By Generation Of Certificate Patents (Class 713/175)
  • Publication number: 20150143127
    Abstract: Embodiments include methods, systems, and computer program products for filtering trust services records. Embodiments include receiving a trust services record that includes a plurality of security components and that is usable to secure data that is stored in an untrusted location. It is determined whether the trust services record has been tampered with, including verifying each of the plurality of security components of the trust services record. The trust services record is filtered based on the determination of whether the trust services record has been tampered with. The filtering includes, when the trust services record is determined to have not been tampered with, allowing performance of at least one task with respect to the secured data; and, when the trust services record is determined to have been tampered with, disallowing performance of any task with respect to the secured data.
    Type: Application
    Filed: January 29, 2015
    Publication date: May 21, 2015
    Inventors: Irina Gorbach, Venkatesh Krishnan, Andrey Shur, Dmitry Denisov, Lars Kuhtz, Sumant Mehta, Marina Galata
  • Publication number: 20150134968
    Abstract: Systems and methods are provided to allow a smart phone or any terminal to activate a door lock using a web site or server computer system. An access control system is provided that includes a server and an access device. The access device includes a processor and a communication module. The processor has control of a door lock and is able to receive a reservation certificate presented by a portable terminal through the communication module. The processor activates the door lock when a current reservation certificate has been presented.
    Type: Application
    Filed: January 23, 2015
    Publication date: May 14, 2015
    Applicant: LIBERTY PLUGINS, INC.
    Inventors: Chris Outwater, William Gibbens Redmann
  • Publication number: 20150134967
    Abstract: Methods and systems for configuring a network are disclosed. An example method can comprise receiving a first token and an encryption key from a first device. A second token can be received from a second device. A determination can be made as to whether the first token matches the second token. Configuration information can be provided to the second device if the second token matches the first token. The configuration information can comprise information for connecting to a proxy configured on the first device. A request for content can be received from the proxy on behalf of the second device. The request for content can comprise the encryption key.
    Type: Application
    Filed: November 14, 2013
    Publication date: May 14, 2015
    Applicant: Comcast Cable Communications, LLC
    Inventor: Jonathan Moore
  • Patent number: 9032493
    Abstract: A three-way trust relationship is established between a mobile device, Internet-connected vehicle system, and a cloud-based service. Access rights are granted to the mobile device from the vehicle system, such that the mobile device can securely connect to, and obtain status information and/or control the Internet-connected vehicle system, through the cloud-based service.
    Type: Grant
    Filed: March 31, 2011
    Date of Patent: May 12, 2015
    Assignee: Intel Corporation
    Inventors: Victor B. Lortz, Anand P. Rangarajan, Somya Rathi, Vijay Sarathi Kesavan
  • Patent number: 9026794
    Abstract: An information processing system including a medium where a content to be played is stored; and a playing apparatus for playing a content stored in the medium; with the playing apparatus being configured to selectively activate a playing program according to a content type to be played, to obtain a device certificate correlated with the playing program from storage by executing the playing program, and to transmit the obtained device certificate to the medium; with the device certificate being a device certificate for content types in which content type information where the device certificate is available is recorded; and with the medium determining whether or not an encryption key with reading being requested from the playing apparatus is an encryption key for decrypting an encrypted content matching an available content type recorded in the device certificate, and permitting readout of the encryption key only in the case of matching.
    Type: Grant
    Filed: July 11, 2012
    Date of Patent: May 5, 2015
    Assignee: Sony Corporation
    Inventors: Kenjiro Ueda, Hiroshi Kuno, Takamichi Hayashi
  • Publication number: 20150121078
    Abstract: Embodiments disclosed facilitate secure communication for cloud-based and/or distributed computing applications. In some embodiments, a method may comprise: instantiating a first Virtual Machine (VM) on a cloud infrastructure, wherein the at least one first VM is dynamically configured with a private key and a wildcard security certificate comprising a public key corresponding to the private key, and registering, with a domain name server, a domain name derived from an Internet Protocol (IP) address associated with the first VM and a Common Name associated with the wildcard security certificate.
    Type: Application
    Filed: October 25, 2013
    Publication date: April 30, 2015
    Applicant: CLIQR TECHNOLOGIES INC.
    Inventors: TIANYING FU, JAGADISH PARANJAPE
  • Publication number: 20150121079
    Abstract: A distributing device for generating private information correctly even if shared information is destroyed or tampered with. A shared information distributing device for use in a system for managing private information by a secret sharing method, including: segmenting unit that segments private information into a first through an nth pieces of shared information; first distribution unit that distributes the n pieces of shared information to n holding devices on a one-to-one basis; and second distribution unit that distributes the n pieces of shared information to the n holding devices so that each holding device holds an ith piece of shared information distributed by the first distribution unit, as well as a pieces of shared information being different from the ith piece of shared information in ordinal position among n pieces of shared information, “i” being an integer in a range from 1 to n.
    Type: Application
    Filed: November 25, 2014
    Publication date: April 30, 2015
    Inventors: Manabu MAEDA, Masao NONAKA, Yuichi FUTA, Kaoru YOKOTA, Natsume MATSUZAKI, Hiroki SHIZUYA, Masao SAKAI, Shuji ISOBE, Eisuke KOIZUMI, Shingo HASEGAWA, Masaki YOSHIDA
  • Patent number: 9009477
    Abstract: In various embodiments, a computerized method includes receiving electronic content to be archived. The electronic content comprises a digital signature. The method may include archiving the digital signature, by determining a validity status of the digital signature and storing the validity status in the electronic content. The method may also include archiving the electronic content after the validity status has been stored in the electronic content.
    Type: Grant
    Filed: August 20, 2013
    Date of Patent: April 14, 2015
    Assignee: Adobe Systems Incorporated
    Inventor: Sujata Das
  • Patent number: 9003191
    Abstract: An intermediary system facilitates a connection request from a client to a server. The intermediary system may participate in either or both of a token creation phase and a server connection phase. If participating in the token creation phase, the intermediary system generates a token that may later be used by the client during a server connection phase. The token includes a session identifier and is returned to the client. If participating in the server connection phase, the intermediary receives the token, which is sent from the client in conjunction with a connection request, extracts the session identifier from the token, and compares against the session identifier for the session in which the token was created. If the session identifiers match, then the intermediary connects to the server to complete the connection request for the client.
    Type: Grant
    Filed: August 8, 2014
    Date of Patent: April 7, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: Dimitrios Soulios
  • Patent number: 9002812
    Abstract: A resilient hashing system leverages a fast, non-cryptographic hash/checksum function that has good diffusion properties while remaining reasonably efficient on modern central processing units (CPUs). The hash function uses random secret data so that hash keys for particular data are difficult to predict. Due to its internal structure, well-chosen random secret data is difficult for an attacker to counter without having access to the direct output of the hash function. At every stage of the block function, there are at least two operations that can be performed in parallel, increasing performance on modern superscalar CPUs. Thus, the resilient hashing system provides a hash table and checksum that can be used in Internet-facing or other vulnerable sources of input data to manage performance in the face of malicious attacks.
    Type: Grant
    Filed: November 19, 2012
    Date of Patent: April 7, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Niels Ferguson, Reid Borsuk, Jeffrey Cooperstein, Matthew Ellis
  • Publication number: 20150095650
    Abstract: The present disclosure is generally related to embedding public key infrastructure information to a system-on-chip (SOC). The method includes generating a key pair including a public key and a private key. The method includes creating a digital certificate corresponding to the public key. The method includes signing the digital certificate with a unique signature. The method includes extracting the public key and the unique signature into a key file, wherein the key file is to be stored in a plurality of silicon fuses on the SOC.
    Type: Application
    Filed: September 27, 2013
    Publication date: April 2, 2015
    Inventors: Daniel Nemiroff, William Stevens, JR.
  • Patent number: 8992631
    Abstract: Systems and methods of theft prevention of communication devices are provided. In one embodiment, the method may include, for example, one or more of the following: registering a communication device being used at a home, where the device is connected to a communication network; entering validation information relating to the communication device; and analyzing the validation information to determine whether the communication device is authorized for use in the communication network.
    Type: Grant
    Filed: December 31, 2012
    Date of Patent: March 31, 2015
    Assignee: Broadcom Corporation
    Inventors: Jeyhan Karaoguz, James D. Bennett
  • Patent number: 8996884
    Abstract: Systems and methods for providing privacy of file synchronization with sharing functionality are presented. In embodiments, a file synchronization system comprises one or more folders associated with one or more non-shared encryption keys, which may be a managed key shared across an organization, and/or a personal key that is not shared or has limited third-party sharing. The one or more non-shared encryption keys are not known to the data storage service. The file synchronization system may also include one or more folders associated with a shared encryption key that is shared with the data storage service, and in embodiments, with a set of users of the service. The system may include a mapping correlating folders to encryption type so items in each folder can be handled appropriately. The system may have additional folders, such as one or more public folders that may be available with limited or no restrictions.
    Type: Grant
    Filed: March 24, 2014
    Date of Patent: March 31, 2015
    Assignees: VMware, Inc., Decho Corporation
    Inventor: David John Hartley
  • Patent number: 8997239
    Abstract: Code injection is detected based on code digests associated with hashes of selected portions of content supplied to clients by a server. A client receives the content and generates a corresponding code digest, and based upon a comparison with the code digest received from the server, determines if the received content has been corrupted. The code digest can be signed or supplied with a digital certification for verification that the code digest originated from the server providing the content.
    Type: Grant
    Filed: May 17, 2011
    Date of Patent: March 31, 2015
    Assignee: Infosys Limited
    Inventors: Prashant Venkatesh Kanakapura, Arjun Govindaraju, Abishek C
  • Patent number: 8997175
    Abstract: A wireless LAN communication terminal and its communication control method are provided that make it possible to configure desired security between the terminal and an other-end terminal, without increasing power consumption of the terminals. The wireless LAN communication terminal (103) in a wireless LAN system including an access point (102), if the other-end terminal (101) has connected to the access point (102), acquires from the other-end terminal information about security functions the other-end terminal has and information about a current connection with the access point; compares the security function information and the connection information on the other-end terminal with its own security policy; selects, based on results of the comparisons, either a direct connection (106) with the other-end terminal or a relay connection (105) via the access point so that the security policy is met; and performs communication with the other-end terminal by using the selected connection.
    Type: Grant
    Filed: July 15, 2011
    Date of Patent: March 31, 2015
    Assignee: Lenovo Innovations Limited (Hong Kong)
    Inventor: Youko Omori
  • Publication number: 20150089232
    Abstract: Systems and methods that facilitate dynamic directory service object creation and certificate management are discussed. One such method can include discovering a device deployed on a network, creating and deploying a corresponding directory services object, automatically creating and deploying a certificate to the device and updating attributes associated with the device. The disclosed system and method reduce the time involved in deploying and configuring directory services and public key infrastructure (PKI), increase efficiency, improve network availability and lessen the chances for errors associated with manual configuration.
    Type: Application
    Filed: September 25, 2013
    Publication date: March 26, 2015
    Applicant: WELLS FARGO, N.A.
    Inventors: Lawrence T. Belton, Lynn A. Smith, Nathan T. Suri, Joseph R. Kaluzny, Douglas Rambo, Marci J. Alley, Timothy H. Morris, Marcos Bilbao, Ryan Benskin, Scott Hinzman
  • Patent number: 8990573
    Abstract: A method of packet security management to ensure a secure connection from one network node to another. The method includes creating a security tag for each packet in a network session, selecting one of a number of possible tag locations within the packet, inserting the security tag at that location, transmitting the tagged packets from a sending node to the receiving node, authenticating the packets' security tags at the receiving node, and dropping non-authenticated packets. The method also includes determining best possible tag locations when sending a packet and locating a security tag when receiving a packet.
    Type: Grant
    Filed: November 10, 2008
    Date of Patent: March 24, 2015
    Assignee: Citrix Systems, Inc.
    Inventors: Srinivas Kumar, Vijayashree S. Bettadapura
  • Publication number: 20150082043
    Abstract: The present application provides a terminal, a server and a digital content authorization method. The terminal comprises: an extracting unit, configured to extract identification information of the terminal when the terminal requests an authorization for a designated layer of content of digital contents from a server; a transceiver unit, configured to transmit the identification information of the terminal to the server and receive an authorization certificate and the designated layer of content of the digital contents from the server; and a decryption unit, configured to decrypt the designated layer of content of the digital contents based on the identification information and the authorization certificate. Embodiments of the present invention may support the copyright protection by using layered encryption technique. The digital content cannot be read only by copying so as to enhance the protection of the digital contents.
    Type: Application
    Filed: December 3, 2013
    Publication date: March 19, 2015
    Applicants: Peking University Founder Group Co., Ltd., Founder Information Industry Group, Founder Apabi Technology Limited
    Inventors: Haitao WANG, Li DING, Yun LI, Jiayin CAO
  • Patent number: 8984283
    Abstract: Methods and apparatuses for validating the status of digital certificates include a relying party receiving at least one digital certificate and determining if the at least one digital certificate is to be validated against a private certificate status database. The relying party accesses the private certificate status database and cryptographically validates the authenticity of data in the private certificate status database. The relying party also validates the at least one digital certificate based on information in at least one of the private certificate status database and a public certificate status database.
    Type: Grant
    Filed: August 3, 2011
    Date of Patent: March 17, 2015
    Assignee: Motorola Solutions, Inc.
    Inventors: Erwin Himawan, Anthony R. Metke, Shanthi E. Thomas
  • Patent number: 8977857
    Abstract: A client device has one or more processors and memory. An application running on the device obtains a client certificate from a system service running on the device. The certificate includes a public key for the device. The device is authenticated to a remote server using the certificate. The application receives encrypted application identification information and an encrypted access token from the server. The application is authenticated to the device by comparing the received application identification information with corresponding application identification information from the application. The application invokes the system service to unencrypt the access token using the private key corresponding to the public key. The application sends a request for protected information to the server. The request includes the unencrypted access token.
    Type: Grant
    Filed: February 8, 2013
    Date of Patent: March 10, 2015
    Assignee: Google Inc.
    Inventor: Oscar del Pozo Triscon
  • Publication number: 20150067340
    Abstract: To generate a group signature on a message, a processor generates a two-level signature on an identity of the group member at the first level and the message at the second level; generates a commitment to the identity of the group member, commitments to each group element and a proof that the identity and the group elements satisfy a predetermined equation; encodes the identity of the group member in the group signature in a bit-wise manner using an identity-based encryption scheme where the message serves as the identity of the identity-based encryption scheme to produce a ciphertext; generates a first proof that the ciphertext encrypts the identity of the group member; generates a second proof that the encoded identity is an identity of a group member in a certificate signed by a group manager and that the certificate was used to generate the signature on the message at the second level; and outputs the group signature comprising the two-level signature, the commitments, the encoded identity of the group me
    Type: Application
    Filed: September 4, 2014
    Publication date: March 5, 2015
    Inventors: Marc JOYE, Benoit Libert
  • Patent number: 8972735
    Abstract: Methods and apparatus to certify digital signatures are disclosed. An example method includes retrieving, from a first database, a first geographical location associated with an identification number associated with a network device and identified in a request to certify a digital signature, comparing the first geographical location associated with the identification number to a second geographical location to verify the second geographical location, determining that the first geographical location matches the second geographical location, and certifying the digital signature to indicate an authenticity of the digital signature based on the verification of the second geographical location and a comparison of (a) biometric information associated with a user associated with the request and (b) stored biometric information.
    Type: Grant
    Filed: April 3, 2014
    Date of Patent: March 3, 2015
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Brian M. Novack, David L. Dunmire, Daniel L. Madsen, Michael D. Cheaney, Timothy R. Thompson
  • Patent number: 8972591
    Abstract: A method for downloading software from a host device to an electronic device through a communication line, which, even when the download is interrupted, can simplify the procedure to restart the download while maintaining security. In the method, a certificate of authenticity data, which the card reader has obtained from the HOST computer, is stored in the non-volatile memory. The download of the software from the HOST computer to the card reader is executed. The verification of authenticity data is obtained by calculation with respect to the downloaded software. This verification of authenticity data is then compared with the certificate of authenticity data obtained from the HOST computer, and the downloaded software is run when the certificate of authenticity data matches the verification of authenticity data.
    Type: Grant
    Filed: January 11, 2011
    Date of Patent: March 3, 2015
    Assignee: Nidec Sankyo Corporation
    Inventor: Tsutomu Baba
  • Publication number: 20150058633
    Abstract: The present invention relates to a self-authenticated tag generation method and interpretation method used in the self-authenticated key system, which comprises the following steps: inputting data by the publisher; generating a tag via a self-authenticated tag device by the publisher; transmitting the generated tag to the receiver; interpreting the tag via the self-authenticated tag device by the receiver; and displaying data. The present invention is easy and safe; the generated self-authenticated tag can be transmitted by various carriers, can distinguish the object and upload abundant information without being easily tampered with. Moreover, the acquisition of the public key is not achieved by the third party, which reduces waste of network resources and avoids the insecure factors brought by the third party.
    Type: Application
    Filed: April 27, 2013
    Publication date: February 26, 2015
    Inventors: Li LIU, Steve Yi long CHAO, Chenggong YANG
  • Publication number: 20150058635
    Abstract: A method and system for generating and processing an authenticity certificate. A request for a step certificate is received from a requester entity. The step certificate authenticates an involvement of the requester entity about an object. The request includes an object identifier, a requester entity type of the requester entity, and a requester identity certificate of the requester entity. The object identifier is hashed. A signature is created and includes the hashed object identifier, the requester entity type, a certifier identity certificate, and the requester identity certificate. A hashing result is generated by hashing a concatenation of the object identifier, the requester entity type, the certifier entity certificate, the requester identity certificate, and the signature. The step certificate is generated and includes the hashing result. The step certificate is encrypted. The encrypted step certificate is sent to the requester entity for subsequently storing the step certificate on a media.
    Type: Application
    Filed: October 6, 2014
    Publication date: February 26, 2015
    Inventors: Frederic Bauchot, Gerard Marmigere, Christophe Mialon, Pierre Secondo
  • Publication number: 20150058634
    Abstract: A network device initiates a transmission control protocol (TCP) connection to establish a TCP session with a management device, and performs, via the TCP session, a secure protocol client/server role reversal for the management device. The network device receives, from the management device, initiation of a secure connection over the TCP session in accordance with a secure protocol, and provides, to the management device, a trusted certificate with an embedded host key that is dynamically generated using a cryptographic processor of the network device, based on the initiation of the secure connection. The network device also establishes the secure connection with the management device based on an authentication of the host key by the management device via the trusted certificate.
    Type: Application
    Filed: September 30, 2014
    Publication date: February 26, 2015
    Inventor: Kent A. WATSEN
  • Patent number: 8966270
    Abstract: Novel, Internet-related architectures, methods and devices are proposed that are based on a fundamentally different philosophy: hosts (e.g., source and destination nodes) are given the ability to specify their access control policies to the network they are a part of, and the network enforces these policies. The architecture proposed is mobility friendly to the ever increasing number of mobile hosts and is scalable as well.
    Type: Grant
    Filed: December 29, 2006
    Date of Patent: February 24, 2015
    Assignee: Alcatel Lucent
    Inventors: Tian Bu, Li Li, Ramachandran Ramjee
  • Patent number: 8966246
    Abstract: A method for handling digital certificate status requests between a client system and a proxy system is provided. The method includes the steps of receiving at the proxy system digital certificate status request data transmitted from the client system and generating query data for the digital certificate status in response to receiving the digital certificate status request data. The query data is transmitted to a status provider system, and status data from the status provider system in response to the query data is received at the proxy system. Digital certificate status data based on the status data received is generated and transmitted to the client system.
    Type: Grant
    Filed: December 21, 2011
    Date of Patent: February 24, 2015
    Assignee: BlackBerry Limited
    Inventors: Herbert A. Little, Stefan E. Janhunen
  • Patent number: 8966271
    Abstract: To verify a pair of correspondents in an electronic transaction, each of the correspondents utilizes respective parts of first and second signature schemes. The first signature scheme is computationally more difficult in signing than verifying and the second signature scheme is computationally more difficult in verifying than signing. The first correspondent signs information according to the first signature scheme, the second correspondent verifies the first signature received from the first correspondent, using the first signature scheme. The second correspondent then signs information according to the second signature scheme and the first correspondent verifies the second signature received from the second correspondent, according to the second signature algorithm. The method thereby allows one of the correspondents to participate with relatively little computing power while maintaining security of the transaction.
    Type: Grant
    Filed: September 10, 2012
    Date of Patent: February 24, 2015
    Assignee: Certicom Corp.
    Inventor: Scott A. Vanstone
  • Publication number: 20150052362
    Abstract: Methods and systems for deploying management tunnels between managed and managing devices are provided. According to one embodiment, network devices, including a peer managed device, a management device and a trusted peer managed device are deployed within a network. The network devices are pre-configured to form a web of trust by storing within each network device (i) a digital certificate signed by a manufacturer or a distributor and (ii) a unique identifier. The peer managed device establishes a management tunnel with the management device based on an address received from an external source. Prior to allowing the management device to use the management tunnel to perform management functionality, the peer managed device verifies credentials of the managed device by causing its unique identifier to be confirmed with reference to a pre-configured identifier of an authorized management device stored within the peer managed device.
    Type: Application
    Filed: September 27, 2014
    Publication date: February 19, 2015
    Applicant: Fortinet, Inc.
    Inventor: Andrew Krywaniuk
  • Patent number: 8959357
    Abstract: A system, method and program product for generating a private key. A system is disclosed that includes a signal acquisition system for obtaining biometric input from a user and encoding the biometric input into an acquired biometric; a recognition system for determining an identity based on the acquired biometric and outputting an absolute biometric associated with the identity; an input device for accepting a knowledge input from the user; and a key generator that generates a private key based on the knowledge input and the absolute biometric.
    Type: Grant
    Filed: July 15, 2010
    Date of Patent: February 17, 2015
    Assignee: International Business Machines Corporation
    Inventor: Aaron Keith Baughman
  • Patent number: 8959351
    Abstract: Embodiments are directed to securely filtering trust services records. In one scenario, a client computer system receives at least one of the following trust services records: a trust services certificate, a principal certificate, a group certificate and a trust services policy. The client computer system performs a time validity check to validate the trust services record's timestamp, performs an integrity check to validate the integrity of the trust services record and performs a signature validity check to ensure that the entity claiming to have created the trust services record is the actual creator of the trust services record. The client computer system then, based on the time validity check, the integrity check and the signature validity check, determines that the trust services record is valid and allows a client computer system user to perform a specified task using the validated trust services record.
    Type: Grant
    Filed: September 13, 2012
    Date of Patent: February 17, 2015
    Assignee: Microsoft Corporation
    Inventors: Irina Gorbach, Venkatesh Krishnan, Andrey Shur, Dmitry Denisov, Lars Kuhtz, Sumant Mehta, Marina Galata
  • Patent number: 8959645
    Abstract: A distributed operation is performed using at least one first and second computer-based object, wherein control information is used to influence or determine a property, a function of the first and/or second computer-based objects. The control information includes details of a parameter identifier, a value associated with the parameter identifier, a range of validity and a remote access attribute. The control information is provided in a retrievable manner, according to the included range of validity, in a memory organized according to ranges of validity and is associated with the first computer-based object. During a function or service call for performing the distributed operation, which is sent from the first computer-based object to the second, the control information is transmitted to the second computer-based object, provided in a retrievable manner in the memory organized according to the ranges of validity and associated with the second computer-based object.
    Type: Grant
    Filed: September 2, 2009
    Date of Patent: February 17, 2015
    Assignee: Siemens Aktiengesellschaft
    Inventors: Harald Herberth, Ulrich Kröger, Allan Sobihard
  • Patent number: 8959598
    Abstract: A method and system for roaming between heterogeneous networks. The method involves authenticating a mobile communication device on a first network, and providing the device with a single-use token that can be used to sign on to a second network without requiring conventional re-authentication over the second network.
    Type: Grant
    Filed: September 28, 2012
    Date of Patent: February 17, 2015
    Assignee: BCE Inc.
    Inventor: Brian Norman Smith
  • Publication number: 20150046715
    Abstract: A self-authenticating device and a method for authenticating the self-authenticating device may be provided. In one aspect, a device may comprise a sensing circuit, which may comprise a circuit to be measured. The sensing circuit may generate measurement data for one or more physical properties of the device using the circuit to be measured. The device may further comprise a storage to store an authenticity certificate that contains authentication data derived from the measurement data and a communication port to communicate the authenticity certificate and measurement data with a communication partner via a link coupled to the communication port.
    Type: Application
    Filed: August 5, 2014
    Publication date: February 12, 2015
    Applicant: OLogN Technologies AG
    Inventor: Sergey IGNATCHENKO
  • Patent number: 8954742
    Abstract: A method for digital certification of authenticity of a physical object, and corresponding computer program and storage device, as well as to the use of the method for digital certification of authenticity of a physical object of value. The method includes the steps of issuing a storage device including a digital certificate of authenticity including encrypted information reflecting at least one characteristic unique to the physical object, checking, whenever required, the validity of the digital certificate of authenticity by use of a network computer, the network computer cooperating with the storage device and a validating or a certifying authority so as to output sensibly in real time the status of validity of the digital certificate of authenticity, and modifying the status of validity of the digital certificate of authenticity, whenever required.
    Type: Grant
    Filed: July 28, 2008
    Date of Patent: February 10, 2015
    Assignee: Wisekey S.A.
    Inventors: Juan Carlos Creus Moreira, Jérôme Darbellay, Kevin Blackman, Carlos Moreno
  • Patent number: 8953790
    Abstract: Methods and systems for secure key generation are provided. In embodiments, during the manufacturing process, a device generates a primary seed for the device and stores the seed within the device. The device exports the device primary key to a secure manufacturer server. The secure manufacturer server generates a public/private root key for the device and requests a certificate for the public root key of the device from a certificate authority. The device, having the stored primary seed, is integrated into an end-user system. Upon occurrence of a condition, the device after integration into the end-user system generates the public/private root key in the field. The system also receives and installs the certificate for the public root key.
    Type: Grant
    Filed: June 14, 2012
    Date of Patent: February 10, 2015
    Assignee: Broadcom Corporation
    Inventors: Zheng Qi, Mark Buer
  • Patent number: 8949609
    Abstract: The user device includes: a recording unit which stores system parameters as respective parameters given in advance, a disclosure public key, a user public key, a user private key, a member certificate, and an attribute certificate; an input/output unit which receives input of the document from the user and an attribute the user intends to disclose; a cryptograph generating module which generates a cryptograph based on the inputted document, the attribute to be disclosed, and each of the parameters; a signature text generating module which generates a zero-knowledge signature text from the generated cryptograph; and a signature output module which outputs the cryptograph and the zero-knowledge signature text as the signature data. The user public key and the attribute certificate are generated by using a same power.
    Type: Grant
    Filed: July 6, 2010
    Date of Patent: February 3, 2015
    Assignee: NEC Corporation
    Inventor: Isamu Teranishi
  • Patent number: 8949599
    Abstract: According to an embodiment, provided is a device management apparatus that issues a digital certificate to a device. The device management apparatus includes: a storage unit that stores therein device identification information unique to the device in advance; a device-data obtaining unit that, when receiving a connection request from the device, obtains the device identification information contained in the connection request; and a certificate issuing unit that, when the device identification information that is obtained matches up with the device identification information that is stored, issues the digital certificate to the device.
    Type: Grant
    Filed: February 26, 2013
    Date of Patent: February 3, 2015
    Assignee: Ricoh Company, Limited
    Inventor: Masato Nakajima
  • Publication number: 20150033022
    Abstract: A valid duration period for a digital certificate is established by a process that includes assigning numeric values to certificate terms. The numeric value assigned to each certificate term is representative of the valid duration period. The method continues by identifying one certificate term, which may include requesting a user to select a certificate term. The method may include transmitting the requested certificate term to a server. The certificate term requested is sent via a certificate request. The server is configured to convert the numeric value associated with the requested certificate term into a duration counter value. The method may also include a certificate server receiving from the server the certificate request including the duration counter value. The method may conclude with transmitting the signed certificate request to a client device capable of generating the digital certificate with the requested certificate term.
    Type: Application
    Filed: August 13, 2014
    Publication date: January 29, 2015
    Inventors: Garret Florian Grajek, Stephen Moore, Mark V. Lambiase, Craig J. Lund
  • Patent number: 8943323
    Abstract: A method is provided for provisioning a device certificate. A device certificate request is transmitted from a communication device to a server in a communication network using an established communications channel between the communication device and the server. The device certificate request comprises at least a user identifier and a device identifier. The server provides to the communication device a device certificate that includes the user identifier and the device identifier and that is signed by a private key of a certificate authority.
    Type: Grant
    Filed: May 1, 2012
    Date of Patent: January 27, 2015
    Assignee: BlackBerry Limited
    Inventors: Michael K. Brown, Michael S. Brown, Michael Kirkup
  • Patent number: 8943578
    Abstract: An apparatus comprising a processor configured to implement an anti-replay check for a plurality of received packets and a plurality of corresponding sequence numbers; and a circular buffer coupled to the processor and comprising a bitmap, wherein the bitmap is slid in a circular manner by updating a low index that points to a first sequence number for a first received packet and a high index that points to a last sequence number for a last received packet without bit-shifting, and wherein, when the update results in the new value of one of the low index and the high index exceeding the end of the circular buffer, the one of the low index and the high index wraps around from the beginning of the circular buffer.
    Type: Grant
    Filed: May 28, 2013
    Date of Patent: January 27, 2015
    Assignee: Futurewei Technologies, Inc.
    Inventors: Xiangyang Zhang, Xiaoyong Yi
  • Patent number: 8943324
    Abstract: A method is provided for authenticating characteristics of electrical energy. The method comprises acquiring a key, acquiring an amount of electrical energy, and generating a digital signature based on the amount and the key. The method further comprises generating a certificate comprising the signature and the amount.
    Type: Grant
    Filed: January 20, 2011
    Date of Patent: January 27, 2015
    Assignee: Sony Corporation
    Inventors: Yoshihiro Wakita, Jun Nakano, Masaru Kuramoto, Yutaka Imai
  • Patent number: 8943549
    Abstract: This disclosure describes, generally, methods and systems for certifying user identities (IDs). The method includes receiving, from a customer, a certification request for a user ID. The method then identifies the user ID's owner and collects information about the owner. The information may include financial information, personal information, biographical information, etc. The method then analyzes the collected information to generate a risk score associated with the user ID, and based on the risk score exceeding a threshold, the method certifies the user ID.
    Type: Grant
    Filed: August 12, 2008
    Date of Patent: January 27, 2015
    Assignee: First Data Corporation
    Inventor: Mark D. Baumgart
  • Publication number: 20150026476
    Abstract: A method for reading at least one attribute stored in an ID token using first, second and third computer systems, wherein the third computer system comprises a browser and a client, and wherein a service certificate is assigned to the second computer system, wherein the service certificate comprises an identifier which is used to identify the second computer system, wherein the ID token is assigned to a user: a first cryptographically protected connection (TLS1) is set up between the browser of the third computer system and the second computer system, wherein the third computer system receives a first certificate, the first certificate is stored by the third computer system, the third computer system receives a signed attribute specification via the first connection, a second cryptographically protected connection (TLS2) is set up between the browser of the third computer system and the first computer system, wherein the third computer system receives a second certificate, the signed attribute specification
    Type: Application
    Filed: August 6, 2014
    Publication date: January 22, 2015
    Applicant: BUNDESDRUCKEREI GMBH
    Inventors: Carsten SCHWARZ, Günter KOCH
  • Patent number: 8938614
    Abstract: The invention relates to a motor vehicle electronics device comprising a first interface (116) for establishing a first connection to a first ID token (134) in order to read data from the first ID token, a memory (104) for storing a certificate, means (122) for the cryptographic authentication with respect to the first ID token using the certificate, means (130) for actuating at least one display apparatus (136, 138) for reproducing the data, and a second interface (118) for storing the certificate in the memory.
    Type: Grant
    Filed: July 24, 2009
    Date of Patent: January 20, 2015
    Assignee: Bundesdruckerei GmbH
    Inventors: Jorg Fischer, Frank Dietrich, Manfred Paeschke
  • Patent number: 8938792
    Abstract: At least one machine accessible medium having instructions stored thereon for authenticating a hardware device is provided. When executed by a processor, the instructions cause the processor to receive two or more device keys from a physically unclonable function (PUF) on the hardware device, generate a device identifier from the two or more device keys, obtain a device certificate from the hardware device, perform a verification of the device identifier, and provide a result of the device identifier verification. In a more specific embodiment, the instructions cause the processor to perform a verification of a digital signature in the device certificate and to provide a result of the digital signature verification. The hardware device may be rejected if at least one of the device identifier verification and the digital signature verification fails.
    Type: Grant
    Filed: December 28, 2012
    Date of Patent: January 20, 2015
    Assignee: Intel Corporation
    Inventors: Patrick Koeberl, Jiangtao Li
  • Patent number: 8935747
    Abstract: An authentication device includes a unit that issues right transfer information that is to be transmitted to a service providing device and a token that corresponds to the right transfer information and is to be transmitted to a service proxy access device on a basis of information about a user to whom a right is transferred and a condition under which the right is transferred, a unit that provides the token to the service proxy access device, and a unit that receives from the service providing device the token transferred from the service proxy access device and transmits to the service providing device the right transfer information that corresponds to the token and is kept by the authentication device.
    Type: Grant
    Filed: September 4, 2013
    Date of Patent: January 13, 2015
    Assignee: NEC Corporation
    Inventor: Makoto Hatakeyama
  • Patent number: 8930703
    Abstract: Methods, systems and computer program products are provided for controlling the disclosure time of information by a publisher to one or more recipients. A trusted body generates an asymmetrical key pair for a specified date and time of disclosure with an encryption key and a decryption key. The trusted body provides a digital certificate signed with a private key of the trusted body providing the publisher with the encryption key prior to the specified date and time. The publisher uses the encryption key to encrypt data and a recipient obtains the encrypted data at any time prior to the specified date and time. The trusted body then makes the decryption key available to the recipient at or after the specified date and time.
    Type: Grant
    Filed: May 25, 2004
    Date of Patent: January 6, 2015
    Assignee: International Business Machines Corporation
    Inventor: Gary Paul Noble
  • Patent number: 8924716
    Abstract: A communication device for performing communication by employing first and second communication units, includes: a reception unit for receiving a communication packet including a random number generated for every connection with another communication device, a certificate calculated with the random number, and authentication method information indicating whether or not an authentication method at the second communication unit is compatible with the public key system, through the first communication unit; and a method determining unit for determining whether or not an originator of the communication packet accepts public key encryption based on the authentication method information included in the communication packet; wherein in a case of the method determining unit determining that the originator of the communication packet does not accept the public key system, the random number included in the communication packet is replied to the originator as the identification information of the device itself.
    Type: Grant
    Filed: January 10, 2013
    Date of Patent: December 30, 2014
    Assignee: Sony Corporation
    Inventors: Naoki Miyabayashi, Yoshihiro Yoneda, Isao Soma, Seiji Kuroda, Yasuharu Ishikawa, Kazuo Takada, Masahiro Sueyoshi