computer reverses the reversible hash to obtain a determined seed value. The client has access to the known seed value used by the vendor. The known seed value is compared to the determined seed value. If the seed values match, the software license and the associated software are authenticated.
Type: Grant
Filed: January 15, 2007
Date of Patent: February 1, 2011
Assignee: Microsoft Corporation
Inventors: Aidan T. Hughes, Vladimir Tankovich
-
Publication number: 20110022845
Abstract: A method for issuing a digital residence certificate using a module associated with a counter. Data from the counter are continuously monitored, whereby the data are read and a consistency test is performed on the basis of a predetermined criterion. In addition, after receiving a residence certificate request, a decision is made as to whether or not the request should be fulfilled, based on the results of the continuous data monitoring.
Type: Application
Filed: March 27, 2009
Publication date: January 27, 2011
Applicant: ELECTRICITE DE FRANCE
Inventors: Ludovic Pietre-Cambacedes, Yves Dherbecourt
-
Patent number: 7877608
Abstract: Inter-process communications between a first process and a second process are secured. A first process recognizes that inter-process communications must be initiated with a second process. A first computer that supports the first process submits a request to initiate inter-process communications with a second computer that supports the second process. The second computer replies to a request to initiate inter-process communications by replying to the first computer with a request for information of a digital certificate that authenticates the first process.
Type: Grant
Filed: August 27, 2004
Date of Patent: January 25, 2011
Assignee: AT&T Intellectual Property I, L.P.
Inventors: Brian M. Novack, Joe M. Jimerson, Denis L. Bagsby, Brian M. Thomas, Hari K Simhadri