By Generation Of Certificate Patents (Class 713/175)
-
Patent number: 7428307
Abstract: A decryption processing unit decrypts encrypted content data using a license key Kc. When an elapsed time after reception of the license key (Kc) does not exceed a hold time at a time of the license key (Kc) included in reproduction control information (ACp), reproduction of encrypted content data continues. When the elapsed time exceeds the hold time at a time, the license key (Kc) is discarded, and a reproduction control unit again obtains a license key (Kc) from a memory card. Discarding and reobtaining license key (Kc) continues until an allowable output count of license key (Kc) from the memory card becomes zero. As a result, a reproduction time of encrypted content data can be controlled safely.
Type: Grant
Filed: June 26, 2002
Date of Patent: September 23, 2008
Assignees: Sanyo Electric Co., Ltd., Fujitsu Limited, Hitachi, Ltd.
Inventors: Yoshihiro Hori, Takayuki Hasebe, Tatsuya Hirai
-
Information processing apparatus and method for managing grouped devices in an encrypted environment
Patent number: 7426639
Abstract: This invention relates to an information processing apparatus for permitting so-called grouping without recourse to group keys. A content server retains in advance certificates of devices subject to grouping. Each certificate contains a public key of the corresponding device. When providing a content, the content server authenticates the certificates of the grouped devices for which the content is destined (step S281), encrypts a content key by use of public keys of the authenticated certificates (step S283), and transmits the content key thus encrypted to each of the devices making up the group (step S284) together with the content. The inventive apparatus is applied to devices that provide contents.
Type: Grant
Filed: March 27, 2002
Date of Patent: September 16, 2008
Assignee: Sony Corporation
Inventor: Ryuji Ishiguro
-
Patent number: 7424613
Abstract: A method of constructing a unique domain for preventing content from being illegally used by an unauthorized third person in a public key-based architecture and applying the constructed domain to a home network using universal plug and play (UPnP). The method of the present invention includes selecting one of controlled devices that are operable as a master device and determining the selected device as the master device; performing device authentication in such a manner that other controlled devices receive a secret information block from the determined master device and create certificates; and determining slave devices by selecting one or more devices among the authenticated controlled devices.
Type: Grant
Filed: September 30, 2004
Date of Patent: September 9, 2008
Assignee: Samsung Electronics Co., Ltd.
Inventors: Sung-hyu Han, Myung-sun Kim, Jung-yon Cho, Yang-lim Choi
-
Patent number: 7424607
Abstract: To restrict actions such as spoofing and thereby prevent tapping and leakages of data by certifying whether or not each communication device such as a storage device on a communication line is to be connected to the communication line. Upon receipt of a packet that contains an IP address in its IP header and stores a certificate in its certificate payload from a storage device 300, an authentication device 200 compares an IP address that is recorded in the certificate and the IP address that is recorded on the IP header of the packet. If the comparison results in a match of these IP addresses, the authentication device 200 can certify that the storage device 300 is a device for which a certificate issuing device 100 has properly issued the certificate.
Type: Grant
Filed: February 26, 2004
Date of Patent: September 9, 2008
Assignee: Hitachi, Ltd.
Inventor: Akitsugu Kanda
-
Patent number: 7424606
Abstract: A system and method for authenticating an operating system includes, in accordance with one aspect, a method in a computer system having a processor, an operating system (OS), and a software identity register that holds an identity of the operating system, the processor having a private key. The method comprises forming an OS certificate containing the identity from the software identity register and signing the OS certificate using the private key. In accordance with another aspect, the signed identity is submitted to a recipient to prove an identity of the operating system to the recipient.
Type: Grant
Filed: May 7, 2003
Date of Patent: September 9, 2008
Assignee: Microsoft Corporation
Inventors: Butler W. Lampson, John D. DeTreville, Paul England
-
Patent number: 7421577
Abstract: The present invention provides a means for reflecting modifications made in a server to data with regard to a scope of rights, which are granted to an application program operable in a communication device such as a mobile station, on data stored in the communication device. To achieve the aim, in a system according to the present invention, Java-AP software is provided to a mobile station by transmitting an ADF, a SDF and a JAR file from servers to the mobile station in that order. The SDF is a file containing data indicating restrictions of behavior of a Java-AP in a mobile station. The SDF also contains data indicating a validity state of the SDF, namely ‘valid’ or ‘invalid’, which is managed by management server device 18. Before a mobile station runs a Java-APP which is installed in the mobile station, the mobile station accesses management server device 18 and checks whether a SDF corresponding to the Java-APP is valid.
Type: Grant
Filed: March 31, 2004
Date of Patent: September 2, 2008
Assignee: NTT DoCoMo, Inc.
Inventors: Yuichi Ichikawa, Naoki Naruse, Tatsuro Oi, Nobuyuki Watanabe, Yasunori Hattori, Masato Takeshita, Masakazu Nishida, Mao Asai, Masayuki Tsuda, Atsuki Tomioka, Kazuhiro Yamada, Dai Kamiya, Satoshi Washio, Naoki Yamane, Keiichi Murakami
-
Patent number: 7421730
Abstract: A providing computer system may receive a request, via a stateless protocol, to access a resource. An access control application may refer to administrative rules to set validation information associated with the request. Validation information may be in the form of electronic text that is stored in a location such as a cookie or state-table. Validation information may indicate the state of a session associated with a resource, such as whether a session is in a logged-in or logged-out state. When a request is received, validation information and authentication information may be utilized together to determine if access to a resource should be granted. When access to a resource is granted or denied, validation information may be updated to indicate that the state of the session has changed.
Type: Grant
Filed: May 9, 2002
Date of Patent: September 2, 2008
Assignee: Microsoft Corporation
Inventors: Dan E. Walther, Michael Kramer, Anthony Y. Kueh, Leszek Mazur
-
Patent number: 7418597
Abstract: Disclosed herein are several digital certificate discovery and management systems. Detailed information on various example embodiments of the inventions are provided in the Detailed Description below, and the inventions are defined by the appended claims.
Type: Grant
Filed: August 13, 2004
Date of Patent: August 26, 2008
Assignee: Venati, Inc.
Inventors: Russell S. Thornton, Benjamin Hodson, Jayson Seegmiller
-
Patent number: 7415613
Abstract: A system and method for detecting if an object has been tampered with comprising a characterizer, a comparator, and indicator, and optionally, a signer. The characterizer generates a first digital characterization of an object at a first time and at least one subsequent digital characterization of the object at at least one subsequent time. The comparator compares the first digital characterization with the at least one subsequent digital characterization, and the indicator generates a pre-selected characterization signal if the first and subsequent digital characterizations don't match. Optionally, the first digital characterization can be accompanied by a first digital signature. The signer optionally verifies the digital signature at the at least one subsequent time.
Type: Grant
Filed: May 23, 2003
Date of Patent: August 19, 2008
Assignee: Lockheed Martin Corporation
Inventors: Jeremy D. Impson, Nader Mehravari
-
Patent number: 7415721
Abstract: A method includes associating a first authentication process with content, the first authentication process to protect the content from access by an unauthorized user. A second authentication process is also associated with the content, the second authentication process to protect the content from access by an unauthorized device. The first authentication process and the second authentication process are separate and distinct authentication processes. This enables an authorized user to access the content on an authorized device and prevents the authorized user from accessing the content on the unauthorized device.
Type: Grant
Filed: February 16, 2005
Date of Patent: August 19, 2008
Assignee: Entriq, Inc.
Inventor: Robert W. Fransdonk
-
Patent number: 7412480
Abstract: The invention is directed to a method for a software provider to enable a software-acquiring entity to arrive from an existent first signed piece of code at a second signed piece of code. Both pieces of code were generated at the software provider by use of a first software archive generator under use of generation instructions. The software provider provides to the software-acquiring entity a difference code that comprises the steps necessary to arrive from the first signed piece of code at the second signed piece of code. The difference code is combinable at the software-acquiring entity with the first signed piece of code by a second software archive generator to generate the second signed piece of code. The second software archive generator is therefor to be fed with those generation instructions that were used by the first software archive generator for the generation of both pieces of code.
Type: Grant
Filed: June 28, 2001
Date of Patent: August 12, 2008
Assignee: International Business Machines Corporation
Inventors: Michael Baentsch, Peter Buhler, Thomas Eirich, Frank Hoering, Thomas D. Weigold
-
Patent number: 7409553
Abstract: A public key certificate generation method includes the steps of: sending, in a registration authority, a certificate issuing request including registration contents of a public key certificate and an information content guaranteed by the registration authority to the issuing authority; and generating, in the issuing authority, a public key certificate including the registration contents described in the certificate issuing request, the information guaranteed by the registration authority, issuing contents issued by the issuing authority, and a signature to the issuing contents.
Type: Grant
Filed: February 19, 2002
Date of Patent: August 5, 2008
Assignee: Hitachi, Ltd.
Inventors: Yoko Kumagai, Takahiro Fujishiro, Satoru Tezuka, Takanobu Oikawa, Izumi Anayama
-
Patent number: 7409554
Abstract: To provide an improved management structure of memory devices storing service-use applications. A card for a memory device applied to use various services is provided as one child card or more corresponding to each of the services, a parent card stores data for child-card issue management, and the child-card issue processing is executed based on the parent card, such as parent card authentication. An issue certificate having a parent-card digital signature is stored in the child card, the issue certificate contains a service code and a child-card identification, and thus it becomes possible to confirm a service set in the child card based on the issue certificate as the parent-card signature data.
Type: Grant
Filed: April 17, 2002
Date of Patent: August 5, 2008
Assignee: Sony Corporation
Inventors: Yoshihito Ishibashi, Susumu Kusakabe, Hideaki Watanabe
-
Publication number: 20080184033
Abstract: System and method for creation and use of an agreement object having content packages and a transportable agreement, including both the content of the agreement and data used to validate the signatories and an audit trail for the agreement.
Type: Application
Filed: November 2, 2007
Publication date: July 31, 2008
Applicant: RECOMBO, INC.
Inventors: Shawn Daniels, Petr Kubon, Goran Radisavljevic
-
Patent number: 7406710
Abstract: A system and method for controlling, by an outside entity, one or more devices associated with a location. A representative embodiment of the system architecture comprises an internal computer system through which a device may be remotely controlled by the outside entity during a communication session between the outside entity and the internal computer system through an external computer network. The external computer network can be the Internet. When the outside entity is requested to control the device, the outside entity's identity information is authenticated before the communication session is established. In a preferred embodiment, the internal computer system is protected by a firewall. The firewall allows the outside entity to access the internal computer system to control the device if the outside entity can provide proper identity information. The identity information of the outside entity may be a password that is recognized by the firewall.
Type: Grant
Filed: December 29, 2000
Date of Patent: July 29, 2008
Assignee: AT&T Delaware Intellectual Property, Inc.
Inventors: Samuel N. Zellner, Mark J. Enzmann, Robert T. Moton, Jr.
-
Patent number: 7404077
Abstract: A technique permitting an X.509 certificate to simultaneously support more than one cryptographic algorithm. An alternative public key and alternative signature are provided as extensions in the body of the certificate. These extensions define a second (or more) cryptographic algorithm which may be utilized to verify the certificate. These are not authenticated by the primary signature and signature algorithm in the primary cryptographic algorithm. These newly defined extensions are reviewed by a receiving entity if the entity does not support the cryptographic algorithm of the primary signature.
Type: Grant
Filed: January 29, 1999
Date of Patent: July 22, 2008
Assignee: International Business Machines Corporation
Inventor: Mark E. Peters
-
Patent number: 7404204
Abstract: A system comprises a client workstation, a single sign-on (“SSO”) server accessible to the client workstation, and a plurality of host servers accessible to the client workstation. Access by the client workstation to a first host server causes the client workstation to be automatically re-directed to the SSO server and the SSO server causes the client workstation to request sign-on credentials from a user if the user has not signed on to any of the host servers. The first host server, not the SSO server, authenticates the user.
Type: Grant
Filed: February 6, 2004
Date of Patent: July 22, 2008
Assignee: Hewlett-Packard Development Company, L.P.
Inventors: Christopher J. Davenport, Daniel C. Garza-Gonzalez
-
Patent number: 7401218
Abstract: A home device authentication system and method, wherein the home device authentication system includes one or more home devices each having device information including coding information for authentication and information on a service provider providing authentication services; and a home gateway including decoding information corresponding to the coding information of the home devices, and for authenticating the home devices by using the decoding information. Further, if there exists no decoding information in the home gateway, the home gateway requests the decoding information from the service provider. Accordingly, privacy and security for the home network is secured.
Type: Grant
Filed: April 12, 2004
Date of Patent: July 15, 2008
Assignee: Samsung Electronics Co., Ltd.
Inventor: Sang-do Park
-
Publication number: 20080168271
Abstract: In an SNMP network including a Manager Station having a first digital certificate and an Agent Station having a second digital certificate, the MS generates a simple network management protocol (SNMP) configuration file which includes SNMP authentication keys and SNMP encryption keys for use by the MS and the AS for authentication and for encrypting communications between the MS and the AS, respectively. Mutual authentication can be performed using the first and second digital certificates to establish a secure session between the MS and the AS. The MS can encrypt the SNMP configuration file and transmit it to the AS which can then decrypt the encrypted SNMP configuration file to generate the SNMP authentication keys and the SNMP privacy keys. The MS and the AS can then use the SNMP authentication and privacy keys to conduct secure SNMP communications between the MS and the AS.
Type: Application
Filed: January 4, 2007
Publication date: July 10, 2008
Applicant: MOTOROLA, INC.
Inventors: Timothy J. Sherburne, Xiaonong LI, Shaokai Wen
-
Publication number: 20080165957
Abstract: A computer implemented method, apparatus, and computer program product for using a virtual file system to encrypt files. The process registers a plurality of file systems on a data processing system with the virtual file system. The virtual file system is enabled to encrypt files without intervention from any file system in the plurality of file systems. The virtual file system identifies whether a file on a given file system is an encrypted file using a map file associated with the given file system. In response to identifying the file as an encrypted file, the virtual file system encrypts all data written to the file in accordance with encryption specifications in the map file.
Type: Application
Filed: January 10, 2007
Publication date: July 10, 2008
Inventors: Madhusudanan Kandasamy, George Mathew Koikara, Pruthvi Panyam Nataraj, Vidya Ranganathan
-
Publication number: 20080168274
Abstract: A system and method for selectively enabling a feature of a controlled device. At least one feature on a controlled device is initially disabled. Content including a test is downloaded from a server to a mobile device. A user inputs into the mobile device background information and answers to the test. A score is generated based on the answers. If the score is high enough, a certificate is generated including release codes. The certificate is sent to the mobile device. The user may then place the mobile device in communication with the controlled device so as to forward the release codes and thereby enable the feature.
Type: Application
Filed: June 7, 2007
Publication date: July 10, 2008
Inventors: Victor Natanzon, Ralph Harvey
-
Patent number: 7398396
Abstract: In order to apply an electronic signature from a client station having authentication resources at a server, the following steps are carried out: the client station is authenticated at the server, thus establishing an authenticated communication channel; a private key/public key pair is generated at the client station; a signature certificate request generated by means of at least the public key is transmitted from the client station to the server via the authenticated channel; a signature certificate obtained in response to the request is returned via the authenticated channel; this certificate is verified at the client station; an electronic signature is calculated at the client station by means of the private key, after which this private key is destroyed; and the calculated signature is formatted with the aid of the signature certificate received via the authenticated channel.
Type: Grant
Filed: September 11, 2003
Date of Patent: July 8, 2008
Assignee: France Telecom
Inventors: David Arditi, Laurent Frisch, Dimitri Mouton
-
Patent number: 7395430
Abstract: The present invention provides in a method for providing secure authentication using digital certificates, an improvement to enable the selective transfer of authentication data. The said method comprises presentation of basic authentication data certified by an accepted certifying authority, at the commencement of a secure transaction and transfer of additional individual authentication data units against specific requests, as and when required, thereby eliminating the risks associated with providing any authentication data that is not required for a particular transaction. The instant invention also provides a system and configured computer program product for carrying out the above method.
Type: Grant
Filed: August 28, 2001
Date of Patent: July 1, 2008
Assignee: International Business Machines Corporation
Inventor: Deepak Gupta
-
Patent number: 7392391
Abstract: The present invention discloses a system and method for configuration of access rights to sensitive information handled by a sensitive Web-Service. In a case of requested configuration changes initiated by the client system the Web-Server system provides a configuration data file to the client system preferably using a SOAP-communication protocol. The changes of the configuration data file are exclusively performed offline at the client side and the updated configuration data file is signed with authentication information and sent as a part of a SOAP-request to the Web-Server system. The Web-Server system provides a filter component for identifying and discarding non-SOAP requests as well as an access control manager for providing authentication examination for incoming SOAP-requests. After successfully passing these components the SOAP-request is used for updating the existing configuration data file.
Type: Grant
Filed: September 12, 2002
Date of Patent: June 24, 2008
Assignee: International Business Machines Corporation
Inventors: Wolfgang Eibach, Matthias Gruetzner, Dietmar Kuebler
-
Patent number: 7391868
Abstract: A method of generating a public key in a secure digital communication system, having at least one trusted entity CA and subscriber entities A. For each entity A, the trusted entity selects a unique identity distinguishing the entity A. The trusted entity then generates a public key reconstruction public data of the entity A by mathematically combining public values obtained from respective private values of the trusted entity and the entity A. The unique identity and public key reconstruction public data of the entity A serve as A's implicit certificate. The trusted entity combines the implicit certificate information with a mathematical function to derive an entity information ƒ and generates a value kA by binding ƒ with private values of the trusted entity. The trusted entity transmits the value kA to the entity to permit A to generate a private key from kA, A's private value and A's implicit certificate.
Type: Grant
Filed: August 20, 2004
Date of Patent: June 24, 2008
Assignee: Certicom Corp.
Inventors: Minghua Qu, Scott A. Vanstone
-
Publication number: 20080141028
Abstract: One embodiment of the present invention provides a system that facilitates secure single sign-on (SSO) authentication for web-services communications. During operation, the system receives a Web Services for Remote Portlet (WSRP) request from a WSRP consumer and also receives a digital signature associated with the WSRP request. The system then validates the digital signature and authenticates a user based on the validation, thereby allowing the user to sign on without providing a password.
Type: Application
Filed: December 12, 2006
Publication date: June 12, 2008
Inventors: Yang Wei, Richard H. Frost
-
Publication number: 20080141033
Abstract: Documents and other items can be delivered electronically from sender to recipient with a level of trustedness approaching or exceeding that provided by a personal document courier. A trusted electronic go-between can validate, witness and/or archive transactions while, in some cases, actively participating in or directing the transaction. Printed or imaged documents can be marked using handwritten signature images, seal images, electronic fingerprinting, watermarking, and/or steganography. Electronic commercial transactions and transmissions take place in a reliable, “trusted” virtual distribution environment that provides significant efficiency and cost savings benefits to users in addition to providing an extremely high degree of confidence and trustedness. The systems and techniques have many uses including but not limited to secure document delivery, execution of legal documents, and electronic data interchange (EDI).
Type: Application
Filed: October 30, 2007
Publication date: June 12, 2008
Inventors: Karl L. Ginter, Victor H. Shear, Francis J. Spahn, David M. Van Wie, Robert P. Weber
-
Patent number: 7386722
Abstract: A certificate management method is provided whereby a plurality of service providers have different reliable certificate authorities and, when certificates issued from the certificate authorities are implemented into a smart card, merely by revoking the certificate issued from the certificate authority on which the first service provider relies, all other implemented certificates can be revoked, and the certificates can be individually revoked. A system for implementing the method is provided. The certificate authorities n (n≥2) issue a certificate n by using a private key n′ corresponding to certificate n′ generated by using a certificate 1 issued from a certificate authority 1 which has previously been installed in the smart card and a corresponding private key 1. Thus, the issued certificates have a hierarchical chain relation. When the user wants to revoke all certificates, the certificate 1 issued from the certificate authority 1 is revoked.
Type: Grant
Filed: January 30, 2004
Date of Patent: June 10, 2008
Assignee: Hitachi, Ltd.
Inventors: Katsuyuki Umezawa, Hiroki Uchiyama, Seiichi Susaki, Toshiomi Kodama
-
Patent number: 7386726
Abstract: A method for public key certification in a local network environment, wherein a personal certification authority associated with the local network environment is connected with a first device needing to be certified. Responsive to the connection, a certificate is provided to the device to be certified from the personal certification authority. The devices receiving a certificate may then use the certificate to carry out secure information exchange within the local network environment with other devices having a similar certificate.
Type: Grant
Filed: May 31, 2002
Date of Patent: June 10, 2008
Assignee: Telefonaktiebolaget L M Ericsson (Publ)
Inventors: Christian Gehrmann, Bernard Smeets, Jacobus Haartsen, Joakim Persson
-
Patent number: 7386713
Abstract: A boot method and apparatus are described which reduce the likelihood of a security breach in a mobile device, preferably in a situation where a reset has been initiated. A predetermined security value, or password, is stored, for example in BootROM. A value of a security location within FLASH memory is read and the two values are compared. Polling of the serial port is selectively performed, depending on the result of such comparison. In a presently preferred embodiment, if the value in the security location matches the predetermined security value, then polling of the serial port is not performed. This reduces potential security breaches caused in conventional arrangements where code may be downloaded from the serial port and executed, which allows anyone to access and upload programs and data in the FLASH memory, including confidential and proprietary information.
Type: Grant
Filed: December 13, 2002
Date of Patent: June 10, 2008
Assignee: Research In Motion Limited
Inventors: Richard C. Madter, Ryan J. Hickey, Christopher Pattenden
-
Publication number: 20080133920
Abstract: The present invention provides in a method for providing secure authentication using digital certificates, an improvement to enable the selective transfer of authentication data. The said method comprises presentation of basic authentication data certified by an accepted certifying authority, at the commencement of a secure transaction and transfer of additional individual authentication data units against specific requests, as and when required, thereby eliminating the risks associated with providing any authentication data that is not required for a particular transaction. The instant invention also provides a system and configured computer program product for carrying out the above method.
Type: Application
Filed: November 27, 2007
Publication date: June 5, 2008
Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventor: Deepak Gupta
-
Publication number: 20080133916
Abstract: The present invention provides in a method for providing secure authentication using digital certificates, an improvement to enable the selective transfer of authentication data. The said method comprises presentation of basic authentication data certified by an accepted certifying authority, at the commencement of a secure transaction and transfer of additional individual authentication data units against specific requests, as and when required, thereby eliminating the risks associated with providing any authentication data that is not required for a particular transaction. The instant invention also provides a system and configured computer program product for carrying out the above method.
Type: Application
Filed: October 24, 2007
Publication date: June 5, 2008
Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventor: Deepak Gupta
-
Publication number: 20080133917
Abstract: A ring authentication method for a concurrency environment, the method capable of providing unforgeability, sender anonymity, and deniability in the concurrency environment, in which, when a receiver receiving a message requests a sender of the message to certify the message, the sender requested to certify the message sends a message certification value certifying that the sender is one of a plurality of users {P1, . . . , Pn} and authenticates the message m to the receiver, and the receiver verifies the sent message certification value and authenticates that the message is sent from the one of the plurality of users {P1, . . . , Pn}.
Type: Application
Filed: October 31, 2007
Publication date: June 5, 2008
Applicant: Electronics and Telecommunications Research Institute
Inventors: Ik Rae JEONG, Do Won Hong, Hyun Sook Cho
-
Publication number: 20080133918
Abstract: A method and apparatus of transmitting data using authentication between a first device and a second device are provided. The method includes transmitting an encrypted certificate of the first device using a shared key shared by the first device and the second device, receiving authentication key generation information for generating an authentication key, which is received when it is determined that the certificate of the first device is valid and not revoked, generating a first random number and generating an authentication key based on the first random number and the authentication key generation information, and encrypting and transmitting data using the authentication key.
Type: Application
Filed: November 20, 2007
Publication date: June 5, 2008
Applicant: Samsung Electronics Co., Ltd.
Inventors: Yong-kuk YOU, Seong-soo Kim, Chang-yeul Kwon
-
Publication number: 20080133919
Abstract: A method and apparatus for performing authentication are provided. The method includes: receiving an authentication request signal for requesting authentication from an external device; determining whether authentication has been performed with the external device that has transmitted the authentication request signal; based on the determination, selectively outputting an indication representing that it is necessary to perform authentication with the external device; if the indication representing that it is necessary to perform authentication with the external device is output, receiving an authentication execution command for instructing the execution of authentication in response to the indication; and performing authentication with the external device according to the authentication execution command.
Type: Application
Filed: November 27, 2007
Publication date: June 5, 2008
Applicant: SAMSUNG ELECTRONICS CO., LTD.
Inventors: Yong-kuk YOU, Jun-bum SHIN, Seong-soo KIM, Su-hyun NAM
-
Publication number: 20080133921
Abstract: This invention provides a message authentication system including: a message sending device having a send notice information generating unit that generates a first authentication code to certify a message and a second authentication code to certify the first authentication code and that sends the message and an authentication code generation key after authenticating reception certification information for the send notice information from a message receiving device; and including the message receiving device having a reception certification information generating unit that generates the reception certification information to certify the receiving of the send notice information, a first authentication code authenticating unit that authenticates the first authentication code by using the second authentication code and the authentication code generation key, a message authenticating unit that authenticates the message by using the authenticated first authentication code and the authentication code generation key.
Type: Application
Filed: October 24, 2007
Publication date: June 5, 2008
Applicant: OKI ELECTRIC INDUSTRY CO., LTD.
Inventor: Taketsugu Yao
-
Patent number: 7383434
Abstract: A system and method for a certificate verifier to make a request to a certificate distribution server for a copy of another entity's digital certificate and to have the certificate distribution center validate it. The certificate distribution center can request the appropriate certificates and validation thereof from a number of certificate authorities or may alternatively obtain copies from a certificate cache and validate the copies against a revocation list server.
Type: Grant
Filed: March 3, 2003
Date of Patent: June 3, 2008
Assignee: Diversinet Corp.
Inventors: Michael Andrew Wildish, Stephen M. Ansell, Michael C. Crerar
-
Publication number: 20080123862
Abstract: A method and apparatus for secure information transfer using dedicated public key pairs for articles of information. A first public key pair may be generated for an article of information. The article of information may be combined with a first public key from the first public key pair to form an information packet. The information packet may be digitally signed with a second private key from a second private key pair.
Type: Application
Filed: November 27, 2006
Publication date: May 29, 2008
Inventor: Peter A. Rowley
-
Patent number: 7376834
Abstract: System and method for enabling arbitrary components to control communications without having or requiring prior knowledge of each other. The system includes a first component that creates controller objects and provides the objects to other components. The controller objects include instructions which when executed by the other components enable the components to generate user interfaces for controlling the first component. Further, the controller objects are encrypted and are used to authenticate the senders or receivers of the objects.
Type: Grant
Filed: July 18, 2003
Date of Patent: May 20, 2008
Assignee: Palo Alto Research Center Incorporated
Inventors: W. Keith Edwards, Mark W. Newman, Jana Z. Sedivy, Trevor F. Smith, Diana Smetters, Dirk Balfanz, Paul Stewart
-
Patent number: 7376837
Abstract: System for using a manufacturer issued certificate to authenticate a CTA device during registration with an IP telephony network. In response to providing the manufacturer issued certificate, the issuance of another certificate allows the CTA to be provisioned by a specific IP telephony network. The system includes a method of operating a cable telephony adapter in an IP telephony network. The method includes steps of storing a manufacturer issued certificate in the cable telephony adapter, providing the manufacturer issued certificate to the telephony network, receiving a network issued certificate, and registering for telephony services with the telephony network using the network issued certificate.
Type: Grant
Filed: April 7, 2000
Date of Patent: May 20, 2008
Assignee: General Instrument Corporation
Inventor: Alexander Medvinsky
-
Publication number: 20080115191
Abstract: A method and apparatus to transmit personal information, the method including: receiving an information request message requesting the personal information; receiving the personal information from a user; receiving a transmission approval from the user; transmitting a service requesting identifier to the service provider when the transmission approval is received; receiving a security policy with respect to the personal information to be transmitted; securing the personal information to be transmitted according to the received security policy; and transmitting the personal information to the service provider. Therefore, the personal information can be safely transmitted.
Type: Application
Filed: March 16, 2007
Publication date: May 15, 2008
Applicant: Samsung Electronics Co., Ltd.
Inventors: Ji-soo Kim, Myung-june Jung, Hyun-jin Choi
-
Method for programming on-chip non-volatile memory in a secure processor, and a device so programmed
Publication number: 20080114984
Abstract: An improved secure programming technique involves reducing the size of bits programmed in on-chip secret non-volatile memory, at the same time enabling the typical secure applications supported by secure devices. A technique for secure programming involves de-coupling chip manufacture from the later process of connecting to ticket servers to obtain tickets. A method according to the technique may involve sending a (manufacturing) server signed certificate from the device prior to any communication to receive tickets. A device according to the technique may include chip-internal non-volatile memory to store the certificate along with the private key, in the manufacturing process.
Type: Application
Filed: November 16, 2006
Publication date: May 15, 2008
Inventors: Pramila Srinivasan, John Princen
-
Patent number: 7370206
Abstract: Methods and apparatus, including computer program products, implement techniques for performing digital signature operations on electronic content. An electronic document includes a digital signature module. The electronic document is accessed using a user application. The digital signature module is used to perform one or more digital signature operations on the electronic document in the user application.
Type: Grant
Filed: September 4, 2003
Date of Patent: May 6, 2008
Assignee: Adobe Systems Incorporated
Inventor: Oliver Goldman
-
Publication number: 20080104401
Abstract: Object: To provide a technique for authenticating a communication partner using an electronic certificate containing personal information. Solving Means: When a client apparatus receives a request for an electronic certificate from a server apparatus, the server apparatus reads a client certificate containing personal information and a server public key of the server apparatus from a storage unit and encrypts the client certificate using the server public key. The client apparatus also creates a temporary electronic certificate by setting, in a basic field of an electronic certificate, a predetermined item indicating that the electronic certificate is a temporary electronic certificate and by setting the client certificate having been encrypted in an extension field of the electronic certificate. Then, the client apparatus sends the temporary electronic certificate to the server apparatus.
Type: Application
Filed: August 21, 2007
Publication date: May 1, 2008
Applicant: International Business Machines Corporation
Inventors: Takashi Miyamoto, Kohsuke Okamoto
-
Patent number: 7366897
Abstract: A method and apparatus for communication via a computer network (102) including registering a plurality of users (206, 222, 224) with a trusted body (110, 210). The trusted body (110, 210) verifies the identity of each user (206, 222, 224) and generates a random identifier (216) for each user (206, 222, 224). A plurality of users (206, 222, 224) can enter into a dialogue with the other users by means of messages sent over the computer network (102) via the trusted body (110, 210). A user (206, 222, 224) remains anonymous through use of its random identifier (216) until such time as the user (206, 222, 224) reveals its true identity. Due to the registration of the users (206, 222, 224) with the trusted body (110, 210) a means of non-repudiation of the dialogue by the users (206, 222, 224) is provided.
Type: Grant
Filed: February 28, 2002
Date of Patent: April 29, 2008
Assignee: International Business Machines Corporation
Inventor: Gary Paul Noble
-
Patent number: 7366905
Abstract: A method and system to allow user generation of a private-public key pair and an associated user generated certificate to establish the identity of a user based upon signing the user generated certificate with a private key of a private-public key pair associated with a certificate issued by a Certification Authority (CA). The user generated certificate thereby allows the user that generated the certificate to establish a secure session with a third party without multiple use of the certificate issued by the CA, typically for use on another network infrastructure. The method and system are particularly useful for establishing a secure session, such as a Secure Socket Layer session using a personal computer, where the CA certificate is associated with a wireless identity module of a wireless device.
Type: Grant
Filed: February 28, 2002
Date of Patent: April 29, 2008
Assignee: Nokia Corporation
Inventor: Lauri Paatero
-
Patent number: 7366904
Abstract: The present invention provides a method for modifying validity of a certificate in a public key infrastructure (PKI)-based authentication system, which is capable of performing online suspension, recovery and revocation of a certificate between a user system and a certificate authority by executing user authentication with guaranteed reliability using user biometric information. Accordingly, there is no need for the user to personally visit a registration authority or certificate authority to modify the certificate validity. The user can easily modify the certificate validity using his/her user system connected online to the certificate authority.
Type: Grant
Filed: February 26, 2002
Date of Patent: April 29, 2008
Assignee: Electronics and Telecommunications Research Institute
Inventors: Jong-Hyuk Roh, Taesung Kim, Hee Sun Kim, Dae Seon Choi, Young Seob Cho, Sang Rae Cho, Seung Hun Jin
-
Patent number: 7366903
Abstract: A card activated cash dispensing automated banking machine (12, 200, 302) is provided. The machine may be operative to install a terminal master key (TK) therein in response to at least one input from a single operator. The machine may include an EPP (204) that is operative to remotely receive an encrypted terminal master key from a host system (210, 304). The machine may authenticate and decrypt the terminal master key prior to accepting the terminal master key. The machine may further output through a display device (30) of the machine a one-way hash of at least one public key associated with the host system. The machine may continue with the installation of the terminal master key in response to an operator confirming that the one-way hash of the public key corresponds to a value independently known by the operator to correspond to the host system.
Type: Grant
Filed: December 26, 2006
Date of Patent: April 29, 2008
Assignee: Diebold, Incorporated
Inventors: Timothy Zajkowski, Anne Doland, Mark D. Smith
-
Patent number: 7366906
Abstract: A digital certificate management apparatus updates a proof key used for proving validity of a digital certificate used for authentication for establishing communication between a client and a server. The apparatus acquires a new proof key for updating, acquires a new digital certificate used for the authentication for which validity can be proved with the use of said new proof key, transmits the new proof key to the client and transmits a new server certificate which is a new digital certificate for the server to the server. The apparatus transmits the new server certificate to the server after receiving, from the client, information indicating that the client has received the new proof key.
Type: Grant
Filed: March 19, 2004
Date of Patent: April 29, 2008
Assignee: Ricoh Company, Ltd.
Inventor: Tomoaki Enokida
-
Patent number: 7363492
Abstract: Authentication is performed to a confidence level (CL) desired by a verifier (220). A prover (210) picks and sends certain same size, square matrices to the verifier (220). A random request bit is sent (234) from the verifier (220) to the prover (210) after the receipt of a certain square matrix. Depending on the request bit, calculations are made (244, 264) by the verifier (220) to determine if the matrices sent from the prover are verifiable. The prover (210) is iteratively authenticated by the verifier (220). Iterations are continued until (320) a count of the iterations (IL) reaches a number sufficient to achieve the desired confidence level (CL). After a delay, more iterations can achieve a higher confidence level by building on previous result of authentication without having to begin at zero. During this delay, the verifier (220) can perform tasks in reliance on the result of authentication. Digital logic can perform the authentication.
Type: Grant
Filed: February 25, 2005
Date of Patent: April 22, 2008
Assignee: Motorola, Inc.
Inventors: Douglas A. Kuhlman, Ezzat A. Dabbish, Larry C. Puhl