Entries |
Document | Title | Date |
20080209210 | MASTER KEY TRUST GRANTS AND REVOCATIONS FOR MINOR KEYS - A method and apparatus is provided that allows code signed by a master key to grant trust to an arbitrary second key, and also allows code, referred to as an antidote and also signed by the master key to revoke permanently the trust given to the second key. | 08-28-2008 |
20080244263 | Certificate management system - A system and method for generating and storing a large number of public key certificates that enables a revocation status to be determined while providing a smaller amount of storage than is typically required. | 10-02-2008 |
20080244264 | PUBLIC KEY CERTIFICATE VALIDATION SYSTEM - To validate a certificate of a service provider apparatus, a service receiving apparatus determines a certificate validation method on based on a combination of the performance of the service receiving apparatus, the performance of a CRL repository apparatus, the performance of a certificate validation apparatus, and the performance of a network, and performs validation of a certificate by the determined method. Furthermore, to validate a certificate of a service provider apparatus, a service receiving apparatus requests a method selection apparatus to validate the certificate, and the method selection apparatus determines a certificate validation method based on a combination of the performance of the method selection apparatus, the performance of the CRL repository apparatus, the performance of the certificate validation apparatus and the performance of the network, validates the certificate by the determined method, and notifies a validation result to the service receiving apparatus. | 10-02-2008 |
20080263354 | AUTHENTICATION OF DATA TRANSMITTED IN A DIGITAL TRANSMISSION SYSTEM - A method of authenticating data transmitted in a digital transmission system, in which the method comprises the steps, prior to transmission, of determining at least two encrypted values for at least some of the data, each encrypted value being determined using a key of a respective encryption algorithm, and outputting said at least two encrypted values with said data. | 10-23-2008 |
20080270790 | APPARATUS AND METHOD FOR ENHANCED REVOCATION OF DIRECT PROOF AND DIRECT ANONYMOUS ATTESTATION - In some embodiments, a method and apparatus for enhanced revocation of direct proof and direct anonymous attestation are described. In one embodiment a trusted hardware device verifies that membership of the device within a trusted membership group is not revoked according to a revocation list received with a challenge request from a verifier. Once such verification is performed, the device convinces the verifier of possessing cryptographic information without revealing unique, device identification information of the trusted hardware device or the cryptographic information. In one embodiment, the trusted hardware device computes a digital signature on a message received with the challenge request to the verifier if membership of the anonymous hardware device within a trusted membership group is verified. In one embodiment, the verifier authenticates the digital signature according to a public key of the trusted membership group to enable a trusted member device to remain anonymous to the verifier. Other embodiments are described and claimed. | 10-30-2008 |
20080294891 | Method for Authenticating a Mobile Node in a Communication Network - A method for authenticating a mobile node ( | 11-27-2008 |
20080307223 | APPARATUS AND METHOD FOR ISSUER BASED REVOCATION OF DIRECT PROOF AND DIRECT ANONYMOUS ATTESTATION - In some embodiments, a method and apparatus for issuer based revocation of direct proof and direct anonymous attestation are described. In one embodiment, a trusted hardware device convinces a verifier that the trusted hardware device possesses cryptographic information without revealing unique, device identification information of the trusted hardware device or the cryptographic information. Once the verifier is convinced that the hardware device possesses the cryptographic information, the verifier may issue a denial of revocation request to the trusted hardware device, including a base value B | 12-11-2008 |
20080320300 | Authorisation and Authentication - The invention relates to content distribution over a network and provides methods of controlling the distribution, of receiving the content and of publishing content. The method of controlling distribution of content over a network includes receiving a content description and location information for a source of the content from a publisher, where the content description comprises authorisation details associated with the publisher. The validity of the authorisation details is checked and if found to be valid, the content description is provided to a node in the network | 12-25-2008 |
20080320301 | METHOD AND APPARATUS FOR RESTRICTING OPERATION OF DEVICE - A method of restricting operation of a device is provided. Based on a revocation list, which is a list regarding revoked devices, the method determines whether the device is the revoked device, based on the determination, decides whether to operate a Digital Rights Management (DRM) module of the device, and based on the decision, selectively restricts the operation of the device. | 12-25-2008 |
20090013177 | LICENSE MANAGEMENT SYSTEM AND METHOD - A license-management system and method is provided. A method of issuing a proxy certificate includes transmitting a proxy-certificate-issuance-request message to a license server in order for the local license manager to acquire an authority to issue a license by a local license manager; enabling the license server to verify the proxy-certificate-issuance-request message; if the proxy-certificate-issuance-request message is valid, transmitting a proxy certificate to the local license manager by the license server, the proxy certificate including information regarding the authority to issue a license; and verifying the proxy certificate by the local license manager. | 01-08-2009 |
20090019280 | Method of validating a digital certificate and a system therefor - A method of validating a digital certificate comprises retrieving from a first data store a digital certificate, retrieving from a second data store a plurality of certificate revocation lists (CRLs), and selecting one of the plurality of CRLs to validate the digital certificate as of a date which is before the current date. | 01-15-2009 |
20090031127 | Methods and systems for proofing identities using a certificate authority - A digital certificate is provided to a customer having an electronic account linked to the customer's physical address. Using the digital certificate, the customer performs electronic transactions with a third party. A proofing workstation receives a request from a third party to validate the digital certificate. The proofing workstation communicates with a proofing server that maintains a list of valid certificates and a list of revoked certificates. The proofing server sends a response to the proofing workstation, where it is received by the third party. | 01-29-2009 |
20090037729 | AUTHENTICATION FACTORS WITH PUBLIC-KEY INFRASTRUCTURE - A user access control system comprising a workstation coupled to a computer network and operable to receive a request for an authenticated access to the computer network, and to prompt for and receive one or more credentials associated with the request, a gating authentication server coupled to the computer network and operable to receive the one or more credentials and to provide as a gating factor an authenticated credential, and a public key infrastructure server coupled to the computer network and operable to generate private/public key pairs associated with the authenticated credential, wherein the private/public key pairs are either generated after a request for access to the computer system has been received at the workstation and the gating authentication server has authenticated the one or more credentials provided through the workstation, or the private/public key pairs are retrieved from a previously generated virtual smart card based on the authentication credential. | 02-05-2009 |
20090063854 | Method for revoking a digital signature - A method and apparatus for revoking a digital signature using a signature revocation list. In one embodiment, the method includes generating the signature revocation list to indicate revocation status of a signature. The signature is created from an encryption key and a document. The method also includes computing an identifier of the signature in the signature revocation list based on contents of the signature. The method further includes publishing the signature revocation list for access by users of the document. | 03-05-2009 |
20090063855 | Reduced computation for generation of certificate revocation information - A method and apparatus for propagating certificate revocation information. A first query is received regarding a revocation status of a first digital certificate. One or more additional queries are received regarding revocation statuses of one or more additional digital certificates. A response to the first query and the one or more additional queries is generated, the response including the revocation status of the first digital certificate and the revocation statuses of the one or more additional digital certificates. | 03-05-2009 |
20090106551 | DYNAMIC DISTRIBUTED KEY SYSTEM AND METHOD FOR IDENTITY MANAGEMENT, AUTHENTICATION SERVERS, DATA SECURITY AND PREVENTING MAN-IN-THE-MIDDLE ATTACKS - A distributed key encryption system and method is provided in which a key storage server provides a session key to the source and destination computers by encrypting the session key with unique distributed private keys that are associated with the respective source and destination computers by unique private key identifiers The destination computer then decrypts the encrypted session key using it's distributed private key and then decrypts the communication using the decrypted session key. | 04-23-2009 |
20090113206 | Revocation List Improvement - A method for enforcing use of certificate revocation lists in validating certificates, the lists being associated with a series of list generation indices such that each list is assigned one index which advances according to a time of generation of the list, the lists and the indices being cryptographically signed, the method including receiving one of the lists and an associated index as an identifier of the one list, checking the certificates against the list, associating each of the certificates, which have been checked against the list, with the index, receiving an enforcement generation index (EGI) associated with a latest list in use, storing the EGI as a last known EGI, and refusing performance of an action associated with a certificate if the one index of the one certificate is earlier in the series than the last known EGI. Related apparatus and methods are also included. | 04-30-2009 |
20090132813 | Apparatus and Methods for Providing Scalable, Dynamic, Individualized Credential Services Using Mobile Telephones - Apparatus and methods perform transactions in a secure environment between an individual and another party, such as a merchant, in various embodiments. The individual possesses a mobile electronic device, such as a smartphone, that can encrypt data according to a public key infrastructure. The individual authenticates the individual's identity to the device, thereby unlocking credentials that may be used in a secure transaction. The individual causes the device to communicate the credentials, in a secure fashion, to an electronic system of a relying party, in order to obtain the relying party's authorization to enter the transaction. The relying party system determines whether to grant the authorization, and communicates the grant and the outcome of the transaction to the device using encryption according to the public key infrastructure. | 05-21-2009 |
20090138704 | Cryptographic method with integrated encryption and revocation, system, device and programs for implementing this method - A first entity ( | 05-28-2009 |
20090150666 | INFORMATION PROCESSING APPARATUS AND LICENSE DISTRIBUTION SYSTEM - There are provided an information processing apparatus and a license distribution system including the information processing apparatus in which the reproduction or duplication of a content can be limited to the interior of a domain and a benefit based on the fact that an external device has participated in the domain can be made available at the time of reissuing a license. | 06-11-2009 |
20090164776 | REVOCATION STATUS CHECKING FOR DIGITAL RIGHTS MANAGMENT - In accordance with an embodiment, a method, apparatus or tangible computer medium (which stores computer executable code or program code) performs or facilitates: maintaining information identifying a plurality of devices with which interaction has occurred; transmitting the information identifying the plurality of devices to a remote trusted party; receiving from the trusted party status information pertaining to a trustworthiness of the identified devices based on the transmitted information; and controlling subsequent interaction relating to transfer or exchange of access rights for electronic content with one or more devices based on the received status information corresponding to the one or more devices. | 06-25-2009 |
20090177881 | Proactive forced renewal of content protection implementations - A system for proactive forced renewal of content protection implementations in devices includes a key generation facility to generate and allocate keys for the devices, and to generate revocation data corresponding to revoked keys in response to at least one of a security compromise and on a periodic basis independent of a security compromise; and a device manufacturer to receive the keys from the key generation facility, to embed the keys in content protection implementations for the devices, to distribute the devices, and to renew the content protection implementations in devices after the devices are distributed, in response to at least one of a security compromise and on a periodic basis independent of a security compromise. | 07-09-2009 |
20090210704 | SYSTEM AND METHOD FOR WITHDRAWING RIGHTS OBJECT OF THE DIGITAL CONTENTS - A system in which a source device can withdraw a Rights Object (RO) that a source device requested a target device to move through a Rights Issuer (RI) and operation method thereof are provided. The method includes transmitting a rights object withdrawal request message to a rights issuing server by a device, transmitting a rights object withdrawal response message to the device by the rights issuing server in response to the rights object withdrawal request message, and withdrawing and installing a corresponding rights object when receiving the rights object withdrawal response message by the device. | 08-20-2009 |
20090210705 | Revocation for direct anonymous attestation - Direct Anonymous Attestation involves a Signer using a credential supplied by an Issuer to anonymously prove to a Verifier, on the basis of a public key of the Issuer, the Issuer's attestation to the Signer's membership of a particular group. To facilitate membership revocation, the Issuer updates the public key at intervals, and also effects a complementary updating to the Signer's credential unless the Signer has ceased to be a legitimate group member. A non-updated credential is inadequate to enable the Signer to prove its Issuer attested group membership to a Verifier on the basis of the updated Issuer public key. | 08-20-2009 |
20090235071 | CERTIFICATE ASSIGNMENT STRATEGIES FOR EFFICIENT OPERATION OF THE PKI-BASED SECURITY ARCHITECTURE IN A VEHICULAR NETWORK - A system and method for assigning certificates and reducing the size of the certificate revocation lists in a PKI based architecture for a vehicle wireless communications system that includes separating a country, or other area, into geographic regions and assigning region-specific certificates to the vehicles. Therefore, a vehicle need only process certificates and certificate revocation lists for the particular region that it is traveling in. Vehicles can be assigned multiple certificates corresponding to more than one region in the vehicles vicinity as advance preparation for possible travel or transmission into nearby regions. Further, the expiration time of certificates assigned to vehicles corresponding to a given geographic region can be tailored to be inversely proportional to the distance from a registered home region of the vehicle. A scalable design for a back-end certifying authority with region-based certificates can also be provided. | 09-17-2009 |
20090249062 | METHOD AND APPARATUS FOR DISTRIBUTING CERTIFICATE REVOCATION LISTS (CRLs) TO NODES IN AN AD HOC NETWORK - A method and apparatus for distributing Certificate Revocation List (CRL) information in an ad hoc network are provided. Ad hoc nodes in an ad hoc network can each transmit one or more certificate revocation list advertisement message(s) (CRLAM(s)). Each CRLAM includes an issuer certification authority (CA) field that identifies a certification authority (CA) that issued a particular certificate revocation list (CRL), a certificate revocation list (CRL) sequence number field that specifies a number that specifies the version of the particular certificate revocation list (CRL) that was issued by the issuer certification authority (CA). Nodes that receive the CRLAMs can then use the CRL information provided in the CRLAM to determine whether to retrieve the particular certificate revocation list (CRL). | 10-01-2009 |
20090259843 | REVOCATION OF CRYPTOGRAPHIC DIGITAL CERTIFICATES - Different targets (c | 10-15-2009 |
20090265547 | REVOCATION OF CRYPTOGRAPHIC DIGITAL CERTIFICATES - Different targets (c | 10-22-2009 |
20090287924 | REVOCATION OF CRYPTOGRAPHIC DIGITAL CERTIFICATES - Different targets (c | 11-19-2009 |
20090319784 | DYNAMIC VERIFICATION VALUE SYSTEM AND METHOD - A method for forming a dynamic verification value. The method includes altering a first data string to form a second data string, and forming a first dynamic verification value using at least a portion of the second data string. The first dynamic verification value is used to authenticate a portable consumer device in a first transaction. The second data string is used to form a third data string. A second dynamic verification value is formed using at least a portion of the third data string. The second dynamic verification value is used to authenticate the portable consumer device in a second transaction. | 12-24-2009 |
20090327708 | CERTIFICATE DISTRIBUTION USING SECURE HANDSHAKE - A method, system, and computer usable program product for certificate distribution using a secure handshake are provided in the illustrative embodiments. A client sends an indication in a request, the request being a part of a secure data communication with a server. The indication indicates an ability of the client to accept a certificate as a part of a response from the server. The server retrieves a new certificate. The server sends as a result of the indication, a new certificate in the response corresponding to the request. The client receives as a result of the indication, the new certificate in a response that corresponds to the request. The client separates the new certificate from the response and uses the new certificate in the secure data communication with the server. The server uses the new certificate in the secure data communication with the client. | 12-31-2009 |
20100005292 | METHOD AND APPARATUS FOR EFFICIENT CERTIFICATE REVOCATION - Revocation of digital certificates in a public-key infrastructure is disclosed, particularly in the case when a certificate might need to be revoked prior to its expirations. For example, if an employee was terminated or switched roles, his current certificate should no longer be valid. Accordingly, novel methods, components and systems are presented for addressing this problem. A solution set forth herein is based on the construction of grounded dense hash trees. In addition, the grounded dense hash tree approach also provides a time-communication tradeoff compared to the basic chain-based version of NOVOMODO, and this tradeoff yields a direct improvement in computation time in practical situations. | 01-07-2010 |
20100023760 | METHOD, SYSTEM, AND DATA SERVER FOR CHECKING REVOCATION OF CONTENT DEVICE AND TRANSMITTING DATA - A method of checking revocation of a device and software, and transmitting data to a secure device and secure software whose keys have not been leaked is provided. The method includes receiving authentication information of a device requesting transmission of data, and authentication information of software accessing the data in the device; checking revocation of the device and the software, based on the received authentication information; and transmitting the data to the software of the device, when the device and the software are not revoked as a result of the checking. By doing so, during transmission of data, such as content or a license, it is possible to check security of a device and software being executed in the device, so that the data can be more safely transmitted. | 01-28-2010 |
20100049971 | Apparatus and Method for Using Secure Removable Media (SRM) in Digital Rights Management - An apparatus and a method for using a Secure Removable Media (SRM) in Digital Rights Management (DRM) are provided. The method for using the SRM in Digital Rights Management (DRM) includes determining, at a plurality of content service providers, an SRM usage rule and providing the determination to a trust authority using an eXtensible Markup Language (XML); receiving messages comprising the SRM usage rule from the content service providers and sending the messages to an apparatus together with an electronic signature; and receiving the messages comprising the SRM usage rule and changing an operation of the apparatus according to requirements of at least one content service provider. Thus, various content business models can be realized. | 02-25-2010 |
20100077208 | CERTIFICATE BASED AUTHENTICATION FOR ONLINE SERVICES - In one embodiment, a client computer system receives user credentials from a computer user. The client computer system formulates a system identifier that uniquely identifies the system, and sends the received user credentials with the system identifier to an authentication service running on a datacenter server. The authentication service is configured to authenticate the user credentials and generate an authentication certificate based on the user credentials and the system identifier. The client computer system receives the generated authentication certificate from the authentication service and stores the received authentication certificate. The computer system receives an authentication request to authenticate the user subsequent to storing the certificate and, in response to the authentication request, automatically sends the stored authentication certificate to indicate to the datacenter server that the user is authorized to access the datacenter-provided information, without prompting the user to provide user credentials for authentication. | 03-25-2010 |
20100082977 | SIP Signaling Without Constant Re-Authentication - A proxy server causes an authentication authority to authenticate a client in response to a first Session Initiation Protocol (SIP) request of the client on a connection. It does not cause the client to be authenticated in response subsequent requests on the connection as long as the underlying connection is not broken, the subsequent requests are on behalf of the same client, the client has not been removed from the system, the client's password has not changed, a “safety net” timer has not expired, or any other policy that the server chooses to enforce. This eliminates the overhead of constant re-authentication in response to each SIP request. | 04-01-2010 |
20100088508 | METHOD FOR PROTECTING CONTENT - Disclosed are a method of protecting content and a method of processing information. The method of protecting content can include service related information including revocation application information of content from the outside by employing a content management and protection system, and apply or not apply a content revocation process on the content according to the re- vocation application information. Accordingly, whether to apply a content revocation process can be controlled according to revocation application information. | 04-08-2010 |
20100106967 | METHOD AND ARRANGEMENT FOR PROVISIONING AND MANAGING A DEVICE - A system, method, and owner node for securely changing a mobile device from an old owner to a new owner, or from an old operator network to a new operator network. The old owner initiates the change of owner or operator. The old owner or operator then commands the mobile device to change a currently active first key to a second key. The second key is then transferred to the new owner or operator. The new owner or operator then commands the mobile device to change the second key to a third key for use between the mobile device and the new owner or operator. Upon completion of the change, the new owner or operator does not know the first key in use before the change, and the old owner does not know the third key in use after the change. | 04-29-2010 |
20100106968 | CONTENT DISTRIBUTION STORAGE SYSTEM, METHOD FOR OBTAINING CONTENT, NODE DEVICE, AND COMPUTER READABLE MEDIUM - A content distribution storage system includes: a first transmission unit configured to transmit a special content including certificate revocation list information indicating a list of at least an invalid electronic certificate to a first node group; a second transmission unit configured to transmit identification information for identifying the special content to a second node group; and a first node device. The first node device includes: a certificate obtaining unit configured to obtain the electronic certificate; an identification information obtaining unit configured, based on the obtained electronic certificate, to obtain the identification information of the special content comprising the certificate revocation list information corresponding to the obtained electronic certificate obtained; and a special content obtaining unit configured to obtain the special content from at least one node device of the first node group which stores the special content associated with the obtained identification information. | 04-29-2010 |
20100122081 | METHOD OF VALIDATION PUBLIC KEY CERTIFICATE AND VALIDATION SERVER - In response to a validation request that includes second information identifying the certificate authority, key information of the certificate authority at issuance of the public key certificate, and information identifying the public key certificate, if the second information identifying the certificate authority included in the validation request corresponds to the first information identifying the certificate authority included in the authority certificate, and the information identifying the public key certificate included in the validation request does not exist in the revocation information, the validation server creates a validation result indicating that the public key certificate corresponding to the information identifying the public key certificate included in the validation request is valid. | 05-13-2010 |
20100138652 | CONTENT CONTROL METHOD USING CERTIFICATE REVOCATION LISTS - Host devices present both the host certificate and the pertinent certificate revocation lists to the memory device for authentication so that the memory device need not obtain the list on its own. Processing of the certificate revocation list and searching for the certificate identification may be performed concurrently by the memory device. The certificate revocation lists for authenticating host devices to memory devices may be stored in an unsecured area of the memory device for convenience of users. | 06-03-2010 |
20100146265 | Method, apparatus and system for employing a secure content protection system - A method, apparatus and system for employing a secure content protection system is disclosed. In one embodiment, a certificate having a unique device identification associated with a first device is received, and, at a second device, a revocation list having unauthorized device identifications is received. The unique device identification is incrementally compared with the unauthorized device identifications of the revocation list, and media content is transmitted from the second device to the first device, if the unique device identification is not matched with the unauthorized device identifications of the revocation list. | 06-10-2010 |
20100153713 | Systems and methods for detecting exposure of private keys - A system and method can include comparing entities associated with public certificates and private keys in a keystore to detect compromised private keys. This increases security of systems implementing public key cryptography over a network. The comparison can be triggered by a trigger event in one embodiment. If a private key belonging to a certificate authority is detected, a notification can be generated. Alternatively or in addition, a revocation request can be generated for public certificates corresponding to the compromised private key. | 06-17-2010 |
20100153714 | USE OF MODULAR ROOTS TO PERFORM AUTHENTICATION INCLUDING, BUT NOT LIMITED TO, AUTHENTICATION OF VALIDITY OF DIGITAL CERTIFICATES - Authentication of elements (e.g. digital certificates | 06-17-2010 |
20100161972 | DEVICE AND METHOD FOR KEY BLOCK BASED AUTHENTICATION - The invention relates to a device ( | 06-24-2010 |
20100205431 | SYSTEM, METHOD AND PROGRAM PRODUCT FOR CHECKING REVOCATION STATUS OF A BIOMETRIC REFERENCE TEMPLATE - A system, method and program product for checking the revocation status of a biometric reference template. The method includes creating a revocation object for a reference template generated for an individual, where the revocation object contains first plaintext data providing a location for checking revocation status of the reference template and containing ciphertext data identifying the unique reference template identifier and a hash of the reference template. The method further includes providing the revocation object to a relying party requesting revocation status and sending a request to an issuer of the reference template for checking the revocation status of the reference template, without revealing identity of the individual. The method further includes returning results of the revocation status check to the relying party. In an embodiment, a random value is added to the ciphertext data for preserving privacy of the reference template holder. | 08-12-2010 |
20100235628 | System and Method for Accessing Keys for Secure Messaging - Methods and systems for handling on an electronic device a secure message to be sent to a recipient. Data is accessed about a security key associated with the recipient. The received data is used to perform a validity check related to sending a secure message to the recipient. The validity check may uncover an issue that exists with sending a secure message to the recipient. A reason is determined for the validity check issue and is provided to the mobile device's user. | 09-16-2010 |
20100250922 | METHOD AND SYSTEM FOR PROPAGATING TRUST IN AN AD HOC WIRELESS COMMUNICATION NETWORK - A method and system enable robust and scalable propagation of trust between a first organization and a second organization, both operating in an ad hoc wireless communication network. The method includes establishing at a first member node of the first organization pair-wise trust with a first member node of the second organization using a predetermined inter-organizational trust establishment device (step | 09-30-2010 |
20100275015 | ANONYMOUS REGISTER SYSTEM AND METHOD THEREOF - A uniform certificate revocation list managing apparatus is provided for managing canceled register information of all believable groups in a believable anonymous register system. Canceled register information includes canceled member information of each believable group, list information of unbelievable groups, and list information of unbelievable register service institutions. The uniform certificate revocation list managing apparatus interacts with each believable group and each register system, so as to update a certificate revocation list of each believable group in real time. | 10-28-2010 |
20100275016 | DATA SECURITY - In one embodiment, a method is provided that may include one or more operations. One of these operations may include, in response, at least in part, to a request to store input data in storage, encrypting, based least in part upon one or more keys, the input data to generate output data to store in the storage. The one or more keys may be authorized by a remote authority. Alternatively or additionally, another of these operations may include, in response, at least in part, to a request to retrieve the input data from the storage, decrypting, based at least in part upon the at least one key, the output data. Many modifications, variations, and alternatives are possible without departing from this embodiment. | 10-28-2010 |
20100287370 | REVOCATION OF CRYPTOGRAPHIC DIGITAL CERTIFICATES - Different targets (c | 11-11-2010 |
20100313014 | DOWNLOADABLE SECURITY BASED ON CERTIFICATE STATUS - A conditional access system (CAS) computer in a downloadable CAS receives a downloadable management certificate (DMC) and determines, using the DMC, security information including a DMC key size and an expiration time of a DMC subordinate certificate authority (sub-CA) certificate, for the client device. The CAS computer then determines whether the DMC is valid based on the expiration time of the DMC sub-CA certificate. If the DMC is determined to be valid, the CAS server sends a cryptographic identity for the client device and a CAS client to the client device protected using the DMC. At a later time, if the DMC key size is considered to be still sufficiently secure, the validity of the DMC is extended by issuing a new DMC sub-CA certificate with the same public key as the original DMC sub-CA certificate. | 12-09-2010 |
20100318790 | CARD MANAGEMENT DEVICE AND CARD MANAGEMENT SYSTEM - A card management device includes: a card device configured to include a controller on which a cryptographic IP is mounted in advance; and an individual information writing device configured to allow the card device to be connected to the individual information writing device in such a way that the card device is capable of data transfer to the individual information writing device, individual information assigned to the card device in advance being set in the individual information writing device, the individual information writing device being capable of writing the individual information to the card device connected to the individual information writing device. | 12-16-2010 |
20100318791 | CERTIFICATE STATUS INFORMATION PROTOCOL (CSIP) PROXY AND RESPONDER - Systems and methods are disclosed for providing certificate status information about a certificate includes receiving, at a Certificate Status Information Protocol (CSIP) proxy device the certificate identity information about the certificate of the second device. Then determining, using the CSIP proxy device, whether the certificate status information is stored in a CSIP proxy device memory. If the certificate status information is not stored in the CSIP proxy device memory, creating a CSIP request based on the certificate identity information and sending the CSIP request, including the certificate identity information, to a CSIP responder computer outside the local network domain. If the certificate status information is stored in the CSIP proxy device memory, sending the certificate status information to the first device. Also, a system and method are disclosed for using a CSIP responder computer. | 12-16-2010 |
20100325429 | SYSTEMS AND METHODS FOR MANAGING CRLS FOR A MULTI-CORE SYSTEM - The present invention is directed towards systems and methods for maintaining Certificate Revocation Lists (CRLs) for client access in a multi-core system. A first core may generate a secondary CRL corresponding to a master CRL maintained by the first core. The CRLs may identify certificates to revoke. The first core can store the secondary CRL to a memory element accessible by the cores. A second core may receive a request to validate a certificate. The second core can provisionally determine, via access to the secondary CRL, whether the certificate is revoked. The second core may also determine not to revoke the certificate. Responsive to the determination, the second core may request the first core to validate the certificate. The first core can determine whether to revoke the certificate based on the master CRL. The first core may send a message to the second core based on the determination. | 12-23-2010 |
20100332825 | System and Method for Dynamic Multi-Attribute Authentication - In accordance with the teachings of the present invention, a system and method for dynamic, multi-attribute authentication are provided. In a particular embodiment, a method for authentication includes receiving, at an authentication web server, an authentication request comprising a workstation message and a user message, wherein the workstation message comprises a workstation object and a workstation signature, the workstation object comprises a workstation certificate associated with a workstation, the user message comprises a user object and a user signature, and the user object comprises a copy of the workstation message and a user certificate associated with a user of the workstation. The method further includes verifying the workstation signature and user signature, validating the workstation certificate and the user certificate, retrieving one or more caveats associated with the workstation and one or more caveats associated with the user, and determining one or more caveats associated with both the workstation and the user. | 12-30-2010 |
20100332826 | Memory Device and Method for Updating a Security Module - A memory device and method for updating a security module are disclosed. In one embodiment, a memory device is provided comprising a memory operative to store content and a controller in communication with the memory. The controller is configured to send an identification of the memory device's security module to a host and receive an identification of the host's security module. If the memory device's security module is out-of-date with respect to the host's security module, the memory device receives a security module update from the host. If the host's security module is out-of-date with respect to the memory device's security module, the memory device sends a security module update to the host. | 12-30-2010 |
20110083011 | METHOD FOR A PUBLIC-KEY INFRASTRUCTURE FOR VEHICULAR NETWORKS WITH LIMITED NUMBER OF INFRASTRUCTURE SERVERS - A system, and method related thereto, for providing a vehicular communications network public-key infrastructure. The system comprises a plurality of communications infrastructure nodes and a plurality of vehicles each having a communications component. The communications component provides vehicle to vehicle (V2V) communications, and communications via infrastructure nodes. A communications security component in each of the plurality of vehicles provides security for the communications between the plurality of vehicles using a plurality of security modules. The security modules include a certificate management module. A public key interface module may include a public key, a private key, an anonymous key and a management key. The system further includes a detection and response module for attack detection and attack mitigation. The communications security component assigns and installs at least one security key, a certificate of operation, and a current certificate revocation list. The communications component provides secure communications between the plurality of vehicles. | 04-07-2011 |
20110107090 | System and Method for Flying Squad Re Authentication of Enterprise Users - Enterprise users access several applications and services routinely to carry out their work-related activities on a day-to-day basis. These applications and services could be hosted within an enterprise or on a third-party data center. The enterprise users login into the applications and services so as to gain access to the applications and services. In the case of single sign-on, it is expected that the users authenticate once to a specific application/service/system and obtain access to any other application/service/system. In such a scenario, it is important to ensure that during the course of this authenticated access grant, the right users are provided access to right information. This is achieved by a re-authentication system that demands minimum re-authentication effort from “right” users and maximum re-authentication effort from “non-right” users. A system and method of on the fly re-authentication involves a novel challenge-response mechanism. | 05-05-2011 |
20110126005 | DYNAMIC CONFIGURATION OF CONNECTORS FOR SYSTEM-LEVEL COMMUNICATIONS - A host device comprises a configurable connector. The host device connector can be connected to a configurable connector of an accessory device. The host device can select connector functions to be enabled for connecting to the accessory device connector. The selection of connector functions can be based on accessory device information such as accessory device power consumption, power configuration and application information. The accessory device can exclude connector functions supported by the accessory device from the list of accessory device functions sent to the host device. The accessory device can exclude connector functions based on information about the host and connector devices. Single or mutual authentication can be performed before connection functions are enabled at either device. Host and accessory devices can require that a host device be licensed to use an accessory device connector function or to gain access to accessory device resources. Tiered licensing policies can be supported. | 05-26-2011 |
20110145569 | METHOD AND SYSTEM FOR PROVISIONING MULTIPLE DIGITAL CERTIFICATES - A method of provisioning a first digital certificate and a second digital certificate based on an existing digital certificate includes receiving information related to the existing digital certificate. The existing digital certificate includes a first name listed in a Subject field and a second name listed in a SubjectAltName extension. The method also includes receiving an indication from a user to split the existing digital certificate and extracting the first name from the Subject field and the second name from the SubjectAltName extension of the existing digital certificate. The method further includes extracting the public key from the existing digital certificate, provisioning the first digital certificate with the first name listed in a Subject field of the first digital certificate and the public key, and provisioning the second digital certificate with the second name listed in a Subject field of the second digital certificate and the public key. | 06-16-2011 |
20110154026 | SYSTEMS AND METHODS FOR PARALLEL PROCESSING OF OCSP REQUESTS DURING SSL HANDSHAKE - The present invention is directed towards systems and methods for processing an Online Certificate Status Protocol (OCSP) request in parallel to processing a Secure Socket Layer (SSL) handshake. The method includes transmitting, by an OCSP responder of an intermediary device between a plurality of clients and one or more servers, an OCSP request to a OCSP server for a status of a client certificate responsive to receiving the client certificate from a client during a SSL handshake. The intermediary device may continue to perform remaining portions of the SSL handshake while the OCSP request to the OCSP server is outstanding. The intermediary device may establish an SSL connection for the SSL handshake. The intermediary device may determine whether to terminate or maintain the established SSL connection based on the status of the client certificate received via a response from the OCSP server. | 06-23-2011 |
20110154027 | METHOD AND SYSTEM FOR CO-TERMINATION OF DIGITAL CERTIFICATES - A method of renewing a plurality of digital certificates includes receiving, at a first time, a request from a user to renew a first digital certificate and determining an expiration date for the first digital certificate. The method also includes receiving, at a second time, a request from the user to renew a second digital certificate and determining an expiration date for the second digital certificate. The expiration date for the second certificate is later than the expiration date for the first certificate. The method further includes determining a new expiration date occurring after the first time and the second time and renewing the first digital certificate. An expiration date for the renewed first digital certificate is equal to the new expiration date. Moreover, the method includes renewing the second digital certificate. An expiration date for the renewed second digital certificate is equal to the new expiration date. | 06-23-2011 |
20110154028 | SYSTEM AND METHOD FOR ADMINISTERING DIGITAL CERTIFICATE CHECKING - Systems and methods for handling electronic messages. An electronic message that is associated with a digital certificate is to be processed. A decision whether to check the validity of the digital certificate is based upon digital certificate checking criterion. An IT administrator may provide to one or more devices configuration data that establishes the digital certificate checking criterion. | 06-23-2011 |
20110161663 | INTELLIGENT CACHING FOR OCSP SERVICE OPTIMIZATION - An online certificate status checking protocol (OCSP) system is provided for use with a first device, an end device and a certificate authority. The first device can provide a certificate. The end device can provide an OCSP request based on the certificate and process an OCSP response. The certificate authority can provide a CRL update. The certificate has a validity period. The OCSP system includes an OCSP responder, and OCSP proxy and a cache. The OCSP responder can provide the OCSP response. The OCSP proxy can receive the OCSP request from the end device, can send the OCSP request to the OCSP responder, can receive the OCSP response from the OCSP responder and can send the OCSP response to the end device. The cache can store information based on the OCSP response. The OCSP proxy can further store, in the cache, information based on the OCSP response and can send a proactive OCSP request to the OCSP responder based on a predetermined policy. The OCSP responder can further send a proactive OCSP response to the OCSP proxy in response to the proactive OCSP request. The OCSP proxy can further update the information in the cache based on the proactive OCSP response. The OCSP proxy can additionally provide, using the updated information in the cache, a second OCSP response to the end device in response to a subsequent request from the end device related to information of the certificate. | 06-30-2011 |
20110191581 | METHOD AND SYSTEM FOR USE IN MANAGING VEHICLE DIGITAL CERTIFICATES - A system and method is provided for managing digital certificates, the system including one or more a certificate authorities and a vehicle-bound digital certificate manager, the apparatus comprising: a mobile client having a wireless transceiver with internet protocol capabilities and a vehicle communication device; the client further including at least one processor and at least one non-transitory computer readable medium encoded with instructions, which when loaded on the at least one computer, establishes processes for information handling, comprising: establishing secure communications with a certificate authority to receive at least one of a Vehicle Identification Digital Certificate (“VIDC”), an Anonymous Vehicle digital Certificate (“AVDC”), and a Certificate Revocation Lists (“CRLs”); storage management of at least one of the VIDC, AVDCs, and CRLs; and forwarding of at least one of the VIDC, AVDCs, and CRLs received from the certificate authority to the digital certificate manager using the vehicle communication device. | 08-04-2011 |
20110213963 | USING AN OCSP RESPONDER AS A CRL DISTRIBUTION POINT - A certificate revocation list (CRL) distribution system receives a request from a client pertaining to a status of a certificate and determines whether the client is an online certificate status protocol (OCSP) compliant client. The certificate status distribution system sends the certificate status to the client using OCSP in response to a determination that the client is an OCSP compliant client and sends a certificate revocation list to the client in response to a determination that the client is not an OCSP compliant client. | 09-01-2011 |
20110213964 | AUTOMATICALLY DETERMINING AN ACCEPTABLE CRL SIZE BASED ON SYSTEM CAPABILITY - A certificate revocation list (CRL) deployment system loads a portion of test data that represents revoked certificates into a cache at periodic intervals and generates a CRL for a corresponding periodic interval using the test data that is loaded in the cache at that corresponding periodic interval. The CRL deployment system determines a CRL size that the server computing system is capable to support using the generated CRLs and notifies a user of the CRL size that the server computing system is capable to support. | 09-01-2011 |
20110213965 | IDENTITY MANAGEMENT CERTIFICATE OPERATIONS - A method and system for identity management certificate operations is described. | 09-01-2011 |
20110213966 | AUTOMATICALLY GENERATING A CERTIFICATE OPERATION REQUEST - A method and system for automatically generating a certificate operation request is described. | 09-01-2011 |
20110213967 | PRE-ENCODING A CACHED CERTIFICATE REVOCATION LIST - A method and system for pre-encoding a cached CRL is described. | 09-01-2011 |
20110213968 | System and Methods to Perform Public Key Infrastructure (PKI) Operations in Vehicle Networks using One-Way Communications Infrastructure - A set of certificate management methods designed to significantly reduce or eliminate reliance on infrastructure network connectivity after vehicles are sold uses techniques to support certificate management operations in order to reduce the frequency which vehicles need to communicate with the Certificate Authorities (CAs) and the amount of data that needs to be exchanged between vehicles and the CA. These methods include, for example, approaches to use one-way communications and vehicle-to-vehicle (V2V) communications to replace expired certificates, approaches to use one-way communications and V2V communications to replace revoked certificates, and use of a small subset of vehicles as proxies to help retrieve and distribute Certificate Revocation Lists (CRLs) and replacement certificates. The combination of these techniques leads to solutions that can eliminate the need for roadside infrastructure networks completely. | 09-01-2011 |
20110213969 | DYNAMIC CRYPTOGRAPHIC SUBSCRIBER-DEVICE IDENTITY BINDING FOR SUBSCRIBER MOBILITY - A method of authentication and authorization over a communication system is provided. The method performs a first authentication of a device based on a set of device identity and credentials. The first authentication includes creation of a first set of keying material. The method also includes performing a second authentication of a subscriber based on a set of subscriber identity and credentials. The second authentication includes creation of a second set of keying material. A set of compound key material is created with a key derivation mechanism that uses the first set of keying material and the second set of keying material. A binding token is created by cryptographically signing at least the device identity authenticated in the first authentication and the subscriber identity authenticated in the second authentication using the set of compound keying material. The signed binding token is exchanged for verification with an authenticating and authorizing party. | 09-01-2011 |
20110213970 | PROACTIVE FORCED RENEWAL OF CONTENT PROTECTION IMPLEMENTATIONS - A method, apparatus, and system for proactive forced renewal of content protection implementations in devices. The method includes, on a first substantially periodic basis, automatically pushing a new content protection implementation to a device that contains an existing content protection implementation; wherein the existing content protection implementation comprises (a) existing software for presenting protected content and (b) an existing key to facilitate presentation of protected content; and wherein the new content protection implementation comprises a new key to supersede the existing key for facilitating presentation of protected content. On a second substantially periodic basis, the method includes automatically pushing revocation data to the device, the revocation data to identify a plurality of revoked keys, each revoked key of the plurality of revoked keys comprising a key that has been superseded by the new key of the new content protection implementation. | 09-01-2011 |
20110219227 | AUTOMATED CERTIFICATE MANAGEMENT - A certificate management system provides automated management of certificate lifecycles and certificate distribution. Rather than depend upon an administrator to manually distribute and manage certificates, the system self-generates certificates, distributes the certificates to appropriate servers or other parties, and transitions from old certificates to new certificates in a well-defined manner that avoids breaking functionality. After generating one or more certificates, the system securely shares certificates in a way that parties that use them can find the new certificates without an administrator manually distributing the certificates. When it is time to update certificates, the system generates new certificates and shares the new certificates in a similar way. During a transition period, the system provides a protocol by which both old and new certificates can be used to perform authenticated access to resources, so that the transition from an old to a new certificate does not break services. | 09-08-2011 |
20110225420 | MODULE SIGNING FOR UNPRIVILEGED USERS TO CREATE AND LOAD TRUSTWORTHY KERNEL MODULES - A module building system, hosted by a server, receives a user script to be run to monitor software on a client using an introspection tool. The server adds safety constraints to the user script and generates a client kernel module using the user script which includes the safety constraints. The server signs the client kernel module and sends the signed client kernel module to the client. The signed client kernel module allows a user to use the introspection tool to load and execute the client module on the client for monitoring the software on the client. | 09-15-2011 |
20110246765 | Efficient, Secure, Cloud-Based Identity Services - An Identity Ecosystem Cloud (IEC) provides global, scalable, cloud-based, cryptographic identity services as an identity assurance mechanism for other services, such as data storage, web services, and electronic commerce engines. The IEC complements these other services by providing enhanced identity protection and authentication. An IEC performs identity services using surrogate digital certificates having encryption keys that are never exposed to the public. An individual requesting other services must meet an identity challenge before access to these other services is granted. Service requests to the IEC, and responses from the IEC, are securely encrypted. An IEC integrates smoothly into existing services by layering on top of, or being used in conjunction with, existing security measures. Identity transactions may be logged in a manner that complies with strict medical and financial privacy laws. | 10-06-2011 |
20110258435 | Threat Mitigation in a Vehicle-to-Vehicle Communication Network - A method is provided for obtaining a certificate revocation list (CRL) for a vehicle in a vehicle-to-vehicle communication system. A portable security unit is provided to access secured operations for the vehicle. The portable security unit is linked to a device having access to a communication network. The communication network is in communication with a certificate authority for issuing an updated CRL. The updated CRL is downloaded from the certificate authority to the portable security unit. At a later time, when a user enters the vehicle, a communication link is established between the portable security unit and a vehicle processor unit. Mutual authentication is exchanged between the portable security unit and the vehicle processing unit. The updated CRL stored in the portable security unit is downloaded to a memory of the vehicle communication system in response to a successful mutual authentication. | 10-20-2011 |
20110264911 | MEMORY DEVICE, HOST DEVICE, AND MEMORY SYSTEM - A memory device includes: a storage section configured to store public key information of a certificate authority for verifying a certificate and revocation information for revoking illegal devices and to include a secret area for storing data of which the confidentiality is to be guaranteed; and a control section configured to have a function of communicating with an external device and to control access to the secret area of the storage section at least in accordance with the revocation information. | 10-27-2011 |
20110302411 | METHOD AND SYSTEM FOR UPDATING AND USING DIGITAL CERTIFICATES - A method and system for updating and using a digital certificate, and the method comprises: a first terminal establishing a secure link with an access point and using the secure link to send a certificate updating request to the access point, where the certificate updating request includes a digital certificate to be updated which is currently used by the first terminal; and the access point sending the digital certificate to be updated to a local Authentication Service Unit which issues the certificate to be updated; and the local Authentication Service Unit which issues the digital certificate to be updated verifying the digital certificate to be updated, and after the digital certificate is verified to be valid, a local Authentication Service Unit corresponding to the access point generating a new digital certificate of the first terminal and sending the new digital certificate to the first terminal through the access point. | 12-08-2011 |
20110320809 | METHOD AND APPARATUS FOR KEY REVOCATION IN AN ATTRIBUTE-BASED ENCRYPTION SCHEME - A method and apparatus for key revocation in an attribute-based encryption scheme is provided herein. Prior to operation, a key management service performs a randomized setup algorithm resulting in the generation of public parameters and the key management service's master secret, MK. During operation, the key management service is provided with verified user attribute information. The key management service creates keys for users based on their list of attributes. The keys can then be used to decode appropriate ciphertext. During the key creation, each attribute is associated with a particular text string. As attributes are revoked, the text string is updated. | 12-29-2011 |
20110320810 | INFORMATION PROCESSING DEVICE, INFORMATION PROCESSING METHOD, AND PROGRAM - An information processing device includes: a data processing unit that executes a process of reproducing content recorded in a medium; and a memory storing a content revocation list in which an identifier (ID) of revoked content is recorded, wherein the data processing unit compares a minimum allowable version of a content revocation list recorded in a token which is management data corresponding to content recorded in the medium with a version of a content revocation list acquired from the memory, and when the version of the content revocation list acquired from the memory is an old version lower than the minimum allowable version of the content revocation list recorded in the token, the data processing unit halts determination on revocation of content based on the content revocation list acquired from the memory and reproduction of content. | 12-29-2011 |
20110320811 | INFORMATION PROCESSING DEVICE, INFORMATION PROCESSING METHOD, AND PROGRAM - An information processing device includes: a data processing unit that executes a process of reproducing content recorded in a medium, wherein the data processing unit acquires a token from the medium, the token being management data corresponding to content recorded in the medium, compares a server ID recorded in the acquired token with a server ID recorded in a server certificate acquired from a server from which the management data is acquired, and halts reproduction of content when the two server IDs are not identical. | 12-29-2011 |
20120017083 | GROUP SIGNATURE WITH LOCAL REVOCATION VERIFICATION WITH CAPACITY FOR LIFTING ANONYMITY - The cryptographic scheme subdivides time into periods with an index j=0, 1, 2, etc. A public key indicates elements u and v of a first cyclic group G | 01-19-2012 |
20120023329 | INFORMATION PROCESSING DEVICE, CONTROLLER, KEY ISSUING AUTHORITY, METHOD FOR JUDGING REVOCATION LIST VALIDITY, AND KEY ISSUING METHOD - A memory card | 01-26-2012 |
20120030461 | MOBILE CERTIFICATE DISTRIBUTION IN A PKI - A method of providing certificate issuance and revocation checks involving mobile devices in a mobile ad-hoc network (MANET). The wireless devices communicate with each other via Bluetooth wireless technology in the MANET, with an access point (AP) to provide connectivity to the Internet. A Certificate authority (CA) distributes certificates and certification revocation lists (CRLs) to the devices via the access point (AP). Each group of devices has the name of the group associated with the certificate and signed by the CA. A device that is out of the radio range of the access point may still connect to the CA to validate a certificate or download the appropriate CRL by having all the devices participate in the MANET. | 02-02-2012 |
20120036353 | TAG GENERATION METHOD IN BROADCAST ENCRYPTION SYSTEM - A tag generation method for generating tags used in data packets in a broadcast encryption system is provided. The method includes detecting at least one revoked leaf node; setting a node identification (node ID) assigned to at least one node among nodes assigned node IDs at a layer 0 and to which the at least one revoked leaf node is subordinate, to a node path identification (NPID) of the at least one revoked leaf node at the layer 0; generating a tag list in the layer 0 by combining the NPID of each of the at least one revoked leaf nodes at the layer 0 in order of increment of node IDs of the corresponding at least one revoked leaf nodes; and generating a tag list in a lowest layer by repeatedly performing the setting and generation operation down to the lowest layer. | 02-09-2012 |
20120036354 | Wireless communication system, terminal, method for reporting status of terminal, and progam - A wireless communication system includes a plurality of terminals connected to at least one wireless network on the basis of authority of security configuration parameters shared by the plurality of terminals. Each of the plurality of terminals revokes security configuration parameters of the terminal itself or security configuration parameters of another terminal in accordance with an agreement with said another terminal. | 02-09-2012 |
20120072720 | Certificate Revocation - A communication system includes a plurality of nodes, the communication system being arranged to assign each of the plurality of nodes a certificate by means of which it can authenticate itself to other nodes in the communication system and periodically distribute to the plurality of nodes an update formed by compressing a data set representing the validity of the certificates assigned to the plurality of nodes. The update is such that a node may not be able to unambiguously determine from the update whether or not a particular certificate is valid. The system further provides the plurality of nodes with a source of information about the validity of the plurality of certificates that is different from the update and by means of which a node may resolve an ambiguity in the update regarding a particular certificate's validity. | 03-22-2012 |
20120072721 | Certificate Revocation - A communication system includes a plurality of nodes, the communication system being arranged to assign each of the plurality of nodes a certificate by means of which it can authenticate itself to other nodes in the communication system. The communication system further includes an authentication node arranged to determine that a certificate should be revoked and to, responsive to that determination, write an indicator of that certificate's revocation to a location in the communication system that is external to the authentication node and to which the node assigned the revoked certificate is not permitted to write. | 03-22-2012 |
20120166796 | SYSTEM AND METHOD OF PROVISIONING OR MANAGING DEVICE CERTIFICATES IN A COMMUNICATION NETWORK - A certificate manager transmits a certificate service advertisement to a plurality of certificate clients. The certificate service advertisement identifies the certificate manager and includes segregation data. The segregation data indicates a set of services offered or a set of clients for which the certificate manager offers service. Responsive to the transmitting of the certificate service advertisement, the certificate manager receives a certificate service request from at least one certificate client of the plurality of certificate clients. The certificate manager verifies that the at least one certificate client is associated with the set of clients for which the certificate manager offers service, and the certificate manager fulfills the certificate service request. | 06-28-2012 |
20120210124 | CLIENT DEVICE AND LOCAL STATION WITH DIGITAL RIGHTS MANAGEMENT AND METHODS FOR USE THEREWITH - A current version certificate is stored that includes a corresponding current version identifier. A current instance certificate is received from the certificate authority, wherein the current instance certificate includes the current version identifier of the current version certificate and a current instance public key corresponding to the current instance private key. The current instance certificate is sent to a local station, during a registration with the local station. A request for video content is generated and sent to the local station. First encrypted data is received from the local station, wherein the first encrypted data includes a content key that is encrypted via the current instance public key. Second encrypted data is received from the local station, wherein the second encrypted data includes the video content that is encrypted via the content key. | 08-16-2012 |
20120233458 | INFORMATION PROCESSING APPARATUS, INFORMATION PROCESSING METHOD, AND COMPUTER PROGRAM - An information processing apparatus and method that prior to using a digital certification considers a validity expiration date of the digital certificate as well as a usable deadline of an algorithm or a public key used in the digital certificate. | 09-13-2012 |
20120246469 | MASTER KEY TRUST GRANTS AND REVOCATIONS FOR MINOR KEYS - A method and apparatus is provided that allows code signed by a master key to grant trust to an arbitrary second key, and also allows code, referred to as an antidote and also signed by the master key to revoke permanently the trust given to the second key. | 09-27-2012 |
20120246470 | INFORMATION PROCESSING DEVICE, INFORMATION PROCESSING SYSTEM, SOFTWARE ROUTINE EXECUTION METHOD, AND REMOTE ATTESTATION METHOD - Techniques for protecting memory locations within a stakeholder's engine according to the Multi-Stakeholder Model, and a protocol for remote attestation to a device supporting the Multi-Stakeholder Model that provides extra evidence of the identity of the three actors. | 09-27-2012 |
20120254610 | REMOTE DISABLING OF APPLICATIONS - The claimed subject matter provides a method for revoking licensed software in a computing environment. An exemplary method includes receiving a machine ID from a computer system. An application program and a license credential for the application program are sent to the computer system. Subsequently, upon theft or other loss of the computer system, a request to revoke the license credential is received. The request identifies the machine ID. When the computer system subsequently initiates a connection, the connection is detected based on the machine ID. An indication that the license credential for the application program is revoked is sent to the computer system. When the application program is later initiated, its operation is disabled because of the revocation of the license credential. | 10-04-2012 |
20120303952 | Dynamic Platform Reconfiguration By Multi-Tenant Service Providers - A manageability engine or adjunct processor on a computer platform may receive a request for activation and use of features embedded within that platform from a service provider authorized by the manageability engine's manufacturer. The manageability engine may initiate a request for authority through the service provider to a permit server. The permit server may provide, through the service provider, proof of the service provider's authority, together with a certificate identifying the service provider. Then the manageability engine may enable activation of the features on the platform coupled to the manageability engine, but only by the one particular service provider who has been authorized. | 11-29-2012 |
20120311323 | System and Method of Accessing Keys for Secure Messaging - Methods and systems for handling on an electronic device a secure message to be sent to a recipient. Data is accessed about a security key associate with the recipient. The received data is used to perform a validity cheek related to sending a secure message to the recipient. The validity check may uncover an issue that exists with sending a secure message to the recipient. A reason is determined for the validity check issue and is provided to the mobile device's user. | 12-06-2012 |
20120324218 | Peer-to-Peer Trusted Network Using Shared Symmetric Keys - A unique, strong, shared, symmetric network-wide key (or a limited number of group-wide keys) is generated by a central authority and initially provisioned to nodes in a network, which use it for ensuing traffic encryption. Nodes establish trust by sending each other authentication messages encrypted with the shared secret key, and thereupon adding each other to their respective trust lists. Also, an optional rekeying scheme whereby an existing shared secret key can be replaced by a new secret key that is introduced by the central authority and automatically propagated from node to node through the network. | 12-20-2012 |
20130019093 | CERTIFICATE AUTHORITYAANM Seidl; RobertAACI KonigsdorfAACO DEAAGP Seidl; Robert Konigsdorf DEAANM Goetze; NorbertAACI EichenauAACO DEAAGP Goetze; Norbert Eichenau DEAANM Bauer-Hermann; MarkusAACI MunichAACO DEAAGP Bauer-Hermann; Markus Munich DE - A protocol for issuing and controlling digital certificates is described in which an identity management system is used to identify a user requesting a digital certificate and is also used to issue the digital certificate itself. Accordingly, an IDM-based PKI system is provided. | 01-17-2013 |
20130031363 | GENERATING A CRL USING A SUB-SYSTEM HAVING RESOURCES SEPARATE FROM A MAIN CERTIFICATE AUTHORITY SUB-SYSTEM - A server computing system initiates a first sub-system to generate a certificate revocation list (CRL) using resources that are separate from resources of a second sub-system that performs certificate authority (CA) management functions other than generating a CRL. The first sub-system receives a command from the second sub-system to update revocation data in a cache that is coupled to the first sub-system and generates a CRL using the updated revocation data in the cache. The first sub-system provides the CRL to the second sub-system. | 01-31-2013 |
20130036303 | PRIVATE CERTIFICATE VALIDATION METHOD AND APPARATUS - Methods and apparatuses for validating the status of digital certificates include a relying party receiving at least one digital certificate and determining if the at least one digital certificate is to be validated against a private certificate status database. The relying party accesses the private certificate status database and cryptographically validates the authenticity of data in the private certificate status database. The relying party also validates the at least one digital certificate based on information in at least one of the private certificate status database and a public certificate status database. | 02-07-2013 |
20130054963 | METHOD AND TERMINAL FOR AUTHENTICATING BETWEEN DRM AGENTS FOR MOVING RO - A digital Rights Management (DRM), and particularly an apparatus and method of authentication between DRM agents for moving Rights Object (RO) is provided, whereby RO and contents can be moved between DRM agents after a simple authentication therebetween using specific authentication information received from a Rights Issuer (R | 02-28-2013 |
20130061043 | METHOD OF VALIDATION PUBLIC KEY CERTIFICATE AND VALIDATION SERVER - In response to a validation request that includes second information identifying the certificate authority, key information of the certificate authority at issuance of the public key certificate, and information identifying the public key certificate, if the second information identifying the certificate authority included in the validation request corresponds to the first information identifying the certificate authority included in the authority certificate, and the information identifying the public key certificate included in the validation request does not exist in the revocation information, the validation server creates a validation result indicating that the public key certificate corresponding to the information identifying the public key certificate included in the validation request is valid. | 03-07-2013 |
20130067221 | MASTER KEY TRUST GRANTS AND REVOCATIONS FOR MINOR KEYS - A method and apparatus is provided that allows code signed by a master key to grant trust to an arbitrary second key, and also allows code, referred to as an antidote and also signed by the master key to revoke permanently the trust given to the second key. | 03-14-2013 |
20130080771 | APPARATUS AND METHOD FOR DIRECT ANONYMOUS ATTESTATION FROM BILINEAR MAPS - A method and apparatus for direct anonymous attestation from bilinear maps. In one embodiment, the method includes the creation of a public/private key pair for a trusted membership group defined by an issuer; and assigning a unique secret signature key to at least one member device of the trusted membership group defined by the issuer. In one embodiment, using the assigned signature key, a member may assign a message received as an authentication request to prove membership within a trusted membership group. In one embodiment, a group digital signature of the member is verified using a public key of the trusted membership group. Accordingly, a verifier of the digital signature is able to authenticate that the member is an actual member of the trusted membership group without requiring of the disclosure of a unique identification information of the member or a private member key to maintain anonymity of trusted member devices. Other embodiments are described and claimed. | 03-28-2013 |
20130117561 | SECURE DESKTOP APPLICATIONS FOR AN OPEN COMPUTING PLATFORM - Example secure desktop applications for an open computing platform are disclosed. An example secure desktop method for a computing platform disclosed herein comprises establishing a secure communication connection between a secure desktop provided by the computing platform and a trusted entity, the secure communication connection being accessible to a trusted application authenticated with the secure desktop, the secure communication connection being inaccessible to an untrusted application not authenticated with the secure desktop, and securing data that is stored by the secure desktop in local storage associated with the computing platform, the stored data being accessible to the trusted application and inaccessible to the untrusted application. | 05-09-2013 |
20130124858 | METHOD, HOST APPARATUS AND MACHINE-READABLE STORAGE MEDIUM FOR AUTHENTICATING A STORAGE APPARATUS - A method, a host apparatus, and a machine-readable storage medium are provided for authenticating a storage apparatus. The method includes acquiring an identification of the storage apparatus based on a request for using content stored in the storage apparatus; determining whether authentication of the identification of the storage apparatus is revoked; determining whether usage of the content is allowed, based on at least one of additional information about the content and additional information about a certificate revocation of the storage apparatus, when the authentication of the identification of the storage apparatus is revoked; and receiving the content from the storage apparatus, when the usage of the content is allowed. | 05-16-2013 |
20130132718 | System And Method For Long-Term Digital Signature Verification Utilizing Light Weight Digital Signatures - Various embodiments of a system and method for long-term digital signature verification utilizing light weight digital signatures are described. Embodiments may include a verifying entity system that receives digitally signed data including a portion of data, signing time, and digital signature. The verifying entity system may receive a digital certificate that includes information for verifying the digital signature and an expiration time for the certificate. The verifying entity system may receive CRL that persists revocation information corresponding to ones of the revoked digital certificates that have already expired. The verifying entity system may utilize the CRL to determine that the digital signature is valid subsequent to its expiration time. The verifying entity system may evaluate the CRL to determine that the digital certificate was not revoked at the signing time. The verifying entity system may determine the digital signature is a valid digital signature and generate a corresponding result. | 05-23-2013 |
20130132719 | INFORMATION PROCESSING APPARATUS, INFORMATION STORAGE APPARATUS, INFORMATION PROCESSING SYSTEM, AND INFORMATION PROCESSING METHOD AND PROGRAM - An information processing apparatus includes a data processing unit which executes processing for decoding and reproducing encrypted content. The data processing unit executes processing for determining whether the content can be reproduced by applying an encrypted content signature file. The encrypted content signature file stores information on issue date of the encrypted content signature file and an encrypted content signature issuer certificate with a public key of an encrypted content signature issuer. In determining whether the content can be reproduced, the data processing unit compares expiration date of the encrypted content signature issuer certificate with the information on issue date of the encrypted content signature file, and does not perform processing for decoding and reproducing the encrypted content when the expiration date is before the issue date, and performs the processing for decoding and reproducing the encrypted content only when the expiration date is not before the issue date. | 05-23-2013 |
20130145157 | SYSTEM AND METHOD FOR ADJUSTING THE FREQUENCY OF UPDATING CERTIFICATE REVOCATION LIST - A method for adjusting the frequency of updating certificate revocation list is provided. The method is used in a certificate authority. The method includes: receiving a first information indicating security levels from neighbor certificate authorities in a neighborhood or a central certificate authority; detecting whether the certificate authority has received a signal indicating that a user is using a revoked certificate and generating a second information of a security level; calculating an index value or a set of index values by the first information indicating the security levels of neighborhoods and the second information indicating its own security level; and adjusting the update frequency of updating the certificate revocation list according to the calculated index values or the set of index values. | 06-06-2013 |
20130145158 | System and Web Security Agent Method for Certificate Authority Reputation Enforcement - Network security administrators are enabled to revoke certificates with their customizable certificate authority reputation policy store which is informed by an independent certificate authority reputation server when a CA is deprecated or has fraudulent certificate generation. The custom policy store overrides trusted root certificate stores accessible to an operating system web networking layer or to a third party browser. Importing revocation lists or updating browsers or operating system is made redundant. The apparatus protects an endpoint from a man-in-the-middle attack when a certificate authority has lost control over certificates used in TLS. | 06-06-2013 |
20130185553 | SYSTEM AND METHOD FOR ADMINISTERING DIGITAL CERTIFICATE CHECKING - Systems and methods for handling electronic messages. An electronic message that is associated with a digital certificate is to be processed. A decision whether to check the validity of the digital certificate is based upon digital certificate checking criterion. An IT administrator may provide to one or more devices configuration data that establishes the digital certificate checking criterion. | 07-18-2013 |
20130191633 | SYSTEM AND METHOD FOR SUPPORTING MULTIPLE CERTIFICATE STATUS PROVIDERS ON A MOBILE COMMUNICATION DEVICE - A method and system for supporting multiple digital certificate status information providers are disclosed. An initial service request is prepared at a proxy system client module and sent to as proxy system service module operating at a proxy system. The proxy system prepares multiple service requests and sends the service requests to respective multiple digital certificate status information providers. One of the responses to the service requests received from the status information providers is selected, and a response to the initial service request is prepared and returned to the proxy system client module based on the selected response. | 07-25-2013 |
20130212383 | Revocation Information for Revocable Items - Techniques for providing revocation information for revocable items are described. In implementations, a revocation service is employed to manage revocation information for various revocable items. For example, the revocation service can maintain a revoked list that includes revoked revocable items, such as revoked digital certificates, revoked files (e.g., files that are considered to the unsafe), unsafe network resources (e.g., a website that is determined to be unsafe), and so on. In implementations, the revocation service can communicate a revoked list to a client device to enable the client device to maintain an updated list of revocation information. | 08-15-2013 |
20130238897 | METHOD AND APPARATUS FOR PROVIDING EFFICIENT MANAGEMENT OF CERTIFICATE REVOCATION - A method for providing efficient management of certificate revocation may comprise storing a list of identifiers of digital certificates including a revocation list defining a list of revoked certificates in an accumulator, storing a witness value in association with at least some entries in the revocation list in which the witness value provides proof of the membership or non-membership of an identifier in the revocation list, enabling generation of a new accumulator and a new witness value responsive to each insertion or deletion of an entry in the revocation list, and enabling batch updates to the revocation list using a reduced bitlength value generated based on to a ratio of a value generated based on elements added to the revocation list to a value generated based on elements deleted from the revocation list. A corresponding apparatus is also provided. A method for certificate authorities (CA) that use Bloom filters for certificate revocation list (CRL) compression that enables the CA to hash only the entry that is to be un-revoked so that a good compression rate may be provided while avoiding computation of the entire CRL for each un-revocation. | 09-12-2013 |
20130246786 | CLIENT DEVICE AND LOCAL STATION WITH DIGITAL RIGHTS MANAGEMENT AND METHODS FOR USE THEREWITH - A current version certificate is stored that includes a corresponding current version identifier. A current instance certificate is received from the certificate authority, wherein the current instance certificate includes the current version identifier of the current version certificate and a current instance public key corresponding to the current instance private key. The current instance certificate is sent to a local station, during a registration with the local station. A request is generated and sent to the local station. First encrypted data is received from the local station, wherein the first encrypted data includes a content key that is encrypted via the current instance public key. | 09-19-2013 |
20130254535 | EMBEDDED EXTRINSIC SOURCE FOR DIGITAL CERTIFICATE VALIDATION - A computer uses the information included within a digital certificate to obtain a current date and time value from a trusted extrinsic trusted source and the computer compares the obtained current date and time value to a validity period included in the digital certificate to determine if the digital certificate is expired. The information included within the digital certificate specifying an extrinsic source for the current date and time value can be included in an extension of the digital certificate, and the information can specify a plurality of extrinsic sources. | 09-26-2013 |
20130290706 | SYSTEM AND METHOD FOR SECURING CONTROLLERS - A system includes a controller and a certificate authority. The controller is configured to control a process. The certificate authority (CA) is configured to issue and to revoke certificates, wherein the controller is configured to use the CA to mutually authenticate a user to enter into a secure mode of operation. | 10-31-2013 |
20130305043 | System and Methods to Perform Public Key Infrastructure (PKI) Operations in Vehicle Networks using One-Way Communications Infrastructure - A set of certificate management methods designed to significantly reduce or eliminate reliance on infrastructure network connectivity after vehicles are sold uses techniques to support certificate management operations in order to reduce the frequency which vehicles need to communicate with the Certificate Authorities (CAs) and the amount of data that needs to be exchanged between vehicles and the CA. These methods include, for example, approaches to use one-way communications and vehicle-to-vehicle (V2V) communications to replace expired certificates, approaches to use one-way communications and V2V communications to replace revoked certificates, and use of a small subset of vehicles as proxies to help retrieve and distribute Certificate Revocation Lists (CRLs) and replacement certificates. The combination of these techniques leads to solutions that can eliminate the need for roadside infrastructure networks completely. | 11-14-2013 |
20130311773 | SECURE CREDENTIAL STORE - A credential store provides for secure storage of credentials. A credential stored in the credential store is encrypted with the public key of a user owning the credential. A first user may provide a credential owned by the first user to a second user. The first user may add credentials owned by the first user to the credential store. An administrator may manage users of the credential store without having the ability to provide credentials to those users. | 11-21-2013 |
20130318344 | SYSTEM AND METHOD FOR PROCESSING ENCODED MESSAGES FOR EXCHANGE WITH A MOBILE DATA COMMUNICATION DEVICE - A system and method are provided for pre-processing encrypted and/or signed messages at a host system before the message is transmitted to a wireless mobile communication device. The message is received at the host system from a message sender. There is a determination as to whether any of the message receivers has a corresponding wireless mobile communication device. For each message receiver that has a corresponding wireless mobile communication device, the message is processed so as to modify the message with respect to one or more encryption and/or authentication aspects. The processed message is transmitted to a wireless mobile communication device that corresponds to the first message receiver. The system and method may include post-processing messages sent from a wireless mobile communications device to a host system. Authentication and/or encryption message processing is performed upon the message. The processed message may then be sent through the host system to one or more receivers. | 11-28-2013 |
20130346746 | SYSTEMS AND METHODS FOR GENERATING AND USING MULTIPLE PRE-SIGNED CRYPTOGRAPHIC RESPONSES - Systems and methods are disclosed for generating and using multiple pre-signed cryptographic responses. In one implementation, the method includes generating multiple cryptographic datasets. Each cryptographic dataset has a different validity period. The method further includes upon a user request, identifying one or more cryptographic datasets that are still valid among the multiple cryptographic datasets. The method further includes identifying a cryptographic dataset having the shortest validity period among the one or more cryptographic datasets that are still valid. The method also includes providing the identified cryptographic dataset to the user. | 12-26-2013 |
20130346747 | SYSTEMS, METHODS AND APPARATUSES FOR SECURING ROOT CERTIFICATES - The systems, methods and apparatuses described herein provide a computing environment that manages root certificates. An apparatus according to the present disclosure may comprise a non-volatile storage storing a plurality of root certificates and a supervisor. The supervisor may be configured to receive a message identifying one of the plurality of root certificates stored in the non-volatile storage to be revoked, verify the message being signed by at least two private keys corresponding to two root certificates stored in the non-volatile storage and revoke the root certificate identified in the message. | 12-26-2013 |
20140006777 | Establishing Secure Communication Between Networks | 01-02-2014 |
20140013111 | Systems and Methods for Controlling Electronic Document Use - One exemplary embodiment involves receiving a request for a document key for accessing a document on a client device. The request comprises a user identity identifying a requester requesting access to the document. The request also comprises information about the document. The exemplary embodiment further involves determining, at the server, whether access to the document by the requester is permitted. And, the exemplary embodiment further involves, if access to the document is permitted computing, at the server, the document key using the user identity and using the information about the document. The document key is document specific and, prior to the computing of the document key, the document key is not stored for access by the server. The exemplary embodiment further involves responding to the request by providing the document key for use in accessing the document on the client device. | 01-09-2014 |
20140068251 | METHOD AND DEVICE FOR DYNAMICALLY UPDATING AND MAINTAINING CERTIFICATE PATH DATA ACROSS REMOTE TRUST DOMAINS - A method and device is provided for dynamically maintaining and updating public key infrastructure (PKI) certificate path data across remote trusted domains to enable relying parties to efficiently authenticate other nodes in an autonomous ad-hoc network. A certificate path management unit (CPMU) monitors a list of sources for an occurrence of a life cycle event capable of altering an existing PKI certificate path data. Upon determining that the life cycle event has occurred, the CPMU calculates a new PKI certificate path data to account for the occurrence of the life cycle event and provides the new PKI certificate path data to at least one of a relying party in a local domain or a remote CPMU in a remote domain. | 03-06-2014 |
20140082353 | SCALABLE GROUPS OF AUTHENTICATED ENTITIES - Example embodiments provide various techniques for securing communications within a group of entities. In one example method, a request from an entity to join the group is received and a signed, digital certificate associated with the entity is accessed. Here, the signed, digital certificate is signed with a group private key that is associated with a certification authority for the group. The signed, digital certificate is added to a group roster, and this addition is to admit the entity into the group. The group roster with the signed, digital certificate is itself signed with the group private key and distributed to the group, which includes the entity that transmitted the request. Communication to the entity is then encrypted using the signed, digital certificate included in the group roster. | 03-20-2014 |
20140101442 | SYSTEM AND WEB SECURITY AGENT METHOD FOR CERTIFICATE AUTHORITY REPUTATION ENFORCEMENT - Network security administrators are enabled to revoke certificates with their customizable certificate authority reputation policy store which is informed by an independent certificate authority reputation server when a CA is deprecated or has fraudulent certificate generation. The custom policy store overrides trusted root certificate stores accessible to an operating system web networking layer or to a third party browser. Importing revocation lists or updating browsers or operating system is made redundant. The apparatus protects an endpoint from a man-in-the-middle attack when a certificate authority has lost control over certificates used in TLS. | 04-10-2014 |
20140122873 | CRYPTOGRAPHIC ENFORCEMENT BASED ON MUTUAL ATTESTATION FOR CLOUD SERVICES - In accordance with embodiments disclosed herein, there are provided systems, apparatuses, and methods for implementing cryptographic enforcement based on mutual attestation for cloud services. For example, in one embodiment, such means may include receiving, at the service provider, a request from a client, the request being for services from the service provider to the client; sending to a trust broker, from the service provider, a trust policy of the service provider against which trustworthiness attributes and capabilities of both the service provider and the client are to be evaluated by the trust broker; receiving, at the service provider, a certificate from the trust broker attesting to compliance of the service provider with the trust policy; sending the certificate from the service provider to the client for affirming mutual attestation of both the service provider and the client in compliance with the trust policy according to evaluation by the trust broker; establishing a connection between the service provider and the client for the service provider to render the requested services to the client; and encrypting information exchanged between the service provider and the client in fulfillment of the request for services from the client. Other related embodiments are further described. | 05-01-2014 |
20140129829 | UNAUTHORIZED CONNECTION DETECTING DEVICE, UNAUTHORIZED CONNECTION DETECTING SYSTEM, AND UNAUTHORIZED CONNECTION DETECTING METHOD - An unauthorized connection detecting device which detects an unauthorized charge/discharge device includes: a time information obtaining unit obtaining, as time information, information from a first charge/discharge device, the information indicating at least one of an issuing date of a first certificate which is a public key certificate and an issuing date of a certificate revocation list held by the first charge/discharge device; an expiration date obtaining unit obtaining expiration date information from a second charge/discharge device, the expiration date information indicating an expiration date of a second certificate which is a public key certificate held by the second charge/discharge device; and an unauthorization detecting unit detecting whether or not the second charge/discharge device is the unauthorized charge/discharge device by comparing the time information with the expiration date information. | 05-08-2014 |
20140149740 | DETERMINATION METHOD FOR CRYPTOGRAPHIC ALGORITHM USED FOR SIGNATURE, VERIFICATION SERVER AND PROGRAM - On the basis of revocation information of a certificate, information of a certification authority and of the certificate issued by the certification authority from a terminal device, and information of a cryptographic algorithm, validity of the certificate from the terminal device is determined. If the certificate is valid, a validation result treating the certificate as valid is created, and using information of the cryptographic algorithm from the terminal device and information of the cryptographic algorithm used for the signature of the certification authority which has been imparted to the revocation information of the certificate, a selection list of cryptographic algorithms used for the response signature to impart to the verification result of the certificate is created to determine the cryptographic algorithm used for the response signature to impart the verification result of the certificate on the basis of the created list and the cryptographic algorithms capable of being accommodated by the verification server. | 05-29-2014 |
20140201520 | ATTRIBUTE-BASED ACCESS-CONTROLLED DATA-STORAGE SYSTEM - The current application is directed to computationally efficient attribute-based access control that can be used to secure access to stored information in a variety of different types of computational systems. Many of the currently disclosed computationally efficient implementations of attribute-based access control employ hybrid encryption methodologies in which both an attribute-based encryption or a similar, newly-disclosed policy-encryption method as well as a hierarchical-key-derivation method are used to encrypt payload keys that are employed, in turn, to encrypt data that is stored into, and retrieved from, various different types of computational data-storage systems. | 07-17-2014 |
20140215207 | PROVISIONING AND MANAGING CERTIFICATES FOR ACCESSING SECURE SERVICES IN NETWORK - Systems and methods for provisioning and managing of certificates in a network are described. In one implementation, a signing certificate is generated by a network device based on a root certificate of the network device. Based on the signing certificate of the network device, a client-device certificate is signed for a client device. The signed client-device certificate is provided to the client device for allowing the client device to access a secure service provided by the network device. | 07-31-2014 |
20140223174 | SECURING A COMPUTING DEVICE ACCESSORY - Various embodiments are disclosed that relate to security of a computer accessory device. For example, one non-limiting embodiment provides a host computing device configured to conduct an initial portion of a mutual authentication session with an accessory device, and send information regarding the host computing device and the accessory device to a remote pairing service via a computer network. The host computing device is further configured to, in response, receive a pairing certificate from the remote pairing service, the pairing certificate being encrypted via a private key of the remote pairing service, and complete the mutual authentication with the accessory device using the pairing certificate from the remote pairing service. | 08-07-2014 |
20140237228 | SMART CARD RENEWAL - A method includes storing creating a smart card with an expiration date and renewing the smart card after the expiration date. The smart card may be created with data stored upon the smart card for use in the renewal process. The data may comprise a certificate. The smart card may be issued at the information technology department of an organization and may be renewed at a user workstation of the organization. The renewal process may include a renewal environment for authenticating the holder of the smart card. The card holder may be required to provide a personal identification number in order to enter into the renewal environment. The rights conferred by the renewed smart card may be more limited than the rights conferred by the original smart card, both in duration and access to data within the organization. | 08-21-2014 |
20140250299 | EGM AUTHENTICATION MECHANISM USING MULTIPLE KEY PAIRS AT THE BIOS WITH PKI - Executable applications on a gaming machine are verified before they can be executed, for security purposes and to comply with jurisdictional requirements. Unlike in prior systems for authenticating the executable applications, embodiments allow for new executable applications to be provided and verified over time with different private and public key pairs, even after the operating code of the gaming machine is certified by the jurisdiction and deployed in the field. | 09-04-2014 |
20140258714 | Federated Digital Rights Management Scheme Including Trusted Systems - Federated systems for issuing playback certifications granting access to technically protected content are described. One embodiment of the system includes a registration server connected to a network, a content server connected to the network and to a trusted system, a first device including a non-volatile memory that is connected to the network and a second device including a non-volatile memory that is connected to the network. In addition, the registration server is configured to provide the first device with a first set of activation information in a first format, the first device is configured to store the first set of activation information in non-volatile memory, the registration server is configured to provide the second device with a second set of activation information in a second format, and the second device is configured to store the second set of activation information in non-volatile memory. | 09-11-2014 |
20140281504 | Authorizing Use Of A Test Key Signed Build - Methods, apparatuses, and computer program products for authorizing use of a test key signed build are provided. Embodiments include transmitting to an update provider system, unique data associated with a target system; receiving from the update provider system, a signed update capsule file; determining, by the target system, that a signature within the signed update capsule file is valid; in response to determining that the signature is valid, determining that the validation data within the signed update capsule file matches the unique data associated with the target system; and in response to determining that the validation data matches the unique data, determining that the target system is authorized to use a test key signed build to update the firmware of the target system. | 09-18-2014 |
20140281505 | Augmenting Name/Prefix Based Routing Protocols With Trust Anchor In Information-Centric Networks - An apparatus comprising a memory, a processor coupled to the memory, wherein the memory contains instructions that when executed by the processor cause the apparatus to receive an information centric network (ICN) name prefix announcement message comprising a message prefix specific to a publisher, a public key certificate specific to the content publisher, and a signature specific to the content publisher, verify the signature with a name registration service (NRS), and update internal data indicating that the content publisher is a trusted publisher, wherein the internal data comprises the prefix, the public key, and the signature. | 09-18-2014 |
20140289512 | METHOD FOR CERTIFICATE GENERATION AND REVOCATION WITH PRIVACY PRESERVATION - Embodiments of the present invention are directed to methods and systems for generating and revoking, as well as validating, certificates used to protect communications within networks while maintaining privacy protection. In the context of a method, certificate generation and revocation with privacy preservation comprises determining a secret value to be used by a certificate authority and an entity; constructing a key tree based on the secret value, wherein the leaves of the key tree represent derived keys for the certificates for the entity; and generating certificates for the entity based in part on the key tree leaves. The method further comprises determining that one or more of the certificates should be revoked; determining a minimum key node set that covers the certificates to be revoked; adding the minimum key node set to a certificate revocation list; and providing the certificate revocation list to one or more entities. Corresponding apparatuses and computer program products are also provided. | 09-25-2014 |
20140298010 | PUBLIC-KEY CERTIFICATE MANAGEMENT SYSTEM AND METHOD - Methods and systems for public-key certificate management comprise storing digital certificates in data structures that allow the manager to provide a verifiable proof about the validity status of a certificate. The certificates are stored in two data structures in a database. One data structure stores items in chronological order and is queried to establish a proof that a later snapshot of the database is an extension of an earlier snapshot of the database. Another data structure is ordered by user identifier and is queried to establish a proof that a given digital certificate is currently valid. | 10-02-2014 |
20140325209 | SYSTEM AND METHOD FOR MANAGING NETWORK ACCESS BASED ON A HISTORY OF A CERTIFICATE - Provided is a system and method for managing network access based on a history of a Certificate. The system includes an Authentication System structured and arranged to receive from a User a request for network access, the request including a Certificate and at least one associated Characteristic distinct from the Certificate. A validation system is in communication with the Authentication System and structured and arranged to receive a request for validation of the Certificate, the Validation System evaluating the at least one Characteristic against a History for the Certificate to provide a positive or negative evaluation. The Validation System updates the History for the Certificate to include the request for validation of the Certificate. In response to a positive evaluation validating the Certificate, the Authentication System permits network access to the user. In response to a negative evaluation the Authentication System blocking network access to the user and the Certificate being restricted. An associated method of use is also provided. | 10-30-2014 |
20140325210 | APPARATUS AND METHODS FOR ACTIVATION OF COMMUNICATION DEVICES - A method that incorporates teachings of the subject disclosure may include, for example, storing, by a universal integrated circuit card including at least one processor, a digital root certificate locking a communication device to a network provider, and disabling an activation of the communication device responsive to receiving an indication of a revocation of the stored digital root certificate from a certificate authority, wherein the indication of the revocation of the stored digital root certificate is associated with a revocation of permission for an identity authority to issue a security activation information to the communication device on behalf of the network provide. Other embodiments are disclosed. | 10-30-2014 |
20140344567 | IDENTITY-BASED CERTIFICATE MANAGEMENT - Methods for managing digital certificates, including issuance, validation, and revocation are disclosed. Various embodiments involve querying a directory service with entries that correspond to a particular client identity and have attributes including certificate issuance limits and certificate validity time values. The validity time values are adjustable to revoke selectively the certificates based upon time intervals set forth in validity identifiers included therein. | 11-20-2014 |
20140351581 | Revocation of Public Key Infrastructure Signatures - In one implementation, a public key infrastructure utilizes a two stage revocation process for a set of data. One stage authenticates or revokes the set of data based on the status of the digital signature and another stage authenticates or revokes the set of data based on the status of an individual signature by the digital certificate. For example, a digital certificate based is assigned a certificate number. A serial number is assigned for a signature for the set of data as signed by the digital certificate. A data transmission, data packet, or install package includes the set of data, the certificate number and the serial number. Therefore, individual instances of the signature may be revoked according to serial number. | 11-27-2014 |
20140380042 | COMPUTER NETWORK, NETWORK NODE AND METHOD FOR PROVIDING CERTIFICATION INFORMATION - A computer network for data transmission between network nodes, the network nodes being authenticatable to one another by authentication information of a public key infrastructure, with a root certificate authority configured to generate the authentication information for the public key infrastructure. The root certificate authority is arranged separate from the computer network and is not linked to the computer network. A network node of the computer network comprises an authentication information storage, a processor, a network communication device and an initialization device having an initialization communication device and a temporary authentication information storage that can be read out by the processor. | 12-25-2014 |
20150095641 | REVOCABLE PLATFORM IDENTIFIERS - A method includes receiving a request for a device to replace a unique identifier associated with the device with a revocable identifier, generating a revocable identifier for the device, wherein the revocable identifier comprises at least a cryptographic representation of the unique identifier associated with the device and a counter value, checking the generated revocable identifier to determine that the generated revocable identifier has not previously been generated for the device and associating the generated revocable identifier with the device. | 04-02-2015 |
20150121068 | APPARATUS AND METHOD FOR IMPLEMENTING COMPOSITE AUTHENTICATORS - A system, apparatus, method, and machine readable medium are described for implementing a composite authenticator. For example, an apparatus in accordance with one embodiment comprises: an authenticator for authenticating a user of the apparatus with a relying party, the authenticator comprising a plurality of authentication components; and component authentication logic to attest to the model and/or integrity of at least one authentication component to one or more of the other authentication components prior to allowing the authentication components to form the authenticator. | 04-30-2015 |
20150121069 | EMBEDDED EXTRINSIC SOURCE FOR DIGITAL CERTIFICATE VALIDATION - A computer uses the information included within a digital certificate to obtain a current date and time value from a trusted source extrinsic to the computer. The computer requests and receives the trusted current date and time value and compares the trusted current date and time value to a validity period included in the digital certificate, to determine if the digital certificate is expired. The information included within the digital certificate specifying an extrinsic source for the current date and time value can be included in an extension of the digital certificate, and the information can specify a plurality of extrinsic sources. | 04-30-2015 |
20150143108 | SYSTEM AND METHOD FOR UPDATING AN ENCRYPTION KEY ACROSS A NETWORK - Systems and methods are provided for generating subsequent encryption keys by a client device as one of a plurality of client devices across a network. Each client device is provided with the same key generation information and the same key setup information from an authentication server. Each client device maintains and stores its own key generation information and key setup information. Using its own information, each client device generates subsequent encryption keys that are common or the same across devices. These subsequent encryption keys are generated and maintained the same across devices without any further instruction or information from the authentication server or any other client device. Additionally, client devices can recover the current encryption key by synchronizing information with another client device. | 05-21-2015 |
20150149770 | TIME CHECK METHOD AND BASE STATION - A time check method and a base station are provided. The base station receives an authentication interaction message sent by an authentication interaction device; extracts time information in the authentication interaction message; and uses the time information to check local time. Before an Internet Key Exchange (IKE) connection is set up between the base station and a security gateway, relatively accurate time is obtained from an external authentication interaction device and is used for aligning the local time. Therefore, the cost of installing a clock component and a battery is saved, the time on the base station is trustworthy, and the security gateway is authenticated securely. | 05-28-2015 |
20150295721 | DEVICE AUTHENTICATION SYSTEM AND AUTHENTICATION METHOD - An authentication system according to the present disclosure includes a first controller connected to a first server via a first network, a second controller connected to a second server via a second network, and a device. The device compares a next issue date described in a first certificate revocation list acquired from the first controller and an issue date described in a second certificate revocation list acquired from the second controller thereby determining whether the first controller is invalid or not. | 10-15-2015 |
20150304310 | REVOCABLE SHREDDING OF SECURITY CREDENTIALS - Customers accessing resources and/or data in a multi-tenant environment can obtain assurance that a provider of that environment will honor only requests associated with the customer. A multi-tenant cryptographic service can be used to manage cryptographic key material and/or other security resources in the multi-tenant environment. The cryptographic service can provide a mechanism in which the service can receive requests to use the cryptographic key material to access encrypted customer data, export key material out of the cryptographic service, destroy key material managed by the cryptographic service, among others. Such an approach can enable a customer to manage key material without exposing the key material outside a secure environment. | 10-22-2015 |
20150312046 | CORRUPTING A HASH VALUE CORRESPONDING TO A KEY BASED ON A REVOCATION OF THE KEY - A request associated with a revocation of a key may be received. A hash value corresponding to the key that is stored in a memory may be identified. Furthermore, the hash value that is stored in the memory may be corrupted in response to the request associated with the revocation of the key. | 10-29-2015 |
20150318996 | SYSTEM AND METHOD FOR FILTERING DIGITAL CERTIFICATES - One example discloses a system for filtering digital certificates within a communications network, comprising: a first set of network-nodes, having a first attribute and a respective first set of digital certificates; a second set of network-nodes, having a second attribute and a respective second set of digital certificates; and a digital certificate authority, having a digital certificate validity list which includes the first and second sets of digital certificates; wherein the certificate authority filters the validity list based on the first attribute and transmits the filtered validity list to the first set of network nodes. Another example discloses a method for filtering digital certificates, comprising: maintaining a digital certificate validity list; identifying a set of network-nodes, having an attribute; filtering the validity list based on the attribute; and transmitting the filtered validity list to the set of network-nodes. | 11-05-2015 |
20150326401 | METHOD, APPARATUS, AND SYSTEM FOR INCREASING NETWORK SECURITY - Embodiments of the present invention disclose a method, an apparatus, and a system for increasing network security. The method for increasing network security includes: receiving, by a network management system, a certificate message reported by a network element; generating, by the network management system, a first list; when determining that a certificate corresponding to certificate information in the first list needs to be revoked, generating, by the network management system, a certificate revocation request file according to the certificate information, and removing the certificate information in the first list from the first list; and sending, by the network management system, the certificate revocation request file to a public key infrastructure (PKI) system. | 11-12-2015 |
20150341342 | AUTOMATED STEP-UP DIGITAL CERTIFICATE INSTALLATION PROCESS - Techniques are disclosed for rapidly securing a server in response to request for a high-assurance digital certificate. As described, a CA may issue a basic tier certificate after performing a verification process to confirm that a party requesting a certificate for a given network domain, in fact, has control of that domain. Once issued and provisioned on the server, the server can establish secure connections with clients. At the same time, the CA continues to perform progressive identity verification processes for progressively higher tiers of certificates. Once the identity verification process at each tier is complete, the CA issues a new certificate for the corresponding tier, which may then be provisioned on the server. After performing all of the identity verification processes, the server can issue the requested high-assurance certificate. | 11-26-2015 |
20150365241 | REVOCATION OF A ROOT CERTIFICATE STORED IN A DEVICE - The invention relates to a device for validating data using a root certificate, wherein a plurality of root certificates is stored in the device, each root certificate having a rank. The device is configured to receive revocation information indicating at least one revoked root certificate, to validate the revocation information using one of the root certificates stored in the device and to block the use of the revoked root certificate if the revocation information is successfully validated using a root certificate having a higher rank than the revoked root certificate. Moreover, the invention relates to a method for revoking a root certificate stored in a device. | 12-17-2015 |
20150381373 | BACKUP AND INVALIDATION OF AUTHENTICATION CREDENTIALS - A method for a re-issuance of an attribute-based credential of an issuer of the attribute-based credential for a user may be provided. The user is holding backup values derived from a first credential previously obtained from the issuer, wherein the first credential is built using at least a first value of at least one authentication pair. The method comprises receiving by the issuer from the user a set of values derived from the backup values comprising a second value of the at least one authentication pair, validating by the issuer that the second value is a valid authentication answer with respect to the first value and whether the set of values was derived from a valid first credential, and providing by the issuer a second credential to the user based on the first set of values. | 12-31-2015 |
20150381374 | Handling of Digital Certificates - A method for handling digital certificates in a communication network is described. The communication network comprises a first certificate authority ( | 12-31-2015 |
20150381375 | Revocation of Public Key Infrastructure Signatures - In one implementation, a public key infrastructure utilizes a two stage revocation process for a set of data. One stage authenticates or revokes the set of data based on the status of the digital signature and another stage authenticates or revokes the set of data based on the status of an individual signature by the digital certificate. For example, a digital certificate based is assigned a certificate number. A serial number is assigned for a signature for the set of data as signed by the digital certificate. A data transmission, data packet, or install package includes the set of data, the certificate number and the serial number. Therefore, individual instances of the signature may be revoked according to serial number. | 12-31-2015 |
20160072630 | AUTHENTICATION SYSTEM AND AUTHENTICATION METHOD - A device in an authentication system acquires a certificate revocation list along with a control command from an operating terminal to the device. The device determines the validity of the controller to which the device connects, based on the certificate revocation list acquired along with the control command. | 03-10-2016 |
20160072808 | REGISTRY APPARATUS, AGENT DEVICE, APPLICATION PROVIDING APPARATUS AND CORRESPONDING METHODS - A method for verifying trusted communication between an agent device and an application providing apparatus using a registry apparatus. The registry apparatus maintains a device registry comprising authentication information for uniquely authenticating at least one agent device. The method includes the steps of obtaining from the device registry the authentication information for the agent device identified by a device identifier specified in an the authentication request from the agent device, performing verification of the agent device using the authentication information obtained from the device registry, and if the verification is not successful, transmitting to at least one of the agent device and the application providing apparatus revocation information for denying the trusted communication between the agent device and the application providing apparatus. | 03-10-2016 |
20160094527 | METHODS AND SYSTEMS FOR AUTHORIZING AND DEAUTHORIZING A COMPUTER LICENSE - A system and method of deauthorizing a computer-based licensed product. During the deauthorization process, an end user device transmits an encrypted character string (i.e., the Proof Of Removal Code), including a Transaction ID, to a licensing authority. The licensing authority receives the Proof Of Removal Code from the end user device and decrypts the Transaction ID using a decryption key associated with a product for which the end user is seeking deauthorization. The licensing authority compares Transaction IDs and produces a Deauthorization number, which is sent to the end user device. Each product is associated with a different decryption key resulting in a different Deauthorization number being produced for each product based on the same Transaction ID. Thus, the same identical Transaction ID can be decrypted into as many different Deauthorization numbers as there are products. | 03-31-2016 |
20160099969 | ENFORCING POLICY COMPLIANCE ON A DEVICE - Disclosed herein is a method for enforcing policy compliance on a device that includes detecting a compliance action associated with an electronic device. The compliance action initiates verification that the electronic device is in compliance with a policy. The method also includes sending configuration information for the electronic device to a compliance authenticator in response to the compliance action. The compliance authenticator verifies that the configuration information complies with a policy. Further, the method includes receiving an authentication certificate in response to the compliance authenticator verifying the configuration information complies with the policy. The authentication certificate expires after a predetermined period of time. | 04-07-2016 |
20160105427 | Attesting Authenticity of Infrastructure Modules - A user device is provided that includes an authentication application that runs on the user device. A calibration device is also provided that includes authentication algorithm configuration information and an authentication token. The user device is connected to the calibration device to receive the authentication algorithm configuration information and the authentication token. The user device then supplies to a target device to be authenticated an authentication request that includes the authentication token. The user device receives an authentication response from the target device. The user device then analyzes the authentication response with the authentication application based on the authentication algorithm configuration information to determine whether the target device is authenticated. | 04-14-2016 |
20160112206 | System and Method for Vehicle Messaging Using a Public Key Infrastructure - An embodiment method for vehicle messaging includes obtaining initial trust information that includes a root public key (RPK), and obtaining a first pool of group certificate (GC) sets and a first vehicle authentication certificate that includes a first encrypted serial number. The method also includes: selecting from the first pool a first GC and a first group private key (Gpk); determining a first signature in accordance with a first message and a digest function; sending a first datagram that includes the first message and the first signature; receiving a second datagram that includes a second GC and a second signature, the second GC duplicating a GC in the first pool; receiving a third datagram that includes a third GC and a third signature, the third GC not duplicating any GC in the first pool; and verifying the second and third datagrams in accordance with the digest function and RPK. | 04-21-2016 |
20160112208 | SYSTEM AND METHOD FOR PROVIDING CONSENT MANAGEMENT - A system and method for managing consent for an enterprise to, for example, provide access to controlled data to another enterprise wherein the controlled data can be in the form of subject data records. The system includes a consent management module operative to associate a plurality of control levels with a subject data record and process a consent request requesting access to the controlled data. Access is determined based on the control levels associated with a subject of the controlled data, a requesting operator, and/or the controlled data itself, A control level data set comprising the control levels for use in controlling access to the controlled data and/or subject data records is stored in a database. | 04-21-2016 |
20160119150 | OUT-OF-BAND ENCRYPTION KEY MANAGEMENT SYSTEM - An encryption key management system includes an encryption IHS that is coupled to a network. The encryption key management system also includes a host processing system. An off-host processing system in the encryption key management system is coupled to the host processing system and is coupled to the encryption IHS through the network. The off-host processing system provides an encryption key request to the encryption IHS through the network, receives an encryption key from the encryption IHS through the network and stores the encryption key, provides the encryption key to the host processing system in response to authenticating a user, and revokes the encryption key in response to a revocation instruction received from the encryption IHS through the network. The providing the request, and the receiving, providing, and revoking the encryption key may be performed by the off-host processing system while the host-processing system is not in an operating mode. | 04-28-2016 |
20160119151 | METHOD AND SYSTEM FOR DETECTING MISBEHAVIOR FOR VEHICLE-TO-ANYTHING COMMUNICATION - A method for issuing a reliable certificate to a vehicle for a vehicle-to-anything (V2X) communication in a server on a network comprises receiving a certificate issue request including vehicle identification information and road-side unit (RSU) identification information from an RSU. Log information for the certificate issue request is extracted from a database. Normality or abnormality is determined according to whether a predetermined certificate issue criteria is satisfied by analyzing the certificate issue request and the log information. The certificate is issued and the certificate is transmitted to a vehicle communication module according to determination of normality, or certificate revocation information is registered according to determination of abnormality. | 04-28-2016 |
20160142215 | METHOD AND APPARATUS FOR MANAGING CERTIFICATES - A certificate management processor (CMP) in a public key infrastructure (PKI) receives a request for a certificate management operation. The CMP determines that the request is associated with at least one of an end entity and a service. The CMP identifies a certificate management identifier associated with at least one of the end entity and the service. The CMP retrieves at least one status associated with the certificate management identifier and/or at least one status associated with the certificate management operation. The CMP performs the certificate management operation on a certificate when the retrieved at least one status is determined to not be suspended. | 05-19-2016 |
20160182240 | DIGITAL HERITAGE NOTARY | 06-23-2016 |
20160182493 | Controlled Token Distribution to Protect Against Malicious Data and Resource Access | 06-23-2016 |
20160191241 | DISTRIBUTED PUBLIC KEY REVOCATION - Techniques for improving the security and availability of cryptographic key systems are described herein. A graph representation of a network of cryptographic key servers is created with vertices representing the servers and edges representing connections between pairs of servers. As cryptographic key events are received, the graph is used to locate the appropriate servers upon which to perform the operations associated with the events. In the event that the network requires repairing, the graph is first repaired obeying any constraints on the graph and then the network is updated to reflect alterations to the graph. | 06-30-2016 |
20160254910 | REVOCATION OF CRYPTOGRAPHIC KEYS IN THE ABSENCE OF A TRUSTED CENTRAL AUTHORITY | 09-01-2016 |
20160254919 | Systems, Methods and Apparatuses for Secure Time Management | 09-01-2016 |