By Generation Of Certificate Patents (Class 713/175)
-
Patent number: 7757088
Abstract: A method and system for conveying trust and security to consumers regarding the validity of a web page or the web page's source by showing a feature from the web page as determined by a digital certificate associated with the web page. The security of the method and system can be further enhanced by preventing any overwriting of the feature and by displaying the feature independent of the web page being accessed by the user.
Type: Grant
Filed: March 20, 2001
Date of Patent: July 13, 2010
Inventor: Melih Abdulhayoglu
-
Patent number: 7756509
Abstract: Embodiments of methods and apparatus for providing an access profile system associated with a broadband wireless access network are generally described herein. Other embodiments may be described and claimed.
Type: Grant
Filed: March 31, 2006
Date of Patent: July 13, 2010
Assignee: Intel Corporation
Inventors: Bala Rajagopalan, Sanjay Bakshi
-
Patent number: 7757076
Abstract: We present technology that allows layman computer users to simply create, provision, and maintain secured infrastructure—an instant PKI. This technology can be used in a wide variety of applications including enabling secure communications to components of a vehicle, and enabling secure communications between the vehicle and associated infrastructure.
Type: Grant
Filed: April 30, 2004
Date of Patent: July 13, 2010
Assignee: Palo Alto Research Center Incorporated
Inventors: Paul J. Stewart, Diana K. Smetters, Rebecca E. Grinter, Dirk Balfanz, Glenn E. Durfee, Hao-Chi Wong
-
Publication number: 20100174826
Abstract: A system and a method for gathering information in a secure and efficient manner is provided. A two-level security procedure ensures that communication occurs only between authorized parties. Communications between parties are according to the XML convention, which enables the parties to communicate or transfer information with each other even if they use incompatible communications systems. Communications may occur synchronously or asynchronously depending on predetermined parameters, such as the complexity of the communication and the amount of information being communicated or transferred.
Type: Application
Filed: December 23, 2004
Publication date: July 8, 2010
Inventors: Anupam Sharma, Devendra Patole, Abhimanyu Sharma
-
Patent number: 7752448
Abstract: Systems and methods of providing a desktop framework. The desktop framework may include an application framework component that includes a set of core libraries that provide desktop applications access to data and services, a download component that maintains versions of the desktop applications and core libraries installed on a computer, and a license component that tracks data use and access. The application framework exposes APIs to provide the desktop applications with access to the data and services. The application framework serves as a platform upon which the desktop applications share common data and logic.
Type: Grant
Filed: February 17, 2004
Date of Patent: July 6, 2010
Assignee: The Weather Channel, Inc.
Inventor: Jon Edward Badenell
-
Patent number: 7752465
Abstract: A platform configuration measurement device including: a configuration register; means for executing extension processing in which a predetermined operation is performed on a content of the configuration register by using a given additional value, a hash value is obtained by applying a predetermined hash function to a value obtained by the predetermined operation, and the hash value is set for a new content of the configuration register; and measurement extension means for obtaining measured values, corresponding to predetermined components constituting a platform, by sequentially making predetermined measurement on the predetermined components, and for allowing the means for executing extension processing to execute the extension processing using the measured values as the additional values; and random extension means is provided for allowing the means for executing extension processing to execute the extension processing using a random value as the additional value.
Type: Grant
Filed: April 7, 2005
Date of Patent: July 6, 2010
Assignee: International Business Machines Corporation
Inventors: Tim Ebringer, Sachiko Yoshihama, Seiji Munetoh, Hiroshi Maruyama
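The extension processing in this abstract is the familiar PCR construction: the register is never written directly, it is only folded forward as H(old_register || value), so its final content depends on every value extended and on their order. The Python below is an added illustration of that construction, not IBM's code or the patent's implementation. It assumes SHA-256 as the hash, a zeroed initial register, and a simple event log that records each extended value so a verifier can replay the chain. The random extension at the end is the abstract's "random extension means" in its simplest form: once a value nobody else knows has been folded in, the register's content is unpredictable to anyone without that value, while a verifier who is given it in the log can still reproduce the register exactly.

```python
import hashlib
import secrets

HASH = hashlib.sha256
PCR_SIZE = HASH().digest_size
INITIAL_PCR = bytes(PCR_SIZE)  # assumption: the register starts zeroed, as TPM PCRs do


def extend(pcr: bytes, value: bytes) -> bytes:
    """One extend step: the new register content is H(old_pcr || value).
    The register is never overwritten directly, so the result depends on
    every value ever extended and on the order they were extended in."""
    return HASH(pcr + value).digest()


def measure(component: bytes) -> bytes:
    """Measuring a component means hashing its bytes; that digest is the
    'additional value' handed to extend()."""
    return HASH(component).digest()


def boot_and_measure(components):
    """Measure each component in sequence and fold it into the register.
    The event log records (kind, value) for every extend so a verifier can
    replay the chain later."""
    pcr, log = INITIAL_PCR, []
    for comp in components:
        m = measure(comp)
        log.append(("measure", m))
        pcr = extend(pcr, m)
    return pcr, log


def random_extend(pcr: bytes, log, rnd=None):
    """Extend a random value instead of a measurement.  Passing rnd explicitly
    makes the result reproducible (used by the checks in the test); otherwise a
    fresh unpredictable value is drawn."""
    r = secrets.token_bytes(PCR_SIZE) if rnd is None else rnd
    log.append(("random", r))
    return extend(pcr, r), log


def replay(log) -> bytes:
    """Recompute the register from the event log alone."""
    pcr = INITIAL_PCR
    for _kind, value in log:
        pcr = extend(pcr, value)
    return pcr


def verify(reported_pcr: bytes, log) -> bool:
    """A verifier accepts a reported register value only if replaying the
    log reproduces it exactly; any changed, dropped or reordered entry fails."""
    return replay(log) == reported_pcr


if __name__ == "__main__":
    # constructed sample components standing in for a boot chain
    pcr, log = boot_and_measure([b"bootloader v1", b"kernel v1", b"initrd v1"])
    print("measured PCR:", pcr.hex(), "verifies:", verify(pcr, log))
    capped, log = random_extend(pcr, log)
    print("after random extend:", capped.hex(), "verifies:", verify(capped, log))
```

The verifier never needs the components themselves, only the log of extended values; that is why a single altered entry, or the omission of the random entry, is detected by replay.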
-
Publication number: 20100169648
Abstract: An information communication method performed by a communication terminal apparatus, the method including: sharing a first encryption key with a first server; receiving a request for sending identification information of the communication terminal apparatus; authenticating the first server based on certificate information of the first server that is acquired while sharing the first encryption key and verification information retained in the communication terminal apparatus; encrypting the identification information of the communication terminal apparatus using a second encryption key; and encrypting, using the first encryption key, according to an authentication result, encrypted identification information of the communication terminal apparatus as generated by using the second encryption key, and transmitting resulting double-encrypted identification information of the communication terminal apparatus to the first server.
Type: Application
Filed: August 11, 2009
Publication date: July 1, 2010
Applicant: KABUSHIKI KAISHA TOSHIBA
Inventor: Osamu Yoshida
-
Publication number: 20100169224
Abstract: Techniques are disclosed herein for protecting personally identifying information (PII) and behavioral data while delivering targeted assets. In one aspect, a profile is created based on a template and desired characteristics of users to receive one or more targeted assets. The template provides a framework for the user characteristics. One or more clients are provided the template. A manifest that identifies the targeted assets is encrypted based on the profile. The encrypted manifest is sent to the one or more clients. A user profile is generated at a client based on a template. The client attempts to decrypt the encrypted manifest based on the profile created at the client. The client sends a request for any targeted assets that were identified through the attempt to decrypt the encrypted manifest.
Type: Application
Filed: December 31, 2008
Publication date: July 1, 2010
Inventor: Erik Ramberg
-
Publication number: 20100169647
Abstract: A method of and apparatus for transmitting data in systems such as computer networks, for example in client-server or peer-to-peer arrangements. Access to transmitted data received by a destination apparatus is limited by the provision of software code at the destination apparatus. The software code is arranged to produce a result which is a function of the state of the destination apparatus, and this result is used to access the data. The software code may be either transmitted to the destination apparatus, for example along with the data it is used to access or from a separate server, or may be generated at the destination apparatus. The method and apparatus are particularly applicable in the field of on-line gaming, wherein the transmitted data is encrypted gaming data and the result of the software code provides the access key to the encrypted data.
Type: Application
Filed: October 29, 2007
Publication date: July 1, 2010
Applicant: SECUSTREAM TECHNOLOGIES AS
Inventors: Gisle Grimen, Christian Monch
-
Publication number: 20100169218
Abstract: The invention relates to a system for authenticating electronic prescriptions, the system comprising an acquisition unit for acquiring an electronic prescription for authentication, the electronic prescription comprising a transaction number, a first pseudonym, and a signature of a first participant using a transaction pseudonym, the first pseudonym indicating the first participant's registration at a first privacy officer; a generation unit for generating the transaction pseudonym based on the first pseudonym, the transaction number and a registration key corresponding to the first pseudonym and being shared between the first participant and a second privacy officer; and a validation unit for verifying the first participant's registration at the second privacy officer and the authenticity of the signature based on the registration key and the transaction pseudonym.
Type: Application
Filed: June 26, 2008
Publication date: July 1, 2010
Applicant: KONINKLIJKE PHILIPS ELECTRONICS N.V.
Inventors: Changjie Wang, Fulong Ma
-
Patent number: 7748046
Abstract: Systems and methods directed at transforming security claims in a federated authentication system using an intermediate format. The federated authentication system includes an identity provider and a resource provider. The identity provider receives a request for information from the resource provider to authenticate an account by an application associated with the resource provider. A security claim associated with the account is retrieved where the security claim is provided by an account store in a format specific to the account store. The security claim is transformed from the account store specific format to an intermediate format. The security claim is then transformed from the intermediate format to a federated format recognized by the resource provider. The transformed security claim is provided in a security token to the resource provider.
Type: Grant
Filed: April 29, 2005
Date of Patent: June 29, 2010
Assignee: Microsoft Corporation
Inventors: Ryan D. Johnson, Donald E. Schmidt, Jeffrey F. Spelman, Kahren Tevosyan, Vijayavani Nori
-
Patent number: 7747709
Abstract: A method and system for automatically cloning IT resource structure in stateful web services environments by employing a new approach for configuration management. The present new approach models the configurational state of each resource as a stateful web service. Configuration data are provided by this service's resource properties. Relationships between configurations of different resources are modeled as “stateful web services relationships” between web service instances. These relationships can be navigated, which allows exploring the configuration of a whole system in a standards-based way. Additionally a new web service interface is provided by the stateful web service encapsulating the resource. This interface provides two new operations: “getConfiguration” allows an exploiter to take a snapshot of a resource's and related resources' configurational state and “setConfiguration” allows for setting the configurational state of a resource to a previously saved state.
Type: Grant
Filed: January 5, 2007
Date of Patent: June 29, 2010
Assignee: International Business Machines Corporation
Inventors: Michael M. Behrendt, Jochen Breh, Gerd Breiter, Thomas Spatzier
-
Patent number: 7747851
Abstract: A system for licensing a computational component in a distributed processing network is provided. The system includes a licensing provider 100 that is spatially remote from the computational component 154 and is operable to: (a) assign a private and public key pair to the computational component 154; (b) create a digital certificate 308 for the computational component 154, the digital certificate 308 being signed with a private key of the licensing provider 100, the licensing provider's private key being different from the computational component's private key 312; (c) create a license file 176 to be installed on the computational component; and (d) transmit the license file 176 and the computational component's signed digital certificate 308 and private key 312 to the computational component 154.
Type: Grant
Filed: September 30, 2004
Date of Patent: June 29, 2010
Assignee: Avaya Inc.
Inventors: Richard L. Robinson, Robert J. Serkowski, William T. Walker
-
Patent number: 7742605
Abstract: A system and method for establishing secure communications between two entities, such as a server and a client, may involve the use of an intermediate gateway. Each party may establish a secure communication link with the gateway, and the gateway may provide signed certificates to each party, each certificate identifying the gateway as the other party for purposes of the communication. The gateway may then facilitate the secure communications between the two parties, and may perform data translation on the communications. The identification information may be contained within the certificates used by the gateway.
Type: Grant
Filed: August 6, 2001
Date of Patent: June 22, 2010
Assignee: Nokia Corporation
Inventor: Zoltan Hornak
-
Patent number: 7743254
Abstract: Described are a system and method for presenting security information about a current site or communications session. Briefly stated, browsing software is configured to receive a certificate during a negotiation of a secure session between a local device and a remote device. The certificate includes security information about a site maintained at the remote device. The security information is displayed to a user of the browsing software in a meaningful fashion to allow the user to make a trust determination about the site. Displaying the security information may include presenting a certificate summary that includes the most relevant information about the certificate, such as the name of the owner of the site and the name of the certificating authority of the certificate.
Type: Grant
Filed: March 23, 2005
Date of Patent: June 22, 2010
Assignee: Microsoft Corporation
Inventors: Aaron J. Sauve, Cornelis K. Van Dok, Marc A. Silbey
-
Patent number: 7743248
Abstract: A Certificate Status Service that is configurable, directed, and able to retrieve status from any approved Certification Authority (CA) is disclosed. The CSS may be used by a Trusted Custodial Utility (TCU) and comparable systems or applications whose roles are validating the right of an individual to perform a requisite action, the authenticity of submitted electronic information objects, and the status of authentication certificates used in digital signature verification and user authentication processes. The validity check on authentication certificates is performed by querying an issuing CA. Traditionally, to create a trusted Public Key Infrastructure (PKI) needed to validate certificates, complex relationships are formed by cross-certification among CAs or by use of PKI bridges.
Type: Grant
Filed: July 16, 2003
Date of Patent: June 22, 2010
Assignee: eOriginal, Inc.
Inventors: Stephen F. Bisbee, Jack J. Moskowitz, Keith F. Becker, Walter J. Hilton, Joshua Szebenyi
-
Lightweight Authentication Method, System, and Key Exchange Protocol For Low-Cost Electronic Devices
Publication number: 20100153731
Abstract: An algorithm or an authentication system for a low-cost authenticating device such as a radio frequency identification (RFID) tag, or a sensor node are provided, by which authentication is processed efficiently without requiring complicated hardware. A claimant entity attempting to be authenticated and a verifying entity to authenticate the claimant entity, share a plurality of secret keys so that authentication is processed as the claimant entity responds to a challenge by the verifying entity. The verifying entity and the claimant entity perform authentication using the Learning Parity with Noise (LPN) problem. The verifying entity and the claimant entity generate keys independently from one another, and exchange the generated keys. The claimant entity may generate an encrypted value for use in the authentication, using basic Boolean exclusive-OR and logical AND operations.
Type: Application
Filed: December 17, 2008
Publication date: June 17, 2010
Applicant: INFORMATION AND COMMUNICATIONS UNIVERSITY
Inventors: Dang Nguyen Duc, Hyunrok Lee, Kwangjo Kim
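The ingredients named in publication 20100153731 above (two shared secrets, a random vector generated by each side and exchanged, responses computed with only AND and XOR, and verification tolerant of noise) are those of the HB+ family of LPN-based protocols. The Python below is an added illustration of an HB+-style exchange, not the applicants' protocol or code, and it is written for readability rather than for the security parameters a deployment would need: the key length, round count, noise rate and acceptance threshold are constructed values, and a 64-bit key is far too short for LPN to be hard in practice. The reader accepts when the number of mismatched response bits stays near the noise rate, and rejects a device holding the wrong keys, whose responses mismatch about half the time.

```python
import random

KEY_BITS = 64                      # assumption: toy key length, real LPN keys must be much longer
ROUNDS = 256                       # challenge/response rounds per authentication
NOISE_RATE = 0.25                  # eta: probability the tag deliberately flips a response bit
MAX_ERRORS = int(0.375 * ROUNDS)   # accept if at most this many of the ROUNDS responses mismatch


def parity(v: int) -> int:
    """XOR of all bits of v (1 if an odd number of bits are set)."""
    return bin(v).count("1") & 1


def dot(a: int, x: int) -> int:
    """Inner product over GF(2): AND the two bit vectors, then XOR the result bits.
    This is the only arithmetic the low-cost device has to perform."""
    return parity(a & x)


class Tag:
    """The claimant (RFID tag or sensor node).  Holds the two shared secrets x and y."""

    def __init__(self, x: int, y: int, rng: random.Random):
        self.x, self.y, self.rng = x, y, rng
        self.b = 0

    def blinding_vector(self) -> int:
        """Key material the tag generates on its own each round and sends to the reader."""
        self.b = self.rng.getrandbits(KEY_BITS)
        return self.b

    def respond(self, a: int) -> int:
        """z = <a,x> XOR <b,y> XOR noise, where noise is 1 with probability NOISE_RATE."""
        noise = 1 if self.rng.random() < NOISE_RATE else 0
        return dot(a, self.x) ^ dot(self.b, self.y) ^ noise


class Reader:
    """The verifier.  Knows the same x and y and generates its own challenge vectors a."""

    def __init__(self, x: int, y: int, rng: random.Random):
        self.x, self.y, self.rng = x, y, rng

    def authenticate(self, tag) -> bool:
        errors = 0
        for _ in range(ROUNDS):
            b = tag.blinding_vector()            # tag -> reader: random blinding vector
            a = self.rng.getrandbits(KEY_BITS)   # reader -> tag: random challenge
            z = tag.respond(a)                   # tag -> reader: noisy one-bit response
            if z != dot(a, self.x) ^ dot(b, self.y):
                errors += 1
        # An honest tag mismatches about NOISE_RATE * ROUNDS times; a device with the
        # wrong keys mismatches about ROUNDS / 2 times, far above MAX_ERRORS.
        return errors <= MAX_ERRORS


def run(seed: int, genuine: bool) -> bool:
    """Constructed demo: derive shared keys from a seeded RNG.  With genuine=False the
    tag is given different keys and the reader should reject it."""
    rng = random.Random(seed)
    x, y = rng.getrandbits(KEY_BITS), rng.getrandbits(KEY_BITS)
    reader = Reader(x, y, random.Random(seed + 1))
    if genuine:
        tag = Tag(x, y, random.Random(seed + 2))
    else:
        tag = Tag(rng.getrandbits(KEY_BITS), rng.getrandbits(KEY_BITS), random.Random(seed + 2))
    return reader.authenticate(tag)


if __name__ == "__main__":
    print("genuine tag accepted:", run(1, True))
    print("wrong-key tag accepted:", run(1, False))
```

The deliberate noise is what makes passive eavesdropping useless: without it, an attacker who records enough (a, b, z) triples could solve the linear system for x and y by Gaussian elimination.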
-
Patent number: 7739508
Abstract: A secure instant messaging system integrates secure text instant messaging and secure file transfers into existing instant messaging systems. At least one certificate authority (CA) is provided that issues a security certificate to a user that binds the user's instant messaging screen name to a public key which is used by other users to encrypt messages and files sent to the user and by the user to decrypt the received messages and files. A subscriber database is used by the CA to keep track of valid users and their associated information, such as: user screen names, user subscription expiration dates, and enrollment agent information. A user sends his certificate to the invention's instant messaging server which publishes the user's certificate to other users by creating a hash value of the user's certificate and sending it to the other users which allows the recipients to decide if they need to update their caches with a new copy of the user's certificate.
Type: Grant
Filed: October 27, 2006
Date of Patent: June 15, 2010
Assignee: AOL Inc.
Inventors: Robert B. Lord, Terry N. Hayes, Justin Uberti
-
Patent number: 7739495
Abstract: A security module is provided in a data recording medium, data to be written to the data recording medium is encrypted with a content key different from one data to another, and the content key is safely stored in the security module. Also, the security module makes a mutual authentication using the public-key encryption technology with a drive unit to check that the counterpart is an authorized (licensed) unit, and then gives the content key to the counterpart, thereby preventing data from being leaked to any illegal (unlicensed) unit. Thus, it is possible to prevent copyrighted data such as movie, music, etc. from being copied illegally (against the wish of the copyrighter of the data).
Type: Grant
Filed: May 4, 2007
Date of Patent: June 15, 2010
Assignee: Sony Corporation
Inventors: Tomoyuki Asano, Yoshitomo Osawa
-
Publication number: 20100146280
Abstract: A remote assisting method is applied in a remote assisting system, which includes a server, a help-asking device and a helping device. The remote assisting method includes the following steps. First, ticket information is encrypted into encrypted ticket information, which is provided to the server, in response to a help-asking event and according to a first key. Next, the encrypted ticket information provided by the help-asking device is decoded into the ticket information according to a second key. Then, the ticket information, generated by decoding, is provided to the helping device such that the helping device can log in to the help-asking device and perform a remote assisting operation.
Type: Application
Filed: May 14, 2009
Publication date: June 10, 2010
Applicant: INDUSTRIAL TECHNOLOGY RESEARCH INSTITUTE
Inventors: Po-Yuan Teng, Lun-Chia Kuo, Yi-Hsiung Huang, Lee-Chun Ko
-
Publication number: 20100146281
Abstract: Methods, systems, and devices are described for the secure electronic exchange of procurement documents. A server computer system may manage different sets of security procedures, distributing certificates to trading partners. These certificates may be community-specific certificates for a limited community of trading partners. When particular trading partners (e.g., of the community) agree to exchange procurement documents, they may first exchange their certificates (or portions thereof) with each other. A sending trading partner may then provide an electronic signature for a procurement document to be transmitted, and encrypt the signed procurement document using the receiving trading partner's public key.
Type: Application
Filed: December 7, 2009
Publication date: June 10, 2010
Applicant: Amalto Technologies Corp.
Inventors: Bruno Grieder, Jean-Pierre Foehn, Emmanuel Thiriez
-
Publication number: 20100145813
Abstract: A system and method to authenticate products. The method includes storing identity data corresponding to products to be sold into a database, accessing the database at a point-of-sale of a product, and determining the authenticity of the product at the point-of-sale by comparing the product's identity data with the identity data stored in the database.
Type: Application
Filed: December 7, 2009
Publication date: June 10, 2010
Applicant: ADVANCED PROGRAMS GROUP, LLC
Inventor: Bekim Veseli
-
Patent number: 7735126
Abstract: A method of Authentication Authorization and Accounting (AAA) in an interworking between first and second networks that do not belong to the same administrative domain, using certificate based transactions. In the method according to the invention, the second network sends a public key to the first network, and a certificate to a mobile device. The certificate includes information regarding the subscription level of the mobile device and is signed with a private key of the second network. Upon detection of the first network the mobile device transmits the certificate and the first network authenticates the certificate using the public and private keys of the second network, and authorizes access to the network in response. The first network then sends a session key encrypted with a public key of the mobile device. The mobile device decrypts the session key with a private key and accesses the first network using the session key.
Type: Grant
Filed: March 13, 2003
Date of Patent: June 8, 2010
Assignee: Thomson Licensing
Inventors: Junbiao Zhang, Charles Chuanming Wang, Jun Li
-
Patent number: 7734924
Abstract: A system and method are disclosed for transparently providing certificate validation and other services without requiring a separate service request by either a relying customer or subscribing customer. In a preferred embodiment, after the subscribing customer digitally signs a document (e.g., a commercial document such as a purchase order), it forwards the document to a trusted messaging entity which validates the certificates of both the subscribing customer and relying customer and the respective system participants of which they are customers. If the certificates are valid, the trusted messaging entity appends a validation message to the digitally-signed document and forwards the document to the relying customer. A validation message is also preferably appended to a digitally-signed receipt from the relying customer and transmitted to the subscribing customer. In this way, both the relying customer and subscribing customer obtain certification of their respective counterparty to the transaction.
Type: Grant
Filed: January 26, 2006
Date of Patent: June 8, 2010
Assignee: IdenTrust, Inc.
Inventors: Lawrence R. Miller, Guy S. Tallent, Jr., Khaja E. Ahmed
-
Patent number: 7730490
Abstract: An image-forming apparatus configured to be controlled based on access-control information and to perform a flow which includes performance of a plurality of functions of the image forming apparatus based on flow setting information, where flow setting information designates an order of performance of the plurality of functions of the image forming apparatus. The image-forming apparatus includes an acquisition unit configured to acquire the access-control information based on a signature included in the flow setting information if the flow setting information includes the signature, and a flow-performing unit configured to perform the flow based on the access-control information acquired by the acquisition unit.
Type: Grant
Filed: August 23, 2007
Date of Patent: June 1, 2010
Assignee: Canon Kabushiki Kaisha
Inventor: Fumitoshi Ito
-
Publication number: 20100131765
Abstract: The anonymity of a user at a client computer may be preserved when authenticating with an on-line service or content provider through the use of an anonymous and verifiable (i.e., “blind”) certificate set that is created by a certificate authority from a fixed-size set of PKI key pairs. The certificate authority randomly selects a subset of PKI key pairs to generate the blind certificate set where each certificate in the set includes a respective public key from the PKI key pair subset. The certificate authority also sends the private keys from the PKI key pair subset to the user. During authentication, the client computer is configured to randomly select a subset of one or more certificates from the set to present to the provider. The provider will encrypt content using the public keys in the subset of certificates and the client will decrypt the content with the corresponding private keys.
Type: Application
Filed: November 26, 2008
Publication date: May 27, 2010
Applicant: MICROSOFT CORPORATION
Inventors: Dennis N. Bromley, Alexandre V. Grigorovitch
-
Publication number: 20100131766
Abstract: An apparatus and a method for authenticating a secure communication is described. A server receives a request from a client for an original SSL certificate. The server embeds a message in a common name (CN) of a new SSL certificate directing the client to another server. The client is transparently reconfigured and establishes a secure communication with the other server using the new SSL certificate.
Type: Application
Filed: November 26, 2008
Publication date: May 27, 2010
Inventor: James Paul Schneider
-
Publication number: 20100132025
Abstract: A communication apparatus has a communication part and authenticates a communication partner by using a digital certificate. The communication apparatus includes an authentication part carrying out authentication of the communication partner by using a common certificate. The common certificate is a digital certificate not including identification information of an apparatus. An individualized certificate transmission part acquires, in the case the authentication by the authentication part has been made successfully, an individualized certificate and transmits the individualized certificate to the communication partner. The individualized certificate is a digital certificate including identification information of the communication partner.
Type: Application
Filed: January 26, 2010
Publication date: May 27, 2010
Inventor: Tatsuya IMAI
-
Patent number: 7725930
Abstract: Described herein is a technique of protecting users against certain types of Internet attacks. The technique involves obtaining certificates from visited web sites and qualifying communications with those web sites based on the content of the certificates.
Type: Grant
Filed: March 30, 2005
Date of Patent: May 25, 2010
Assignee: Microsoft Corporation
Inventors: Eric M Lawrence, Roberto A. Franco, Venkatraman V Kudallur, Marc A Silbey
-
Patent number: 7725710
Abstract: A system, such as a networked computer system, comprising a user, an application server, a gatekeeper server and an authentication server. Communication within the system is managed by the gatekeeper server, wherein the user communicates with the authentication server and the application server through the gatekeeper server. Once the user has been initially authenticated by the authentication server, the user may request application services from a plurality of application servers within the networked computer system without having to be re-authenticated.
Type: Grant
Filed: April 7, 2006
Date of Patent: May 25, 2010
Assignee: Wells Fargo Bank, N.A.
Inventors: Edward R. Kelly, Christopher Wayne Howser, Jonathan Francis Savage, Yuliang Zheng
-
Patent number: 7725711
Abstract: Methods and systems for handling on an electronic device a secure message to be sent to a recipient. Data is accessed about a security key associated with the recipient. The received data is used to perform a validity check related to sending a secure message to the recipient. The validity check may uncover an issue that exists with sending a secure message to the recipient. A reason is determined for the validity check issue and is provided to the mobile device's user.
Type: Grant
Filed: April 2, 2004
Date of Patent: May 25, 2010
Assignee: Research in Motion Limited
Inventors: Michael K. Brown, Michael S. Brown, Herbert A. Little, Neil P. Adams
-
Patent number: 7725721
Abstract: A method and system for transferring licenses between electronic devices supporting licensable features. Specifically, in a method a request is generated for transferring a license between first and second electronic devices. The request includes first information unique to the first electronic device and second information unique to the second electronic device. The request is sent to a license distributor to generate a master key. The master key includes a removal key including the first information and an add key including the second information. The removal key is used to remove the license from the first electronic device when the first information matches official versions of the first information. The add key is revealed from the master key when the license is successfully removed. The add key is used to add the license to the second electronic device when the second information matches official versions of the second information.
Type: Grant
Filed: November 18, 2004
Date of Patent: May 25, 2010
Assignee: Cisco Technology, Inc.
Inventors: Prabhakara Rao Yellai, Phong Ky Vo, Mihir Maniar, Eric B. Eggel, Alex Van Truong
-
Patent number: 7721102
Abstract: A system and method for detecting exposure of an OCSP responder's session private key in a D-OCSP-KIS to verify the status of a user's certificate online are provided. The system includes: a client for requesting certificate status information from the OCSP responder; the OCSP responder for receiving the certificate status information request from the client, sending a response, producing a hash value, and delivering the hash value to a certificate authority (CA) to get a certificate issued; and the CA for receiving the hash value from the OCSP responder and issuing the certificate to the OCSP responder in response to a certificate issue request; wherein the client verifies a digital signature using a hash value contained in the OCSP responder's certificate and the hash value contained in the response, and each client stores a counter value for a hash operation in each verification and recognizes the response as valid when a current counter value is greater than a previous counter value.
Type: Grant
Filed: May 11, 2006
Date of Patent: May 18, 2010
Assignee: Sungkyunkwan University Foundation for Corporate Collaboration
Inventors: Dongho Won, Seungjoo Kim, Younggyo Lee
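The hash value in the responder's certificate, the hash value in each response, and the per-client counter that must only ever increase describe a one-way hash chain: the responder commits to the end of the chain through the CA, releases the chain one step at a time, and a client re-hashes each released value back to the certified anchor while refusing any release whose counter does not advance. The Python below is an added illustration of that mechanism, not the university's code or the patent's D-OCSP-KIS implementation. It assumes SHA-256, a chain of fixed length and numbered periods, and it deliberately leaves out the responder's signature over the status itself, which remains a separate check; the point shown is that a captured release is useless for replay and cannot be rolled forward to a future period without inverting the hash.

```python
import hashlib


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_chain(seed: bytes, length: int):
    """chain[0] = seed, chain[i] = H(chain[i-1]).  chain[length] is the value the
    responder hands to the CA for its certificate; every earlier element stays secret
    until the period in which it is released."""
    chain = [seed]
    for _ in range(length):
        chain.append(H(chain[-1]))
    return chain


class Responder:
    def __init__(self, seed: bytes, length: int):
        self.chain = build_chain(seed, length)
        self.length = length
        self.period = 0          # advanced before each new release

    def certificate_value(self) -> bytes:
        """The anchor the CA certifies (in the real scheme, inside the responder's cert)."""
        return self.chain[self.length]

    def advance(self):
        if self.period >= self.length:
            raise RuntimeError("hash chain exhausted; the responder needs a new certificate")
        self.period += 1

    def respond(self, cert_status: str):
        """A response for period i releases chain[length - i] together with i, which the
        client uses as its counter.  Releasing chain[length - i] reveals nothing about
        chain[length - i - 1], the value needed for the next period."""
        return {"status": cert_status, "counter": self.period,
                "hash": self.chain[self.length - self.period]}


class Client:
    def __init__(self, certified_value: bytes, chain_length: int):
        self.anchor = certified_value
        self.length = chain_length
        self.last_counter = 0    # per-client state, as the abstract describes

    def verify(self, response) -> bool:
        i, v = response["counter"], response["hash"]
        if not 1 <= i <= self.length:
            return False
        # Re-hash the released value i times: it must land exactly on the certified anchor.
        for _ in range(i):
            v = H(v)
        if v != self.anchor:
            return False
        # The counter must strictly increase: a replayed or stale response is rejected
        # even though its hash value is genuine.
        if i <= self.last_counter:
            return False
        self.last_counter = i
        return True


if __name__ == "__main__":
    responder = Responder(b"constructed responder seed", 10)   # constructed, not a real key
    client = Client(responder.certificate_value(), 10)
    responder.advance()
    first = responder.respond("good")
    print("period 1 accepted:", client.verify(first))
    print("period 1 replayed:", client.verify(first))
```

Chain length bounds the responder's certificate lifetime: once the last element is released the responder must obtain a new certificate with a fresh anchor.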
-
Patent number: 7721101
Abstract: A communication apparatus with a memory (418) holding CA information A(301a) including (i) a CA certificate A(106a) indicating that an AP server certificate A(402a) (that indicates the validity of an application server (401)) is valid and (ii) a URL B(302b) indicating the URL of a download server B(406b) where CA information B(301b) including the next valid CA certificate B(106b) is stored. The communication apparatus also having a server authentication unit (416) verifying the AP server certificate A(402a) using the CA certificate A(106a), and having a CA information update unit (417) obtaining the CA information B(301b) from the download server B(406b) indicated by the URL B(302b), wherein, when the CA certificate A(106a) becomes revoked, the server authentication unit (416) authenticates the application server (401) using the CA certificate B(106b) included in the CA information B(301b) obtained by the CA information update unit (417).
Type: Grant
Filed: March 17, 2004
Date of Patent: May 18, 2010
Assignee: Panasonic Corporation
Inventors: Junji Yoshida, Shinji Hamai
-
Patent number: 7720769
Abstract: A card activated cash dispensing automated banking machine is provided. The machine may be operative to install a terminal master key (TK) therein in response to at least one input from a single operator. The machine may include an EPP that is operative to remotely receive an encrypted terminal master key from a host system. The machine may authenticate and decrypt the terminal master key prior to accepting the terminal master key. The machine may further output through a display device of the machine a one-way hash of at least one public key associated with the host system. The machine may continue with the installation of the terminal master key in response to an operator confirming that the one-way hash of the public key corresponds to a value independently known by the operator to correspond to the host system.
Type: Grant
Filed: April 28, 2008
Date of Patent: May 18, 2010
Assignee: Diebold, Incorporated
Inventors: Timothy Zajkowski, Anne Doland, Mark D. Smith
-
Patent number: 7721108
Abstract: To check a digital signature, using a microcircuit card, the microcircuit being designed to receive and to process requests to check digital signatures, the process comprises storing in a memory in the microcircuit a certificates table containing digest forms of authorized public keys, and a phase of checking a digital signature consisting of: receiving by the microcircuit the digital signature to be checked and a public key corresponding to a private key that was used to generate the digital signature to be checked; calculating a digest form of the received public key; searching for the calculated digest form of the public key in the certificates table; and decrypting the digital signature using the received public key if the calculated digest form of the public key is located in the certificates table.
Type: Grant
Filed: May 21, 2003
Date of Patent: May 18, 2010
Assignee: France Telecom
Inventors: Jean-Claude Pailles, Vincent Boutroux
-
Patent number: 7716492
Abstract: A service discovery mechanism may allow clients in a distributed computing environment to search for services. The service discovery mechanism may allow a client to request a capability credential from a service. In one embodiment, the client may present to the service a set of desired capabilities. The service may then respond with a capability credential that may convey to the client the rights to use the requested capabilities. A complete service advertisement may be needed to create a message endpoint for accessing the service. In an embodiment, the capability credential may be used by a client to obtain a complete advertisement for the requested capabilities. The capability credential may provide an additional level of security for the service provider. The capability credential that may be used to receive the complete advertisement may also be used to construct a message gate to communicate with the service, where the gate embeds the capability credential in each message to the service.
Type: Grant
Filed: August 31, 2000
Date of Patent: May 11, 2010
Assignee: Oracle America, Inc.
Inventors: Thomas E. Saulpaugh, Gregory L. Slaughter, Mohamed M. Abdelaziz, Bernard A. Traversat
-
Patent number: 7716470
Abstract: Techniques are described for generating and actively verifying a boot code associated with a peripheral device of a computer system to prevent potential security threats the boot code may introduce into the computer system. The techniques for generating boot code entail generating the boot code from a high-level programming language using a verification application program interface (API). The API aids in generating a certificate, which is associated with the boot code in that the certificate describes operation of the boot code. After generating the boot code and associated certificate, the two are loaded onto a memory module of the peripheral device. Once the peripheral device is connected to the computer system, the computer system may retrieve the boot code and certificate. The computer system utilizes techniques to actively verify the boot code by performing a security check on the boot code in accordance with the associated certificate.
Type: Grant
Filed: December 16, 2008
Date of Patent: May 11, 2010
Assignee: Architecture Technology Corporation
Inventors: Matthew A. Stillerman, Dexter Kozen, Thomas J. Merritt
-
Publication number: 20100111300
Abstract: In a server certificate issuing system according to the invention, the Web server includes a control panel which configures and manages a Web and a mail. The control panel is loaded with an entry screen generator to input application items for an issuance of a server certificate, a password generator for generating a password which is used to encrypt, and a verification page generator to indicate intention of requesting the issuance of the certificate. On the verification page, the generated password is indicated as verification information, for example. The registration server retrieves the password from the received server certificate request and accesses the Web server to read out the verification information indicated on the verification page, and compares the read verification information with the password.
Type: Application
Filed: June 25, 2008
Publication date: May 6, 2010
Inventors: Keisuke Kido, Ichiro Chujo
-
Publication number: 20100115281
Abstract: Method and apparatus for generating cryptographic credentials certifying user attributes and making cryptographic proofs about attributes encoded in such credentials. Attributes are encoded as prime numbers E in accordance with a predetermined mapping and a cryptographic credential is generated encoding E. To prove that an attribute encoded in a cryptographic credential associated with a proving module of the system is a member of a predetermined set of user attributes, without revealing the attribute in question, the proving module determines the product Q of respective prime numbers corresponding to the attributes in the set in accordance with the predetermined mapping of attributes to prime numbers. The proving module demonstrates to the receiving module possession of a cryptographic credential encoding a secret value that is the prime number E, and then whether this secret value divides the product value Q.
Type: Application
Filed: August 27, 2009
Publication date: May 6, 2010
Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Jan Leonhard Camenisch, Thomas R. Gross
-
Patent number: 7707417
Abstract: A method and apparatus securely transmit data between a client and a server over a communications network. The secure data transmission includes, after the client is initially authenticated: (a) transmitting a series of client connection messages from the client to the server at least while the data is being transmitted; (b) transmitting a series of server connection messages from the server to the client at least while the data is being transmitted; (c) monitoring the client connection messages at the server; (d) monitoring the server connection messages at the client; (e) if a disturbance is found either in the client connection messages or the server connection messages, terminating the data transmission between the client and the server, re-authenticating the client, and re-transmitting the data; and (f) if the encrypted data is successfully transmitted to the server, storing the data in a database associated with the recipient.
Type: Grant
Filed: June 23, 2005
Date of Patent: April 27, 2010
Inventor: Masami Yoshioka
-
Publication number: 20100100728
Abstract: In a certification request, a user device includes an object identifier. When a certification authority generates an identity certificate responsive to receiving the certification request, the certification authority includes the object identifier, thereby allowing improved management of the identity certificate at the user device and elsewhere.
Type: Application
Filed: October 22, 2008
Publication date: April 22, 2010
Applicant: RESEARCH IN MOTION LIMITED
Inventors: Van Quy Tu, Neil Patrick Adams
-
Publication number: 20100100730
Abstract: A system and method for searching and retrieving certificates, which may be used in the processing of encoded messages. In one broad aspect, a method is provided in which a certificate search request is received, a search of one or more certificate servers for certificates satisfying the request is performed, located certificates are retrieved and processed at a first computing device to determine data that uniquely identifies each located certificate, and search result data comprising the determined data is communicated to a second device (e.g. a mobile device) for use in determining whether each located certificate is already stored on the second device.
Type: Application
Filed: December 22, 2009
Publication date: April 22, 2010
Applicant: RESEARCH IN MOTION LIMITED
Inventors: Neil P. Adams, Michael S. Brown, Herbert A. Little
-
Publication number: 20100095125
Abstract: An improved secure programming technique involves reducing the size of bits programmed in on-chip secret non-volatile memory, at the same time enabling the typical secure applications supported by secure devices. A technique for secure programming involves de-coupling chip manufacture from the later process of connecting to ticket servers to obtain tickets. A method according to the technique may involve sending a (manufacturing) server signed certificate from the device prior to any communication to receive tickets. A device according to the technique may include chip-internal non-volatile memory to store the certificate along with the private key, in the manufacturing process.
Type: Application
Filed: October 9, 2009
Publication date: April 15, 2010
Applicant: BroadOn Communications Corp.
Inventors: Pramila Srinivasan, John Princen
-
Patent number: 7698557
Abstract: A system and method for generating a digital certificate is provided wherein a new digital record is received and is assigned a sequence value. A first composite digital value is generated by applying a first deterministic function to the digital records stored in a repository. The sequence value and first composite digital value are included in a first certificate. After the digital record is added to the repository, a second composite digital value is generated by applying a second deterministic function to the digital records in the repository. This second composite digital value, and a composite sequence value, are published. An interval digital value which is based upon the first and second composite digital values, and the sequence value, are included in a second certificate which thus verifies the authenticity and sequence value of the digital record.
Type: Grant
Filed: December 7, 2004
Date of Patent: April 13, 2010
Assignee: Guardtime AS
Inventors: Mart Saarepera, Ahto Buldas
-
Patent number: 7698549
Abstract: Disclosed herein are several digital certificate discovery and management systems. Detailed information on various example embodiments of the inventions is provided in the Detailed Description below, and the inventions are defined by the appended claims.
Type: Grant
Filed: August 13, 2004
Date of Patent: April 13, 2010
Assignee: Venafi, Inc.
Inventors: Russell S. Thornton, Benjamin Hodson, Jayson Seegmiller
-
Patent number: 7698565
Abstract: A method of providing a certificate from a client to a server is disclosed. The method comprises receiving a request for a certificate from the server and forwarding the request to a biometric certification server (BCS). The method further includes receiving a biometric identification from the client and forwarding the biometric identification to the BCS. If the biometric identification matches a registered user on the BCS, the method includes receiving a certificate including a public key of the client certified by the BCS, and forwarding the certificate to the server, thereby identifying the client to the server.
Type: Grant
Filed: March 30, 2000
Date of Patent: April 13, 2010
Assignee: DigitalPersona, Inc.
Inventors: Vance C. Bjorn, Daniel Lopez
-
Publication number: 20100088518
Abstract: A method of exchanging data between a data processing system and an electronic entity, characterized by the following steps: the electronic entity sending the data processing system a certificate (CASD_CERT) associating an identifier of the electronic entity with a public key (CASD_PK) associated with a secret key (CASD_SK) stored in the electronic entity in a set of reserved keys associated with a first security domain; the data processing system verifying the association of the identifier and the public key (CASD_PK) via the certificate (CASD_CERT); and an application of the electronic entity separate from the first security domain and the data processing system exchanging data encrypted by the public key (CASD_PK) or signed by the first security domain by the secret key (CASD_SK) stored in the electronic entity.
Type: Application
Filed: September 18, 2009
Publication date: April 8, 2010
Applicant: OBERTHUR TECHNOLOGIES
Inventors: Emmanuelle DOTTAX, Mehdi ZIAT
-
Publication number: 20100086130
Abstract: A digital content rights management method and system belongs to the digital content rights management technique field. The method of the invention includes the steps: registering the system, generating the time stamp, verifying the time stamp when the system starts up, acquiring the certificate, and verifying the time before accessing the digital content. The system of the invention comprises a device for accessing the digital content and a server, wherein the device for accessing the digital content comprises: a registering module, a time stamp generating module, a time stamp verification module, a certificate of authorization acquiring module, and a time verification module. The method and system have solved the problem that the digital content can still be used beyond the time limit.
Type: Application
Filed: December 11, 2007
Publication date: April 8, 2010
Applicants: PEKING UNIVERSITY FOUNDER GROUP CO., LTD., PEKING UNIVERSITY, BEIJING FOUNDER APABI TECHNOLOGY LTD.
Inventors: Yi Wang, Zhi Tang, Dengsha Yuan, Xuefeng Yang
-
Patent number: 7694333
Abstract: A communication apparatus has a communication part and authenticates a communication partner by using a digital certificate, wherein the communication apparatus includes an authentication part carrying out authentication of the communication partner by using a common certificate, the common certificate being a digital certificate not including identification information of an apparatus, and an individualized certificate transmission part acquiring, in the case the authentication by the authentication part has been made successfully, an individualized certificate and transmitting the individualized certificate to said communication partner, the individualized certificate being a digital certificate including identification information of the communication partner.
Type: Grant
Filed: July 23, 2004
Date of Patent: April 6, 2010
Assignee: Ricoh Company, Ltd.
Inventor: Tatsuya Imai