Abstract: A method for operating a door operator, includes inserting a first functional module into a slot of the door operator. The first functional module includes first information data function to be enabled. The first information data is transmitted to the door operator and, determining which additional functions are to be enabled. A first unique first identification is generated in the door operator. This generated first identification is transmitted back to the first functional module and saved in the first functional module. The determined functions to be enabled are activated, respectively enabled in the door operator.

Abstract: Various embodiments of a system and method for a single request-single response protocol with mutual replay attack protection are described. Embodiments include a system that receives multiple single request messages, each of which include a respective nonce, timestamp, and digital signature. The system may create a record of previously received nonces that, at any given time, may include multiple message nonces received within a valid period of time prior to that given time. To validate a given single request message, the system verifies the digital signature of the message, determines that the timestamp of the message indicates a time within the valid period of time prior to the current time, and determines that the nonce of the message is not present within the record of previously received nonces. The system sends a single response message that includes the same nonce as the validated message.

Abstract: In a system and method of watermarking content for tracking media consumption, the method may include creating, by a computer processor, at least one copy of a mezzanine asset for distribution to at least one user, the mezzanine asset being watermarked with a watermark identifier, and the at least one copy including a copy of the watermark identifier.

Abstract: An apparatus and method for generating a multiplex of media streams, the method includes the steps of: (i) receiving a set of media streams that comprises first type media stream components and second type media stream components; (ii) applying a modification process that is not adapted to modify second type media stream components, such as to provide at least one modified first type media stream component; and (iii) multiplexing at least the second type media stream components and the modified first type media stream components.

Abstract: The disclosed embodiments are directed to improving the efficiency of guaranteeing data consistency to clients, such as for one or more objects stored on a plurality of volumes configured as a Striped Volume Set. In particular, the disclosed embodiments optimize requests from clients which span multiple Data Volumes and which require strong serialization. The disclosed embodiments provide a “viral ticket book” model that provides lower latency while improving compatibility with client protocols.

Abstract: A method for reading at least one attribute stored in an ID token assigned to a user involving: authenticating the user to the ID token, authenticating a first computer system to the ID token, and, assuming successful authentication of the user and the first computer system to the ID token, read access by the first computer system to the at least one attribute stored in the ID token for transmission of the at least one attribute to a second computer system, and generating of a time indication for the at least one attribute by the first computer system.

Abstract: A method of establishing the integrity of an audit record set is described. The method comprises receiving a set of audit records and generating a first set of random values wherein each audit record in the set corresponds to at least one value of the first set. The method further comprises generating a second set of values based on an audit record and a corresponding value of the first set for each audit record in the set and generating a summary value based on the second set of values. The method further comprises certifying the summary value to generate an integrity certificate enabling verification of the integrity of the audit record set and storing the audit record set and at least one of the first set of values and the generated digital signature.

Abstract: A server receives a package of data including: a document designated for notarization, identification information including a photograph, photograph of a user, and a signature of the user. The server compares the photograph of the user to the photograph included with the identification information. Next, the server verifies an identity of the user based on the identification information and the photograph by comparing the photograph of the signer to the photograph included with the identification information. The server then applies the signature and an indication of notarization to the document designated for notarization to create a notarized version of the document. The server stores the notarized version of the document, the photograph, and the identification document in a secure data package, and provides the notarized version of the document to the user.

Abstract: Methods, systems and computer program products are provided for controlling the disclosure time of information by a publisher to one or more recipients. A trusted body generates an asymmetrical key pair for a specified date and time of disclosure with an encryption key and a decryption key. The trusted body provides a digital certificate signed with a private key of the trusted body providing the publisher with the encryption key prior to the specified date and time. The publisher uses the encryption key to encrypt data and a recipient obtains the encrypted data at any time prior to the specified date and time. The trusted body then makes the decryption key available to the recipient at or after the specified date and time.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for generating a nonce. In one aspect, a method includes generating, by a data processing apparatus, a source value, and hashing, by the data processing apparatus, the source value to generate the nonce.

Abstract: An image forming apparatus which can prohibit any users but a user who has made a deposit from operating the image forming apparatus for a chargeable process. A communication controller of the image forming apparatus obtains pieces of proper information of cell-phones. An ID management section issues IDs for the respective pieces of proper information, and the communication controller sends the IDs to the corresponding cell-phones. At an input section, a user of one of the cell-phones inputs the ID sent thereto. Thereafter, the communication controller receives an access from a cell-phone and receives proper information of the cell-phone. In this moment, it is judged whether the cell-phone which has made an access is identical with the cell-phone of which ID was inputted at the input section. Only when the communication controller identifies the cell-phone, the communication controller permits the image forming apparatus to communicate with the cell-phone.

Abstract: An automated notarization device includes a scanner, printer, hardware security module and camera. The hardware security module includes a secure processor and secure storage for data records and cryptographic keys, along with a secure real time clock. A person desiring to have a document notarized presents the document to the device, presents identification to the device, and has his/her picture and or video taken. Each of these items is stored in a data record, which is then displayed to the person for approval. Upon approval, the data record is provided to the hardware security module, which adds a timestamp to the data record and then digitally signs the data record. The resulting signed data record ties together the original document, and identification of the person, and a timestamp. Changes to any of these data elements can be detected by verifying the digital signature.

Abstract: A method, apparatus, and computer program product are provided in order to capture and share audio and/or video content in a multi-user environment. In the context of a method, audio and/or video content is captured and selected to be uploaded to be shared with other users. The method may assign and verify global timestamps for captured content and cause the content and verified timestamps to be uploaded to a multi-user content server. The method uses the verified timestamps to synchronize multi-user content to a common timeline in an efficient manner, allowing for rendering of content that is to be shared with other end users. A corresponding apparatus and a computer program product are also provided.

Abstract: Media signals such as audio and/or video signals are certified as being authentic. A private key and a corresponding public key are provided. For a current media segment of the media signal, a signature is created using the private key to sign data based on media content of the current media segment combined with a signature from a media segment present at another point within the media signal where the signature from the media segment present at another point within the media signal is created by signing with the private key data based on media content of the media segment present at the other point within the media signal. The signature is included in metadata of the current media segment of the media signal and the public key is included in a second metadata of the media signal.

Abstract: A method for securing communications between an access point and a station includes generating a first hashed service set identifier (SSID) by applying a first hash function to a first SSID known by the station, transmitting a first message to the access point, wherein the first message includes the first hashed SSID, and receiving a second message from the access point, wherein the second message includes a second hashed SSID generated by the access point by applying a second hash function to a second SSID associated with the access point. The method also includes generating a third hashed SSID by applying the second hash function to the first SSID, determining if the third hashed SSID matches the second hashed SSID, and transmitting a third message to the access point if the third hashed SSID matches the second hashed SSID.

Abstract: Long-term signature data is formed at a server side while a private key and the like are held at a client side. The long-term signature data is configured by arranging ES, STS, verification information, ATS (1st), and ATS (2nd) in a predetermined long-term signature format. Among these elements, those for which processing using the private key and original data are necessary are ES and ATS. Due to processing where the original data and the private key is necessary being performed by a client terminal 3 and processing where the long-term signature data is analyzed and generated being performed by a long-term signature server 2, the long-term signature data is generated in the long-term signature server 2 while the original data and the private key are held in an inner portion of the client terminal 3.

Abstract: The present invention provides a log management system which is devised so that improper behavior by managers with regard to the log information can easily be discovered. Virtual OS are respectively installed for respective users in a file server that can also be constructed as an NAS device. These virtual OS function as virtual NAS. The virtual OS and manager OS can exchange information relating to log information via an information exchange part constructed as a kernel. The log information produced in the virtual OS is transmitted to a first log management device via a first communications network, and is also transmitted to a second log management device via a second communications network. The respective networks are separated. As a result of the same log information being managed by multiplex management using separate management devices, it can be detected whether or not there has been any improper behavior with respect to the log information.

Abstract: A digital rights management method includes: storing information on a rights object in a memory area, wherein the rights object has been transferred from a first device to a second device, and wherein the rights object includes permissions linked to a digital media object; receiving a rights object at the first device; and accessing the memory area to check whether information on the received rights object is stored in the memory area and to set up the received rights object on the first device in case the information on the received rights object is not stored in the memory area, and to reject the received rights object in case the information on the received rights object is stored in the memory area.

Abstract: In implementations, a computer-implemented method for location assurance is disclosed. The method can include receiving, by an application executing on a mobile computing device, an electronic token from a server, wherein the electronic token comprises a timestamp signed using a cryptographic signing algorithm; providing, by the application, the electronic token to a passive computational tag, wherein the electronic token is countersigned by the passive computational tag; receiving, by the application, the electronic token that was countersigned by the passive computational tag; and providing, by the application, the electronic token that was countersigned to the server.

Abstract: Embodiments relate to a method for generating a set of authentication certificates by a set of certificate authority devices. The method includes receiving, by the set of certificate authority devices, a set of certificate requests from a user device. The method includes generating, by the set of certificate authority devices, a set of crosschecked certificates, each crosschecked certificate of the set of crosschecked certificates being configured to cryptographically verify the remaining crosschecked certificate of the set of crosschecked certificates. The method includes transmitting, by the set of certificate authority devices, the set of crosschecked certificates to the user device, the set of crosschecked certificates configured to be utilized by the user device in establishing a secured communication channel over a network between the user device and a client device.

Abstract: The present invention is related to a wireless transmit/receive unit (WTRU) for providing advanced security functions. The WTRU includes trusted platform module (TPM) for performing trusted computing operations; and a secure time component (STC) for providing a secure measurement of a current time. The STC and the TPM are integrated to provide accurate trusted time information to internal and external to the WTRU. The STC may be located on an expanded a subscriber identity module (SIM), on the WTRU platform, or two STCs may be used, one in each location. Similarly, the TPM may be located on an expanded SIM, on the WTRU platform, or two TPMs may be used, one in each location. Preferably, the STC will include a real time clock (RTC); a tamper detection and power failure unit; and a time report and sync controller.

Abstract: System and method for displaying digital content on a display device comprising at least one digital content item, configured to be displayed on the display device, a service cloud, comprising a server, memory, and processor, configured to store the digital content item as one or more encrypted slices, and a crypto controller, running on the service cloud server, configured to download a cypher key stored in the service cloud memory. The cypher key is configured to be encoded with a unique identification corresponding to the display device and lock the digital content item to that display device. The service cloud processor is configured to retrieve the encrypted slices, assemble the slices into one or more encrypted particles, and send the encrypted particles and the cypher key to the display device for assembly by the cypher key into the digital content item using an activation code provided by the crypto controller.

Abstract: Detection of email phishing attacks is initiated when an email is received in a computer system. The email is parsed for features indicative of an email phishing attack, such as a link to an external website. The link to the website is followed to connect to and access the website. Fictitious information, such as fake user credentials or fake credit card information, is provided to the website. The response of the website to the fictitious information is evaluated to determine if the website is a phishing site. The website is deemed to be a phishing site when the website accepts the fictitious information as valid. The email is blocked to prevent its addressee from opening the email when the email is deemed part of a phishing attack, such as when it links to a phishing site.

Abstract: A method in a multimedia device (130) including obtaining protected content having a limited exercisable right associated therewith, obtaining an extension of the limited exercisable right when a condition is satisfied, for example, when the device enters a DRM system different than the DRM system from which the protected content originated, wherein the extension of the limited exercisable right is obtained from an entity other than the multimedia device, for example, from an anomaly detector.

Abstract: A long-term signature server includes a signing target data acquisition function for acquiring signing target data, a signature data transmission function for transmitting to a long-term signature terminal signature data for the electronic-signing of the acquired signing target data, a signature value reception function for receiving an electronic signature value of the signing target data generated using the signature data transmitted from the long-term signature terminal, a time stamp acquisition function for acquiring a time stamp corresponding to the received electronic signature value, and a signature data generation function for generating basic signature data using at least the acquired signing target data, the received electronic signature value, and the acquired time stamp.

Abstract: According to an embodiment, a system is provided comprising a memory and a processor. The memory may be operable to store a master image associated with a user account. The master image may comprise an image of a physical, non-living object. The processor may be coupled to the memory and may be operable to receive a request to perform a transaction associated with the user account. The processor may be further operable to receive an image that is scanned in real-time in conjunction with the request to perform the transaction. The processor may be further operable to compare the scanned image with the master image associated with the user account and to perform the transaction if the scanned image is substantially similar to the master image.

Abstract: A timestamping system including a plurality of time servers and a timestamping device, the timestamping device including a dividing processing unit dividing an electronic document into a plurality of divided data items by a secret sharing scheme, a distributing processing unit transmitting the divided data items to different servers, respectively, and collecting, from each of the servers, each of the divided data items corresponding to the electronic document being requested for timestamping by a user, a restoring processing unit restoring the electronic document by a secret sharing scheme based on each of the collected divided data items, and an existed time calculating unit calculating and outputting an existed time regarding the electronic document based on timestamps applied to the data items when the electronic document can be normally restored.

Abstract: A computer readable medium stores a program causing a computer to execute a key generating processing. The computer generates a signatory private key which is used in an electronic signature, a signatory public key, a signatory public key certificate, a certification public key which is used when recording the signatory private key in a PKI card and a certification private key, transmits the certification private key to the PKI card via a secure communication path, and transmits an encoded signatory key obtained by encoding the signatory public key certificate and the signatory private key using the certification public key to the PKI card via the secure communication path or a non-secure communication path.

Abstract: Methods and systems for robust watermark insertion and extraction for digital set-top boxes are disclosed and may include descrambling, detecting watermarking messages in a received video signal utilizing a watermark message parser, and immediately watermarking the descrambled video signal utilizing an embedded CPU. The embedded CPU may utilize code that may be signed by an authorized key, encrypted externally to the chip, decrypted, and stored in memory in a region off-limits to other processors. The video signal may be watermarked in a decompressed domain. The enabling of the watermarking may be verified utilizing a watchdog timer. The descriptors corresponding to the watermarking may be stored in memory that may be inaccessible by the main CPU. The watermark may comprise unique identifier data specific to the chip and a time stamp, and may be encrypted utilizing an on-chip combinatorial function.

Abstract: A data processing system for distributing and authenticating documents from a plurality of parties to a recipient data processing apparatus is disclosed. The system comprises a plurality of document distribution devices each configured to generate an original hash value from the content of a file containing a document to be distributed. A recipient data processing apparatus is configured to generate an original super hash value from the plurality of the original hash values, and to distribute the original super hash value to each of the document distribution devices. The system provides assurance that distributed documents have not been tampered with during communication, by an unscrupulous distributing party, or by an unscrupulous recipient by only submitting a hash value of the document to be distributed. The hash value provides for assurance at the eventual recipient of the document that no changes to the document have been made.

Abstract: An electronic device generates identifying values which are used in authenticating the electronic device. The device comprises an interface, a private key generator for generating a private key, a non-volatile memory for storing at least the private key, an index source, a hash engine, and a logical interconnection between the private key generator, the non-volatile memory, the index source, the hash engine and the interface. The hash engine generates identifying values provided to the interface via the logical interconnection. The identifying values are provided to a verifying device for use in authenticating the electronic device. Alternatively or in addition, devices may be paired to share a root key to cryptographically communicate between each other and/or to authenticate each other.

Abstract: A method of performing a transaction between a first device and a second device, the first device having an established trusted communication relation with a first trusted device and the second device having an established trusted communication relation with a second trusted device, the first and the second trusted device each having an established trusted communication relation with a fourth trusted device, comprises the steps of the first device sending, to the first trusted device, first input data, and the second device sending, to the second trusted device, second input data, the first trusted device confirming the originality of the first device and sending the first input data to the fourth trusted device, and the second trusted device confirming the originality of the second device and sending the second input data to the fourth trusted device, the fourth trusted device, upon receipt of the first and the second input data, sending to the first trusted device a first receipt message comprising the f

Abstract: Existing video surveillance security approaches enhanced with suitable functionality of the telecommunications wireless network are provided. Security personnel are equipped with hand-held devices capable of recording video, photos, audio, and text. This data is geo-tagged and time-stamped by the application and uploaded to the telecommunications network and stored in the network. As such, the geo-tagged, time-stamped information is immediately available to other investigators who are in the same geographic vicinity through access controls administered by a secure social network. The information may also be accessible from remote locations via the internet. All wireless and Internet communications may be protected using end-to-end secure transport layer communications protocols.

Abstract: An apparatus and a method for validating requests to thwart cross-site attacks is described. A user identifier token, a request identifier token, and a timestamp, are generated at a web application of a server. A Message Authentication Code (MAC) value is formed based on the user identifier token, the request identifier token, and the timestamp using a secret key of the web application. Names of the form elements are enciphered. Fake form elements can also be added to the dynamic form. The entire page also can be enciphered. The dynamic form is sent with the MAC value and the time stamp to a client. A completed form comprising a returned MAC value and a returned timestamp is received from the client. The completed form is validated at the server based on the returned MAC value and the returned timestamp.

Abstract: A secure protocol for transactions, such as electronic commerce transactions, is described that provides improved security through exploiting an independent (where this independence is logical and/or physical) communication path (e.g., between a customer and a back-end financial institution), ensuring that key financial information remains within the back-end financial institutions themselves. Hence, this protocol directly reduces cyber-crime risks through improvements to transaction security. In addition, various implementations of the secure protocol provide non-repudiation for one or more of the entities involved in the transaction.

Abstract: A computerized authentication method of an electronic document, in particular a file designed to be on-board an aircraft. The method includes generating a digital signature of the electronic document using a private key corresponding to a public key certified by a certifying authority, and sending via the Internet a time stamp request of the electronic document to a time stamping authority and receiving in response thereto a time-stamp signed by the certifying authority. The method includes sending via the Internet a request to an Online Certificate Statute Protocol (OCSP) server and receiving in response thereto a statute of the certificate of the public key, and adding to the electronic document of the digital signature, the time-stamp and the statute of the certificate to create an authenticated electronic document.

Abstract: Authentication codes associated with an entity are generated. A stored secret associated with an entity is retrieved. At a first point in time, a first dynamic value associated with a first time interval is determined. A first authentication code based on the first dynamic value is determined. At a second point in time, a second dynamic value associated with a second time interval is determined. A second authentication code based on the second dynamic value is determined. The first and second authentication codes are derived from the stored secret and the amount of time between the first and second points in time is different from the length of the first time interval.

Abstract: The present invention is related to a wireless transmit/receive unit (WTRU) for providing advanced security functions. The WTRU includes trusted platform module (TPM) for performing trusted computing operations; and a secure time component (STC) for providing a secure measurement of a current time. The STC and the TPM are integrated to provide accurate trusted time information to internal and external to the WTRU. The STC may be located on an expanded a subscriber identity module (SIM), on the WTRU platform, or two STCs may be used, one in each location. Similarly, the TPM may be located on an expanded SIM, on the WTRU platform, or two TPMs may be used, one in each location. Preferably, the STC will include a real time clock (RTC); a tamper detection and power failure unit; and a time report and sync controller.

Abstract: A method and system for entity public key acquiring, certificate validation and authentication by introducing an online credible third party is disclosed. The method includes the following steps: 1) an entity B transmits a message 1 to an entity A; 2) the entity A transmits a message 2 to a credible third party TP after receiving the message 1; 3) the credible third party TP determines the response RepTA after receiving the message 2; 4) the credible third party TP returns a message 3 to the entity A; 5) the entity A returns a message 4 to the entity B after receiving the message 3; 6) the entity B receives the message 4; 7) the entity B transmits a message 5 to the entity A; 8) the entity A receives the message 5.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for authorizing actions of a service provider. In one aspect, a method includes providing a user security key to a mobile device of a user. A request is received from a client device distinct from the mobile device to perform an action. A challenge token including a security signature matched to a service security key is generated, and the challenge token is provided to the mobile device. An approval value is received from the client device. The approval value is determined to be valid in reference to the challenge token and the user security key previously provided to the mobile device and to indicate approval to perform the action for the user. The action is performed in response to receiving the approval value.

Abstract: A method for safe data communication via WAN, LAN (e.g. Internet) between at least one external access unit and a field device, or a field bus adapter for determining or monitoring at least one physical or chemical process parameter. According to the method unauthorized accessing of a field device, or a field bus adapter, in the field is blocked in that the operator of the field device or the field bus adapter permits the external access unit to have targeted access to the field device, or the field bus adapter.

Abstract: Virtual account based digital cash protocols employ two pairs of private and public keys. Each public key is certified separately and the protocols do not use any blind signature schemes. As a result, the virtual account based digital cash protocols provide strong protection of the user privacy by using two certified public keys instead of a blind signature. One pair of certified keys consists of one master user private key and one master user public key. A second pair of certified keys consists of one pseudonym user private key and one pseudonym user public key. The use of a master key pair and a pseudonym key pair circumvents the need for blind signatures. As a result, the proposed protocols do not require blind signatures and do not add additional overhead and security requirements necessitated by conventional blind signature schemes.

Abstract: A method of detecting a fault attack including generating a first signature of a first group of data values by performing a single commutative non-Boolean arithmetic operation between all the data values of the first group; generating a second set of data values by performing a permutation of the first set of data values; generating a second signature of the second group of data values by performing said single commutative non-Boolean arithmetic operation between all the data values of the second group; and comparing the first and second signatures to detect a fault attack.

Abstract: A method and apparatus for secure generation of a short-term key SK for viewing information content in a Multicast-broadcast-multimedia system are described. A short-term key is generated by a memory module residing in user equipment (UE) only when the source of the information used to generate the short-term key can be validated. A short-term key can be generated by a Broadcast Access Key (BAK) or a derivative of BAK and a changing value with a Message Authentication Code (MAC) appended to the changing value. A short-term key (SK) can also be generated by using a private key and a short-term key (SK) manager with a corresponding public key distributed to the memory module residing in the user equipment (UE), using a digital signature.

Abstract: A system and method for data storage and removal includes providing databases and providing encryption keys. Each database is associated with a database time period and each encryption key is associated with an encryption time period. Data items are received and each data item is encrypted using the encryption key associated with the encryption time period that corresponds to a time associated with the data item. Each encrypted data item is stored in the database associated with the database time period that corresponds to the time associated with the data item. Each encryption key is deactivated at a predetermined time after the associated encryption time period ends. Each database is made irretrievable upon a determination that all of the encryption keys associated with the data items stored in that database have been deactivated.

Abstract: The invention concerns a method of detecting a fault attack including providing a plurality of blinding values; generating a first set of data elements including a first group of data elements and at least one additional data element generated by performing the exclusive OR between at least one data element in the first group and at least one of the blinding values; generating a second set of data elements corresponding to the exclusive OR between each data element of the first set and a selected one of the plurality of blinding values; generating a first signature by performing a commutative operation between each of the data elements of the first set; generating a second signature by performing the commutative operation between each of the data elements of the second set; and comparing the first and second signatures to detect a fault attack.

Abstract: A method for improving accuracy of a time estimate used in digital rights management (DRM) license validation is disclosed. In one embodiment, a memory device receives a request to validate a DRM license stored on the memory device, wherein the DRM license is associated with a time stamp update policy (TUP) that specifies when a new time stamp is needed. Before attempting to validate the DRM license, the memory device determines if a new time stamp is needed based on the TUP associated with the DRM license. If a new time stamp is needed, the memory device receives the new time stamp and then attempts to validate the DRM license using a time estimate based on the new time stamp. Other embodiments are disclosed, and each of the embodiments can be used alone or together in combination.

Abstract: Long-Term Validation (LTV) of a digital signature status indicator is disclosed. In some embodiments, the Long-Term Validation of a digital signature status indicator includes automatically determining whether a digital signature of a digitally signed document is LTV enabled based at least in part on LTV information; and generating an LTV status indicator that displays whether the digital signature of the digitally signed document is LTV enabled.

Abstract: The present invention provides systems and methods for secure transaction management and electronic rights protection. Electronic appliances such as computers equipped in accordance with the present invention help to ensure that information is accessed and used only in authorized ways, and maintain the integrity, availability, and/or confidentiality of the information. Such electronic appliances provide a distributed virtual distribution environment (VDE) that may enforce a secure chain of handling and control, for example, to control and/or meter or otherwise monitor use of electronically stored or disseminated information. Such a virtual distribution environment may be used to protect rights of various participants in electronic commerce and other electronic or electronic-facilitated transactions. Distributed and other operating systems, environments and architectures, such as, for example, those using tamper-resistant hardware-based processors, may establish security at each node.

Abstract: The present invention validates provenance dates of electronic documents. A document version date may be determined by creating a unique checksum for the document and having the document's owner digitally sign it with a private key. The checksum and digital signature are securely stored by an authorization entity along with a timestamp fixing the date/time. A unique resource identifier is returned to the user. Subsequently, if the document's date needs to be proved to a third party, a verification program is applied to the original document to create a new checksum. The unique resource identifier is used to retrieve the signed checksum from the authorization entity. Upon verification of matching checksums, the timestamp provided by the authorization entity proves the date/time the document existed. In addition, the public key provided by the document owner proves that the checksum was signed by the owner's private key, proving their ownership.