By Generation Of Certificate Patents (Class 713/175)
  • Patent number: 8924717
    Abstract: An information processing apparatus and method that, prior to using a digital certificate, considers a validity expiration date of the digital certificate as well as a usable deadline of an algorithm or a public key used in the digital certificate.
    Type: Grant
    Filed: March 2, 2012
    Date of Patent: December 30, 2014
    Assignee: Canon Kabushiki Kaisha
    Inventor: Yasuharu Sugano
  • Patent number: 8924714
    Abstract: Techniques and systems for authentication with an untrusted root between a client and a server are disclosed. In some aspects, a client may connect to a server. The server and client may initiate a secure connection by exchanging certificates. The server may accept a client certificate having an untrusted root that does not chain up to a root certificate verifiable to the server certificate authority. In further aspects, the server may enable the client to associate an untrusted certificate with an existing account associated with the server. The client certificate may be hardware based or generated in software, and may be issued to the client independent of interactions with the server.
    Type: Grant
    Filed: June 27, 2008
    Date of Patent: December 30, 2014
    Assignee: Microsoft Corporation
    Inventors: Kristjan E. Hatlelid, Kelvin S. Yiu
  • Patent number: 8924727
    Abstract: Technologies for labeling diverse content are described. In some embodiments, a content creation device generates a data structure that may include encrypted diverse content and metadata including at least one rights management (RM) label applying to the diverse content. The RM label may attribute all or a portion of the diverse content to one or more authors. The metadata may also be signed using an independently verifiable electronic signature. A consumption device receiving such a data structure may verify the authenticity of the electronic signature and, if verification succeeds, decrypt the encrypted diverse content in the data structure. Because the metadata is encapsulated with the diverse content in the data structure, it may accompany the diverse content upon its transfer or incorporation into other diverse content.
    Type: Grant
    Filed: October 12, 2012
    Date of Patent: December 30, 2014
    Assignee: Intel Corporation
    Inventors: Ned M. Smith, Kenneth T. Layton, Michael M. Amirfathi
  • Patent number: 8925059
    Abstract: A network authentication system authenticates a connection-request based on a manner that the connection-request traverses the network. In client-server terminology, a server authenticates a client request for connection by examining one or more sequences of network entities (or network nodes) that form entity-patterns. The client pseudo-randomly selects entities of the network to be redirectors that redirect a received connection-request to further redirectors and/or the server. The client generates a different connection-request for each of the redirectors, and each redirector does the same for each of the further redirectors. This results in substantially unique connection-requests transmitted by each entity of the network in connection with the user request. Thus, redirector patterns are substantially unique and may be used for authentication.
    Type: Grant
    Filed: June 8, 2012
    Date of Patent: December 30, 2014
    Assignee: Lockheed Martin Corporation
    Inventor: Russell T. Mackler
  • Patent number: 8914637
    Abstract: A computer method, computer system, and article for enabling digital signature auditing. The method includes the steps of: receiving at least one signature request issued by at least one application, forwarding a first data corresponding to the received at least one signature request to at least one signing entity for subsequent signature of the first data, storing an updated system state that is computed using a function of: i) a reference system state and ii) a second data corresponding to the received at least one signature request, where the reference system state and the updated system state attest to the at least one signature request, and repeating the above steps, using the updated system state as a new reference system state, where the steps of the method are executed at a server of a computerized system.
    Type: Grant
    Filed: August 23, 2012
    Date of Patent: December 16, 2014
    Assignee: International Business Machines Corporation
    Inventors: Michael Charles Osborne, Tamas Visegrady
  • Patent number: 8914905
    Abstract: Terminal certification means of a communication terminal manages a content and certification information on the content in association with each other. Upon access to a server associated with the execution of the content, request means sends the server a request including certification information associated with the content. In response to the request from the communication terminal, the server uses server certification means to certify the request. Access control means performs access control based on policy information stored in policy information storage means.
    Type: Grant
    Filed: October 5, 2010
    Date of Patent: December 16, 2014
    Assignee: NEC Corporation
    Inventors: Gen Okuyama, Yoshinori Miyamoto, Takuya Murakami
  • Publication number: 20140365778
    Abstract: A method and system for roaming website accounts and passwords are provided. The method is operational on a first client and includes: authenticating website accounts and passwords that have been stored; obtaining the stored website addresses, accounts and passwords according to a successful verification; encrypting the stored website addresses, accounts and passwords for generating encrypted information, and generating a first QR code to be obtained by a second client according to the encrypted information. The website accounts and passwords are roamed and synchronized to be shared. The synchronization process verifies the accounts and passwords, and would not need a third-party server. The risk of data loss in case the third-party server is attacked would be eliminated, and the safety of the accounts and passwords is improved.
    Type: Application
    Filed: April 30, 2014
    Publication date: December 11, 2014
    Applicant: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
    Inventor: Wanxin WANG
  • Patent number: 8909918
    Abstract: Techniques are provided for obtaining first and second digital certificates from a certificate authority database for establishing a secure exchange between network devices. The first digital certificate contains identity information of a first network device, and the second digital certificate contains classification information of the first network device. In one embodiment, a secure key exchange is initiated with the second network device, and the first and second digital certificates are transmitted as a part of the secure key exchange to the second network device. In another embodiment, the first and second digital certificates are received by an intermediate network device. The first digital certificate is encrypted and is not evaluated by the intermediate network device. The second digital certificate is evaluated for classification information of the first network device.
    Type: Grant
    Filed: October 5, 2011
    Date of Patent: December 9, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: Kunal Patel, Yixin Sun, Puneet Gupta, Vinod Arjun, David McGrew
  • Patent number: 8904040
    Abstract: Systems and processes of the present invention allow for digital identity validation. In an example embodiment, a digital identity is registered to a Registrant. During the registration process, one or more registration records are collected from the Registrant and stored in a Records Database. The registration records may include information regarding a digital identity, its Registrant, or another person or entity associated with the digital identity. They may also include name, address, phone number, email address, website, URL, or other information. The information is then verified, possibly by contacting a Registrant, administrative contact, technical contact, or another contact to confirm at least some information in the records. If the information is verified, the Digital Identity Provider may provide the Registrant with a Validation Marker indicating that the digital identity has been validated.
    Type: Grant
    Filed: May 9, 2007
    Date of Patent: December 2, 2014
    Assignee: Go Daddy Operating Company, LLC
    Inventors: Warren Adelman, Michael Chadwick
  • Patent number: 8904172
    Abstract: A method for registering a first device with a second device over a wireless network includes receiving a registration request from the first device and sending one or more user input choices to the first device. The user input choices each specify a user input action available through a user interface associated with the second device. A device description describing the second device is sent to the first device in a manner that allows it to be presented to the user by the first device. At least one of the user input actions are sequentially received through the user interface in response to instructions provided to the user by the first device. The first device is registered with the second device if the user input actions received by the second device correctly reflect the instructions provided to the user by the first device.
    Type: Grant
    Filed: June 16, 2010
    Date of Patent: December 2, 2014
    Assignee: Motorola Mobility LLC
    Inventors: Paul Moroney, Jiang Zhang
  • Patent number: 8898120
    Abstract: A computer-implemented method for distributed data deduplication may include (1) identifying a deduplicated data system, the deduplicated data system including a plurality of nodes, wherein each node within the plurality of nodes is configured to deduplicate data stored on the node, (2) identifying a data object to store within the deduplicated data system, (3) generating a similarity hash of the data object, the similarity hash representing a probabilistic dimension-reduction of the data object, (4) selecting, based at least in part on the similarity hash, a target node from the plurality of nodes on which to store the data object, and then (5) routing the data object for storage on the target node based on the selection of the target node. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: October 9, 2011
    Date of Patent: November 25, 2014
    Assignee: Symantec Corporation
    Inventor: Petros Efstathopoulos
  • Patent number: 8898240
    Abstract: Example methods and apparatus associated with a messaging policy controlled email deduplication are provided. In one example a messaging policy is accessed. It is determined whether a received message complies with the policy based on rules of the messaging policy. If a message complies with the messaging policy, the message is displayed. If the message does not comply with the messaging policy, it is determined whether the message is duplicative. If the message is deemed duplicative it is not displayed. Conversely, if the message is not deemed duplicative it is displayed.
    Type: Grant
    Filed: August 16, 2011
    Date of Patent: November 25, 2014
    Inventor: Roderick B. Wideman
  • Patent number: 8898458
    Abstract: A method includes receiving at a first computer a new certificate which is to replace an old certificate associated with the first computer and associating by the first computer the new certificate with the first computer. In response to the first computer associating the new certificate with the first computer, the first computer accesses an email address book of the first computer having information identifying a second computer as having received the old certificate to determine from the information that the second computer is to associate the new certificate in place of the old certificate with the first computer. In turn, the first computer transmits the new certificate to the second computer for the second computer to associate the new certificate with the first computer.
    Type: Grant
    Filed: July 7, 2010
    Date of Patent: November 25, 2014
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Brian M. Novack, Daniel L. Madsen, Michael D. Cheaney, Timothy R. Thompson
  • Patent number: 8898472
    Abstract: A mechanism and method for managing credentials on an electronic device configured with an iOS based operating system. The iOS based device includes a “keychain” configured in device memory. According to an embodiment, the electronic device comprises an application configured to generate a public certificate object in the keychain and a password object in the keychain. The public certificate object is configured to store a public certificate, and the password object is configured to store a private key. The password object further includes a label or thumbprint for associating the private key with the corresponding public certificate. According to an embodiment, the application stores the private key in an encrypted container in the password object to provide an additional layer of security. The application is configured to unlock the encrypted container utilizing a password provided by the user. According to a further aspect, the user password is not stored in memory on the device.
    Type: Grant
    Filed: July 18, 2011
    Date of Patent: November 25, 2014
    Assignee: Echoworx Corporation
    Inventors: Yauheni Kandrasheu, Sarah Happe, Christian Peel
  • Patent number: 8898473
    Abstract: A system and method are provided for pre-processing encrypted and/or signed messages at a host system before the message is transmitted to a wireless mobile communication device. The message is received at the host system from a message sender. There is a determination as to whether any of the message receivers has a corresponding wireless mobile communication device. For each message receiver that has a corresponding wireless mobile communication device: the message is processed so as to modify the message with respect to encryption and/or authentication aspect. The processed message is transmitted to a wireless mobile communication device that corresponds to the first message receiver. The system and method may include post-processing messages sent from a wireless mobile communications device to a remote system. Authentication and/or encryption message processing is performed upon the message. The processed message may then be sent through the remote system to one or more receivers.
    Type: Grant
    Filed: September 12, 2012
    Date of Patent: November 25, 2014
    Assignee: BlackBerry Limited
    Inventors: James A. Godfrey, Herbert A. Little, Michael K. Brown, Neil P. Adams, Carl L. Cherry, Timothy R. Tyhurst, Michael S. Brown
  • Patent number: 8892880
    Abstract: A system and method for obtaining an authorization key to use a product utilizes a secured product identification code, which includes a serial number and at least one code that is generated based on a cryptographic algorithm.
    Type: Grant
    Filed: October 28, 2010
    Date of Patent: November 18, 2014
    Assignee: NXP B.V.
    Inventors: Ralf Malzahn, Hauke Meyn
  • Patent number: 8892892
    Abstract: A computer method, computer system, and article for enabling digital signature auditing. The method includes the steps of: receiving at least one signature request issued by at least one application, forwarding a first data corresponding to the received at least one signature request to at least one signing entity for subsequent signature of the first data, storing an updated system state that is computed using a function of: i) a reference system state and ii) a second data corresponding to the received at least one signature request, where the reference system state and the updated system state attest to the at least one signature request, and repeating the above steps, using the updated system state as a new reference system state, where the steps of the method are executed at a server of a computerized system.
    Type: Grant
    Filed: March 15, 2012
    Date of Patent: November 18, 2014
    Assignee: International Business Machines Corporation
    Inventors: Michael Charles Osborne, Tamas Visegrady
  • Publication number: 20140331053
    Abstract: A terminal unique information transmission method including: receiving, by a server, from a terminal, a terminal unique information acquisition request including a terminal unique public key certificate of the terminal; generating an encrypted terminal unique public key certificate by encrypting the terminal unique public key certificate of the terminal; checking, by the server, whether the generated encrypted terminal unique public key certificate is described in a discarded terminal information table; and transmitting, by the server, when the generated encrypted terminal unique public key certificate is not described in the discarded terminal information table, a terminal unique information of the terminal to the terminal.
    Type: Application
    Filed: July 17, 2014
    Publication date: November 6, 2014
    Inventor: Hidefumi MARUYAMA
  • Patent number: 8880877
    Abstract: A method for assembling authorization certificate chains among an authorizer, a client, and a third party allows the client to retain control over third party access. The client stores a first certificate from the authorizer providing access to a protected resource and delegates some or all of the privileges in the first certificate to the third party in a second certificate. The client stores a universal resource identifier (URI) associated with both the first certificate and the third party and provides the second certificate and the URI to the third party. The third party requests access to the protected resource by providing the second certificate and the URI, without knowledge or possession of the first certificate. When the authorizer accesses the URI, the client provides the first certificate to the authorizer, so that the client retains control over the third party's access.
    Type: Grant
    Filed: December 22, 2011
    Date of Patent: November 4, 2014
    Assignee: Intel Corporation
    Inventor: Victor B. Lortz
  • Publication number: 20140325232
    Abstract: A client system may be configured to request a certificate from a server system and store the certificate locally. The stored certificate may be used to later authenticate a secure connection between the client system and the server system. The secure connection validated by the stored certificate may be, for example, a secure sockets layer/transport layer security (SSL/TLS) connection.
    Type: Application
    Filed: April 30, 2013
    Publication date: October 30, 2014
    Applicant: Unisys Corporation
    Inventors: Jason C. Schultz, James R. Heit, Robert L. Bergerson
  • Patent number: 8874919
    Abstract: Provided is an apparatus and method of a portable terminal authenticating another portable terminal. The portable terminal may receive a seed generated by the other portable terminal, issue an authentication certificate generated using the seed to the other portable terminal, authenticate the other portable terminal based on the authentication certificate, and provide a secure communication.
    Type: Grant
    Filed: January 14, 2011
    Date of Patent: October 28, 2014
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Dae Youb Kim
  • Publication number: 20140317412
    Abstract: A method for securely searching, finding, reproducing, recovering, and/or exporting electronic data from at least two systems which can be found in a network and which are organized in a functionally identical and decentralized manner. The individual systems include a system certificate and a corresponding serial number by the manufacturer and can carry out an authentication process using said system certificate and serial number. Information is provided on user authorizations between the systems using configuration tables which are stored on each of the systems. A maximum level of security is ensured by combining cryptographic methods and the mutual authentication of the involved systems. A user interface is provided for the user, wherein the user receives a pre-selection of the requested electronic data in the user interface and can then mark the pre-selection for further processing.
    Type: Application
    Filed: November 14, 2012
    Publication date: October 23, 2014
    Applicant: ARTEC COMPUTER GMBH
    Inventors: Jerry John Artishdad, Christian Hett
  • Patent number: 8869241
    Abstract: A computationally-implemented method, for certain example embodiments, may include, but is not limited to: identifying a network connection coupling a computer server to a computing device; and transmitting, via the network connection, a behavioral fingerprint associated with an authorized user of the computing device, the behavioral fingerprint providing at least one status of the authorized user with respect to the computing device. In addition to the foregoing, other example aspects are presented in the claims, drawings, and written description forming a part of the present disclosure.
    Type: Grant
    Filed: June 29, 2012
    Date of Patent: October 21, 2014
    Assignee: Elwha LLC
    Inventors: Marc E. Davis, Matthew G. Dyor, Daniel A. Gerrity, Xuedong Huang, Roderick A. Hyde, Royce A. Levien, Richard T. Lord, Robert W. Lord, Mark A. Malamud, Nathan P. Myhrvold, Clarence T. Tegreene
  • Patent number: 8868913
    Abstract: A network device initiates a transmission control protocol (TCP) connection to establish a TCP session with a management device, and performs, via the TCP session, a secure protocol client/server role reversal for the management device. The network device receives, from the management device, initiation of a secure connection over the TCP session in accordance with a secure protocol, and provides, to the management device, a trusted certificate with an embedded host key that is dynamically generated using a cryptographic processor of the network device, based on the initiation of the secure connection. The network device also establishes the secure connection with the management device based on an authentication of the host key by the management device via the trusted certificate.
    Type: Grant
    Filed: September 29, 2011
    Date of Patent: October 21, 2014
    Assignee: Juniper Networks, Inc.
    Inventor: Kent A. Watsen
  • Patent number: 8869252
    Abstract: An apparatus may include a processor configured to receive a security certificate request from a remote device comprising a public key of the remote device and an authentication credential based upon a legacy authentication mechanism of the remote device. The processor may be further configured to validate the received authentication credential in accordance with the legacy authentication mechanism. The processor may be additionally configured to generate a security certificate for the public key. The processor may be further configured to provide the generated security certificate to the remote device.
    Type: Grant
    Filed: May 19, 2008
    Date of Patent: October 21, 2014
    Assignee: Nokia Corporation
    Inventors: Nadarajah Asokan, Jan-Erik Ekberg, Antti Kiiveri, Olli Muukka
  • Patent number: 8863303
    Abstract: A system and method for allowing access to digitally protected content are disclosed. License metadata and credentials from multiple types of digital rights management systems may be used to grant access to content protected by a different type of digital rights management system. Hierarchical levels of access to the content may be granted based on at least one of license metadata and credentials.
    Type: Grant
    Filed: August 12, 2008
    Date of Patent: October 14, 2014
    Assignee: Disney Enterprises, Inc.
    Inventor: Arnaud Robert
  • Patent number: 8862872
    Abstract: Aspects describe spectrum authorization, access control, and configuration parameters validation. Devices in an ad-hoc or peer-to-peer configuration can utilize a licensed spectrum if the devices are authorized to use the spectrum, which can be determined automatically. Aspects relate to distribution of authorization tickets by an authorization server as a result of validating a device's credentials and services to which the device is entitled. An exchange and verification of authorization tickets can be performed by devices as a condition for enabling a validated wireless link using the spectrum.
    Type: Grant
    Filed: September 12, 2008
    Date of Patent: October 14, 2014
    Assignee: QUALCOMM Incorporated
    Inventors: Michaela Vanderveen, Lu Xiao
  • Patent number: 8854650
    Abstract: In a system including a client, a print server, an image forming device and a database, when the print server verifies a certificate transmitted from the image forming device upon performing TLS communication, verification of certificates that are registered in advance with the database is accelerated. A search key, which is for acquiring information of a desired image forming device from data stored in the database, is set in the print server. Certificate information is registered with the database in association with the search key. In this way, the certificate information can be searched for using the search key and verification can be accelerated.
    Type: Grant
    Filed: August 23, 2012
    Date of Patent: October 7, 2014
    Assignee: Canon Kabushiki Kaisha
    Inventor: Norihisa Kishimoto
  • Patent number: 8856514
    Abstract: A renewed digital certificate is obtained within an asynchronous messaging environment from a certificate server of an issuer of an existing digital certificate to replace the existing digital certificate. The renewed digital certificate includes an extended attribute that stores a serial number value of the existing digital certificate. A message is received with a symmetric key that is encrypted using the existing digital certificate. The symmetric key is identified within the message by the serial number value of the existing digital certificate. The message is processed using the renewed digital certificate.
    Type: Grant
    Filed: March 12, 2012
    Date of Patent: October 7, 2014
    Assignee: International Business Machines Corporation
    Inventors: Bret W. Dixon, Scot W. Dixon
  • Patent number: 8856527
    Abstract: A graphical user interface can be provided for creating a digital certificate profile for a digital certificate. In one embodiment, a security metric is determined using a first subset of certificate profile attributes selected by a user, and a usability metric is determined using a second subset of certificate profile attributes. Graphical representations of the security metric and a graphical representation of the usability metric can then be provided in the graphical user interface. In one embodiment, the first subset of certificate profile attributes is the same as the second subset.
    Type: Grant
    Filed: February 7, 2012
    Date of Patent: October 7, 2014
    Assignee: Symantec Corporation
    Inventors: Stefan Schwengler, Len Toyoshiba
  • Patent number: 8856894
    Abstract: An Always-On Authentication (“AOA”) system comprises a computer system, such as a server, that automatically monitors and authenticates an enrolled individual's online transactions and/or activities to, for example, detect and/or prevent fraud. The AOA system actively monitors and/or authenticates the individual's online transactions and/or activities with service providers. A risk level may be associated with transactions and/or activities, and if a monitored transaction or activity is determined to exceed a risk level for the individual, the individual may be prompted for further authentication information. A risk profile may be built for the individual over time based on the individual's history or pattern of transactions and activities. The AOA system may issue a virtual credential to the individual and/or to one or more of the individual's computing devices.
    Type: Grant
    Filed: March 12, 2013
    Date of Patent: October 7, 2014
    Assignee: Consumerinfo.com, Inc.
    Inventors: Michael John Dean, Mark Joseph Kapczynski
  • Patent number: 8856875
    Abstract: Generally, this disclosure describes software delivery systems (and methods). A server is provided that operates to provision software on a customer's local machine. The server system, in response to a software purchase from an end user (customer), is configured to install the software on the customer's machine, encrypt the software, and provision encryption keys to grant the customer access to the software. In addition, a software agent is installed on the customer's machine that enables monitoring, by the server, of the customer's installed software. The server system is configured to control customer access to the installed software, via the software agent, and to terminate customer access to the software (for example, for nonpayment of fees). Thus, the software provider can retain control over software that is remotely deployed at an end user location.
    Type: Grant
    Filed: July 24, 2012
    Date of Patent: October 7, 2014
    Assignee: Intel Corporation
    Inventor: Vikas Aditya
  • Patent number: 8856532
    Abstract: An embodiment of the disclosure can receive a composite resource document containing at least one resource. An updated manifest resource can be obtained. The updated manifest resource can list all resources in the composite resource document. A set of zero or more (0 . . . N) resources can be indicated. Each indicated resource is one that is to be subtracted from the list of resources in the updated manifest resource in order to create a generated signature reference list of identified resources to be signed. A hash token can be generated using the resources identified in the generated signature reference list to form a signature hash token. The signature hash token can be encrypted with a secret key.
    Type: Grant
    Filed: June 24, 2011
    Date of Patent: October 7, 2014
    Assignee: International Business Machines Corporation
    Inventors: John M. Boyer, Ragunathan Mariappan, Nazeer S. Unnisa
  • Patent number: 8850207
    Abstract: A controller is provided with a controller key and a first controller identification information unique to the controller. The controller generates a controller unique key unique to a respective controller based on the controller key and the first controller identification information, and a second controller identification information based on the first controller identification information. A decryptor decrypts the encrypted medium device key using the controller unique key to obtain a medium device key. An authentication/key exchange process unit performs authentication/key exchange process with the host device through an interface unit using the medium device key, the medium device key certificate and the second controller identification information to establish a secure channel.
    Type: Grant
    Filed: March 22, 2012
    Date of Patent: September 30, 2014
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Taku Kato, Yuji Nagai, Tatsuyuki Matsushita
  • Patent number: 8850186
    Abstract: An information processing apparatus that communicates using an electronic certificate is provided. When identification information is configured that identifies the information processing apparatus on a network, the configured identification information is stored in a storage unit. A request for issue of an electronic certificate containing the identification information stored in the storage unit is issued to a certificate authority. Once the request for issue is issued, a determination is made as to whether or not the identification information contained in the request for issue matches the identification information stored in the storage unit prior to obtaining the electronic certificate that is issued by the certificate authority in response to the request for issue. If it is determined that a mismatch exists, the user is notified to that effect.
    Type: Grant
    Filed: January 5, 2007
    Date of Patent: September 30, 2014
    Assignee: Canon Kabushiki Kaisha
    Inventor: Hisayuki Yamauchi
  • Patent number: 8850210
    Abstract: An authentication system, including a service use device 1 which presents blurred information obtained by blurring certification information desired to be certified, service providing devices 3a to 3c which verify the validity of blurred information presented by the service use device 1, and an authentication device 2 which supports the service use device 1 to issue valid blurred information. The authentication device 2 adds a digital signature to information including certification information and blurred information, and generates authentication information including the obtained digital signature, certification information, and blurred information (S2). The service use device 1 generates, based on the authentication information generated in the authentication device 2, blurred authentication information including blurred information selected according to an instruction from a user, instruction information representing the instruction, and a digital signature (S4).
    Type: Grant
    Filed: June 2, 2006
    Date of Patent: September 30, 2014
    Assignee: Panasonic Corporation
    Inventors: Kaoru Yokota, Natsume Matsuzaki, Masao Nonaka
  • Patent number: 8850188
    Abstract: A system and method for processing certificates located in a certificate search. Certificates located in a certificate search are processed at a data server (e.g. a mobile data server) coupled to a computing device (e.g. a mobile device) to determine status data that can be used to indicate the status of those certificates to a user of the computing device. Selected certificates may be downloaded to the computing device for storage, and the downloaded certificates are tracked by the data server. This facilitates the automatic updating of the status of one or more certificates stored on the computing device by the data server, in which updated status data is pushed from the data server to the computing device.
    Type: Grant
    Filed: September 13, 2012
    Date of Patent: September 30, 2014
    Assignee: BlackBerry Limited
    Inventors: Neil P. Adams, Herbert A. Little, Michael K. Brown, Michael S. Brown, Michael G. Kirkup
  • Patent number: 8850208
    Abstract: Embodiments relate to a method for generating a set of authentication certificates by a set of certificate authority devices. The method includes receiving, by the set of certificate authority devices, a set of certificate requests from a user device. The method includes generating, by the set of certificate authority devices, a set of crosschecked certificates, each crosschecked certificate of the set of crosschecked certificates being configured to cryptographically verify the remaining crosschecked certificate of the set of crosschecked certificates. The method includes transmitting, by the set of certificate authority devices, the set of crosschecked certificates to the user device, the set of crosschecked certificates configured to be utilized by the user device in establishing a secured communication channel over a network between the user device and a client device.
    Type: Grant
    Filed: June 24, 2011
    Date of Patent: September 30, 2014
    Assignee: EMC Corporation
    Inventor: Sean F. Parkinson
  • Patent number: 8848919
    Abstract: Providing revocation status of at least one associated credential includes providing a primary credential that is at least initially independent of the associated credential, binding the at least one associated credential to the primary credential, and deeming the at least one associated credential to be revoked if the primary credential is revoked. Providing revocation status of at least one associated credential may also include deeming the at least one associated credential to be not revoked if the primary credential is not revoked. Binding may be independent of the contents of the credentials and may be independent of whether any of the credentials authenticate any other ones of the credentials. The at least one associated credential may be provided on an integrated circuit card (ICC). The ICC may be part of a mobile phone or a smart card.
    Type: Grant
    Filed: June 18, 2012
    Date of Patent: September 30, 2014
    Assignee: Assa Abloy AB
    Inventors: Eric F. Le Saint, Robert S. Dulude
  • Patent number: 8843757
    Abstract: A method and system is provided for generating a one-time passcode (OTP) configured for use as a personal identification number (PIN) for a user account from a user device. The OTP may be generated using an OTP generator which may include an algorithm and a user account-specific OTP key. The OTP key may be camouflaged by encryption, obfuscation or cryptographic camouflaging using a PIN or a unique machine identifier defined by the user device. Obtaining an OTP from the user device may require inputting a data element which may be one of a PIN, a character string, an image, a biometric parameter, a user device identifier such as a machine effective speed calibration (MESC), or other datum. The OTP may be used for any transaction requiring a user PIN input, including ATM and debit card transactions, secure access and online transactions.
    Type: Grant
    Filed: November 10, 2010
    Date of Patent: September 23, 2014
    Assignee: CA, Inc.
    Inventor: Rammohan Varadarajan
  • Patent number: 8843413
    Abstract: The present invention provides for a digital rights management system with a centralized domain service capable of creating and managing membership criteria for joining a domain in accordance with business rules defined by a content owner. A domain identification is created that allows a content provider to uniquely bind content licenses to a domain. The content licenses include usage rights that define how content associated with the licenses may be consumed by one or more members of the domain. The centralized domain service can enforce digital rights by validating membership criteria including at least one of a domain proximity check for validating that a requestor is in close proximity to the domain, a total number of requestors, or the frequency that the requests have been made by various requestors to join the domain and unjoin from the domain.
    Type: Grant
    Filed: February 13, 2004
    Date of Patent: September 23, 2014
    Assignee: Microsoft Corporation
    Inventors: Arnaud Robert, James M. Alkove, Chadd B. Knowlton
  • Patent number: 8843750
    Abstract: Embodiments of the present disclosure include methods (and corresponding systems and computer program products) for monitoring secured communication channels based on certificate authority impersonation. One aspect is a method comprising: intercepting a certificate transmitted by the remote server to the software application, the certificate comprising a public key; generating a first public key and a first private key pair for the intercepted certificate; replacing the public key in the intercepted certificate with the first public key; transmitting a modified intercepted certificate including the first public key to the software application in place of the intercepted certificate; and monitoring the security communication channel between the software application and the remote server, wherein the security communication channel is established based at least in part on the modified intercepted certificate.
    Type: Grant
    Filed: January 28, 2011
    Date of Patent: September 23, 2014
    Assignee: Symantec Corporation
    Inventor: Ilya Sokolov
  • Patent number: 8843740
    Abstract: A first device with a changing identity establishes a secure connection with a second device in a network by acting as its own certificate authority. The first device issues itself a self-signed root certificate that binds an identity of the first device to a long-term public key of the first device. The root certificate is digitally signed using a long-term private key, where the long-term public key and the long-term private key form a public/private key pair. The first device provides its root certificate to the second device in any trusted manner. The first device can then create a certificate for one or more short-term identities acquired by the first device and sign the newly-created certificate using the long-term private key. The first device can authenticate itself to the second device by sending the newly-created certificate to the second device.
    Type: Grant
    Filed: December 2, 2011
    Date of Patent: September 23, 2014
    Assignee: BlackBerry Limited
    Inventors: Michael Stephen Brown, David Francis Tapuska
  • Patent number: 8843749
    Abstract: Described are a system and method for presenting security information about a current site or communications session. Briefly stated, a browsing software is configured to receive a certificate during a negotiation of a secure session between a local device and a remote device. The certificate includes security information about a site maintained at the remote device. The security information is displayed to a user of the browsing software in a meaningful fashion to allow the user to make a trust determination about the site. Displaying the security information may include presenting a certificate summary that includes the most relevant information about the certificate, such as the name of the owner of the site and the name of the certificating authority of the certificate.
    Type: Grant
    Filed: May 7, 2010
    Date of Patent: September 23, 2014
    Assignee: Microsoft Corporation
    Inventors: Aaron J. Sauve, Cornelis K. Van Dok, Marc A. Silbey
  • Publication number: 20140281554
    Abstract: A client device that is coupled to a host device sends a parent public key and an associated certificate to the host device. The parent public key, the certificate and a corresponding parent private key are stored in secure persistent storage included in a secure device associated with the client device. The client device receives instructions from the host device for generating a child private and public key pair. In response to receiving the instructions, the client device generates a child private key based on a first random number produced within the secure device, and a child public key associated with the child private key. The client device computes a first signature on the child public key using the parent private key. The client device sends the child public key and the first signature to the host device.
    Type: Application
    Filed: March 13, 2013
    Publication date: September 18, 2014
    Applicant: ATMEL CORPORATION
    Inventors: Kerry David Maletsky, Michael J. Seymour, Brad Phillip Garner
  • Patent number: 8838973
    Abstract: Reflective factors are used in combination with a one-time password (OTP) in order to strengthen a system's ability to prevent man in the middle (MITM) phishing attacks. These reflective factors may include information such as URL information, HTTPS, a server's certificate, a session key, or transaction information. These reflective factors help to ensure that a client that wishes to access a server is the legitimate client, because even if a phisher (including a phisher attacking the legitimate client in real time) records identifying information from the legitimate client, it cannot replicate the reflective information to authenticate itself with the server.
    Type: Grant
    Filed: February 28, 2012
    Date of Patent: September 16, 2014
    Assignee: Google Inc.
    Inventors: Marcel Mordechai Moti Yung, Omer Berkman
  • Patent number: 8838966
    Abstract: In one embodiment, a computing apparatus that receives respective unique identifiers corresponding to a machine and a diagnostic tool and a requested parameter setting for configuring a machine component residing in the machine, and provides an authorization code with a payload comprising the requested parameter setting, the payload encrypted based on the unique identifiers.
    Type: Grant
    Filed: September 27, 2010
    Date of Patent: September 16, 2014
    Assignee: AGCO Corporation
    Inventors: Joshua A. Tolle, Ty D. Klein, Gerald R. Johnson, Josh W. Russell
  • Patent number: 8838964
    Abstract: A method and system for software package auditing is described. A processing device receives user input that identifies one or more software packages to be included in a software product release. The one or more identified packages are imported into a package audit tool executable by the processing device and the package audit tool automatically validates that the imported packages comply with a set of one or more requirements specified for the software product release using the package audit tool.
    Type: Grant
    Filed: November 30, 2010
    Date of Patent: September 16, 2014
    Assignee: Red Hat, Inc.
    Inventors: Dennis George Gregorovic, Tomas Kopecek, Martin Magr, Daniel W. Riek
  • Patent number: 8832443
    Abstract: A method for increasing the security of private keys is provided that includes generating transaction data at a device operated by a user and processing the transaction data. Moreover, the method includes determining whether the user permits using a private key that is associated with the user and with a public-private key pair of the user. The private key is stored in a computer system different from the device. Furthermore, the method includes authenticating the user when the user permits using the private key, applying the private key to other data after successfully authenticating the user, and transmitting the other data to the device. The method also includes conducting a transaction with the transaction data.
    Type: Grant
    Filed: May 31, 2012
    Date of Patent: September 9, 2014
    Assignee: Daon Holdings Limited
    Inventors: Andrew Supplee Webb, Michael Peirce
  • Patent number: 8832430
    Abstract: A system for managing security certificates on a plurality of remote computers comprises a certificate manager that can determine in accordance with at least one preestablished criterion whether a security certificate on a remote computer is to be managed. The system also includes an installer module that can access an account of the remote computer to manage the security certificate. Methods of using the system are also provided.
    Type: Grant
    Filed: September 17, 2010
    Date of Patent: September 9, 2014
    Assignee: Microsoft Corporation
    Inventors: Adam E. Zilinskas, Laura Delhy Machado de Wright, S. Morris Brown