Abstract: Disclosed is a system and method that uses digital signature technology to authenticate the contents of one or more manifests located on a storage device. Each manifest contains a list of file records, where each record contains the name of a file stored on the storage device, and a SHA1 hash value derived from the contents of the file. At boot time, the gaming machine first authenticates the contents of the manifest and then verifies the contents of the files using the SHA1 value stored in the manifest. Files are verified using the SHA1, as they are needed, during the boot up of the operating system and throughout normal operation. This method reduces the boot time of the gaming machine and eliminates the need to check digital signatures for each individual file or over the entire contents of a non-secure media.

Abstract: By comparing a chip unique password, certification for activating a debug function can be established on the chip unique password. Thus, even when the chip unique password is lost due to negligence, not only certification for activating debugging on other motherboards of the same model number can remain unaffected, but also risks caused by replacing a chip or by a private key leakage from a system manufacturer are eliminated.

Abstract: A data authenticity assurance method carried out by a management computer including: a first step of receiving the first data piece from the computer; a second step of selecting a plurality of second data pieces at predetermined intervals in chronological order from among the plurality of second data pieces held in the data holding part; a third step of performing an arithmetic operation for each of the hash values of the selected plurality of second data pieces; a fourth step of generating signature target data by combining the first data piece received from the computer with the hash values of the selected plurality of second data pieces; and a fifth step of generating a second data piece by assigning the digital signature to the signature target data by using the preset key, and holding the generated second data piece in chronological order sequentially in the data holding part.

Abstract: A signature scheme is provided in which a message is divided in to a first portion which is hidden and is recovered during verification, and a second portion which is visible and is required as input to the verification algorithm. A first signature component is generated by encrypting the first portion alone. An intermediate component is formed by combining the first component and the visible portion and cryptographically hashing them. A second signature component is then formed using the intermediate component and the signature comprises the first and second components with the visible portion. A verification of the signature combines a first component derived only from the hidden portion of the message with the visible portion and produces a hash of the combination. The computed hash is used together with publicly available information to generate a bit string corresponding to the hidden portion.

Abstract: The present invention is directed to a secure communication network that enables multi-point to multi-point proxy communication over the network. The network employs a smart server that establishes a secure communication link with each of a plurality of smart client devices installed on local client networks. Each smart client device is in communication with a plurality of agent devices. A plurality of remote devices can access the smart server directly and communicate with agent devices via the secure communication link between the smart server and one of the smart client devices. This communication is enabled without complex configuration of firewall or network parameters by the user.

Abstract: The examples of the present invention provide a method and device for verifying a dynamic password. In the method and device, some algorithm parameters can be exchanged in public by using a DH algorithm, and thus a same key is shared safely between two entities, so as to implement the verification of the dynamic password and further improve the security of identity verification. Moreover, the method and device can be easy to use. Further, by the above technical solution, no message exchange is needed between a mobile device and a verification server, and a user does not need to pay for additional flux, so as to decrease the burden of the user and verification costs.

Abstract: Deterrence of device subversion by substitution may be achieved by including a cryptographic fingerprint unit within a computing device for authenticating a hardware platform of the computing device. The cryptographic fingerprint unit includes a physically unclonable function (“PUF”) circuit disposed in or on the hardware platform. The PUF circuit is used to generate a PUF value. A key generator is coupled to generate a private key and a public key based on the PUF value while a decryptor is coupled to receive an authentication challenge posed to the computing device and encrypted with the public key and coupled to output a response to the authentication challenge decrypted with the private key.

Abstract: Provided is a Captcha Access Control System (CACS) for generating an improved captcha that are based, in one described embodiment, upon a command in one format and a response in a different format, one or both of which are rendered in a format that is difficult for an automated system to interpret. A computer system or program to which a user is requesting access generates a textual or audible command. A video device captures the user's response and transmits the response to a response evaluation device. Based upon an analysis of the transmitted video and a comparison between the analyzed video and the command, the computer or program either enables access or denies access.

Abstract: A system and method for processing certificates located in a certificate search. Certificates located in a certificate search are processed at a data server (e.g. a mobile data server) coupled to a computing device (e.g. a mobile device) to determine status data that can be used to indicate the status of those certificates to a user of the computing device. Selected certificates may be downloaded to the computing device for storage, and the downloaded certificates are tracked by the data server. This facilitates the automatic updating of the status of one or more certificates stored on the computing device by the data server, in which updated status data is pushed from the data server to the computing device.

Abstract: Providing revocation status of at least one associated credential includes providing a primary credential that is at least initially independent of the associated credential, binding the at least one associated credential to the primary credential, and deeming the at least one associated credential to be revoked if the primary credential is revoked. Providing revocation status of at least one associated credential may also include deeming the at least one associated credential to be not revoked if the primary credential is not revoked. Binding may be independent of the contents of the credentials and may be independent of whether any of the credentials authenticate any other ones of the credentials. The at least one associated credential may be provided on an integrated circuit card (ICC). The ICC may be part of a mobile phone or a smart card.

Abstract: A certification is received from a user stating that captured content does not comprise a particular restricted element and a request from the user for an adjustment of a digital rights management rule identified for the captured content based on the captured content comprising the particular restricted element. At least one term of the digital rights management rule is adjusted to reflect that the captured content does not comprise the particular restricted element. The usage of the captured content by the user is monitored to determine whether the usage matches the certification statement.

Abstract: In one embodiment, an object in a database schema may be verified as having a valid digital signature associated with a trusted entity. An application may be permitted access to the object of the database schema only when the object of the database schema is verified to have a valid digital signature associated with the trusted entity. In another embodiment, an object in a database schema may be verified as having a digital signature associated with at least one trusted entity. An application may be permitted access to the object of the database schema only when the digital signature for the object is verified to be associated with the at least one trusted entity.

Abstract: A method for verifying an electronic signature is described including determining a residue class given by the signature; determining an integer having the residue class; determining a field element of a finite field such that the field element corresponds to the integer according to a predetermined mapping of the finite field to the set of integers; determining whether the field element fulfills a predetermined criterion and deciding whether the signature is valid based on whether the field element fulfills the predetermined criterion.

Abstract: Systems and methods are provided for determining a presence of a watermark in electronic data. In certain embodiments, a plurality of keys is generated, and a plurality of payloads are retrieved from electronic data using the keys. A statistical indicia of randomness is generated based on the payloads, and the presence of a watermark is determined when the indicia is below a threshold.

Abstract: A method of extending an integrity measurement in a trusted device operating in an embedded trusted platform by using a set of policy commands to extend a list of Platform Configuration Registers (PCRs) for the device and the current values of the listed PCRs and an integrity value identifying the integrity measurement into a policy register, verify a signature over the integrity value extended into the policy register, and, if verification succeeds, extend a verification key of the trusted platform, plus an indication that it is a verification key, into the policy register, compare the integrity value extended into the policy register with a value stored in the trusted platform, and, if they are the same: extend the stored value, plus an indication that it is a stored value, into the policy register, and extend the integrity measurement in the trusted device if the value in the policy register matches a value stored with the integrity measurement.

Abstract: Methods and computing devices enable code and/or data software on computer devices to be verified using methods and signatures which can be updated by a signing server after distribution. Updated verification methods and signatures may be provided in a second signature file. When a computing device unpacks an application for execution it may check whether a second signature file is associated with the application file. If not it may connect to a signing server to request a second signature file for the software. The signing server then may request information related to the software sufficient to determine if the software is trustworthy. If determined to be trustworthy, the signing server can send a second signature file to the computer device for use in verifying the software henceforth. The second signature file may include new or modified verification methods and a new signature.

Abstract: An authentication system, including a service use device 1 which presents blurred information obtained by blurring certification information desired to be certified, service providing devices 3a to 3c which verify the validity of blurred information presented by the service use device 1, and an authentication device 2 which supports the service use device 1 to issue valid blurred information. The authentication device 2 adds a digital signature to information including certification information and blurred information, and generates authentication information including the obtained digital signature, certification information, and blurred information (S2). The service use device 1 generates, based on the authentication information generated in the authentication device 2, blurred authentication information including blurred information selected according to an instruction from a user, instruction information representing the instruction, and a digital signature (S4).

Abstract: A validity determination method includes having a receiving apparatus of electronic data identify a public key corresponding to an electronic signature attached to the received electronic data among one or more public keys having respective valid terms, send a resend-request of the electronic data if the identified public key is not valid, and determine validity of the electronic data based on whether the electronic data is resent in response to the resend-request; and having a sending apparatus of the electronic data resend the electronic data to the receiving apparatus in response to receiving the resend-request if the sending apparatus has sent the electronic data relevant to the resend-request in a past.

Abstract: A communication system includes a first relay device connected to a first network accessible by any user, and a second relay device connected to a second network accessible by a specific user. The first relay device includes a first receiver, a first authentication information acquisition unit, and a first transmitter. The first receiver receives an electronic certificate from a terminal device of the specific user. The first authentication information acquisition unit acquires authentication information. The first transmitter transmits the authentication information to a service device connected to the first network, and transmits the electronic certificate to the second relay device. The second relay device includes a second receiver, a second authentication information acquisition unit, and a second transmitter. The second receiver receives the electronic certificate. The second authentication information acquisition unit acquires authentication information.

Abstract: A digital rights management retrieval system is provided. In some embodiments, a digital rights management system includes receiving a first notification from a first client device of a first protected content transaction for a first user with a first content distributor, wherein the first notification includes a first network address for the first content distributor; receiving a second notification from the first client device of a second protected content transaction by the first user with a second content distributor, wherein the second notification includes a second network address for the second content distributor; and maintaining a first list of content distributors for the first user, wherein the first list includes a network address for each content distributor from which the first user has downloaded protected content.

Abstract: A computing device to determine whether to update using a computer file by generating a file signature for that computer file based on its file header information and comparing the file signature to a collection of file signatures for updates already applied for matches.

Abstract: A method of verifying a request made in respect of an IPv6 address comprising a network routing prefix and a cryptographically generated Interface Identifier. The request includes a delegation certificate containing a public key of the host, one or more further parameters or a formula or formulae for generating one or more further parameters, a specification of a range or set of IPv6 network routing prefixes, an identity of a delegated host, and a digital signature taken over at least the identity and the specification of a range or set of IPv6 network routing prefixes using a private key associated with the public key. The method verifies that the network routing prefix of said IPv6 address is contained within the specification, verifying that the public key and the further parameter(s) can be used to generate the cryptographically generated Interface Identifier, and verifying said signature using the public key.

Abstract: Techniques for generating and enforcing document visibility rights associated with a document in use with an electronic signature service are described. Consistent with embodiments of the invention, document visibility rights can be established for each person designated to sign and/or receive a copy of a document, and on a per-page, per-document section, or per-source document basis. Additionally, visibility rights may be conditional, such that various events (including the singing of a document) may modify visibility rights making a previously un-viewable page or document section viewable to a particular person.

Abstract: A method and system for the secure delivery of data to a remote device that has been registered and which requires authentication through the use of a multifactor signature profile is disclosed, and in particular according to certain disclosed aspects, a method and system for ensuring that an authenticated remote device remains authenticated.

Abstract: A virtual session for a computer in which files that are worked on or automatically stored to a portable device such as a hard drive. Depending on the options that are selected, helper files for those programs may also be stored. Those helper files may be files that enable reading the programs, for example, or may be a complete new OS.

Abstract: The present invention provides a system and method of managing traffic traversing an intermediary based on a result of end point auditing. An authentication virtual server of an intermediary may determine a result of an end point analysis scan of a client. Responsive to the determination, the traffic management virtual server can obtain the result from the authentication virtual server. Further, the traffic management virtual server may apply the result in one or more traffic management policies to manage network traffic of a connection of the client traversing the intermediary. In some embodiments, the authentication virtual server may receive one or more expressions evaluated by the client. The one or more expressions identifies one or more attributes of the client. The traffic management virtual server can also determine a type of compression or encryption for the connection based on applying the one or more traffic management policies using the result.

Abstract: Described are a system and method for presenting security information about a current site or communications session. Briefly stated, a browsing software is configured to receive a certificate during a negotiation of a secure session between a local device and a remote device. The certificate includes security information about a site maintained at the remote device. The security information is displayed to a user of the browsing software in a meaningful fashion to allow the user to make a trust determination about the site. Displaying the security information may include presenting a certificate summary that includes the most relevant information about the certificate, such as the name of the owner of the site and the name of the certificating authority of the certificate.

Abstract: A method of distributing media content over networks where content is shared includes coupling downloading metadata, which is accessed to start downloading media contents from the network, with semantic metadata representative of the semantic information associated with at least one of the content, and with source metadata indicative of the source of the media content. At least one of the semantic and the source metadata may be made accessible without downloading, even partially, the media content. A digital signature may also be applied to the metadata to enable the verification that, at reception, the metadata is intact and has not been subjected to malicious tampering.

Abstract: Within a secure messaging environment, a determination is made that a request to send a message has been generated by a user. A message protection policy configured to process the message within the secure messaging environment is identified. The message protection policy specifies that, within the secure messaging environment, a secured digital certificate, other than a user-assigned digital certificate of the user, is configured with an associated private key to digitally sign the message on behalf of the user. Based upon the message protection policy, a determination is made to digitally sign the message using the private key of the secured digital certificate. The message is signed on behalf of the user using the private key of the secured digital certificate.

Abstract: Within a secure messaging environment, a determination is made that a request to send a message has been generated by a user. A message protection policy configured to process the message within the secure messaging environment is identified. The message protection policy specifies that, within the secure messaging environment, a secured digital certificate, other than a user-assigned digital certificate of the user, is configured with an associated private key to digitally sign the message on behalf of the user. Based upon the message protection policy, a determination is made to digitally sign the message using the private key of the secured digital certificate. The message is signed on behalf of the user using the private key of the secured digital certificate.

Abstract: A method and system may allow for authenticating a computing device. A computing device may send an authentication request over a network to an authentication computing device. The authentication request may include a user name and a password. The user name may include a credential and the password may be a digitally signed version of the user name. The authentication computing device may authenticate the requesting computing device by decrypting the password and comparing the received user name to the decrypted password.

Abstract: Methods and systems are described for verifying the source and integrity of a media presentation description (MPD) defined by the Dynamic Adaptive Streaming over HTTP (DASH) protocol. A streaming client receives an MPD from an MPD publisher. The MPD can include addresses associated with one or more media servers and/or advertising servers. The streaming client can receive from the MPD publisher at least one of a digital signature, cryptographic key, and certificate information associated with the MPD. The streaming client can verify the legitimacy of the MPD by verifying the digital signature using the received cryptographic key. The streaming client may use the certificate information to verify the MPD. The streaming client can prevent playing the media associated with the MPD if the MPD is not legitimate. The legitimacy of servers associated with addresses in the MPD may also be verified using authentication information for servers stored in the MPD.

Abstract: A system is provided that includes a receiving component a first encrypting component and a second encrypting component. The receiving component can receive, from a first user, item identification data based on a tangible item and an ownership verification indicator. The receiving component can also receive, from the first user, image data based on the tangible item. The first encrypting component can generate encrypted item identification data based on the item identification data. The second encrypting component operable to generate encrypted image data based on the image data. The resultant set of encrypted information is stored so as to associate the image and the ownership data for use later as proof of ownership of an item and its associated rights.

Abstract: An access control method for accessing an embedded system includes: performing a first access control operation for an access system by a first authentication subject, wherein the first access control operation includes performing a first authentication for the access system; when the first access control operation is passed, receiving at the first authentication subject a result of a second access control operation for the access system which is performed by a second authentication subject that is separate from the first authentication subject performing a second authentication for authenticating whether the access system is an access system that is authenticated by a second authentication subject that is separate from the first authentication subject, and receiving the result of the authentication; and allowing the access system to access the embedded system if the first authentication and the second authentication are successful.

Abstract: A method of ensuring the integrity of read-only components in deployed mixed-mode applications that includes generating a digital fingerprint prior to the deployment of a mixed-mode application is discussed. The digital fingerprint is based on a read-only component in the mixed-mode application and uniquely identifies the read-only component. The method also deploys the mixed-mode application and the digital fingerprint. Additionally, the method verifies, at execution time by using the digital fingerprint, that the read-only component in the mixed-mode deployed application that served as the basis for the digital fingerprint is identical to the same read-only component originally packaged with the mixed-mode application.

Abstract: In one aspect, a computing apparatus is configured to verify a digital signature applied on a set of data received from a user device, including an user ID assigned by a partner system to uniquely identify a user of the user device among customers of the partner system, and a user device identifier identifying the user device. The digital signature is generated via applying a cryptographic one-way hash function on a combination of the set of data and a secret, shared between the computing apparatus and the partner system via a secure communication channel separate from a channel used to receive the set of data.

Abstract: An approach is provided for interdicting malicious file propagation. Packets of a message being transferred to a destination device are received. In response to packet(s) of the message being received, the packet(s) are scanned by determining whether the packet(s) match a corresponding portion of a malicious file. If any of the scanned packet(s) do not match the corresponding portion of the malicious file, a transfer of subsequent packet(s) of the message to the destination device is permitted without performing a scan of the subsequent packet(s). If the scanned packet(s) including a last one or more packets of the message match corresponding portions of the malicious file, a transfer of the scanned packet(s) to the destination device is permitted, except a transfer of the last one or more packets of the message to the destination device is not permitted.

Abstract: A method distributes personalized circuits to one or more parties. The method distributes a generic circuit to each party, encrypts a unique personalization value using a secret encryption key, and transmits each encrypted personalization value to the corresponding party. Each party then stores the encrypted personalization value in their circuit. The stored encrypted personalization value allows a piece of software to be properly executed by the circuit. A semiconductor integrated circuit is arranged to execute a piece of software that inputs a personalization value as an input parameter. The circuit comprises a personalization memory arranged to store an encrypted personalization value; a key memory for storing a decryption key; a control unit comprising a cryptographic circuit arranged to decrypt the encrypted personalization value using the decryption key; and a processor arranged to receive the decrypted personalization value and execute the software using the decrypted personalization value.

Abstract: A method, computer program product, and computing device for obtaining an uncompressed digital media data file. One or more default watermarks is inserted into the uncompressed digital media data file to form a watermarked uncompressed digital media data file. The watermarked uncompressed digital media data file is compressed to form a first watermarked compressed digital media data file. The first watermarked compressed media data file is stored on a storage device. The first watermarked compressed media data file is retrieved from the storage device. The first watermarked compressed digital media data file is modified to associate the first watermarked compressed digital media data file with a transaction identifier to form a second watermarked compressed digital media data file.

Abstract: A data processing apparatus includes a data conversion part converting first data into second data, an identification data generation part generating identification data which depends on the first data, and a data processing part relating the identification data to the second data. Specifically, the data processing part adds the identification data to the second data.

Abstract: Methods, devices, and computer program products facilitate the application of a content use policy based on watermarks that are embedded in a content. Watermark extraction and content screening operations, which can include the application of content usage enforcement actions, may be organized such that some or all of the operations can be conducted at different times by different devices. These operations can be conducted by one or more trusted devices that reside in a networked environment. Real-time access to a content can also be facilitated by utilizing existing watermark extraction records. To facilitate real-time access to the content, the extraction records may contain segmented authentication information that correspond to particular segments of the content that is being accessed. Additionally, or alternatively, new watermark extraction operations can be conducted in real-time to produce new watermark extraction records.

Abstract: In a system and method for authenticating a client device by an authentication device, the client device user is assigned a PIN generated by the authentication device. The user provides the PIN and a password to the client device, from which the client device generates a symmetric key and further generates a public/private key pair. The private key is encrypted using the symmetric key and stored in encrypted form only. The public key and a message authentication code generated from the PIN are provided to the authentication device, which stores the public key. Subsequently, when the user seeks to be authenticated, the user enters a password at the client device, which is used to generate a symmetric key to decrypt the encrypted private key. A message to the authentication device is signed using the resultant value. The authentication device uses the public key to verify the signature of the message.

Abstract: Techniques for signer-initiated electronic document signing via an electronic signature service using a mobile or other client device are described. Example embodiments provide an electronic signature service (“ESS”) configured to facilitate the creation, storage, and management of documents and corresponding electronic signatures. In some embodiments, when a signer user receives an electronic signature document on a mobile device, the signer may use a client module executing on the mobile device to import the document into the ESS. Once the document is imported into the ESS, the signer can access, review, and sign the document at the ESS via the mobile device. After signing the document, the signer can use the mobile device to cause the ESS to provide the signed document to one or more recipients.

Abstract: A communication channel has an associated channel authenticator that includes a channel identifier, a use policy identifying how an owner of the communication channel indicates the communication channel is used, and a digital signature over the channel identifier and use policy. The identifier of the communication channel and the use policy can be verified by a computing device, and a check made as to whether a current security policy of the computing device is satisfied by the use policy. An access that the computing device is allowed to have to the communication channel is determined based at least in part on both whether the current security policy is satisfied by the use policy and whether the identifier of the communication channel and the use policy are verified.

Abstract: An article of manufacture comprises a printed document associated with a source entity. The printed document is readable by a software application of an electronic device. The printed document includes a plain text content portion and a two-dimensional code (2-D code) that includes data encoded therein which is readable by the software application of the electronic device. The encoded data includes a resource locator to an intent. The resource locator to an intent includes a protocol identifier designating a secure 2-D code which is detectable by the software application of the electronic device for electronic replacement by the software application with a protocol identifier used to access a secure server of the source entity located at a host portion of the resource locator. The protocol identifier is a protocol identifier associated with URL specifications.

Abstract: Systems and methods are provided for controlling access to online services. For example, the system may include an application running on a user computer (130) that collects platform data (e.g. physical device parameters) and generates a machine fingerprint (stage 602). The computer (130) may send the machine fingerprint to the authentication server (110). The server (110) may associate the received machine fingerprint with the appropriate online account information received from a host server (120) or the like (stage 604). The authentication server (110) may send the appropriate registration status signal to the host server (120), which in turn may update the online profile information to include the user's registration status (stage 606).

Abstract: Methods, devices, and computer program products facilitate the application of a content use policy based on watermarks that are embedded in a content. Watermark extraction and content screening operations, which can include the application of content usage enforcement actions, may be organized such that some or all of the operations can be conducted at different times by different devices. The watermark extraction results can be stored in a secure location and accessed by other devices at different times. These operations can be conducted by one or more trusted devices that reside in a home network. The home network can also include a gateway device that can coordinate the operations of the various network devices and/or delegate the various watermark extraction and content screening operations.

Abstract: According to one embodiment of the invention, a method for setting permission levels is described. First, an application and digital signature is received by logic performing the permission assessment. Then, a determination is made as to what permission level for accessing resources is available to the application based on the particulars of the digital signature. Herein, the digital signature being signed with a private key corresponding to a first public key identifies that the application is assigned a first level of permissions, while the digital signature being signed with a private key corresponding to a second public key identifies the application is assigned a second level of permissions having greater access to the resources of an electronic device than provided by the first level of permissions.

Abstract: A dual-channel electronic signature system is disclosed, having a signature verification server, a signature requester device, and a hand-held device. The signature requester device calculates a characteristic value related to content of a target document, encodes the characteristic value and a destination message to generate a first graph, and outputs the first graph The hand-held device captures and decodes an image of the first graph to obtain the characteristic value, performs an electronic signature operation on the characteristic value to generate a signature data, encodes the signature data to generate a second graph, and transmits the second graph to a destination network address. If the signature data contained in the second graph passes a verification procedure of the signature verification server, the signature verification server transmits a verification graph corresponding to the second graph to the signature requester device.

Abstract: A system (50) is used for identifying a content item. The system (50) receives a received first identifier (101) of the content item, the received first identifier being based on at least part of a baseband level representation of the content item; a received second identifier (102) of the content item, the received second identifier being based on at least part of an encoded representation (103) of the content item; and the at least part of the encoded representation (103) of the content item. The system comprises a second identifier generator (53) for generating a generated second identifier based on the at least part of the encoded representation (103) of the content item; and a validation unit (54) for validating the received first identifier as a valid first identifier of the content item if the generated second identifier matches the received second identifier.