Entries |
Document | Title | Date |
20080201575 | Systems and methods for automating certification authority practices - Systems and methods for efficiently verifying identities and for generating and signing digital certificates associated with those identities are disclosed. Generation of a digital certificate of an entity may begin by receiving a certificate signing request from the entity at a certification authority, the certificate signing request including verification information. The certificate signing request may be transmitted to a registration authority and the information of the certificate signing request may be processed. Whether to approve the certificate signing request may be determined, based on a result of the processing, and an approval may be granted when the certificate signing request is approved. A certificate associated with the entity may be generated when the approval is received, and the certificate may be transmitted to the entity. | 08-21-2008 |
20080209207 | AUTOMATED CERTIFICATE PROVISIONING FOR NON-DOMAIN-JOINED ENTITIES - A method of certificate provisioning is provided for entities that are not associated with a domain. In some implementations, certificate provisioning methods allow non-domain-joined entities to request and receive certificates through an automated process with a certificate provisioning portal. Through the automated process, the identity of the client may be verified using security identity information. The security identity information may include a pre-shared secret or a previously issued certificate from a trusted Certificate Authority. | 08-28-2008 |
20080209208 | Method and apparatus for managing digital certificates - Method and apparatus for managing digital certificates are described herein. In one embodiment, an encryption certificate is extracted from an email received from an owner of the encryption certificate, where the encryption certificate being issued from a trusted party other than the owner. Then the encryption certificate is associated with an entry of a directory based on an identity (ID) of the owner, where the directory provides directory services to one or more email servers. Other methods and apparatuses are also described. | 08-28-2008 |
20080222412 | Network data security system and protecting method thereof - The invention presents a network data security system and a protecting method applied in network data transmission. Meanwhile the network data security system includes a client, an authentication dispatching server and a number of distributed servers. The authentication dispatching server includes a first determination device and a user certificate generator; and each distributed server includes a second determination device, a second user certificate generator and a processor. The method for protecting data of the present invention introduces the authentication dispatching server providing the client with a user certificate in a valid period of time and further introduces an updated certificate mechanism for preventing the user certificate from being stolen and further preventing network data from being let out. | 09-11-2008 |
20080222413 | METHOD AND APPARATUS FOR INTEGRATED PROVISIONING OF A NETWORK DEVICE WITH CONFIGURATION INFORMATION AND IDENTITY CERTIFICATION - According to one aspect, a provisioning server comprises a configuration module that configures a network device and an identification certification module that certifies the identity of the network device. With use of the provisioning server, the network device does not require configuration with network connectivity in order to obtain its certified identity. In one embodiment, configuration module configures the device for operation at the device's point of deployment in a network. In one embodiment, the identity certification module is configured to generate a digital certificate for the network device and the configuration module is configured to automatically configure the network device based on its digital certificate. The provisioning server is coupled to the network device with a secure communication link. As a result, a more trusted network device is ultimately deployed into its network of operation. | 09-11-2008 |
20080229098 | ON-LINE TRANSACTION AUTHENTICATION SYSTEM AND METHOD - A system and method for authenticating an on-line user by authenticating the computing device being used by the user. The method may comprise reading device information from a computing device, creating a device credential from the device information; and, communicating the device credential to an authenticating body for authentication. The method may additionally comprise receiving personal information from a user; creating a user credential from the personal information and, communicating the user credential along with the device credential to the authenticating body for authentication. | 09-18-2008 |
20080235509 | METHOD FOR EXCHANGING MESSAGES AND VERIFYING THE AUTHENTICITY OF THE MESSAGES IN AN AD HOC NETWORK - A method for exchanging messages containing reliable information between nodes in an ad hoc network, such as a vehicle ad hoc network. The method includes the steps of providing a public key for a PKI encrypted certificate authority signature to all nodes known to transmit reliable information. Each node transmits a signal containing node identification information and the PKI encrypted certificate authority signature associated with that node. Each node also receives like signals from other nodes and then decrypts the certificate authority signatures from the received signals by using the certificate authority public key to ascertain the authenticity of the received certificate authority signatures and the reliability of the received message. Thereafter, the nodes receive and accept messages with a TESLA encrypted signature only with nodes identified to have authentic certificate authority signatures until the occurrence of a subsequent predefined event, such as a new node in the network or the elapse of a predetermined time period. | 09-25-2008 |
20080250241 | TRUSTED AND SECURE TECHNIQUES, SYSTEMS AND METHODS FOR ITEM DELIVERY AND EXECUTION - Documents and other items can be delivered electronically from sender to recipient with a level of trustedness approaching or exceeding that provided by a personal document courier. A trusted electronic go-between can validate, witness and/or archive transactions while, in some cases, actively participating in or directing the transaction. Printed or imaged documents can be marked using handwritten signature images, seal images, electronic fingerprinting, watermarking, and/or steganography. Electronic commercial transactions and transmissions take place in a reliable, “trusted” virtual distribution environment that provides significant efficiency and cost savings benefits to users in addition to providing an extremely high degree of confidence and trustedness. The systems and techniques have many uses including but not limited to secure document delivery, execution of legal documents, and electronic data interchange (EDI). | 10-09-2008 |
20080256358 | System and method for managing digital certificates on a remote device - A system and method for managing a digital certificate associated with a remote device is provided. The method includes providing a Web Service Application Programming Interface (API) and communicating digitally between the Web Service API and a remote device, including one of requesting the remote device to perform a task associated with managing digital certificates, and responding to a request from the remote device for performing a task associated with managing digital certificates. | 10-16-2008 |
20080270787 | BIOMETRIC IDENTIFICATION NETWORK SECURITY - Systems and methods for regulating user access in the context of a biometric security system are disclosed. One method disclosed includes receiving a remotely transmitted data packet containing an encryption key, utilizing a decryption component to decrypt the data packet, and utilizing the encryption component to encrypt biometric data. Another method disclosed includes utilizing a processor, within a client computing device, to perform an encryption function within a biometric security system, wherein the encryption function is incorporated into an authentication process that involves a transfer of biometric information between the client computing device and a remotely implemented server. | 10-30-2008 |
20080270788 | EXTENSION OF X.509 CERTIFICATES TO SIMULTANEOUSLY SUPPORT MULTIPLE CRYPTOGRAPHIC ALGORITHMS - A technique permitting an X.509 certificate to simultaneously support more than one cryptographic algorithm. An alterative public key and alternative signature are provided as extensions in the body of the certificate. These extensions define a second (or more) cryptographic algorithm which may be utilized to verify the certificate. These are not authenticated by the primary signature and signature algorithm in the primary cryptographic algorithm. These newly defined extensions are reviewed by a receiving entity if the entity does not support the cryptographic algorithm of the primary signature. | 10-30-2008 |
20080270789 | METHOD AND SYSTEM FOR MESSAGING SECURITY - An e-mail firewall applies policies to e-mail messages transmitted between a first site and a plurality of second sites. The e-mail firewall includes a plurality of mail transfer relay modules for transferring e-mail messages between the first site and one of the second sites. Policy managers are used to enforce and administer selectable policies. The policies are used to determine security procedures for the transmission and reception of e-mail messages. The e-mail firewall employs signature verification processes to verify signatures in received encrypted e-mail messages. The e-mail firewall is further adapted to employ external servers for verifying signatures. External servers are also used to retrieve data that is employed to encrypt and decrypt e-mail messages received and transmitted by the e-mail firewall, respectively. | 10-30-2008 |
20080276084 | Anonymity Revocation - Methods and systems for anonymity revocation, enabling a trusted entity to identify a user computer within an anonymous system. A system comprises an attester computer providing attestation value cert from a security module public key and an identifying value. The user computer having a module providing the module public key and a security module attestation value, the user computer providing a user public key, a user attestation-signature value derived from the attestation value cert, and an encryption computable under use of a trusted-entity public key and a module-generated-identifier value, the module-generated-identifier value relating to the identifying value; a verification computer verifying validity of received user attestation-signature value and the encryption; and a trusted entity having a trusted entity secret key, wherein the trusted entity is able to derive the module-generated-identifier value from the encryption, the module-generated-identifier value being usable to identify the user computer with the security module. | 11-06-2008 |
20080282085 | Method to Search for Affinities Between Subjects and Relative Apparatus - A method to search for affinities between subjects comprises the passages of effecting a step of registering a user with a certification authority ( | 11-13-2008 |
20080301438 | Peer-to-peer smime mechanism - A method and apparatus for sending a self-asserted certificate is described. In one embodiment, a mail client of a sender is configured to generate a public and private key pair, to create a self-signed certificate, and to form an introduction message addressed to a recipient to enable use of the self-signed certificate prior to corresponding with the recipient. A mail client of a recipient is configured to display an indicator of a receipt of the introduction message from the sender. The indicator comprises a user interface query to the recipient to verify and accept the sender-signed certificate in response to receiving the introduction message from the sender. | 12-04-2008 |
20080301439 | Validation Server, Program and Verification Method - A technique of managing public keys updated by a certificate authority and a plurality of hash algorithms is provided. | 12-04-2008 |
20080307221 | Event-Ordering Certification Method - An event-ordering certification system | 12-11-2008 |
20080307222 | Verifying authenticity of webpages - A certificate registry system is configured to issue authentication certificates issued to each one of a plurality of information providers and to maintain a root certificate corresponding to all of the authentication certificates. Each one of the authentication certificates links respective authentication information thereof to identification information of a corresponding one of the information providers. Each one of the authentication certificates is devoid of linkage between the corresponding one of the information providers and domain name information thereof. The authentication certificates of the certificate registry are associated in a manner at least partially dependent upon at least one of a particular type of information that the information providers provide, a particular organization that the information providers are associated with, a particular type profession in which the information providers are engaged and a particular geographical region in which the information providers are located. | 12-11-2008 |
20080313456 | Apparatus and method for irrepudiable token exchange - A server apparatus is operable in communication with mobile client apparatuses for securely recording the occurrence of a transactional exchange meeting between holders of the mobile client apparatuses. A token component sets up a meeting arrangement mediated by the server and to communicate a first issued token to a first mobile client apparatus and a second issued token to a second mobile client apparatus. A token validator component receives at least a portion of each of the tokens from the mobile client apparatuses. The token validator component validates that the at least a portion of the token received from the first mobile client apparatus matches at least a portion of the second issued token, and vice-versa. A transaction recorder component creates and maintains a secure record of at least the request, the response, the validation of the tokens, and a completion signal from each of the mobile client apparatuses. | 12-18-2008 |
20080320299 | ACCESS CONTROL POLICY IN A WEAKLY-COHERENT DISTRIBUTED COLLECTION - A system is disclosed for creating and implementing an access control policy framework in a weakly coherent distributed collection. A collection manager may sign certificates forming equivalence classes of replicas that share a specific authority. The collection manager and/or certain privileged replicas may issue certificates that delegate authority for control of item policy and replica policy. Further certificates may be signed that create one or more items, set policy for these one or more items, and define a set of operations authorized on the one or more items. The certificates issued according to the present system for creating and implementing a control policy framework cannot be modified or simply overridden. Once a policy certificate is issued, it may only be revoked by the collection manager or by a replica having revocation authority. | 12-25-2008 |
20090006844 | VERIFYING CRYPTOGRAPHIC IDENTITY DURING MEDIA SESSION INITIALIZATION - An authentication agent may cryptographically identify a remote endpoint that sent a media initialization message even though intermediate devices may modify certain fields in the message after a signature is inserted. The originating endpoint's agent may create the signature over some fields of the message using an enterprise network's private key. The agent may insert the signature into the message and send the message to a recipient endpoint's authentication agent. The recipient agent may verify the signature, receive a certificate including a second public key, and challenge the identity of the originating endpoint in order to confirm that identity. This challenge may request a confirmation that the originating endpoint knows the private key corresponding to the second public key and may occur while running encrypted media at the endpoints. After the originating endpoint is authenticated, the endpoints may exchange encrypted and/or unencrypted media. | 01-01-2009 |
20090006845 | Management of Secure Access to a Secure Digital Content in a Portable Communicating Object - The invention concerns a terminal (T) comprising an agent (AS) for processing a secure content encrypted with a key (KCN) and transmitted by a first server (SCN). In order to manage a secure access to the secure content, an application (AG) of a portable communicating object, such as a chip card, associated with a terminal stores one type of related digital right (TDN) and a certificate and transmitted by the agent and stores an access right (DA) and the key (KCN) related to the secure content transmitted from a second server (SAD). The application adapts the access right and the key and modifies the secure content, based on the type of right, and produces a secure access file based on the adapted access right and the key and on the certificate, the produced file being accessible by the terminal so that the agent may process the modified content. | 01-01-2009 |
20090024845 | METHOD AND SYSTEM FOR ENCRYPTION OF MESSAGES IN LAND MOBILE RADIO SYSTEMS - A method and system for authentication of a plurality of sites in a land mobile radio (LMR) system and for encryption of messages exchanged by the sites. The plurality of sites are connected by a data network (e.g., IP network). The method includes transmitting by a first site its certificate. The certificate is created by a trusted authority by applying a selected function to the public key, the ID and other relevant information of the first site with the trusted authority's private key to generate a reduced representation and then encrypting the reduced representation with the trusted authority's private key. The method further includes receiving, by the other sites in the LMR system, the certificate transmitted by the first site. The method further includes decrypting, by the other sites, the certificate transmitted by the first site and authenticating the first site, wherein the certificate is decrypted using the trusted authority's public key. The method further includes generating a session key, encrypting the session key with the public key of the first site, and transmitting the encrypted session key to the first site. The method further includes decrypting, by the first site, the encrypted session key with the first site's private key, and transmitting, by the first site, a message encrypted with the shared session key. The method further includes multicasting the encrypted message over the data network. The method further includes receiving, by the other sites in the LMR system, the encrypted message transmitted by the first site, and decrypting the message with the session key. | 01-22-2009 |
20090031126 | Trust Management Systems and Methods - The present invention provides systems and methods for making efficient trust management decisions. A trust management engine is provided that processes requests for system resources, authorizations or certificates, and the identity of one or more root authorities that are ultimately responsible for granting or denying the requests. To determine whether a request should be granted, the trust management engine identifies a set principals from whom authorization may flow, and interprets each of the certificates as a function of the state of one or more of the principals. The processing logic iteratively evaluates the functions represented by the certificates, updates the states of the principals, and repeats this process until a reliable determination can be made as to whether the request should be granted or denied. The certificates may be evaluated until the state of the root authority indicates that the request should be granted, or until further evaluation of the certificates is ineffective in changing the state of the principals. | 01-29-2009 |
20090037727 | METHOD AND APPARATUS FOR SECURELY EXCHANGING CRYPTOGRAPHIC IDENTITIES THROUGH A MUTUALLY TRUSTED INTERMEDIARY - A method of securely exchanging cryptographic identities through a mutually trusted intermediary is disclosed. Data, which specifies a petitioner's cryptographic identity and a petitioner's resource identifier, is received. Input, which specifies an authority's resource identifier, is received. The petitioner's cryptographic identity and the petitioner's resource identifier are sent to a destination that is associated with the authority's resource identifier. Data, which specifies the authority's cryptographic identity, is received. The authority's cryptographic identity is sent to a destination that is associated with the petitioner's resource identifier. | 02-05-2009 |
20090037728 | Authentication System, CE Device, Mobile Terminal, Key Certificate Issuing Station, And Key Certificate Acquisition Method - Provided is an authentication system for improving user-friendliness. An IC card ( | 02-05-2009 |
20090044008 | DRM SYSTEM AND METHOD OF MANAGING DRM CONTENT - The present invention relate to a DRM system and a method of managing DRM content, which allow the user of content protected by DRM to use DRM content even through an unconnected device, which is not connected to a network. The DRM system includes a DRM server for issuing a Public Key Infrastructure (PKI)-based certificate and a key pair to an unconnected device via a network client connected to the unconnected device so as to allow the unconnected device to share a right to DRM content with the network client and to authenticate the unconnected device and permit the unconnected device to join a domain on a basis of the certificate and the key pair via the network client. | 02-12-2009 |
20090063852 | AUTHENTICATION FOR AD HOC NETWORK SETUP | 03-05-2009 |
20090063853 | INFORMATION PROCESSING APPARATUS, SERVER APPARATUS, MEDIUM RECORDING INFORMATION PROCESSING PROGRAM AND INFORMATION PROCESSING METHOD - A client PC | 03-05-2009 |
20090077374 | Method and System for Secure Remote Transfer of Master Key for Automated Teller Banking Machine - A method for securely transferring a master key from a host to a terminal, such as an automated teller machine, is disclosed. Each of the host and terminal is initialized with a certificate, signed by a certificate authority, and containing a public key used in used in connection with public key infrastructure communication schemes. An identifier of an authorized host is stored in the terminal. Upon receiving a communication from a host including a host certificate, the terminal validates whether it is already bound to a host, if not, whether the host identifier of the remote host matches the preloaded authorized host identifier, before further communicating with the remote host, including the exchange of certificates. In this way, the terminal is protected against attacks or intruders. Following the exchange of certificates, the host may securely transfer the master key to the terminal in a message encrypted under the terminal's public key. The terminal may decrypt the message, including the master key, using its corresponding secret key. | 03-19-2009 |
20090083539 | Method for Securely Creating an Endorsement Certificate in an Insecure Environment - A method and system for ensuring security-compliant creation and signing of endorsement keys of manufactured TPMs. The endorsement keys are generated for the TPM. The TPM vendor selects an N-byte secret and stores the N-byte secret in the TPM along with the endorsement keys. The secret number cannot be read outside of the TPM. The secret number is also provided to the OEM's credential server. During the endorsement key (EK) credential process, the TPM generates an endorsement key, which comprises both the public key and a hash of the secret and the public key. The credential server matches the hash within the endorsement key with a second hash of the received public key (from the endorsement key) and the vendor provided secret. The EK certificate is generated and inserted into the TPM only when a match is confirmed. | 03-26-2009 |
20090083540 | Host device interfacing with a point of deployment (POD) and a method of processing Certificate status information - A host device interfacing with a point of deployment (POD) and a method of processing certificate status information are disclosed. A communication unit transmits/receives data via a network. A controller collects information associated with a certificate of the host device and information associated with a certificate of the POD, updates certificate status information on the basis of the collected information, and transmits the updated certificate status information via the communication unit when a request for the certificate status information is received via the communication unit. | 03-26-2009 |
20090089575 | Service Providing System, Outsourcer Apparatus, Service Providing Method, and Program - When an entrustor entrusts an outsourcer with the supply of a service for members, member information managed by the entrustor is kept secret from the outsourcer, and users can receive the service without communicating with the entrustor. For using the service, user apparatus | 04-02-2009 |
20090100263 | METHODS AND SYSTEMS FOR ENCOURAGING SECURE COMMUNICATIONS - Embodiments of the present invention enable a user to engage in secure communications using digital certificates and other cryptographic technologies in an easy way with a minimum of distracting interaction. In some embodiments of the present invention, webmail is enabled to allow users to obtain and use S/MIME certificates to secure his or her e-mails. Embodiments of the present invention can also be implemented to other forms of messaging, such as text messages, instant messages, etc. | 04-16-2009 |
20090106547 | AUTHENTICATION SYSTEM, AUTHENTICATION DEVICE, TERMINAL, AND VERIFYING DEVICE - An authentication system, including a service use device | 04-23-2009 |
20090106548 | METHOD FOR CONTROLLING SECURED TRANSACTIONS USING A SINGLE PHYSICAL DEVICE, CORRESPONDING PHYSICAL DEVICE, SYSTEM AND COMPUTER PROGRAM - A method is provided for controlling secure transactions using a physical device held by a user and bearing at least one pair of asymmetric keys, including a device public key and a corresponding device private key. The method includes, prior to implementing the physical device, certifying the device public key with a first certification key of a particular certifying authority, delivering a device certificate after verifying that the device private key is housed in a tamper-proof zone of the physical device; verifying the device certificate by a second certification key corresponding to the first certification key; and in case of a positive verification, registering the user with a provider delivering a provider certificate corresponding to the signature by the provider of the device public key and an identifier of the user. | 04-23-2009 |
20090106549 | METHOD AND SYSTEM FOR EXTENDING ENCRYPTING FILE SYSTEM - Users can share encrypted files without having access to other users' public key certificates, by specifying only the other users' identity information. A client agent interacts with a trusted service account to transparently add user encryption certificates to encrypted files after it was created. A header of each encrypted file includes signed encrypted data blocks, file system metadata, and a digital signature. When a user attempting to open an encrypted file is denied access, the client agent transmits the header data and the encryption certificate of the user to the trusted service account, with a request that the user encryption certificate be added to modify the encrypting file system metadata. After the trusted service account determines tampering has not occurred enroute and the user is authorized to access the file, the modified header data are returned to the client agent to enable the user to open the file. | 04-23-2009 |
20090106550 | EXTENDING ENCRYPTING WEB SERVICE - A data encryption service is provided over the Internet. Users specifying only authorized users' identity information can share encrypted information without sharing passwords or accessing public key certificates. A user sends data to be encrypted to a trusted EWS, along with authorization information. An encrypted data envelope including signed encrypted data blocks, authorization information, and a digital signature is returned to the user. When a second user attempts to access the data inside the encrypted data envelope, it is transmitted to the EWS. If the EWS authenticates the second user, determines that tampering has not occurred, and verifies the second user's identity against the authorization information in the data envelope, then the data are returned. The encrypted data envelope can be expressed as a raw byte stream or encoded within an HTML file to enable browser-based data envelope submission and retrieval. | 04-23-2009 |
20090119505 | Transaction method and verification method - In a method for performing an electronic transaction a first transaction part generates a digital signature and an encrypted digital signature. The second transaction party receives both signatures. The second party is enabled to verify the digital signature, but cannot verify or (re)generate the encrypted digital signature. A trusted third party is enabled to verify the encrypted digital signature if the digital signature is also provided, since the trusted third party cannot (re)generate the digital signature. Thus, no other party than the first transaction party can (re)generate both the digital signature and the encrypted digital signature. Therefore, no other party presenting himself as the first transaction party can be verified as being the first transaction party. | 05-07-2009 |
20090119506 | Method and Apparatus for Secure Assertion of Resource Identifier Aliases - A method and apparatus for secure assertion of a user identifier alias. The method comprises receiving at an application server from a first device a first user identifier, a first device identifier and a first authentication key associated with the first device; receiving at the application server from the first device a second user identifier, the first device identifier and a second authentication key associated with the first device; comparing the first authentication key to the second authentication key; and storing the second user identifier at the application server as an alias of the first user identifier if the first authentication key matches the second authentication key. | 05-07-2009 |
20090132810 | Distributed digital certificate validation method and system - A distributed digital certificate validation method of a client connectable in communication with a host is provided. The method comprises making a first connection with the host to establish data communication with the host, sending to the host a request for a certificate validation result, importing from the host a file containing at least the requested certificate validation result, and storing the imported file locally for later retrieval of at least the requested certificate validation result. | 05-21-2009 |
20090132811 | ACCESS TO AUTHORIZED DOMAINS - In a domain comprising a plurality of devices, the devices in the domain sharing a common domain key, a method of enabling a entity that is not a member of the domain to create an object that can be authenticated and/or decrypted using the common domain key, the method comprising providing to the entity that is not a member of the domain a diversified key that is derived using a one-way function from at least the common domain key for creating authentication data related to said object and/or for encrypting said object, the devices in the domain being configured to authenticate and/or decrypt said object using the diversified key. | 05-21-2009 |
20090132812 | METHOD AND APPARATUS FOR VERIFYING REVOCATION STATUS OF A DIGITAL CERTIFICATE - Verifying revocation status of a digital certificate is provided in part by a receiver verifying a security certificate for a sender. In an embodiment, an approach comprises receiving a first security certificate associated with the sender and storing the security certificate in a location accessible to the receiver; updating the first security certificate in the location accessible to the receiver if the first security certificate is changed or revoked; receiving a second security certificate from the sender when identity of the sender needs to be verified; comparing the second security certificate to the first security certificate; and confirming the sender's identity only if the second security certificate matches the first security certificate for the sender. | 05-21-2009 |
20090144540 | CERTIFICATE MANAGEMENT WITH CONSEQUENCE INDICATION - A certificate management operation request is managed on a device, access to which is governed by an authentication certificate. Upon receiving a request to perform a certificate management operation on a certificate, a consequence of performing the certificate management operation is determined and the consequence is indicated via a user interface of the device. For example, anytime a user attempts to use a certificate management application to delete, distrust or revoke a certificate, it is determined whether the certificate meets certain criteria, such as the certificate being the authentication certificate or being in the certificate chain of the authentication certificate. If the certificate meets the criteria, the user may be notified of a lack of permission to perform the requested operation and the operation may be prevented from completing. Alternatively, the user may be permitted to confirm the instruction to perform the requested operation, and the operation may be completed. | 06-04-2009 |
20090144541 | METHOD AND APPARATUS OF MUTUAL AUTHENTICATION AND KEY DISTRIBUTION FOR DOWNLOADABLE CONDITIONAL ACCESS SYSTEM IN DIGITAL CABLE BROADCASTING NETWORK - A method and apparatus of X.509 certificate-based mutual authentication and key distribution for a Downloadable Conditional Access System (DCAS) in a digital cable broadcasting network is provided for composing a software-based secure DCAS in various Conditional Access Systems (CASs) based on an embodiment form of Conditional Access (CA) application for CA of digital cable broadcasting. | 06-04-2009 |
20090144542 | SYSTEM FOR DISTRIBUTING DIGITAL MEDIA TO EXHIBITORS - A system for packaging digital media and distributing digital media to exhibitors is described, which system enables distribution by utilizing media content booking, media content packaging, encryption, and delivery components. | 06-04-2009 |
20090158030 | Doing business without SSN, EIN, and charge card numbers - This invention introduces encrypted identifiers to be used when the owner of an identifier wants to hide the original identifier away from public exposure but still be able to be uniquely identified through the encrypted form of the identifier. The logical requirement for such an encrypted identity is that it needs to be different for each user in order for it not to become public knowledge. The inventor refers to such changeable, proxy identifiers as “Pxy” identifiers. Pxy identifiers are generated using a Rule Number that references a user-specific algorithm and encryption key that is different for every user. To further privatize and facilitate tracing the ownership of a Pxy identifier to its owner, one or more identity-owner-specific passwords are also utilized. Pxy identity-identifiers examples include: PxySsn, PxyId, PxyEIN; and non-identity-identifier examples are: user-specific-encrypted-door-opener-codes, coded charge numbers, Pxy Software Keys, and so on. | 06-18-2009 |
20090158031 | Secure Certificate Installation on IP Clients - According to one embodiment of the invention, a method is deployed for loading a user CA certificate into the trusted certificate storage of a network device The method comprises a number of operations. A first operation involves a downloading of addressing information. Thereafter, a communication session is established using the addressing information for retrieval of a bootstrapping digital certificate that can be digitally verified by the network device using its factory settings. Keying information is extracted from the bootstrapping digital certificate and the keying information can be used to verify that the communication session is between the network device and a certificate server being different than a source for the addressing information. Upon verification that the network device is in communication with the certificate server, the user CA certificate is downloaded from the certificate server using a secure channel that is established based on the bootstrapping digital certificate. | 06-18-2009 |
20090158032 | Method and System for Automated and Secure Provisioning of Service Access Credentials for On-Line Services to Users of Mobile Communication Terminals - In a communications network including at least one authentication entity adapted to authenticating a network access requestor in order to conditionally grant thereto access to the communications network, wherein the authenticating is based on public key cryptography, a method for automatically provisioning the network access requestor with service access credentials for accessing an on-line service offered by an on-line service provider accessible through the communications network. The method includes: during the authenticating the network access requestor, having an authentication entity request to the on-line service provider the generation of the service access credentials; at the on-line service provider, generating the service access credentials, encrypting the service access credentials by exploiting a public encryption key of the network access requestor and providing the encrypted service access credentials to the authentication entity; and having the authentication entity cause the network access requestor to be provided with the encrypted service access credentials. | 06-18-2009 |
20090158033 | METHOD AND APPARATUS FOR PERFORMING SECURE COMMUNICATION USING ONE TIME PASSWORD - The invention relates to a communication method and system using a one time password (OTP). The communication system includes: a user computer that has an OTP generator for generating the OTP provided therein; a service server that performs user authentication using user information and an OTP value input from the user computer, and communicates with the user computer using the encoded data that is associated with the OTP value, when the user authentication succeeds; and an OTP integrated authentication server that verifies the OTP value between the user computer and the service server. | 06-18-2009 |
20090158034 | AUTHENTICATION GATEWAY APPARATUS FOR ACCESSING UBIQUITOUS SERVICE AND METHOD THEREOF - An authentication gateway apparatus for accessing a ubiquitous service includes: an authentication server of a service provider that receives an authentication data request message from a portable apparatus, and provides an authentication token; a first authentication device of the portable apparatus that transmits the authentication data request message to the authentication server, receives and stores an authentication token from the authentication server, and is used as a representative authentication device; and second authentication devices of ubiquitous apparatuses that are connected to the first authentication device of the portable apparatus by a wireless communication system, and have individual unique values. | 06-18-2009 |
20090172391 | COMMUNICATION HANDOVER METHOD, COMMUNICATION MESSAGE PROCESSING METHOD, AND COMMUNICATION CONTROL METHOD - There is disclosed a technique whereby, in a case wherein a mobile node (MN) performs a handover, between access points (APs) present on the links of different access routers (ARs), security is quickly established between the MN and the AP so as to reduce the possibility of a communication delay or disconnection due to the handover. According to this technique, before performing a handover, the MN | 07-02-2009 |
20090172392 | METHOD AND SYSTEM FOR TRANSFERRING INFORMATION TO A DEVICE - A system and method for transferring information include generating a public/private key pair for programming equipment and sending the programming equipment public key to a certificate authority. A programming equipment certificate is generated using the programming equipment public key and a private key of the certificate authority. The programming equipment certificate and a certificate authority certificate are sent to the programming equipment. Information is transferred to or from the programming equipment in response to an authentication using the programming equipment certificate and the certificate authority certificate. | 07-02-2009 |
20090187760 | Security Mechanism within a Local Area Network - A local area network server may issue security certificates to client devices on the network for two-way authentication across the network. The certificates may be issued through a transaction performed over the network and, in some cases, may be automated. The server may have a self signed or a trusted security certificate which may serve as a basis for issuing certificates to various clients. After a certificate is issued, future communications on the network may be authenticated by both the server and client, and the communications may be encrypted using the certificates. | 07-23-2009 |
20090187761 | Methods and systems for proofing identities using a certificate authority - A digital certificate is provided to a customer having an electronic account linked to the customer's physical address. Using the digital certificate, the customer performs electronic transactions with a third party. A proofing workstation receives a request from a third party to validate the digital certificate. The proofing workstation communicates with a proofing server that maintains a list of valid certificates and a list of revoked certificates. The proofing server sends a response to the proofing workstation, where it is received by the third party. | 07-23-2009 |
20090193249 | PRIVACY-PRESERVING INFORMATION DISTRIBUTION SYSTEM - A system, device and method for keeping the identity of a user secret, while managing requests for information, in an information distribution system. The identity of the user is kept secret by the use of a persistent pseudonym and a temporary pseudonym, which are associated with a user identity device. The process of information distribution is enhanced by the use of licenses and certificates, which the user obtains by representing himself with the permanent pseudonym. When accessing the requested information, the user is represented by the temporary pseudonym. | 07-30-2009 |
20090193250 | AUTHENTICATION SYSTEM, SIGNATURE CREATING DEVICE, AND SIGNATURE VERIFYING DEVICE - A signature generating device for generating digital signature data that certifies authenticity of information of a person, and making the information obfuscated. The signature generating device comprises: a storage unit that stores attribute information concerning the person and a private key corresponding to the attribute information; an obfuscated information generating unit that selects one or more pieces of dummy information in relation to the attribute information, and generates the obfuscated information that includes the attribute information and the dummy information; a public key obtaining unit that obtains a public key corresponding to the attribute information and public keys respectively corresponding to the dummy information; and a signature generating unit that generates digital signature data by performing a ring signature generation process to the obfuscated information, using the private key and the public key corresponding to the attribute information and using the public keys corresponding to dummy information. | 07-30-2009 |
20090204809 | INFORMATION PROCESSING DEVICE, INFORMATION PROCESSING METHOD, AND COMPUTER-READABLE RECORDING MEDIUM - An information processing device is arranged to acquire a first public key certificate and a first secret key from a server device by acquiring an individual identification information which is uniquely discriminable for the information processing device from the information processing device and transmitting the individual identification information to the server device. The information processing device is arranged to determine whether the information processing device is permitted to transmit device information to the server device through an encryption communication using the first public key certificate and the first secret key, by acquiring the individual identification information from the information processing device and comparing the acquired individual identification information with the individual identification information associated with at least one of the first public key certificate and the first secret key. | 08-13-2009 |
20090204810 | Architecture and Design for Central Authentication and Authorization in an On-Demand Utility Environment - A Centralized Authentication & Authorization (CAA) system that facilitates secure communication between service clients and service providers. CAA comprises a Service Request Filter (SRF), a Service Client Authentication Program (SCAP), a Service Authorization Program (SAP), and an Authorization Database (ADB). The SRF intercepts service requests, extracts the service client's identifier from a digital certificate attached to the request, and stores the identifier in memory accessible to service providers. In the preferred embodiment, the SRF forwards the service request to a web service manager. The web service manager invokes SCAP. SCAP matches the identifier with a record stored in ADB. SAP queries ADB to determine if the service request is valid for the service client. If the service request is valid, SAP authorizes the service request and the appropriate service provider processes the service request. | 08-13-2009 |
20090210701 | Multi-Media Access Device Registration System and Method - A method for enabling an access device to securely access content from at least a content provider and prevent a cloned access device from accessing such content. During registration of the access device with the content provider, the access device requests from a designated certificate authority a certificate having a public key of the content provider therein. Upon authentication of the certificate, the access device generates a key and uses the public key to exchange the key with the content provider. The key is then used for subsequent secure communications between the access device and the content provider. In this manner, a cloned device does not have access to the key and is unable to download content from the content provider. | 08-20-2009 |
20090210702 | SECURE APPLICATION SIGNING - A system and method for facilitating approval of an application and for making the application available for download by mobile computing devices has a first module configured to receive a user input received from a software development environment, a second module configured to initiate an application approval process based on the user input, and a third module configured to make the application available for download by mobile computing devices based on the approval process. | 08-20-2009 |
20090217034 | Multi-step digital signature method and system - A multi-step signing system and method uses multiple signing devices to affix a single signature which can be verified using a single public verification key. Each signing device possesses a share of the signature key and affixes a partial signature in response to authorization from a plurality of authorizing agents. In a serial embodiment, after a first partial signature has been affixed, a second signing device exponentiates the first partial signature. In a parallel embodiment, each signing device affixes a partial signature, and the plurality of partial signatures are multiplied together to form the final signature. Security of the system is enhanced by distributing capability to affix signatures among a plurality of signing devices and by distributing authority us affix a partial signature among a plurality of authorizing agents. | 08-27-2009 |
20090222657 | Methods And Apparatus For Use In Obtaining A Digital Certificate For A Mobile Communication Device - In one illustrative scenario, a mobile device receives configuration information which includes information for use in constructing a request message for obtaining a digital certificate from a certificate authority (CA). After receipt of the configuration information, the mobile device constructs the request message for the digital certificate and causes it to be sent to a host server of a communication network. In response, the host server requests and obtains the digital certificate from the CA on behalf of the mobile device, and thereafter “pushes” the received digital certificate to the mobile device. The mobile device receives the digital certificate and stores it for use in subsequent communications. The host server may be part of a local area network (LAN) which includes a wireless LAN (WLAN) adapted to authenticate the mobile device based on the digital certificate, so that the mobile device may obtain access to the WLAN. | 09-03-2009 |
20090222658 | ROAMING UTILIZING AN ASYMMETRIC KEY PAIR - Techniques for generating a portion of a split private key are provided. A first symmetric key and a second symmetric key different than the first symmetric key are generated at a first location. The generated second symmetric key and a first one of multiple factors for generating the private key portion encrypted with the generated first symmetric key are transmitted. Then, at a second network location, the symmetric keys are again generated. The encrypted first factor is received at the second network location subsequent to a user authentication based upon the second symmetric key generated at the second network location. The received encrypted first factor is then decrypted with the first symmetric key generated at the second network location, the decrypted first factor usable to generate the portion of the split private key of the asymmetric key pair. | 09-03-2009 |
20090222659 | COMMUNICATION DEVICE AND COMMUNICATION METHOD - A communication device for performing communication by employing first and second communication units, includes: a reception unit for receiving a communication packet including a random number generated for every connection with another communication device, a certificate calculated with the random number, and authentication method information indicating whether or not an authentication method at the second communication unit is compatible with the public key system, through the first communication unit; and a method determining unit for determining whether or not an originator of the communication packet accepts public key encryption based on the authentication method information included in the communication packet; wherein in a case of the method determining unit determining that the originator of the communication packet does not accept the public key system, the random number included in the communication packet is replied to the originator as the identification information of the device itself. | 09-03-2009 |
20090235068 | Method and Apparatus for Identity Verification - A method for identity verification includes receiving a request for proof of identity from a service provider and receiving biometric information associated with a user of a communication device. The method also includes determining that the received biometric information matches a biometric profile that contains biometric information associated with a registered user of the communication device. The method also includes unlocking a private key associated with the registered user in response to determining that the received biometric information matches a biometric profile and sending a request for a digital certificate that is signed with the private key associated with the registered user. The method further includes receiving the digital certificate that includes a public key associated with the registered user and satisfies the request for proof of identity. The method also includes with forwarding the digital certificate to the service provider. | 09-17-2009 |
20090235069 | Arrangement of and method for secure data transmission - A method of and system for secure data transmission between a client and a third party computer arrangement. The method includes authenticating a user of the client by a security server via a communication session; making available a key pair by the security server, the key pair including a public key and a private key; and performing the secure data transmission between the client and the third party computer arrangement while using the key pair. The key pair having a limited life time defined by: a predetermined duration in time, a predetermined number of communication sessions, or a predetermined number of actions. | 09-17-2009 |
20090240936 | SYSTEM AND METHOD FOR STORING CLIENT-SIDE CERTIFICATE CREDENTIALS - A method and system is provided for storing a plurality of client certificate credentials via a client web browser into one or more keystore file(s). The client web browser is used to establish the secure data transfer link between the client and the server. The client web browser includes a plug-in software component. The plug-in software component is configured to generate the keystore file and a key pair. The method may continue with generating a certificate request on the client. The certificate request generated is then transmitted to a certificate server. The certificate server is configured to digitally sign the certificate request generated. The method continues with the client receiving a signed certificate request. The signed certificate request is received by the client via the client web browser. The method may conclude by storing the plurality of client certificate credentials associated with the signed certificate request in one or more keystore file(s). | 09-24-2009 |
20090249060 | DATA SECURITY MANAGEMENT SYSTEM AND METHODS - A system is provided for managing security rights of protected data having a plurality of security groups. The system comprises a client configured to generate the protected data, wherein a user of the client is a member of a subset of the plurality of security groups. The client comprising a key generator configured to generate a plurality of security group keys, wherein each membership key is associated with a security group selected by the user of the client and a combination key generator configured to generate a combination key based on the plurality of security group keys, wherein the client is configured to encrypt the protected data with the combination key. | 10-01-2009 |
20090249061 | CERTIFYING A VIRTUAL ENTITY IN A VIRTUAL UNIVERSE - An invention for certifying a virtual entity in a virtual universe is disclosed. A virtual business may opt to register with a security certificate administration center to obtain a security certificate. A user of another virtual entity is provided with an ability to initiate a verifying process to check whether a security certificate symbol or a graphic resembling a security certificate symbol represents a valid security certificate. Virtual universe client and server software may be modified to enable a secured connection between the user and the security certificate administration center for the verification. | 10-01-2009 |
20090259841 | Method for allocating multiple authentication certificates to vehicles in a vehicle-to-vehicle communication network - In a vehicle-to-vehicle communication network utilizing PKI security methods to protect communications and in which the PKI encryption utilizes a Certificate Authority having both a private key and a publicly distributed key, a method for allocating multiple certificates for each vehicle which are assigned to each vehicle in the communication network. The method includes the step of assigning a unique secret key k to each vehicle in the communication network. The Certificate Authority then creates a plurality of public key and private key encryption pairs for each vehicle and each encryption pair is associated with an index i. A plurality of certificates are then created with one certificate for each value of the index. A revocation list comprising the secret keys is maintained by the Certificate Authority so that all encryption pairs assigned to a particular vehicle may be revoked by the secret key k corresponding to that vehicle. | 10-15-2009 |
20090259842 | METHOD, PRODUCT AND APPARATUS FOR ACCELERATING PUBLIC-KEY CERTIFICATE VALIDATION - A validation authority for certificates searches for and verifies paths and certificate revocation lists periodically, and classifies the paths into valid paths and invalid paths in accordance with the results of the validations, so as to register the paths in databases beforehand. Besides, in a case where a request for authenticating the validity of a certificate has been received from an end entity, the validation authority judges the validity of the public key certificate by checking in which of the valid-path database and the invalid-path database a path corresponding to the request is registered. On the other hand, in a case where the path corresponding to the validity authentication request is not registered in either of the databases, the validity of the public key certificate is authenticated by performing path search and validation anew. | 10-15-2009 |
20090265544 | Method and system for using personal devices for authentication and service access at service outlets - Various embodiments of the present invention provide a method and an interaction system. A first set of information related to a user is received from a personal communication device with or without an embedded secure element, or from an independent secure element at a service outlet. The personal communication device and the secure element are associated with the user. Further, a trust is established between the service outlet and the secure element by a process of mutual authentication. If a personal communication device is used, a communication channel is established between the personal communication device and the service outlet. Thereafter, the user is provided access to multiple services offered by the service provider over the communication channel through the personal communication device. If a personal communication device is not used, the services are provided through the access point of the service outlet. | 10-22-2009 |
20090265545 | ELECTRONIC CERTIFICATE ISSUE SYSTEM AND METHOD - A registration part receives a product key of a program for performing a communication using a private key and a public key, and discrimination information of a computer using the program. The registration part registers in a management part, when an authentication of a license corresponding to the product key is completed in success, correspondence information between the product key and the discrimination information and other discrimination information regarding the correspondence information. A discrimination information sending part returns the other discrimination information to an electronic certificate issue apparatus. A checking part receives the other discrimination information and check whether the other discrimination information is registered in the management part. A certificate producing part produces, when the other discrimination information is registered in the management part, an individual certificate package containing the private key and the public key for each piece of the other discrimination information. | 10-22-2009 |
20090265546 | INFORMATION PROCESSING DEVICE, ELECTRONIC CERTIFICATE ISSUING METHOD, AND COMPUTER-READABLE STORAGE MEDIUM - An information processing device acquires first identification information of a computer to which the device is coupled, and records correspondence information indicating a correspondence between a product key of a predetermined program and the first identification information, and second identification information with respect to the correspondence information, in the device, if a license authentication with respect to the product key based on the first identification information is successful. The device generates an individual certificate package including a unique secret key and public key for each second identification information, and records the individual certificate package in the device in correspondence with each second identification information. | 10-22-2009 |
20090282240 | Secure Decentralized Storage System - A secure decentralized storage system provides scalable security by addressing the performance bottleneck of the security manager and the complexity issue of security administration in large-scale storage systems. The storage system includes: an application client for accessing a file system using a plurality of storage devices and transmitting a command to a storage device; a storage device for storing data and access control entries associated to the data, analyzing the command from the client and performing corresponding operations of the command; a metadata server for storing and managing metadata, such as location and length information of data and system configuration; and a security manager for storing and managing global access control entries and policies of the system and performing the access policy and privilege control according to the global access control entries and policies, such as changing the priority and inheritance rule of access control entries, adding and deleting the access control entries. | 11-12-2009 |
20090282241 | METHOD AND APPARATUS TO PROVIDE A USER PROFILE FOR USE WITH A SECURE CONTENT SERVICE - A secure content service available through a network comprising a user profile stored in a user profile store and a profile access controller to enforce access rights to the user profile, wherein the user profile is used to provide access rights to other content. | 11-12-2009 |
20090287923 | Reverse Mapping Method and Apparatus for Form Filling - In the presently preferred embodiment of the invention, every time a user submits a form the client software tries to match the submitted information with the stored profile of that user. If a match is discovered, the program tags the field of the recognized data with a corresponding type. The resulting profile can be used after that to help all subsequent users to fill the same form. | 11-19-2009 |
20090292916 | Certificate Management and Transfer System and Method - A method and system for Certificate management and transfer between messaging clients are disclosed. When communications are established between a first messaging client and a second messaging client, one or more Certificates stored on the first messaging client may be selected and transferred to the second messaging client. Messaging clients may thereby share Certificates. Certificate management functions such as Certificate deletions, Certificate updates and Certificate status checks may also be provided. | 11-26-2009 |
20090300348 | PREVENTING ABUSE OF SERVICES IN TRUSTED COMPUTING ENVIRONMENTS - Methods and systems for regulating services provided by a first computing entity, such as a server, to a second computing entity, such as a client are described. A first entity receives a request for a service from a second entity over a network. The first entity determines whether the second entity has a trusted agent by examining an attestation report from the second entity. The first entity transmits a message to the second entity. The trusted agent on the second entity may receive the message. A response is created at the second computing entity and received at the first entity. The first entity then provides the service to the second entity. The first entity may transmit an attestation challenge to the second entity and in response receives an attestation report from the second entity. | 12-03-2009 |
20090300349 | VALIDATION SERVER, VALIDATION METHOD, AND PROGRAM - A validation server using HSM, which reduces required process time from receiving a validation request to responding with a validation result, and comprises a first software cryptographic module | 12-03-2009 |
20090307486 | SYSTEM AND METHOD FOR SECURED NETWORK ACCESS UTILIZING A CLIENT .NET SOFTWARE COMPONENT - A method for self-service authentication of a client and a server. The method includes the server receiving an initialization command from the client. The initialization command may be transmitted to the server via a client web browser over an unsecured data transfer link. The method continues with requesting authentication information from the client. In response to receiving the authentication information from the client, the server transmits a client software component to the client. The client software component utilizes a client-side library installed on the operating system of the client to generate the various client credentials described above. Thereafter, the certificate signing request may be transmitted to a certificate server for signing the certificate signing request. The signed certificate signing request is then received by the client via the client web browser. The client utilizes the information associated with the signed certificate signing request with the client-side library installed on the client to generate a client certificate. | 12-10-2009 |
20090307487 | APPARATUS AND METHOD FOR PERFORMING TRUSTED COMPUTING INTEGRITY MEASUREMENT REPORTING - The present application discloses a method and apparatus for using trusted platform modules (TPM) for integrity measurements of multiple subsystems. The state of the platform configuration registers (PCR) after boot up are stored as the base state of the system. Base state in this context is defined as the state of the system when the startup of the system is complete and can only be changed when new software is loaded at the kernel level. This state itself can be reported to challengers who are interested in verifying the integrity of the operating system. Also disclosed is a method where the application that is to be verified, requests that its state be extended from the base state of the system. When such a request is received, the state of the system is extended directly from the base state PCR contents and not from the system state. | 12-10-2009 |
20090313468 | CERTIFICATE RENEWAL USING SECURE HANDSHAKE - A method, system, and computer usable program product for certificate renewal using a secure handshake are provided in the illustrative embodiments. A determination is made, forming an expiration determination, whether a validity period associated with a certificate ends within a predetermined period from a time of receiving the certificate. If the expiration determination is true, a holder of the certificate is notified about the expiration. The holder may be an application executing in a data processing system or the data processing system itself. A new certificate is requested on behalf of the holder. The requested new certificate is received. The new certificate is sent to the holder of the certificate over a network. | 12-17-2009 |
20090319779 | METHOD AND DEVICE FOR ENSURING INFORMATION INTEGRITY AND NON-REPUDIATION OVER TIME - The present invention relates to a method and a device for ensuring information integrity and non-repudiation over time. A basic idea of the present invention is to provide a mechanism for secure distribution of information, which information relates to an instance in time when usage of cryptographic key pairs associated with a certain brand identity commenced, as well as when the key pairs ceased to be used, i.e. when the key pairs were revoked. The mechanism further allows a company or an organization to tie administration of cryptographic key pairs and a procedure for verifying information integrity and non-repudiation to their own brand. This can be seen as a complement or an alternative to using a certificate authority (CA) as a trusted third party, which CA guarantees an alleged relation between a public key and the identity of the company or organization using the cryptographic key pair to which that public key belongs. | 12-24-2009 |
20090319780 | ESTABLISHING SECURE DATA TRANSMISSION USING UNSECURED E-MAIL - In one embodiment, a host entity may create a trusted connection with a guest entity. The host entity may encrypt a trusted connection invitation for an external guest entity using a proof of possession of a trusted token for the external guest entity. The host entity may transmit the encrypted trusted connection invitation to the external guest entity. A guest entity may decrypt the trusted token, and then use the proof of possession to decrypt the trusted connection invitation. | 12-24-2009 |
20090319781 | SECURE MESSAGE DELIVERY USING A TRUST BROKER - An email security system is described that allows users within different organizations to securely send email to one another. The email security system provides a federation server on the Internet or other unsecured network accessible by each of the organizations. Each organization provides identity information to the federation server. When a sender in one organization sends a message to a recipient in another organization, the federation server provides the sender's email server with a secure token for encrypting the message to provide secure delivery over the unsecured network. | 12-24-2009 |
20090319782 | Interconnectable personal computer architectures that provide secure, portable, and persistent computing environments - Disclosed are interconnectable personal computer architectures comprising secure, portable and persistent computing environments that provide secure computing sessions with persistence. The computing environments are implemented using a secure non-computing client device, such as a USB device, that interfaces with a host computer and, optionally, a trusted server. The secure non-computing client device is used to instantiate a secure BIOS and a secure cold or warm boot of the host computer, from the client device, in a host protected area of the host computer, or from the trusted server. The client device comprises a security device, such a trusted platform module, that encrypts and decrypts data transferred between the client apparatus and the host computer to provide a sealed computing environment on the host computer. The client device may implement keyboard logger attack prevention. The client device may also implement a high assurance guard to protect applications. The client device may also comprise security wrapper software that encapsulates malware processed by the host computer. Computing methods and software are also disclosed. | 12-24-2009 |
20090319783 | Method of Aggregating Multiple Certificate Authority Services - The disclosure relates to the management of PKI digital certificates, including certificate discovery, installation, verification and replacement for endpoints over an insecure network. A database of certificates may be maintained through discovery, replacement and other activities. Certificate discovery identifies certificates and associated information including network locations, methods of access, applications of use and non-use, and may produce logs and reports. Automated requests to certificate authorities for new certificates, renewals or certificate signing requests may precede the installation of issued certificates to servers using installation scripts directed to a particular application or product, which may provide notification or require approval or intervention. An administrator may be notified of expiring certificates, using a database or scanning or server agents. Detailed information on various example embodiments of the inventions are provided in the Detailed Description below, and the inventions are defined by the appended claims. | 12-24-2009 |
20090327703 | METHOD FOR PAYLOAD ENCRYPTION OF DIGITAL VOICE OR DATA COMMUNICATIONS - A security platform or network for transmitting end-to-end encrypted voice or data communications between at least a first digital device and a second device is disclosed. The network includes a network portal for registering the first digital device and the second device. The portal provides the first digital device and second device with at least first and second keys and receives requests from each device to communicate with each other. The portal searches for and receives authorization from the called device to set up a secure session with the calling device. The portal receives encrypted messages from the devices, decrypts the encrypted messages with the keys provided to the devices, and re-encrypts the received messages. The portal sends the re-encrypted messages to the other device. Accordingly, the devices are capable of securely communicating with each other by encrypting and decrypting the messages sent to and received from the portal. The intent is to provide a commercially feasible approach to protect sensitive information that is not government classified, with potential users including (a) Individuals—for protecting private information and conversations; (b) Companies—for protecting proprietary/sensitive information; and (c) Government—for protecting SBU conversations and information. | 12-31-2009 |
20090327704 | STRONG AUTHENTICATION TO A NETWORK - Embodiments for providing strong authentication to a network from a networked device are disclosed. In accordance with one embodiment, a method for authentication to a server includes sharing a session key between the networked device and the server. The method further includes sending an encrypted secret key that is encoded based on the session key to a memory of the networked device. The also method includes sending original data to the networked device for encryption into encrypted data using the secret key. The method additionally includes decrypting the encrypted data received from the networked device using the secret key to obtain decrypted data for comparison with the original data for determining access to networked resources. | 12-31-2009 |
20090327705 | ATTESTED CONTENT PROTECTION - The present invention extends to methods, systems, and computer program products for protecting content. Embodiments of the invention permit a local machine increased participation in authorizing access to protected content. An operating system attests to a computing environment at a corresponding computer system. If the computing environment is one permitted to access protected content, the operating system is permitted to regulate further (e.g., application) access to protected content in accordance with a procreation policy. As such, authorization decisions are partially distributed, easing the resource burden on a content protection server. Accordingly, embodiments of the invention can facilitate more robust and efficient authorization decisions when access to protected content is requested. | 12-31-2009 |
20090327706 | ACCOUNT MANAGEMENT SYSTEM, ROOT-ACCOUNT MANAGEMENT APPARATUS, DERIVED-ACCOUNT MANAGEMENT APPARATUS, AND PROGRAM - A root-account management apparatus generates an electronic signature based on a survival condition and a secret key when an authentication result of a user of a client apparatus is proper, and transmits derived-account credence element information including the survival condition, the electronic signature and a public key certificate to a derived-account management apparatus. The derived-account management apparatus creates derived-account information which becomes valid when the survival condition is satisfied so that the derived-account information includes both the derived-account credence element information which becomes invalid when a validity term of the public key certificate expires and a biometric information template of the user which is valid regardless of this validity term. Accordingly, even if an authentication element as a root (public key certificate) becomes invalid, a derived authentication element (biometric information template) can be prevented from becoming invalid. | 12-31-2009 |
20100005291 | APPLICATION REPUTATION SERVICE - The claimed subject matter is directed to the use of an application reputation service to assist users with minimizing their computerized machines' exposure to and infection from malware. Specifically, the claimed subject matter provides a method and system of an application reputation service that contains the reputations for elements that are known to be non-malicious as well as those known to be malicious. | 01-07-2010 |
20100011208 | CRYPTOGRAPHIC CONTROL AND MAINTENANCE OF ORGANIZATIONAL STRUCTURE AND FUNCTIONS - Methods, systems and devices for cryptographic control and maintenance of organizational structure and functions are provided. A method for control and maintenance of an operational organizational structure, the method includes associating entities with cryptographic capabilities; organizing entities within the organizational structure as roles; and maintaining roles within the organizational structure. The system may involve at least a Public Key Infrastructure operation. Elements in said organizational structure may be assigned to roles and/or groups within said organizational structure. | 01-14-2010 |
20100017597 | SECURE NETWORK ADDRESS PROVISIONING - A network in which a client receives a network credential, such as a valid network address, following an exchange of messages with a credential server that includes security information. The security information may validate the credential, avoiding rogue devices inadvertently or maliciously distributing credential information that can interfere with clients attempting to connect to the network or with the network itself. If obtaining a network credential requires an exchange of information about the configuration of the client that could reveal security vulnerabilities, the security information may be used to ensure the confidentiality of that configuration information. The security information may be incorporated into messages according to a known protocol, such as by incorporating it into options fields of DHCP messages. | 01-21-2010 |
20100017598 | Secure E-Mail Messaging System - According to one embodiment, a secure e-mail messaging system includes an e-mail relay server coupled to a secure client configured on a secure domain and an external client configured on an external domain. The e-mail relay server has a memory for storage of an actual address of the secure client, a first certificate associated with the actual address, an alias address associated with the actual address, and a second certificate associated with the alias address. The e-mail relay server receives an e-mail message that includes the alias address from the external client and decrypts the e-mail message according to the second certificate. The e-mail messaging server then replaces the alias address with the actual address to form a modified e-mail message, encrypts the modified e-mail message according to the first certificate, and transmits the modified e-mail message to the secure client. | 01-21-2010 |
20100017599 | SECURE DIGITAL CONTENT MANAGEMENT USING MUTATING IDENTIFIERS - Methods and system for managing manipulation of digital content stored in a content server. One method includes receiving a first mutating identifier at a content manipulation device. The first mutating identifier includes a first secret key. The method also includes generating a content request for digital content stored in the content server at the content manipulation device, the content request encrypted with the first secret key and including an identifier of the digital content; transmitting the content request to an authenticator over at least one communication link; transmitting access rights from the authenticator to the content manipulation device over at least one communication link; transmitting the digital content from the content server to the content manipulation device; manipulating the digital content at the content manipulation device based on the access rights; and marking the first mutating identifier as used at the authenticator. | 01-21-2010 |
20100023755 | METHOD AND APPARATUS FOR SECURE INFORMATION TRANSFER TO SUPPORT MIGRATION - A system and method are disclosed for providing and maintaining a high level of security during migration of data from one platform to another. The disclosed system combines user and equipment authentication with equipment environment authorization guaranteed by a security module such as supported by a trusted platform module (TPM) in parallel, for secure information transfer to support migration between platforms. | 01-28-2010 |
20100023756 | SPLITTING AN SSL CONNECTION BETWEEN GATEWAYS - A system for secure communication, including a first security computer communicatively coupled with a client computer via an SSL connection, including a certificate creator, for receiving certificate attributes of a server computer certificate and for creating a signed certificate therefrom, and an SSL connector, for performing an SSL handshake with the client computer using the signed certificate created by said certificate creator, and a second security computer communicatively coupled with a server computer via an SSL connection, and communicatively coupled with the first security computer via a non-SSL connection, including an SSL connector, for performing an SSL handshake with the server computer using a signed certificate provided by the server computer, and a protocol appender, for appending attributes of the signed certificate provided by the server computer within a message communicated to the first security computer. A method is also described and claimed. | 01-28-2010 |
20100023757 | METHODS AND SYSTEMS FOR SENDING SECURE ELECTRONIC DATA - A method and system for providing encryption are provided, involving a) transmitting a request from a sender to a database for a public key for a selected recipient, the database being configured to store for each member in a plurality of members a member public key for encrypting electronic data; b) determining if the selected recipient is in the plurality of members, and; c) if the selected recipient is in the plurality of members, then executing a member procedure, the member procedure comprising transmitting from the database to the sender the member public key stored in the database for the selected recipient; d) if the selected recipient is not in the plurality of members, then executing a non-member procedure, the non-member procedure comprising determining if at least one predetermined criterion is met, and, if the at least one predetermined criterion is met, generating a non-member public key for encrypting electronic data and a non-member private key for decrypting the electronic data encrypted using the non-member public key; otherwise, if the at least one predetermined criterion is not met the non-member public key and the non-member private key are not generated. | 01-28-2010 |
20100023758 | DOCUMENT AUTHENTICATION USING ELECTRONIC SIGNATURE - Embodiments of authenticating an electronic document are disclosed. A document authentication system is operatively connected with a professional system, a license management system and a certification authority system, for authenticating an electronic document of a client response to a request from a client system. An authentication unit included in the document authentication system receives the electronic document from the client system for review and seal thereof, transmits the electronic document to receive the electronic document with the electronic signature implemented and transmits the electronic signature to the license management system to verify license validity of the professional based on the electronic signature. Further, the authentication unit transmits the electronic document to the client system with the electronic signature including a seal imprint image of the professional if the license of the professional is valid. | 01-28-2010 |
20100023759 | METHOD AND SYSTEM FOR AUTHORIZING CLIENT DEVICES TO RECEIVE SECURED DATA STREAMS - A method and system for authorizing client devices to receive secured data streams through the use of digital certificates embedded in the client devices. A freely distributed cryptographically signed group file with an embedded expiration date is associated with each individual digital certificate. A single group file can be associated with more than one digital certificate but each digital certificate is associated with a single group file. The group file contains cryptographic keys that can be used to decrypt a section of the digital certificate revealing a set of client keys. The client keys are then used to encrypt a program key which are then sent back to the client device. When the client device requests a specific data stream or digital content, an issuance timestamp associated with the content is compared to the expiration date in the group file. If the issuance timestamp is after the expiration date, the client device is declined. If the issuance timestamp is before the expiration date, the requested content, encrypted utilizing the program key, is sent to the client device. | 01-28-2010 |
20100031024 | METHOD FOR REAL-TIME DATA AUTHENTICATION - A digital signature is applied to digital data in real-time. The digital signature serves as a mark of authenticity assuring a recipient that the digital data did in fact originate from an indicated source. The digital signature may be applied to any digital data, including video signals, audio signals, electronic commerce information, data pertaining to land vehicles, marine vessels, aircraft, or any other data that can be transmitted and received in digital form. | 02-04-2010 |
20100031025 | Method and system to authorize and assign digital certificates without loss of privacy, and/or to enhance privacy key selection - A method and system for public key infrastructure key and certificate management provides anonymity to certificate holders and protects the privacy of certificate holders from the compromise of a certificate authority. Functional separation is provided in the authorization of a certificate request and the assignment of certificates and key pairs. The authorizing certificate authority approves or denies each certificate request from a requestor whose identity is not made available to the assigning certificate authority. The assigning certificate authority, upon approval from the authorizing certificate authority, issues one or more certificates and optionally generates and provides the associated key pairs to the requester without disclosing these certificates and key pairs to the authorizing certificate authority. In another aspect, a distributed method is disclosed that allows individual nodes and/or units in a network to select certificates for broadcasting messages to a community of interest with a non-unique key. | 02-04-2010 |
20100031026 | METHOD AND SYSTEM FOR TRANSFERRING INFORMATION TO A DEVICE - A system and method for transferring information to a device include sending a first challenge from an information provider to programming equipment, and responding to the first challenge by the programming equipment. A second challenge is sent from the programming equipment to the information provider, which responds to the second challenge. Information is encrypted by the information provider and sent from the information provider to the programming equipment. | 02-04-2010 |
20100031027 | METHOD AND DEVICE FOR DISTRIBUTING PUBLIC KEY INFRASTRUCTURE (PKI) CERTIFICATE PATH DATA - A method and device for distributing public key infrastructure (PKI) certificate path data enables relying nodes to efficiently authenticate other nodes in an autonomous ad-hoc network. The method includes compiling, at a certificate path management unit (CPMU), the PKI certificate path data (step | 02-04-2010 |
20100031028 | SYSTEMS AND METHODS FOR SELECTING A CERTIFICATE FOR USE WITH SECURE MESSAGES - Systems and methods for selecting a certificate for use in securing a message to be transmitted from a computing device is described herein. A set of certificates is determined and the certificates are ranked based on one or more predetermined ranking criteria. At least the highest ranking certificate is displayed, and a certificate is selected for securing the message. | 02-04-2010 |
20100031029 | TECHNIQUES TO PROVIDE ACCESS POINT AUTHENTICATION FOR WIRELESS NETWORK - According to an example embodiment, an apparatus may include a client device including a processor and memory. The client device may be configured to obtain, via a secure communication, a certificate identifying a publically accessible wireless access point (AP) and a public key for the AP, the AP being publically accessible. The client (or client device) may be configured to generate a challenge, send the challenge to the AP, wherein the AP has a private key securely stored in a hardware security module of the AP. The private key may correspond to the public key for the AP. The client may be configured to receive a response from the AP, the response being generated by the AP based on the challenge and the private key for the AP, and authenticate the AP based on the response. | 02-04-2010 |
20100031030 | METHOD AND SYSTEM FOR MANAGING NETWORK IDENTITY - A method and a system for managing network identity are provided. The method and the system realize a management mechanism of temporary identification (ID) and real ID, which simultaneously achieves functionalities such as anonymity, accounting, and authorization. A short-term certificate and a corresponding public/private key pair are used to protect a temporary ID usable for accounting. This protection prevents the temporary ID from theft. The user generates a digital signature in the reply to a charge schedule statement from the visited network. This procedure is incorporated into an existing authentication framework based on Transport Layer Security (TLS) in order to provide an undeniable payment mechanism. The payment mechanism is applicable in an environment of multiple network operators and reduces the difficulty of integrating network operators. The method and the system do not have to consult a certificate revocation list (CRL) for authentication and thus are able to shorten authentication time. | 02-04-2010 |
20100031031 | SYSTEMS, METHODS AND COMPUTER-ACCESSIBLE MEDIA FOR ACQUIRING AND AUTHENTICATING PUBLIC KEY CERTIFICATE STATUS - Exemplary embodiments of systems, methods and computer-accessible medium can be provided for obtaining and verifying a public key certificate status. In particular, it is possible to construct and send a certificate query request, construct and send a combined certificate query request, construct and send a combined certificate status response, deliver a certificate status response, perform a verification by the general access point, and/or perform a verification by the user equipment. The exemplary embodiments address some of the deficiencies of conventional methods which have a complicated implementation as well as likely inability of such conventional methods to be applied to the network architecture of user equipment, a general access point and a server. The exemplary embodiments of the systems, methods and computer-accessible medium can obtain a user certificate status to provide certificate statuses of the user or the user equipment and the general access point when the user equipment accesses the network via the general access point. Message exchanges can be reduced, bandwidth and calculation resources can be saved, and higher efficiency can be achieved. According to another exemplary embodiment, by way of adding random numbers into the certificate query request and the combined certificate query request, as well as the message m, freshness of the certificate status response can be facilitated and even ensured, and security protection can be enhanced. | 02-04-2010 |
20100042830 | Method for Controlling a Consumption Limit Date of Digital Contents Device for Consuming Such Contents, Means of Controlling Consumption and Server Distributing Such Contents - This invention relates to a method for controlling the consumption limit date of a digital content which is transferred from distribution means ( | 02-18-2010 |
20100049969 | System and method for providing security in mobile WiMAX network system - A system for providing security in a mobile Microwave Access (WiMAX) network system is constructed with a licensed certification authority providing a certificate and a first encryption module storing the certificate provided by the licensed certification authority, encrypting a traffic encryption key and a message generated by the first encryption module with the stored certificate, and transmitting the encrypted traffic encryption key and message to a destination. When receiving a message encrypted with a traffic encryption key, the first encryption module decrypts the received message with the traffic encryption key generated by the first encryption module and processes the message. The system is further constructed with a second encryption module. When receiving the message encrypted with the certificate from the first encryption module, the second encryption module decrypts the received message with the certificate provided by the licensed certification authority to detect the traffic encryption key, and encrypts a message with the detected traffic encryption key to transmit the encrypted message. | 02-25-2010 |
20100049970 | METHODS AND SYSTEMS FOR SECURE COMMUNICATIONS USING A LOCAL CERTIFICATION AUTHORITY - A local network traffic processor and an application are resident on a common computer system. The application is configured to trust a server certificate issued by a local network traffic processor, the local network traffic processor operatively being paired with a remote network traffic processor. A proxy server certificate, generated using identification information of a server associated with the remote network traffic processor and signed by the local certification authority, is used to establish a secure session between a local network traffic processor and the application. | 02-25-2010 |
20100064135 | Secure Negotiation of Authentication Capabilities - A network ( | 03-11-2010 |
20100070760 | TICKET-BASED SPECTRUM AUTHORIZATION AND ACCESS CONTROL - Aspects describe spectrum authorization, access control, and configuration parameters validation. Devices in an ad-hoc or peer-to-peer configuration can utilize a licensed spectrum if the devices are authorized to use the spectrum, which can be determined automatically. Aspects relate to distribution of authorization tickets by an authorization server as a result of validating a device's credentials and services to which the device is entitled. An exchange and verification of authorization tickets can be performed by devices as a condition for enabling a validated wireless link using the spectrum. | 03-18-2010 |
20100070761 | RELIABLE AUTHENTICATION OF MESSAGE SENDER'S IDENTITY - A method is provided in a telecommunications network for authenticating a sender ( | 03-18-2010 |
20100077207 | COMMUNICATIONS APPARATUS, COMMUNICATIONS SYSTEM, AND METHOD OF SETTING CERTIFICATE - An apparatus in a system which includes at least a high-level apparatus and a plurality of low-level apparatuses, said apparatus being one of the low-level apparatuses. The apparatus includes a storage unit configured to store an individual certificate set and a common certificate set and a communication unit configured to transmit own authentication information to the high level apparatus to allow the high level apparatus to perform decryption to authenticate the validity of the apparatus. | 03-25-2010 |
20100082974 | PARALLEL DOCUMENT PROCESSING - Documents distributed in parallel are processed. One or more digital document packages are received, where each digital document package includes a content portion and an identity-verification code (IVC) verifying an identity of a source from which the digital document package is received. Each IVC may be a private-key encryption of a content-verification code hashed from the content portion of each digital document package. A master digital document package is created, which includes a master content portion equivalent to the content portion in each unmodified digital document package, and one or more different IVCs, each IVC obtained from a digital document package received from a different source. | 04-01-2010 |
20100088507 | SYSTEM AND METHOD FOR ISSUING DIGITAL CERTIFICATE USING ENCRYPTED IMAGE - The present invention relates to a system and method for issuing a digital certificate using an encrypted image, in which a digital certificate is sealed in a digital envelope image so as to protect a digital certificate user from damages caused by hacking, phishing attacks and the like in the course of issuance, update and re-issuance of the digital certificate, and the method for issuing a digital certificate comprises the steps of: storing a user select image for issuing the digital certificate, by a proxy server or a certificate server; and requesting the certificate server to issue the digital certificate and, if the digital certificate is issued, creating a sealed digital envelope image by combining the digital certificate with the user select image and transmitting the digital envelope image to a user terminal. | 04-08-2010 |
20100100728 | METHOD OF HANDLING A CERTIFICATION REQUEST - In a certification request, a user device includes an object identifier. When a certification authority generates an identity certificate responsive to receiving the certification request, the certification authority includes the object identifier, thereby allowing improved management of the identity certificate at the user device and elsewhere. | 04-22-2010 |
20100100729 | Distribution medium for professional photography - The display of very high definition still images on a high definition television is achieved through the decryption of received images within a DRM capable decryption device embedded within a high definition TV. The decryption device stores a pre-set decryption key, decrypts the incoming high definition still image content, and applies pre-set licensing parameters against the decrypted content. If the license for the encrypted content is determined to be valid the very high definition still images are displayed on the TV, otherwise the TV will display a lack of authorization message if the licensing is determined to be not valid. The embedded DRM decryption device is capable of determining and enforcing a number of licensure conditions for any and all received encrypted imagery. This abstract is not to be considered limiting, since other embodiments may deviate from the features described in this abstract. | 04-22-2010 |
20100100730 | SYSTEM AND METHOD FOR SEARCHING AND RETRIEVING CERTIFICATES - A system and method for searching and retrieving certificates, which may be used in the processing of encoded messages. In one broad aspect, a method is provided in which a certificate search request is received, a search of one or more certificate servers for certificates satisfying the request is performed, located certificates are retrieved and processed at a first computing device to determine data that uniquely identifies each located certificate, and search result data comprising the determined data is communicated to a second device (e.g. a mobile device) for use in determining whether each located certificate is already stored on the second device. | 04-22-2010 |
20100106965 | DELIVERY OF MULTIPLE THIRD-PARTY SERVICES TO NETWORKED DEVICES - Systems and methods for authenticating a media device or other information handling system so as to be able to receive content from one or more media content providers. Authenticating the device includes determining what authentication information the media content providers require for access and then to generating and providing to the media device an authentication token that includes the required information. In some embodiments this may be accomplished by a service center, which removes the need for additional authentication steps to be performed by the media device or the media content providers. In addition, the service center may also determine when changes are made to the authentication information and may then ensure that the authentication token is changed or updated to reflect these changes. This ensures that the media device is at least partially immune to changes to authentication. | 04-29-2010 |
20100106966 | Method and System for Registering and Verifying the Identity of Wireless Networks and Devices - The present invention discloses a method for registering a wireless network's identity using a central server. The central server receives a request for registration of an identifier of a wireless network. If the identifier has not been previously registered, the central server creates an association between the identifier and the wireless network, which is stored in a database maintained by the central server. The present invention also discloses a method for verifying a wireless network's identity by a wireless device. A central server comprising a database is provided, which registers an identifier of the wireless network. The central server receives from a wireless device an authentication request of the identifier. The authentication request arrives through a gateway of the wireless network. The central server then authenticates the identifier. | 04-29-2010 |
20100115266 | METHOD AND DEVICE FOR ENABLING A TRUST RELATIONSHIP USING AN UNEXPIRED PUBLIC KEY INFRASTRUCTURE (PKI) CERTIFICATE - A method and device are useful for enabling a trust relationship using an unexpired public key infrastructure (PKI) certificate, where a current status of the PKI certificate is unavailable. The method includes determining at a relying party that a certificate status update for the PKI certificate is unavailable (step | 05-06-2010 |
20100115267 | METHOD AND DEVICE FOR ENABLING A TRUST RELATIONSHIP USING AN EXPIRED PUBLIC KEY INFRASTRUCTURE (PKI) CERTIFICATE - A method and device are useful for enabling a trust relationship using an expired public key infrastructure (PKI) certificate. The method includes determining at a relying party a maximum permissible grace period during which the PKI certificate can be conditionally granted a valid status (step | 05-06-2010 |
20100115268 | Network Device and Computer Readable Medium Therefor - A network device, connectable with a service providing server and an authentication sever via a network, includes an acquisition information storage storing acquisition information for acquiring a certificate corresponding to each of services the service providing server provides, a certificate storage storing certificates acquired from the authentication server, a determining unit that, in response to acceptance of a request for utilizing a service, determines whether a certificate necessary for utilizing the requested service is stored in the certificate storage, and a controller that, when the necessary certificate is not stored, reads out acquisition information for the necessary certificate from the acquisition information storage, makes a certificate acquiring unit acquire the necessary certificate from the authentication server using the acquisition information, and stores the necessary certificate into the certificate storage. When the necessary certificate is stored, the controller makes the certificate acquiring unit acquire the necessary certificate from the certificate storage. | 05-06-2010 |
20100122079 | COPYRIGHT PROTECTION SYSTEM, REPRODUCTION APPARATUS AND METHOD - The object of the present invention is to provide a reproduction apparatus that is capable of preventing personal information of users from being transmitted to an external apparatus that is under management of a malicious person. | 05-13-2010 |
20100122080 | PSEUDONYM CERTIFICATE PROCESS SYSTEM BY SPLITTING AUTHORITY - The present invention can't independently know real name information of a user unless a server of an authority treating real name certificate and a server of an authority treating pseudonym certificate collaborate mutually, so that privacy of a user isn't infringed. The present invention can acquire real name information of a user with collaboration of real name certification sever and pseudonym certification sever only if you need real name information for a user. | 05-13-2010 |
20100146264 | METHOD AND SYSTEM FOR AUTHENTICATING A USER - The invention relates to a system and a method for authenticating a user. A removable storage medium ( | 06-10-2010 |
20100153710 | METHOD OF PREVENTING UNAUTHENTICATED VIEWING USING UNIQUE INFORMATION OF SECURE MICRO - A method of verifying a validity of a Secure Micro (SM) is provided. The method of verifying a validity of an SM, the method including: storing and maintaining a validity verification message used to verify the validity of the SM, the validity verification message being generated by a Trusted Authority (TA) based on unique information of the SM, and the SM and the TA sharing the unique information of the SM; and verifying the validity of the SM using the validity verification message and the unique information shared by the SM, when an SM client is executed. | 06-17-2010 |
20100153711 | DOWNLOADABLE CONDITIONAL ACCESS SYSTEM EFFICIENTLY DETECTING DUPLICATED DCAS HOST - A technology that may efficiently detect a duplicated Downloadable Conditional Access System (DCAS) host in a DCAS is provided. | 06-17-2010 |
20100153712 | SIGNATURE SCHEMES USING BILINEAR MAPPINGS - Methods and systems are provided for generating and verifying signatures of digital messages communicated between signers and verifiers. Using bilinear mappings, such as Weil or Tate pairings, these methods and systems enable generation and verification of efficient multisignatures, identity-based ring signatures, hierarchical proxy signatures, and hierarchical online/offline signatures. | 06-17-2010 |
20100161968 | Delivering content in digital postal envelope - Methods and apparatus, including computer program products, for generating and processing a digital document. The digital document includes private content that is accessible only upon a request for the private content, and presentation data that is accessible without the request for the private content. The presentation data defines a graphical representation of an addressed postal envelope that has a stamp side on which one or more intended recipients of the private content are represented as addressees. | 06-24-2010 |
20100161969 | NETWORK DEVICE AUTHENTICATION - The present invention relates to using digital certificates to allow network devices to authenticate themselves upon being accepted into and forming part of a communication network. | 06-24-2010 |
20100161970 | USER TERMINAL AND METHOD OF MANAGING USER INFORMATION - A user terminal and a method of managing user information are provided. The method includes issuing a request for issuance of a certificate for a user to a certification authority; generating a document including at least part of user information using a certificate issued by the certification authority; and issuing a subscription request to a desired web service provider by providing the document including the at least part of the user information to the desired web service provider. Therefore, it is possible to strengthen the user's right to self-determination and control over the exposure and use of his or her personal information. In addition, it is possible to improve the reliability of user information provided to each website by the user. | 06-24-2010 |
20100161971 | AUTOMATED PROCESS FOR A WEB SITE TO RECEIVE A SECURE SOCKET LAYER CERTIFICATE - The present invention provides systems and methods for enabling encrypted communication capabilities for a Subscriber's Web Site, thereby allowing Customers to access the Subscriber's Web Site in a secure manner. A Hosting Provider, that hosts the Subscriber's Web Site, and a Certificate Authority (CA), that verifies the identity of the Subscriber, provide the Subscriber's Web Site with Secure Sockets Layer (SSL) encrypted communications capability. The Hosting Provider and CA communicate directly with each other as needed, typically via the Internet, without using the Subscriber as an intermediary in their communications. | 06-24-2010 |
20100169641 | Trust Authority Supporting Digital Communication - A trust authority includes a network connected server executing trust service software stored in a machine-readable medium, one or more network ports for communicating on the network, and a data repository coupled to the server, the repository storing indications of trustworthiness for one or both of enterprises and agents of enterprises. Queries from remote entities, the queries pertaining to one or both of enterprises and agents, are received at the server, and the trust service software, in response to the queries, provides to the remote entities providing the queries indications of trustworthiness for the one or both of enterprises and agents. | 07-01-2010 |
20100185849 | METHOD AND ARRANGEMENT FOR CERTIFICATE HANDLING - The present invention relates to a method and an arrangement for authentication and authorization in an access network. In an initial phase of the method according to the invention the user equipment and the security gateway exchange information on available certificate(s). If the user equipment and the security gateway lack matching certificates, the attempted authentication of the security gateway can not take place according to existing protocols and arrangements. According to the invention, if a certificate mismatch is identified, a certificate server is engaged. The certificate server, which is a separate entity from the security gateway, assists in at least part of the authentication procedure. Once the authentication is confirmed a secure tunnel can be established between the user equipment and the security gateway and payload traffic can be transferred. | 07-22-2010 |
20100185850 | METHOD AND DEVICE FOR AUTHENTICATING LEGAL NEIGHBOR IN GROUP KEY MANAGEMENT - Method and device for authenticating a legal neighbor in group key management (GKM) are disclosed. The method includes: members on a local network that needs the automatic GKM service store a group shared key and a group authentication algorithm; an authenticating member receives a first authentication value and authentication information of an authenticated member sent from the authenticated member, where the first authentication value is calculated by the authenticated member by using the group shared key and the authentication information of the authenticated member according to the group authentication algorithm; the authenticating member calculates a second authentication value by using the authentication information of the authenticated member and the group shared key according to the group authentication algorithm; the authenticating member authenticates the authenticated member as a legal neighbor when confirming that the first authentication value is the same as the second authentication value. | 07-22-2010 |
20100191960 | TOKEN BASED TWO FACTOR AUTHENTICATION AND VIRTUAL PRIVATE NETWORKING SYSTEM FOR NETWORK MANAGEMENT AND SECURITY AND ONLINE THIRD PARTY MULTIPLE NETWORK MANAGEMENT METHOD - A two-factor network authentication system uses “something you know” in the form of a password/Pin and “something you have” in the form of a key token. The password is encrypted in a secure area of the USB device and is protected from brute force attacks. The key token includes authentication credentials. Users cannot authenticate without the key token. Four distinct authentication elements that the must be present. The first element is a global unique identifier that is unique to each key. The second is a private credential generated from the online service provider that is stored in a secure area of the USB device. The third element is a connection profile that is generated from the online service provider. The fourth element is a credential that is securely stored with the online service provider. The first two elements create a unique user identity. The second two elements create mutual authentication. | 07-29-2010 |
20100199087 | SYSTEM AND METHOD FOR GENERATING A DIGITAL CERTIFICATE - A system and method for generating a digital certificate is provided wherein a new digital record is received and is assigned a sequence value. A first composite digital value is generated by applying a first deterministic function to the digital records stored in a repository. The sequence value and first composite digital value are included in a first certificate. After the digital record is added to the repository, a second composite digital value is generated by applying a second deterministic function to the digital records in the repository. This second composite digital value, and a composite sequence value, are published. An interval digital value which is based upon the first and second composite digital values, and the sequence value, are included in a second certificate which thus verifies the authenticity and sequence value of the digital record. | 08-05-2010 |
20100205429 | SYSTEM AND METHOD FOR VERIFYING THAT A REMOTE DEVICE IS A TRUSTED ENTITY - Methods and systems are provided for verifying that a remote device is a trusted entity. The method comprises receiving a first digital certificate from a first certificate authority, wherein the first certificate authority is a trusted entity, receiving a second digital certificate from the remote device during a first handshake procedure for establishing a secure connection, the second digital certificate corresponding to a second certificate authority, determining if the second digital certificate was issued by the first certificate authority based on at least a portion of the contents of the first digital certificate, and storing the second digital certificate to enable subsequent authentication of additional digital certificates received from the remote device, if the second digital certificate was issued by the first certificate authority. | 08-12-2010 |
20100205430 | Network Reputation System And Its Controlling Method Thereof - A network reputation system and its controlling method are provided. A credentials and exchange component permits a user to generate credentials and exchange matching keys with those persons having a social relationship with the user. A reputation evaluation component enables other users to make evaluations about an estimatee via the sharing of social network information. A query and response component receives a query from a person having a social relationship with the user for requesting an evaluation about the estimatee, and responds an associated evaluation result to the person having a social relationship with the user, via the sharing of social network information and the evaluations made by the other users about the estimatee. | 08-12-2010 |
20100211772 | Collaborative Reconciliation of Application Trustworthiness - A mobile terminal receives trustworthiness information for a software application by receiving a voucher that indicates the trustworthiness of that application as represented by a third party. To ensure the integrity of this information, the mobile terminal authenticates the voucher and verifies that the software application is the one having its trustworthiness indicated by the voucher. Given such indications of trustworthiness, a user of the mobile terminal may decide whether install and run it. If decided in the affirmative, the user may form his or her own basis for the trustworthiness of the software application. Accordingly, the mobile terminal may also create a new voucher that indicates the trustworthiness of the software application as represented by the user. With third parties representing the trustworthiness of software applications in this manner, their development is not hindered by the imposition of security requirements on application developers. | 08-19-2010 |
20100211773 | Validating the Origin of Web Content - Described herein is a technique of protecting users against certain types of Internet attacks. The technique involves obtaining certificates from visited web sites and qualifying communications with those web sites based on the content of the certificates. | 08-19-2010 |
20100228968 | SPLIT TERMINATION OF SECURE COMMUNICATION SESSIONS WITH MUTUAL CERTIFICATE-BASED AUTHENTICATION - A method and apparatus are provided for split-terminating a secure client-server communication connection when the client and server perform mutual authentication by exchanging certificates, such as within a Lotus Notes environment. When the client submits a certificate to the server, an intermediary device intercepts the certificate and submits to the server a substitute client certificate generated by that intermediary. A certificate authority's private key is previously installed on the intermediary to enable it to generate public keys, private keys and digital certificates. With the private key corresponding to the substitute certificate, the intermediary extracts a temporary key from a subsequent server message. The intermediary uses the temporary key to read a session key issued later by the server. Thereafter, the intermediary shares the session key with another intermediary, and together they use the session keys to access and optimize (e.g., accelerate) messages sent by the client and the server. | 09-09-2010 |
20100228969 | CUSTOMIZABLE PUBLIC KEY INFRASTRUCTURE AND DEVELOPMENT TOOL FOR SAME - A public key infrastructure comprises a client side to request and utilize certificates in communication across a network and a server side to administer issuance and maintenance of said certificates. The server side has a portal to receive requests for a certificate from a client. A first policy engine to processes such requests in accordance with a set of predefined protocols. A certification authority is also provided to generate certificates upon receipt of a request from the portal. The CA has a second policy engine to implement a set of predefined policies in the generation of a certificate. Each of the policy engines includes at least one policy configured as a software component e.g. a Java bean, to perform the discreet functions associated with the policy and generate notification in response to a change in state upon completion of the policy. | 09-09-2010 |
20100228970 | Public key certificate issuing system, public key certificate issuing method, digital certification apparatus, and program storage medium - A public key certificate issuing system is disclosed which comprises a certificate authority for issuing a public key certificate used by an entity, and a registration authority which, on receiving a public key certificate issuance request from anyone of entities under jurisdiction thereof, transmits the received request to the certificate authority. The certificate authority, having a plurality of signature modules each executing a different signature algorithm, selects at least one of the plurality of signature modules in accordance with the public key certificate issuance request from the registration authority, and causes the selected signature module to attach a digital signature to message data constituting a public key certificate. | 09-09-2010 |
20100235625 | TECHNIQUES AND ARCHITECTURES FOR PREVENTING SYBIL ATTACKS - Techniques and architectures for preventing Sybil attacks are provided. A node authenticates to a local certificate authority associated with a social networking group. The local certificate authority issues an encrypted certificate with a secret to the node. The node then makes a request to participate in another external group via a remote certificate authority. The remote certificate authority verifies the secret and grants permission to the node to participate in the external group. Also, a dynamic architecture permits local nodes in a social networking group self organize with some nodes becoming local certificate authorities and others becoming regular participants. | 09-16-2010 |
20100235626 | APPARATUS AND METHOD FOR MUTUAL AUTHENTICATION IN DOWNLOADABLE CONDITIONAL ACCESS SYSTEM - A mutual authentication apparatus in a Downloadable Conditional Access System (DCAS) includes an announce protocol processor to authenticate SecurityAnnounce information using an Authentication Proxy (AP) and to transmit the authenticated SecurityAnnounce information to a Secure Micro (SM), a keying protocol processor to relay KeyRequest information and KeyResponse information between a Trusted Authority (TA) and the SM in response to the SecurityAnnounce information, a decryption unit to decrypt the KeyResponse information using the SM, an authentication protocol processor to determine whether a first encryption key of the KeyResponse information is identical to a second encryption key generated by the AP, and a download protocol processor to control DownloadInfo to be transmitted from the AP to the SM, the DownloadInfo permitting the SM to download SM Client Image information. | 09-16-2010 |
20100235627 | SECURING COMMUNICATIONS SENT BY A FIRST USER TO A SECOND USER - A computer-implemented method of securing communications sent by a first user to a second user may include receiving, by a first user from a trusted third party, at least one public cryptographic value corresponding to the first user and at least one private cryptographic value corresponding to the first user, providing, by the first user to a second user, a plurality of values corresponding to an identification device identified by an identifier, deriving, by the first user, a shared key, using the at least one private cryptographic value of the first user, and at least one of the plurality of values corresponding to the identification device identified by the identifier and protecting communications sent by the first user to the second user with the shared key. | 09-16-2010 |
20100241851 | SYSTEM AND METHOD FOR VALIDATING CERTIFICATE ISSUANCE NOTIFICATION MESSAGES - To validate a received certificate issuance notification message, a device may verify that the certificate issuance notification message conforms to expected norms or authenticate a signature associate with the certificate issuance notification message. Upon validating, the device may then transmit a uniform resource locator, extracted from the certificate issuance notification message, to a network entity configured for processing certificate issuance. | 09-23-2010 |
20100241852 | Methods for Producing Products with Certificates and Keys - The embodiments described herein provide methods for producing products with certificates and keys. In one embodiment, a requesting entity transmits a request for a plurality of certificates and corresponding keys to a certifying entity that generates the certificates and corresponding keys. The request preferably includes information for use by the certifying entity to verify an identity of the requesting entity rather than information to verify unique product identifiers of the respective products. The requesting entity then receives the plurality of certificates and corresponding keys from the certifying entity, preferably in a plurality of organized sets instead of in a single series of certificates. The requesting entity then stores the certificates and corresponding keys in respective products. Each stored certificate is thereafter useable for both identification and authentication of the respective product in which it is stored. | 09-23-2010 |
20100268942 | Systems and Methods for Using Cryptographic Keys - Systems and methods for using cryptographic keys read an existing digital certificate from a hardware cryptographic device and extract a public key from the existing digital certificate. A certificate request message is generated that identifies a new usage and/or certificate field associated with the public key. The certificate request message is signed and communicated to a certification authority. A new digital certificate is received from the certification authority that includes the new usage/field. The new digital certificate is then applied to cryptographic operations, such as signing procedures, encryption procedures and so forth using the existing key pair. | 10-21-2010 |
20100268943 | Method and System for Source Authentication in Group Communications - A method and system for authentication is provided. A central node for issuing certificates to a plurality of nodes associated with the central node in a network is also provided. The central node receives a first key from at least one node from among the plurality of nodes and generates a second key based on the received first key and generates a certificate for the at least one node. The generated certificate is transmitted to the at least one node. | 10-21-2010 |
20100275012 | SERVER CERTIFICATE ISSUING SYSTEM AND PERSON AUTHENTICATION METHOD - A server certificate issuing system in which existence of a Web server for which a certificate is to be issued can be confirmed and security is further improved is realized, wherein the user authentication is carried out using a test certificate having the SSL certificate format. Servers transmit server certificate request to the registration server which transmits the test certificate request to the test certificate issuing authority. The test certificate issuing server transmits the generated test certificate to the registration server which transmits the test certificate to the corresponding server and requests to install the test certificate. Then, the registration server accesses with SSL protocol to the server and verifies whether or not the session of the SSL protocol has been established. The registration server transmits the CSR to the certificate issuing server only when the SSL protocol has been established. | 10-28-2010 |
20100275013 | Method for Communicating Certificates to Computers - A method includes receiving at a first computer a new certificate which is to replace an old certificate associated with the first computer and associating by the first computer the new certificate with the first computer. In response to the first computer associating the new certificate with the first computer, the first computer accesses an email address book of the first computer having information identifying a second computer as having received the old certificate to determine from the information that the second computer is to associate the new certificate in place of the old certificate with the first computer. In turn, the first computer transmits the new certificate to the second computer for the second computer to associate the new certificate with the first computer. | 10-28-2010 |
20100281253 | ISSUING A PUBLISHER USE LICENSE OFF-LINE IN A DIGITAL RIGHTS MANAGEMENT (DRM) SYSTEM - A publishing user publishes digital content and issues to itself a corresponding digital publisher license to allow itself to render the published digital content. The publishing user is supplied with a publishing certificate from a digital rights management (DRM) server, where the publishing certificate allows the publishing user to so publish the digital content and to so issue the publisher license. | 11-04-2010 |
20100287369 | ID SYSTEM AND PROGRAM, AND ID METHOD - [PROBLEMS] To appropriately authenticate a user, a biometric device, and an authentication timing of a client side and prevent leak or tampering of the biometric information. | 11-11-2010 |
20100293371 | GENERATING PKI EMAIL ACCOUNTS ON A WEB-BASED EMAIL SYSTEM - The present invention provides systems and methods for allowing an Email User to create a Public Key Infrastructure (PKI) Email Account and thereafter to digitally sign, send, verify and receive PKI encrypted emails over a computer network, such as the Internet. The systems and methods preferably include a Web-based Email System and a Certificate Authority that coordinate their actions to make the process of creating, maintaining and using the PKI Account as easy as possible for the Email User. In a preferred embodiment, a Keystore System may also be used to enhance the management and use of digital keypairs. | 11-18-2010 |
20100299520 | COMMUNICATION SYSTEM AND METHOD IN PUBLIC KEY INFRASTRUCTURE - In a communication system wherein a device and a client communicate data with each other through a network, the device holds a root certificate including a public key in a pair of the public key and a private key and signed with the public key. When data is sent, a certificate creator creates a second certificate including the root certificate designated as a certificate authority at a higher level and signed with the root certificate, and the second certificate is sent to the client. In the client, the root certificate has been stored beforehand, and a verifier verifies the signature of the second certificate with the root certificate. | 11-25-2010 |
20100306531 | Hardware-Based Zero-Knowledge Strong Authentication (H0KSA) - Systems and methods are provided for a device to engage in a zero-knowledge proof with an entity requiring authentication either of secret material or of the device itself. The device may provide protection of the secret material or its private key for device authentication using a hardware security module (HSM) of the device, which may include, for example, a read-only memory (ROM) accessible or programmable only by the device manufacturer. In the case of authenticating the device itself a zero-knowledge proof of knowledge may be used. The zero-knowledge proof or zero-knowledge proof of knowledge may be conducted via a communication channel on which an end-to-end (e.g., the device at one end and entity requiring authentication at the other end) unbroken chain of trust is established, unbroken chain of trust referring to a communication channel for which endpoints of each link in the communication channel mutually authenticate each other prior to conducting the zero-knowledge proof of knowledge and for which each link of the communication channel is protected by at least one of hardware protection and encryption. | 12-02-2010 |
20100306532 | AUTHENTICATION VERIFYING METHOD, AUTHENTICATION VERIFYING MEMBER AND AUTHENTICATION VERIFYING MEMBER PRODUCING METHOD - Authentication verifying for an object to be certified is carried out. An authentication verifying chip in which authentication verifying information is stored is mounted non-removably on a certificate. A confirmation chip in which the authentication verifying information is encrypted by a crypt key of a certificate issuer and is stored is mounted non-removably on the object to be certified. When verifying the authenticity of the object to be certified, the encrypted authentication verifying information in the confirmation chip is decrypted by the crypt key of the certificate issuer, and it is compared to the authentication verifying information in the authentication verifying chip. | 12-02-2010 |
20100306533 | SYSTEM, METHOD, AND APPARATA FOR SECURE COMMUNICATIONS USING AN ELECTRICAL GRID NETWORK - A secure communications and location authorization system using a power line or a potion thereof as a side-channel that mitigates man-in-the-middle attacks on communications networks and devices connected to those networks. The system includes a power grid server associated with a substation, or curb-side distribution structure such as a transformer, an electric meter associated with a structure having electric service and able to communicate with the power grid server, a human authorization detector input device connected to the electric meter and the power grid server. The human authorization detector is able to receive an input from a user physically located at the structure and capable of communicating with the power grid server via the electric meter. The user's physical input into the device causing a request to be sent to the power grid server that then generates a location certificate for the user. Without the location certificate, access to the communications network and devices connected to those networks can be denied. | 12-02-2010 |
20100318787 | Method for Certifying a Public Key by an Uncertified Provider - The invention concerns a method for guaranteeing certification of a user's public key by reducing requests to key-certifying appropriate authorities. More particularly, the invention concerns a method for managing a public key of a user capable of being implemented in an asymmetric cryptosystem. According to the invention, a certification, or validation of the correspondence between a public key and a user, is performed by a validating entity, a provider separate from the certifying authority via a validation step. The password is verifiable by the validating entity, but without the latter being aware of it. | 12-16-2010 |
20100318788 | METHOD OF MANAGING SECURE COMMUNICATIONS - An exemplary method of managing secure communications between nodes includes receiving a public key of a node associated with a certification authority. A root node certificate is provided to the node responsive to the received public key. The root node certificate indicates that the received public key belongs to the node. A root self-signed certificate corresponding to a public key of the certification authority is also provided to the node. | 12-16-2010 |
20100318789 | METHOD AND SYSTEM FOR LICENSE MANAGEMENT - System and method are disclosed for securing and managing individual end-user platforms as part of an enterprise network. The method/system of the invention has three main components: a security module, a manager appliance, and a console appliance. The security module enforces the enterprise licenses and security policies for the end-user platforms while the manager appliance provides secure, centralized communication with, and oversight of, the security module. The console appliance allows an administrator to access the manager appliance for purposes of monitoring and changing the licenses. Security is established and maintained through an innovative use of data encryption and authentication procedures. The use of these procedures allows the appliances to be uniquely identified to one another, which in turn provides a way to dynamically create unique identifiers for the security modules. These various components together form an infrastructure over the enterprise network to securely manage the end-user platforms. | 12-16-2010 |
20100325426 | PROTECTED SOFTWARE IDENTIFIERS FOR IMPROVING SECURITY IN A COMPUTING DEVICE - A computing device is operated in a manner such that, where application software includes a unique software identifier, this can be taken from an unprotected range (which can be allocated to any application software) or from a protected range (which can only be used by digitally signed software). On installation, the unique software identifiers are checked to ensure they do not clash with any belonging to software already on the device, and that, if they are from the protected range, the software being installed was digitally signed. Checks for ownership of the unique identifiers can also made at the time an application is signed. | 12-23-2010 |
20100325427 | METHOD AND APPARATUS FOR AUTHENTICATING A MOBILE DEVICE - An approach is provided for authenticating a mobile device. A mobile device initiates transmission of a request to an authentication platform for generating a public-key certificate to access a service from the mobile device. The mobile device receives an identity challenge and responds by initiating transmission of a tag specific to the mobile device to the authentication platform. The authentication platform uses the tag to generate a public-key certificate. | 12-23-2010 |
20100325428 | System and Method for Authentication of a Hardware Token - A method for authentication. A computer obtains a random number R generated by a hardware token. The computer forms and returns to the hardware token a signature Ck′(R) formed using the random number R with a computer secret key Ck′. The computer receiving from the hardware token authentication of the signature Ck′(R) that is performed by the hardware token using a computer public key Ck stored in the hardware token. | 12-23-2010 |
20100332824 | SYSTEM AND METHOD OF MOBILE LIGHTWEIGHT CRYPTOGRAPHIC DIRECTORY ACCESS - A system for handling an LDAP service request to an LDAP server for an LDAP service comprises a client program executable on a client system and a handler program executable on a handler system. The client program is operable to generate LDAP service request data corresponding to the LDAP service and provide the LDAP service request data for transmission from the client system, and further operable to receive LDAP service reply data in response to the LDAP service request data. The handler program is operable to receive the LDAP service request data transmitted from the client system and execute the LDAP service request to the LDAP server, receive LDAP service reply data from the LDAP server during one or more passes, and upon completion of the LDAP service, provide the LDAP service reply data for transmission to the client system in a single pass. | 12-30-2010 |
20110004753 | CERTIFICATE GENERATING/DISTRIBUTING SYSTEM,CERTIFICATE GENERATING/DISTRIBUTING METHOD AND CERTIFICATE GENERATING/DISTRIBUTING PROGRAM - In a certificate generating/distributing system, an authentication apparatus includes token transmitting means transmitting, to a service mediating apparatus, a certificate generation request token, which is information corresponding to a first certificate valid in the service mediating apparatus, together with the first certificate. The service mediating apparatus includes mediating apparatus token forwarding means forwarding the certificate generation request token to a service providing apparatus. The service providing apparatus includes certificate requesting means transmitting the certificate generation request token to the authentication apparatus when requesting a second certificate valid in the service providing apparatus. The authentication apparatus includes certificate transmitting means transmitting, to the service providing apparatus , the second certificate generated based on the first certificate in response to the request of the second certificate by the certificate requesting means. | 01-06-2011 |
20110010540 | Method for Providing Information Security for Wireless Transmissions - A wireless communication system includes a pager or similar device that communicates to a home terminal. The home terminal confirms the identity of the pager and attaches a certificate to the message for ongoing transmission. Where the recipient is also a pager, an associated home terminal verifies the transmission and forwards it in a trusted manner without the certificate to the recipient. | 01-13-2011 |
20110016312 | SYSTEM AND METHOD FOR ACCESSING HOST COMPUTER VIA REMOTE COMPUTER - In a peer-to-peer fashion, various host computers communicate with various remote computers using the Internet so that user inputs from the remote computers are transferred to the host computers as if the user inputs occurred locally, and information generated by the host computers is displayed on the remote computers. Thus, a remote computer is able to access all of the information and application programs on the host computer. | 01-20-2011 |
20110022838 | Method and system for secure remote login of a mobile device - A system to securely login a mobile device may include a storage means for storing an encrypted file, a certification system to receive the encrypted file from the storage means, and a customer transaction system in communication with the certification system. The system may also include the mobile device to transmit the encrypted file from the storage means to the certification system to allow the mobile device to securely log into the customer transaction system. | 01-27-2011 |
20110029771 | Enrollment Agent for Automated Certificate Enrollment - Automated generation of certificates from a Certificate Authority through the use of an Enrollment Agent. Devices needing certificates generate the necessary keys and package public key information with other identifying information about the device and send this information to an Enrollment Agent. The Enrollment Agent takes this information and submits it on behalf of the device to a Certificate Authority, managing the interaction with the Certificate Authority on behalf of the device. The Certificate Authority signs the request, returning a certificate to the Enrollment Agent. The Enrollment Agent packages the certificate along with the other certificates needed to establish a chain of trust and returns these to the device. Certificates may be stored in the device in flash memory. The process is secure as long as the communications path between the devices and the Enrollment Agent is secure; a secure VPN or HTTPS: connection allows the devices and the Enrollment Agent to be in separate locations. | 02-03-2011 |
20110040965 | ENTERPRISE SECURITY SYSTEM - A platform of Trust Management software which is a single, customizable, complete distributed computing security solution designed to be integrated into an enterprise computing environment. Digital Network Authentication (DNA) is the centerpiece of the system of the present invention. It is a unique means to authenticate the identity of a communicating party and authorize its activity. The whole mechanism can be thought of as a trusted third party providing assurances to both clients and servers that each communicating entity is a discrete, authenticated entity with clearly defined privileges and supporting data. Furthermore, the level of trust to be placed in the authorization of every entity communicating within the system is communicated to every entity within a distributed computing environment. | 02-17-2011 |
20110047373 | USER AUTHENTICATION SYSTEM AND METHOD FOR THE SAME - At the user authentication apparatus | 02-24-2011 |
20110047374 | METHOD AND APPARATUS FOR A CONFIGURABLE ONLINE PUBLIC KEY INFRASTRUCTURE (PKI) MANAGEMENT SYSTEM - A method and apparatus are provided for generating identity data to be provisioned in product devices that are a part of a project. The method includes establishing a template associated with each CA in a hierarchical chain of CAs having a root CA at a highest level in the chain and a signing CA at a lowest level in the chain. The template associated with the signing CA inherits mandatory attribute fields specified in the root CA and any intermediate CA in the hierarchical chain. The mandatory attribute fields are user-specifiable fields to be populated with PKI data. A configuration file is generated upon receipt of an order for digital certificates using PKI data provided by a user to populate the mandatory attribute fields of the template associated with the signing CA. The digital certificates requested in the order are generated using the PKI data in the configuration file. | 02-24-2011 |
20110055555 | LICENSING AND CERTIFICATE DISTRIBUTION VIA SECONDARY OR DIVIDED SIGNALING COMMUNICATION PATHWAY - In one embodiment, the present invention is directed to the use of separate communication pathways over different types of networks to handle bearer and control signaling in connection with a license transaction. | 03-03-2011 |
20110055556 | METHOD FOR PROVIDING ANONYMOUS PUBLIC KEY INFRASTRUCTURE AND METHOD FOR PROVIDING SERVICE USING THE SAME - Provided is a method for providing an anonymous public key infrastructure (PKI) in a user terminal. The method includes receiving a real-name certificate from a real-name PKI service domain, requesting an anonymous certificate to an anonymous PKI service domain, and receiving the anonymous certificate from the anonymous PKI service domain. Accordingly, the method can ensure anonymity when a user uses a service by providing the anonymous certificate in association with the PKI-based real-name certificate. | 03-03-2011 |
20110055557 | COMMUNICATION APPARATUS MEDIATING COMMUNICATION BETWEEN INSTRUMENTS - A communication apparatus makes a request to issue an electronic certificate of a first instrument to a certificate authority and acquires the electronic certificate from the certificate authority. The communication apparatus communicates with a second instrument using the electronic certificate of the first instrument in response to reception of a request for communication with the second instrument from the first instrument. Therefore, the communication apparatus mediates information communication between the second instrument and the first instrument. | 03-03-2011 |
20110066847 | Just In Time Trust Establishment and Propagation - Trust relationships in an online service system are established at a domain level, and propagated to components of domains as they attempt cross domain communication. In attempting to communicate across domains, a first component in a first domain attempts to validate a certificate of a second component in a second domain. Where the attempt to validate the certificate indicates that a trust relationship does not exist between the first component and the second domain, the first component determines whether a domain level trust relationship exists between the two domains. The first component propagates the trust status between the first and second domains to itself. If there is an existing trust relationship between the first and second domains, the first component validates the certificate of the second component in response. The second component executes the same process to complete the connection. | 03-17-2011 |
20110066848 | REMOTE CERTIFICATE MANAGEMENT - A system for managing security certificates on a plurality of remote computers comprises a certificate manager that can determine in accordance with at least one preestablished criterion whether a security certificate on a remote computer is to be managed. The system also includes an installer module that can access an account of the remote computer to manage the security certificate. Methods of using the system are also provided. | 03-17-2011 |
20110066849 | METHOD AND SYSTEM FOR VERIFYING THE IDENTITY OF A COMMUNICATION PARTNER - A method for verifying the identity of a communication partner, in particular in real-time communications, wherein a caller (A) sends a message towards a callee (B), and wherein the caller (A) attaches a self-signed certificate to the message, characterized in that the caller (A) and the callee (B) are part of a web-of-trust, wherein certificates of users within the web-of-trust are stored by one or more key-servers ( | 03-17-2011 |
20110072260 | METHOD AND SYSTEM OF DOWNLOADABLE CONDITIONAL ACCESS USING DISTRIBUTED TRUSTED AUTHORITY - Disclosed is a downloadable conditional access system (DCAS) and an operational method thereof that distributes a part of a function of a Trusted Authority to each multiple system operator (MSO) to enable the MSO server to process authentication with respect to a secure micro (SM) chip and a transport processor (TP) chip, and thus, a normal DCAS service is possible even when there is a problem with a security, and a DCAS host terminal for rental use is effectively operated. | 03-24-2011 |
20110072261 | PROVIDING SECURITY BETWEEN NETWORK ELEMENTS IN A NETWORK - A first network element receives a message from a second network element. The message is modified by the first network element by inserting a certificate into the message, wherein the certificate includes an identity of the first network element and a digital signature produced by the first network element. The modified message is sent to a third network element. | 03-24-2011 |
20110078439 | APPARATUS AND METHOD FOR USER IDENTITY AUTHENTICATION IN PEER-TO-PEER OVERLAY NETWORKS - Disclosed is a method for user identity authentication for a peer device joining a peer-to-peer overlay network. In the method, a credential server of the overlay network receives a registered user identity from a joining peer device. The credential server verifies the registered user identity with an identity provider. Upon receiving, at the credential server, successful verification of the registered user identity from the identity provider, the credential server issues to the joining peer device a signed certificate for use by an authenticated peer device in the overlay network to authenticate the registered user identity of the joining peer device, wherein the signed certificate is signed by a private key of the credential server. | 03-31-2011 |
20110087881 | APPARATUS AND METHOD FOR MONITORING CERTIFICATE ACQUISITION - A system that incorporates teachings of the present disclosure may include, for example, a set-top-box (STB) having a controller to transmit a request to a remote management server for status information associated with a x.509 certificate intended for the STB, wherein at least one of the STB and the remote management server operate in an interactive television (iTV) network, and receive the status information associated with the x.509 certificate from the remote management server, wherein events associated with the status information are received by the remote management server from at least one of the STB, a certificates proxy, an external certificate web service, and a certificate authority, and wherein the status information comprises at least a portion of the received events. Other embodiments are disclosed. | 04-14-2011 |
20110087882 | APPARATUS AND METHODS FOR PROTECTING NETWORK RESOURCES - Apparatus and methods are provided for protecting network resources, particularly in association with automatic provisioning of new client devices. A global PKI (Public Key Infrastructure) scheme is rooted at a globally available server. Roots of PKIs for individual organizations also reside at this server or another globally available resource. To enable access to an organization's network, one or more authenticators are deployed, which may be co-located with access points or other network components. After a client device enabler (CDE) and an authenticator perform mutual authentication with certificates issued within the global PKI, the CDE is used to provision a new client device for the organization. After the client is provisioned, it and an authenticator use certificates issued within the per-organization PKI to allow the client access to the network. | 04-14-2011 |
20110087883 | SELF-SIGNED IMPLICIT CERTIFICATES - There are disclosed systems and methods for creating a self-signed implicit certificate. In one embodiment, the self-signed implicit certificate is generated and operated upon using transformations of a nature similar to the transformations used in the ECQV protocol. In such a system, a root CA or other computing device avoids having to generate an explicit self-signed certificate by instead generating a self-signed implicit certificate. | 04-14-2011 |
20110099367 | KEY CERTIFICATION IN ONE ROUND TRIP - Certification of a key, which a Trusted Platform Module (TPM) has attested as being non-migratable, can be performed in a single round trip between the certificate authority (CA) and the client that requests the certificate. The client creates a certificate request, and then has the TPM create an attestation identity key (AIK) that is bound to the certificate request. The client then asks the TPM to sign the new key as an attestation of non-migratability. The client then sends the certificate request, along with the attestation of non-migratability to the CA. The CA examines the certificate request and attestation of non-migratability. However, since the CA does not know whether the attestation has been made by a trusted TPM, it certifies the key but includes, in the certificate, an encrypted signature that can only be decrypted using the endorsement key of the trusted TPM. | 04-28-2011 |
20110099368 | CABLE MODEM AND CERTIFICATE TESTING METHOD THEREOF - A cable modem stores certificates including a root certificate authority (CA) certificate, a root CA public key, a manufacturer CA certificate, and a cable modem certificate. The cable modem reads the root CA public key, determines whether the root CA public key complies with a key industry standard, determines whether the manufacturer CA certificate is generated according to the root CA certificate, and determines whether the cable modem certificate is generated according to the manufacturer CA certificate. | 04-28-2011 |
20110099369 | FILE ENCRYPTION SYSTEM AND METHOD - An electronic document comparison system and method converts a test file into a compressed file having a specific format. A public key of the CA certificate of a user is obtained and a random key is generated using a random function. Furthermore, the compressed file is symmetrically encrypted using the random key, and the random key is asymmetrically encrypted using the public key to generate an asymmetric encryption key. A header of the compressed file is attached with the asymmetric encryption key and data length of the asymmetric encryption key. | 04-28-2011 |
20110107089 | METHODS AND SYSTEMS FOR IMPLEMENTING POLICY BASED TRUST MANAGEMENT - This disclosure describes, generally, methods and systems for implementing policy based trust management. The method includes receiving, at an host server, a trust request from a partner, and identifying, at the host server via a trust policy enforcer, parameters and attributes associated with the partner. The method further includes identifying, at the host server via the trust policy enforcer, parameters and attributes associated with the requested resource, and accessing, by the trust policy enforcer, a policy database. Furthermore, the method includes retrieving, by the trust policy enforcer, one or more trust policies associated with the requested resource, and based on the attributes and parameters of the partner, applying, by the trust policy enforcer, the one or more associated trust policies to the request. Further, the method includes based on conformity with the one or more trust policies, providing the partner with access to the requested resource. | 05-05-2011 |
20110113238 | CERTIFICATE ENROLLMENT WITH PURCHASE TO LIMIT SYBIL ATTACKS IN PEER-TO-PEER NETWORK - A system may protect against Sybil attacks on a peer-to-peer (P2P) network based on each one the nodes in the P2P network being identified by a corresponding certificate. In particular, a node may receive a license key, where the license key is evidence of a purchased product license. The node may transmit a message included in the license key to a certificate authority. The node may receive a certificate from the certificate authority in response to authentication of the message. The node may be identified in the P2P network with a node identifier included in the certificate. | 05-12-2011 |
20110113239 | RENEWAL OF EXPIRED CERTIFICATES - A method and system for renewal of expired certificates is described. In one embodiment, a method, implemented by a computing system programmed to perform operations, includes receiving, at a certificate manager of a computing system from a requester, a certificate renewal request for an original digital certificate that has already expired, and renewing the expired certificate as a renewed certificate by the certificate manager when the certificate renewal request is approved. The renewed certificate comprises the same key pair as the original certificate, but includes a new expiration date, and wherein the renewed certificate is functionally identical to the original certificate. | 05-12-2011 |
20110113240 | CERTIFICATE RENEWAL USING ENROLLMENT PROFILE FRAMEWORK - A method and system for renewing digital certificates using an enrollment profile framework is described. | 05-12-2011 |
20110113241 | IC CARD, IC CARD SYSTEM, AND METHOD THEREOF - An IC card includes: a common key set upon issuance of a card by an IC card issuer; a public key certificate of a parent IC card issued by an authentication station; a signed public key which has been signed by using the parent IC card secret key; a key storage unit which stores the secret key; a data transmission/reception unit which receives at least the public key certificate and the signed public key from the parent IC card; an encryption calculation unit which decodes encrypted user biometric information received from the parent IC card; and a biometric information storage unit which stores first biometric information which has been decoded. The use of the IC card is limited depending on whether biometric information is correct. | 05-12-2011 |
20110119485 | METHOD AND APPARATUS FOR PROVIDING RADIO COMMUNICATION WITH AN OBJECT IN A LOCAL ENVIRONMENT - A method and apparatus for providing radio communication with an electronic object in a local environment are disclosed. For example the method receives via a mobile endpoint device of a user at least one first digital certificate associated with the local environment from a trusted source, and a second digital certificate from the electronic device deployed in the local environment via a wireless connection. The method then authenticates the electronic device using the at least one first digital certificate and the second digital certificate. | 05-19-2011 |
20110119486 | METHOD AND APPARATUS FOR MANAGING ACCESS RIGHTS TO INFORMATION SPACES - An approach is provided for managing access rights of users to information spaces using signatures stored in a memory tag. A signature manager caused reading of a memory tag to initiate a request, from a device, for an initial access to an information space. The request includes an authorization signature associated with the device. The signature manager determines a level of access to the information space by comparing the authorization signature against a lattice of signature primitives associated with the information space. The signature manager then modifies the authorization signature based on the determination and stores the modified authorization signature for validation of subsequent access to the information space by the device. | 05-19-2011 |
20110126001 | AUTOMATIC CERTIFICATE RENEWAL - A method and system for automatic certificate renewal is described. | 05-26-2011 |
20110126002 | TOKEN RENEWAL - A method and system for renewing certificates stored on tokens is described. | 05-26-2011 |
20110126003 | SSL CLIENT AUTHENTICATION - A client authentication system receives an authentication request from a server for a session between a client and the server. The authentication system determines whether a storage device contains a configuration that corresponds to the authentication request. The authentication system configures client authentication based on whether the storage device contains the corresponding configuration and displays in a graphical user interface (GUI) a status indicator to show the client authentication configuration for the session. The GUI allows a user to change the client authentication configuration for the session. | 05-26-2011 |
20110126004 | DEVICE MANAGEMENT SYSTEM, SITE MONITORING APPARATUS AND METHOD - A server certificate and root certificate for performing secure communication with monitoring target devices are issued in a site monitoring apparatus. Using a secret key that is paired with a public key, a digital signature is issued based on communication destination information in which the site monitoring apparatus is the communication destination and the issued root certificate, and the communication destination information, root certificate, and digital signature are transmitted to the monitoring target devices. The monitoring target devices receive the communication destination information, root certificate, and digital signature from the site monitoring apparatus. Authentication is performed on the received digital signature using the public key, and in accordance with successful authentication, the communication destination for device monitoring information is changed from a management server to the site monitoring apparatus and secure communication is performed with the site monitoring apparatus, using the received communication information and root certificate. | 05-26-2011 |
20110145567 | METHOD AND SYSTEM TO COMBINE MULTIPLE DIGITAL CERTIFICATES USING THE SUBJECT ALTERNATIVE NAME EXTENSION - A method for forming a digital certificate includes receiving contact information associated with the digital certificate. The contact information includes at least a name, a mailing address, and an email address. The method also includes receiving billing information associated with the digital certificate and receiving a Certificate Signing Request (CSR) for the digital certificate. The method further includes receiving a first name for use in forming the digital certificate and receiving a second name for use in forming the digital certificate. Moreover, the method includes receiving an indication of a vendor of web server software, receiving an indication of a service period for the digital certificate, and forming the digital certificate. The first name is stored in a Subject field of the digital certificate and the second name is stored in the SubjectAltName extension of the digital certificate. | 06-16-2011 |
20110145568 | HANDLING OF THE USAGE OF SOFTWARE IN A DISCONNECTED COMPUTING ENVIRONMENT - A method, computer program product and system of handling usage of software in a disconnected computing environment. A digital certificate including time frame constraints is generated, signed by a certificate authority and associated to the software. To be executed, the digital certificate previously signed must be validated by the certificate authority by checking public keys and the time frame constraints must be simultaneously satisfied in the disconnected computing environment. The use of software is controlled in disconnected computing environments and/or read-only computing environments, i.e. environments which are not modifiable or in which brought modifications are not persistent. The data collected by the software may be further encrypted and thus be controlled. | 06-16-2011 |
20110154024 | METHOD AND APPARATUS FOR SELECTING A CERTIFICATE AUTHORITY - A certificate authority selection unit implements a method for selecting one of a plurality of certificate authorities servicing a plurality of administrative domains in a communication system. The method includes: receiving, from an end-entity via an interface, a certificate service request associated with an identifier; selecting, based on the identifier, one of the plurality of administrative domains in the communication system, wherein the plurality of administrative domains are serviced by a plurality of certificate authorities; retrieving a security profile for the end-entity; and selecting, based on the security profile for the end-entity, one of the plurality of certificate authorities to process the certificate service request. | 06-23-2011 |
20110154025 | COMPUTER IMPLEMENTED METHOD FOR AUTHENTICATING A USER - The invention relates to a computer implemented method for performing a user authentication, wherein an asymmetric cryptographic key pair is associated with the user, said key pair comprising a public key and a private key, wherein the method comprises selecting the user to be authenticated using a pseudonym of said user, wherein said pseudonym comprises the public key of the user, the method further comprising performing a cryptographic authentication of the user using the asymmetric cryptographic key pair. | 06-23-2011 |
20110161659 | METHOD TO ENABLE SECURE SELF-PROVISIONING OF SUBSCRIBER UNITS IN A COMMUNICATION SYSTEM - A method to enable remote, secure, self-provisioning of a subscriber unit includes, a security provisioning server: receiving, from a subscriber unit, a certificate signing request having subscriber unit configuration trigger data; generating provisioning data for the subscriber unit using the subscriber unit configuration trigger data; and in response to the certificate signing request, providing to the subscriber unit the provisioning data and a subscriber unit certificate having authorization attributes associated with the provisioning data, to enable the self-provisioning of the subscriber unit. | 06-30-2011 |
20110161660 | TEMPORARY REGISTRATION OF DEVICES - In a method of temporarily registering a second device with a first device, in which the first device includes a temporary registration mode, the temporary registration mode in the first device is activated, a temporary registration operation in the first device is initiated from the second device, a determination as to whether the second device is authorized to register with the first device is made, and the second device is temporarily registered with the first device in response to a determination that the second device is authorized to register with the first device, in which the temporary registration requires that at least one of the second device and the first device delete information required for the temporary registration following at least one of a determination of a network connection between the first device and the second device and a powering off of at least one of the first device and the second device. | 06-30-2011 |
20110161661 | ENHANCED AUTHORIZATION PROCESS USING DIGITAL SIGNATURES - A method is provided for enhancing security of a communication session between first and second endpoints which employs a key management protocol. The method includes sending a first message to a first end point over a communications network requesting a secure communication session therewith. The message includes an identity of a second end point requesting the authenticated communication session. A digital certificate is received from the first endpoint over the communications network. The digital certificate is issued by a certifying source verifying information contained in the digital certificate. The digital certificate includes a plurality of fields, one or more of which are transformed in accordance with a transformation algorithm. A reverse transform is applied to the one or more transformed fields to obtain the one or more fields. The digital certificate is validated and a second message is sent to the first endpoint indicating that validation is complete. | 06-30-2011 |
20110161662 | SYSTEM AND METHOD FOR UPDATING DIGITAL CERTIFICATE AUTOMATICALLY - A system and method for automatically updating a digital certificate prompts a user of a client computer to update a current digital certificate if a period of validity of the current digital certificate elapses or is about to elapse, and creates a new digital certificate if the current digital certificate needs to be updated. The system and method further deletes the current digital certificate, and loads the new digital certificate into a storage system of the client computer. | 06-30-2011 |
20110167256 | ROLE-BASED ACCESS CONTROL UTILIZING TOKEN PROFILES - A method and system for managing role-based access control of token data using token profiles is described. | 07-07-2011 |
20110167257 | Method for issuing, verifying, and distributing certificates for use in public key infrastructure - The invention relates to a method for issuing, verifying, and distributing digital certificates for use in Public Key Infrastructure, in which a requester | 07-07-2011 |
20110167258 | Efficient Secure Cloud-Based Processing of Certificate Status Information - A cloud-based system having a secure database of certificate information and associated methods are provided. The system and methods may be used to supplement or replace traditional OCSP processing systems. Responses to OCSP requests are digitally signed and cached in a cloud database server remote from the requester. Other servers in the cloud may access the cached OCSP responses from the database server, rather than the originating certificate authority. Thus, the work traditionally done by the certificate authority is moved to the cloud, which eliminates a single point of failure and improves the resources available to perform transactional processing. | 07-07-2011 |
20110179268 | PROTECTING APPLICATIONS WITH KEY AND USAGE POLICY - One or more files of an application are obtained and configured as a virtual storage volume. An application package is generated by encrypting, using a key, the one or more files configured as a virtual storage volume. A license generation module generates a license including both a usage policy for the application and the key. A computing device, to run the application, obtains and attempts to authenticate the application package. If the application package is authenticated, then a license associated with the application package is obtained and at least part of the application package is decrypted using the key in the license. A virtual storage volume that includes the application is mounted, and the application is executed in accordance with the usage policy in the license. However, if the application is not authenticated, then the application is not executed. | 07-21-2011 |
20110179269 | SIGNATURE SYSTEMS - A signature system includes a public key certificate obtainment device | 07-21-2011 |
20110185171 | CERTIFICATE AUTHENTICATING METHOD, CERTIFICATE ISSUING DEVICE, AND AUTHENTICATION DEVICE - A terminal device | 07-28-2011 |
20110185172 | GENERATING PKI EMAIL ACCOUNTS ON A WEB-BASED EMAIL SYSTEM - The present invention provides systems and methods for allowing an Email User to create a Public Key Infrastructure (PKI) Email Account and thereafter to digitally sign, send, verify and receive PKI encrypted emails over a computer network, such as the Internet. The systems and methods preferably include a Web-based Email System and a Certificate Authority that coordinate their actions to make the process of creating, maintaining and using the PKI Account as easy as possible for the Email User. In a preferred embodiment, a Keystore System may also be used to enhance the management and use of digital keypairs. | 07-28-2011 |
20110191579 | TRUSTED NETWORK CONNECT METHOD FOR ENHANCING SECURITY - A trusted network connect method for enhancing security, it pre-prepares platform integrity information, sets an integrity verify demand. A network access requestor initiates an access request, a network access authority starts a process for bi-directional user authentication, begins to perform the triplex element peer authentication protocol with a user authentication service unit. After the success of the bi-directional user authentication, a TNC server and a TNC client perform bi-directional platform integrity evaluation. The network access requestor and the network access authority control ports according to their respective recommendations, implement the mutual access control of the access requestor and the access authority. The present invention solves the technical problems in the background technologies: the security is lower relatively, the access requestor may be unable to verify the validity of the AIK credential and the platform integrity evaluation is not parity. The present invention may simplify the management of the key and the mechanism of integrity verification, expand the application scope of the trusted network connect. | 08-04-2011 |
20110191580 | METHOD AND SYSTEM FOR EXECUTION MONITOR-BASED TRUSTED COMPUTING - A system and method to ensure trustworthiness of a remote service provided by a service provider. The method includes monitoring runtime dependencies invoked during execution of a service transaction associated with the remote service, the service transaction being requested by a service requester. The method further includes determining whether a deviation exists between the runtime dependencies and a trusted list of dependencies associated with the remote service. The method also includes blocking execution of the service transaction based on determining that the deviation between the runtime dependencies and the trusted list of dependencies exists. | 08-04-2011 |
20110197061 | CONFIGURABLE ONLINE PUBLIC KEY INFRASTRUCTURE (PKI) MANAGEMENT FRAMEWORK - A method and apparatus is provided for establishing a process for provisioning a digital certificate service delivered by a PKI system. The method includes receiving a request for a digital certificate service and receiving data specifying a project that includes at least one product to be provisioned with a digital certificate. Data specifying an identification of an owner organization of the project and at least one participant organization participating in the project is also received. Attributes with which PKI data to be included in the digital certificates is to comply is received from the owner organization. Based on the received data and attributes, an account is established for each of the organizations associated with the project through which users associated with each of the organizations can respectively request digital certificates for the at least one product in accordance with the attributes received from the owner organization. | 08-11-2011 |
20110202759 | CERTIFICATE REMOTING AND RECOVERY - Certificate remoting and recovery may be provided. A computer may identify required security certificates and determine whether at least one required security certificate is not available. If the certificate is not available, the computer may identify a peer server and request the missing certificate from the peer server. The computer may also be operative to receive certificate management instructions from other computers. | 08-18-2011 |
20110208961 | SECURE MESSAGING SYSTEM - A method for secure data transactions over a computer network is described. In one embodiment, the act of generating at the first party a document, which authorizes the data transaction to proceed is performed. In one embodiment, the document content is signed using a computer network with audit-level encryption digital certificates. In one embodiment, a signed digital message (and/or document) is sent from the first party to the network transfer system electronically, and can be authenticated via the ICN certificate authorities to demonstrate the authorities of the signer of the signed document in assent to the transaction. In one embodiment, a copy of the signed digital document can be stored in a database associated with the transfer network system. In one embodiment, the system uses rules (patterns) of exchange agreed upon within and between organizations. These rules enable the exchange to progress smoothly and drive systematically the attention of participants to demands and problems etc. as a given transaction goes along. | 08-25-2011 |
20110208962 | STREAMLINED PROCESS FOR ENROLLMENT OF MULTIPLE DIGITAL CERTIFICATES - The enrollment process for purchasing multiple digital certificates configured using different cryptographic algorithms or hashing algorithms is streamlined. A certificate purchaser wishing to purchase two or more certificates is prompted to provide answers to common enrollment questions, such as the purchaser's contact information, payment details, web sever software, and the like, using a simplified and streamlined enrollment process. Each certificate is optionally configured using a different hashing algorithm. | 08-25-2011 |
20110213961 | DYNAMIC USER INTERFACE GENERATION BASED ON CONSTRAINTS OF A CERTIFICATE PROFILE - A method and system for dynamic user interface generation based on constraints of a certificate profile is described. | 09-01-2011 |
20110213962 | DOMAIN MANAGEMENT FOR DIGITAL MEDIA - In accordance with the domain management for digital media, a device obtains multiple pieces of protected content from multiple content providers, where two or more of the content providers employ different digital rights management systems. The device also accesses a license server to obtain, for each piece of protected content, a content license that is bound to a domain. The content license permits the device to play back a piece of protected content. | 09-01-2011 |
20110238982 | Trust-Management Systems and Methods - The present invention provides systems and methods for making efficient trust management decisions. A trust management engine is provided that processes requests for system resources, authorizations or certificates, and the identity of one or more root authorities that are ultimately responsible for granting or denying the requests. To determine whether a request should be granted, the trust management engine identifies a set principals from whom authorization may flow, and interprets each of the certificates as a function of the state of one or more of the principals. The processing logic iteratively evaluates the functions represented by the certificates, updates the states of the principals, and repeats this process until a reliable determination can be made as to whether the request should be granted or denied. The certificates may be evaluated until the state of the root authority indicates that the request should be granted, or until further evaluation of the certificates is ineffective in changing the state of the principals. | 09-29-2011 |
20110271100 | UNATTENDED CODE UPDATE OF STORAGE FACILITY - Various embodiments for providing an update to at least one storage facility in a computing storage environment are provided. In one embodiment, a security verification is performed on the update via a certificate authentication mechanism to confirm a validity of the update. Subsequent to confirming the validity of the update, a safety verification on the update is performed to confirm a suitability of the update to the at least one storage facility. If the security and safety verifications are validated, the update is provided and installed in the at least one storage facility. | 11-03-2011 |
20110271101 | Method, system and terminal device for realizing locking network by terminal device - A method, system and terminal device implement locking a terminal device onto a network. This method comprises a procedure of locking onto the network during accessing the network, namely performing locking-onto-network configuration verification in a network accessing authentication process, and if the locking-onto-network configuration verification is successful, allowing for verification for an authentication certificate, or else refusing the terminal device of access to the network. The method, system and terminal device in the present invention perform locking-onto-network configuration verification when performing authentication, and the terminal device and server uniformly configure a locking-onto-network character string, and thus it has a great security. Besides, the present invention also can implement unlocking and locking again after accessing the network via an air interface management in the OTA way, and thus it has high flexibility and applicability, and can satisfy the requirements of 4G networks such as the WiMAX network and LTE network. | 11-03-2011 |
20110276798 | SECURITY MANAGEMENT METHOD AND SYSTEM FOR WAPI TERMINAL ACCESSING IMS NETWORK - The present invention discloses a security management method and a security management system for a WAPI terminal accessing an IMS network. The method comprises: an authentication service unit (ASU) sending, under the circumstance that an access point and the WAPI terminal pass the verification of the ASU, a security information request message to a home subscriber server (HSS) (S | 11-10-2011 |
20110283103 | ONE TIME PASSWORDS WITH IPSEC AND IKE VERSION 1 AUTHENTICATION - A system adapted to condition access to a network over an IPsec session to clients providing a proper one-time-password, even though the network access control uses IKEv1, which does not support one-time-passwords. An authentication service receives from a client an access request including the one-time-password, and provides the one-time-password to a service that checks the password. The one-time-password service returns a cookie when the password is successfully validated and the client is properly authenticated. The cookie is passed on to the client computer, which uses the cookie as part of a request for a certificate. A certificate authority generates a certificate if a request for a certificate is received from an authenticated client, which in turn may be used to form the IPsec session for access to the network. | 11-17-2011 |
20110289315 | Generic Bootstrapping Architecture Usage With WEB Applications And WEB Pages - A method includes receiving at a network application function a request related to a generic bootstrapping architecture key originated from a user equipment. The received request includes a network application function identifier that includes a uniform resource locator, where the network application function has a fully qualified domain name. The method further includes causing a generic bootstrapping architecture key to be generated for the user equipment based at least in part on the uniform resource locator that is part of the network application function identifier. Apparatus and computer programs for performing the method are also disclosed. | 11-24-2011 |
20110296171 | KEY RECOVERY MECHANISM - A method and system for server-side key generation for non-token clients is described. | 12-01-2011 |
20110296172 | SERVER-SIDE KEY GENERATION FOR NON-TOKEN CLIENTS - A method and system for server-side key generation for non-token clients is described. | 12-01-2011 |
20120017081 | METHOD FOR AUTHENTICATING DEVICE CAPABILITIES TO A VERIFIED THIRD PARTY - A system, devices and methods for verifying an administrator computing device to a guest computing device, verifying the guest device to the administrator device and outputting a list of the guest device capabilities for the administrator device such that the guest device is capable of verifying the administrator device, for example to ensure it does not divulge its capabilities to imposters, and the administrator device is capable of identifying whether the list of device capabilities is authentic. Verification can be achieved through cryptographic hashes of private certificates, digital signatures or expected output from verified modules. The list of device capabilities may be restricted based on the authorization granted to the administrator computer and may be altered or watermarked for verification. A failure to verify the administrator device may restrict execution of instructions on the guest device to prevent unauthorized access to the guest device's capabilities. | 01-19-2012 |
20120017082 | Virtual Private Supply Chain - A generic Internet based system for viewing supply chain data is provided. The system includes an Internet based data viewing engine and a data store that holds both viewable data and metadata associated with the viewable data. The metadata can be employed by the Internet based data viewing engine to control the presentation of the viewable data. The generic Internet based supply chain data viewing engine may be employed in a virtual private supply chain (VPSC). A VPSC includes a data acceptor that can receive supply chain data items from supply chain members, a supply chain data store that can store transformed, validated supply chain data items received from the supply chain members and a data accessor operable to selectively present supply chain data items stored in the supply chain data store to viewing supply chain members. One example of the data accessor is the generic Internet based viewing engine. | 01-19-2012 |
20120023326 | AUTOMATED PROVISIONING OF A NETWORK APPLIANCE - Network communication and provisioning systems and methods are provided to enable automatic provisioning of an appliance to provide encryption services for email messages and other types of electronic messages addressed to or from an email domain. | 01-26-2012 |
20120023327 | INFORMATION PROCESSING APPARATUS - An information processing apparatus includes: an acquiring unit that acquires specific information; a preparation unit that makes out a certificate signing request based on the specific information, wherein the preparation unit makes out a first type certificate signing request including extensions and makes out a second type certificate signing request not including extensions; a display control unit that displays a selection screen on a display unit; and an output unit that is configured to output one of the first type certificate signing request and the second type certificate signing request to an outside according to selecting by a user in the selection screen. | 01-26-2012 |
20120023328 | Trust Information Delivery Scheme for Certificate Validation - A unique TIO based trust information delivery scheme is disclosed that allows clients to verify received certificates and to control Java and Javascript access efficiently. This scheme fits into the certificate verification process in SSL to provide a secure connection between a client and a Web server. In particular, the scheme is well suited for incorporation into consumer devices that have a limited footprint, such as set-top boxes, cell phones, and handheld computers. Furthermore, the TIO update scheme disclosed herein allows clients to update certificates securely and dynamically. | 01-26-2012 |
20120030460 | Authority-Neutral Certification for Multiple-Authority PKI Environments - A method for facilitating electronic certification, and systems for use therewith, are presented in the context of public key encryption infrastructures. Some aspects of the invention provide methods for facilitating electronic certification using authority-neutral service requests sent by an application, which are then formatted by a server comprising a middleware that can convert the authority-neutral request into certification authority specific objects. The server and middleware then return a response from a selected certification authority back to the service requesting application. Thus, the server and/or middleware act as intermediaries that facilitate user transactions in an environment having multiple certification authorities without undue burden on the applications or the expense and reliability problems associated therewith. | 02-02-2012 |
20120042161 | SYSTEM AND METHOD FOR SENDING SECURE MESSAGES - Electronic messages are sent from a sending system to an identified recipient and are encrypted using information contained in a certificate for that recipient. An electronic device and method are provided for detecting receipt of a command to initiate transmission of a composed message to a recipient, and after said detection but prior to transmitting the message, determining that no valid digital certificate for said recipient is available at the communication device; retrieving a valid digital certificate for said recipient from a source over a network; and encrypting said composed message using the valid digital certificate; then initiating transmission of the encrypted, composed message to the recipient. Retrieval of the valid digital certificate can include repeated retrieval and validation of certificates until a valid certificate is obtained. | 02-16-2012 |
20120047363 | Implicit Certificate Verification - A method of computing a cryptographic key to be shared between a pair of correspondents communicating with one another through a cryptographic system is provided, where one of the correspondents receives a certificate of the other correspondents public key information to be combined with private key information of the one correspondent to generate the key. The method comprises the steps of computing the key by combining the public key information and the private key information and including in the computation a component corresponding to verification of the certificate, such that failure of the certificate to verify results in a key at the one correspondent that is different to the key computed at the other correspondent. | 02-23-2012 |
20120060026 | CERTIFICATE MANAGEMENT AND TRANSFER SYSTEM AND METHOD - A method and system for Certificate management and transfer between messaging clients are disclosed. When communications are established between a first messaging client and a second messaging client, one or more Certificates stored on the first messaging client may be selected and transferred to the second messaging client. Messaging clients may thereby share Certificates. Certificate management functions such as Certificate deletions, Certificate updates and Certificate status checks may also be provided. | 03-08-2012 |
20120060027 | CERTIFYING THE IDENTITY OF A NETWORK DEVICE - According to one aspect, a method for certifying the identity of a network device. The method includes an initial step of coupling the network device to a provisioning device via a physically secure communications link. The provisioning device then certifies the identity of the network device including generating a cryptographic private key for the network device and sending the generated private key to the network device over the physically secure communications link. | 03-08-2012 |
20120060028 | SIGNATURE DEVICE, SIGNATURE VERIFICATION DEVICE, ANONYMOUS AUTHETICATION SYSTEM, SIGNING METHOD, SIGNATURE AUTHENTICATION METHOD, AND PROGRAMS THEREFOR | 03-08-2012 |
20120066492 | METHOD FOR MAKING SECURITY MECHANISMS AVAILABLE IN WIRELESS MESH NETWORKS - The invention relates to a method for making safety mechanisms available in wireless mesh networks which have a plurality of nodes that are interconnected by multi-hop communication in a wireless network meshed by mesh routing in the MAC layer, every node being active as a router to forward the data traffic of the other nodes. At least two differentiated levels of confidence are defined by a type of protection (ToP) the value of which represents a specific level of confidence for the nodes and data packets, the data packets being labeled with a ToP value in the mesh header, and at least one ToP value being allocated to the participating nodes, the nodes forwarding the data packet in the mesh network using the ToP values of the node and of the data packet if this ToP value combination is admissible in the node. | 03-15-2012 |
20120072716 | MULTITENANT-AWARE PROTECTION SERVICE - Implementing a data protection service. One method includes receiving a request to provision a first tenant among a plurality of tenants managed by a single data protection service. A tenant is defined as an entity among a plurality of entities. A single data protection service provides data protection services to all tenants in the plurality of tenants. A first encryption key used to decrypt the first tenant's data at the data store is stored. The first encryption key is specific to the first tenant and thus cannot be used to decrypt other tenants' data at the data store from among the plurality of tenants. Rather each tenant in the plurality of tenants is associated with an encryption key, not usable by other tenants, used at the data store to decrypt data on a tenant and corresponding key basis. | 03-22-2012 |
20120072717 | Dynamic identity authentication system - An authenticating device ( | 03-22-2012 |
20120072718 | System And Methods For Online Authentication - A method of establishing a communication channel between a network client and a computer server over a network is described. The network client may be configured to communicate with the computer server over the network and to communicate with a token manager. The token manager may be configured with a parent digital certificate that is associated with the token manager. The token manager or network client generates a credential from the parent digital certificate, and transmits the credential to the computer server. The credential may be associated with the computer server. The network client may establish the communications channel with the computer server in accordance with an outcome of a determination of validity of the credential by the computer server. | 03-22-2012 |
20120072719 | Method Enabling Real-Time Data Service, Realization, Real-Time Data Service System and Mobile Terminal - The present invention discloses a method for implementing a real-time data service, a real-time data service system and a mobile terminal. Said method for implementing a real-time data service includes the following steps: before encapsulating a Media Access Control Protocol Data Unit (MPDU), a Wireless Local Area Network Privacy Infrastructure (WPI) module in an Access Point (AP) needs to determine the type of the data to be encapsulated in the MPDU; if the data is a control signalling message of a real-time data service, the WPI module encrypts said data, then encapsulates the encrypted data in a data (e.g. PDU) field of the MPDU, and transmits the encapsulated data to the mobile terminal; if the data is an audio/video data message of a real-time data service, the data is not to be encrypted, but is encapsulated directly into the data (e.g. PDU) field of the MPDU in plaintext, and then transmitted to the mobile terminal. The present invention can reduce the processing load and the software and hardware costs of the AP and the mobile terminal. | 03-22-2012 |
20120079267 | Securing Locally Stored Web-based Database Data - The present invention extends to methods, systems, and computer program products for locally storing Web-based database data in a secure manner. Embodiments of the present invention permit Web-based database data to be locally stored at a computer system to increase the efficiency of rendering the Web-based database data within a Web browser at the computer system. Web-based database data can be sandboxed per domain to mitigate (and possibly eliminate) the exposure of the Web-based database data to malicious computer systems. A web server may be required to authenticate itself before it may present database data to be locally stored at a computer system. A web server may be required to authenticate itself before being allowed to access database data stored locally at a computer system. | 03-29-2012 |
20120079268 | SEPARATING AUTHORIZATION IDENTITY FROM POLICY ENFORCEMENT IDENTITY - The present invention extends to methods, systems, and computer program products for separating authorization identity from policy enforcement identity. Embodiments of the invention extend the consumption phase for protected information. Two identities, an authorization identity and a policy enforcement identity, are used for acquiring, issuing and enforcing usage license instead of one identity certificate. The authorization identity is used to evaluate against usage policy. The authorization identity is similar to identification information in an identity certificate. The policy enforcement identity is used to ensure the confidentiality of granted permissions and content key. The policy enforcement identity enforces a usage license on an authorization principal's (e.g., recipient's) machine. The policy enforcement identity's enforcement of a usage license is similar use of a cryptographic key in an identity certificate. | 03-29-2012 |
20120079269 | SYNCHRONIZING CERTIFICATES BETWEEN A DEVICE AND SERVER - Systems and methods for processing messages within a wireless communications system are disclosed. A server within the wireless communications system maintains a list of certificates contained in devices that use the server. The server synchronizes or updates the list of certificates based on information contained in message to and from the device. By providing a server with certificates associated with devices that use the server, and providing a system and method for synchronizing the certificates between the device and server, the server can implement powerful features that will improve the efficiency, speed and user satisfaction of the devices. The exemplary embodiments also enable advantageous bandwidth savings by preventing transmission of certificates unnecessarily | 03-29-2012 |
20120084556 | SYSTEM AND METHOD FOR RETRIEVING RELATED CERTIFICATES - A system and method for searching and retrieving certificates, which may be used in the processing of encoded messages. In one embodiment, all certificates related to an identified certificate are retrieved from the certificate servers automatically by the certificate synchronization application, where the related certificates comprise at least one of one or more CA certificates and one or more cross-certificates. Embodiments described herein facilitate at least partial automation of the downloading and establishment of certificate chains, thereby minimizing the need for users to manually search for individual certificates. | 04-05-2012 |
20120084557 | TAMPERING MONITORING SYSTEM, CONTROL DEVICE, AND TAMPERING CONTROL METHOD - Provided is a tampering monitoring system that can identify a monitoring module that has been tampered with among a plurality of monitoring modules. A management apparatus is provided with an acquisition unit that acquires a new monitoring module that has not been tampered with, a generation unit that generates a decoy monitoring module by modifying the acquired monitoring module, a transmission unit that transmits the decoy monitoring module to the information security device and causes the information security device to install the decoy monitoring module therein, a reception unit that receives from the information security device, after the decoy monitoring module has been installed, monitoring results generated by the monitoring modules monitoring other monitoring modules, and a determination unit that identifies, by referring to the received monitoring results, a monitoring module that determines the decoy monitoring module to be valid and determines the identified monitoring module to be invalid. | 04-05-2012 |
20120089832 | METHODS OF ISSUING A CREDIT FOR A CERTIFICATE FOR A DOMAIN NAME - The invention provides methods for efficiently registering a domain name and issuing a certificate without a Subscriber submitting a separate request for the certificate. A notice may be provided to the Subscriber after requesting to register the domain name that a credit for a certificate may be issued for the domain name. In other embodiments a credit may be given to the Subscriber for the certificate without receiving a separate request for the credit or certificate. The credit may be saved in a Subscriber's account to enable the Subscriber to use a certificate at a later time. In yet other embodiments, a single vetting process may be used to facilitate one or more of: creating a Subscriber's account; registering a domain name; and issuing a certificate. | 04-12-2012 |
20120102317 | SECURE CONTENT DISTRIBUTION - In an example, a method of securing content is described. The method may include instantiating a content server on a client device. The method may also include operating the content server to retrieve content identified by a Uniform Resource Identifier (URI). The method may also include serving the content from the content server to a content renderer on the client device. The content renderer may be configured to render the content at the client device and to prohibit saving the content in the clear on the client device. | 04-26-2012 |
20120102318 | Method for the Application of Implicit Signature Schemes - A method of certifying a correspondent in data communication system by a certifying authority. The certifying authority includes a cryptographic unit. The method includes generating a random number and implicit certificate components based on the random number using the cryptographic unit. The implicit certificate components have a first component and a second component. The method also includes providing the implicit certificate components for use in the data communication system and providing a public key of the certifying authority for use in derivation of a public key of the correspondent from the first component. The certifying authority recertifies the correspondent by providing implicit certificate components using a changed value for the random number. | 04-26-2012 |
20120102319 | System and Method for Reliably Authenticating an Appliance - A system and an apparatus ( | 04-26-2012 |
20120117381 | System and Method for Component Authentication of a Secure Client Hosted Virtualization in an Information Handling System - A client hosted virtualization system (CHVS) includes a processor to execute code, a security processor, a component that includes a certificate, and a non-volatile memory. The non-volatile memory includes BIOS code for the CHVS and virtualization manager code to initialize the CHVS, launch a virtual machine on the CHVS, and authenticate the component with the security processor by determining that the certificate is valid. The CHVS is configurable to execute the first code and not the second code, or to execute the second code and not the first code. | 05-10-2012 |
20120124369 | SECURE PUBLISHING OF PUBLIC-KEY CERTIFICATES - The current application is directed to methods and systems for secure distribution of public-key certificates using the domain name system with security extensions (“DNSSEC”), a publisher component, and additional client-side functionality. These methods and systems, when combined with public/private-key-based cryptography used for encrypting digitally encoded information, provides a computationally efficient and well-understood method and system for secure communications and digitally-encoded-information verification without current difficulties and inefficiencies attendant with distributing and managing the public keys used for encrypting digitally encoded information. | 05-17-2012 |
20120131333 | SERVICE KEY DELIVERY IN A CONDITIONAL ACCESS SYSTEM - A method is provided by which a client device obtains authorized access to content delivered over a content delivery network. The method includes receiving an entitlement management message (EMM). The EMM includes at least one cryptographic key and a device registration server certificate ID (DRSCID) identifying a currently valid device registration server (DRS) public key certificate. The DRSCID obtained from the EMM is compared to a stored DRSCID value. An entitlement control message (ECM), which includes an encrypted traffic key for decrypting content, is received. If the DRSCID obtained from the EMM is determined to match the stored DRSCID, the traffic key is decrypted with the cryptographic key or a key derived from the cryptographic key to thereby access the content. | 05-24-2012 |
20120131334 | Method for Attesting a Plurality of Data Processing Systems - A technique for attesting a plurality of data processing systems. The method includes: configuring a chain of data processing systems wherein a first data processing system is responsible for retrieving attestation data associated with a second data processing system; sending a request for attestation of the first data processing system; in response to receiving the request, retrieving a list of associated one or more children, wherein the one or more children comprise the second data processing system; retrieving and storing attestation data associated with each child; retrieving and storing attestation data associated with the first data processing system; and sending to the requester a concatenated response containing the attestation data associated with the first and second data processing systems, such that the attestation data associated with the first and second data processing systems can be used to attest the first and second data processing systems, respectively. | 05-24-2012 |
20120137126 | SMART METER AND METER READING SYSTEM - The present invention provides a smart meter for use in automatic meter reading of power, gas, and the like, preventing falsification of a program and data and assuring security in a communication path. A smart meter has: a data processor receiving a measurement signal according to a use amount, computing meter read data, and performing communication control by a communication unit coupled to a network; and a secure processor having tamper resistance for internally held information and performing secure authenticating process for a remote access. The data processor encrypts computed meter read data with a public key unique to the smart meter and supplies the encrypted data to the secure processor. The secure processor decrypts the encrypted meter read data with the secret key unique to the smart meter and stores the decrypted or encrypted meter read data into a nonvolatile storage region. | 05-31-2012 |
20120137127 | DEVICE CERTIFICATE INDIVIDUALIZATION - A method of generating a device certificate. A method of generating a device certificate comprising, constructing a device certificate challenge at a device, sending information to a device certificate individualization server in response to the device certificate challenge, validating the device certificate challenge by the device certificate individualization server, and validating the device certificate response by the device. | 05-31-2012 |
20120137128 | System and Method for Securing a Credential via User and Server Verification - Systems and methods for securing a credential generated by or stored in an authentication token during an attempt to access a service, application, or resource are provided. A secure processor receives a credential from an authentication token and securely stores the credential. The secure processor then verifies the identity of the individual attempting to use the authentication token and cryptographically verifies the identity of the server being accessed. The credential is only released for transmission to the server if both the identity of the individual and the identity of the server are successfully verified. Alternatively, a secure connection is established between the secure processor and the server being accessed and a secure connection is established between the secure processor and a computing device. The establishment of the secure connections verifies the identity of the server. After the secure connections are established, the identity of the user is verified. | 05-31-2012 |
20120137129 | METHOD FOR ISSUING A DIGITAL CERTIFICATE BY A CERTIFICATION AUTHORITY, ARRANGEMENT FOR PERFORMING THE METHOD, AND COMPUTER SYSTEM OF A CERTIFICATION AUTHORITY - In a method for issuing a digital certificate by a certification authority (B), a device (A) sends a request message to the certification authority (B) for issuing the certificate, the certification authority (B) receives the request message and sends a request for authenticating the device (A) to the device (A), the device (A) sends a response to the certification authority (B) in response to the received request, and the certification authority (B) checks the received response and generates the certificate and sends the certificate to the device (A), if the response was identified as correct. | 05-31-2012 |
20120144190 | DEVICES AND METHODS FOR ESTABLISHING AND VALIDATING A DIGITAL CERTIFICATE - A digital certificate is configured to confirm the association of a public key assigned to a device as the owner of the public key to the device. The digital certificate further has an additional digital certificate, the additional digital certificate being a certificate of an additional device configured to digitally sign the digital certificate of the device. The certification process can be improved, wherein particularly the verification of digital certificates is improved. The various embodiments are particularly useful for applications where a secure communication of information or data is desired and/or should be made possible. | 06-07-2012 |
20120151207 | Method and System for Guiding Smart Antenna - A method and system for guiding smart antenna is provided. The method includes: a terminal accessing a WLAN Authentication and Privacy Infrastructure (WAPI) access point, acquiring a position information from the WAPI access point; the terminal directly sending the position information to a base station, and the base station obtaining a terminal position information according to the position information; or after the terminal obtains a terminal position information according to the position information, sending the terminal position information to the base station; the base station guiding the smart antenna by using the terminal position information. The method and system adopts a WAPI function to position the terminal, the implementation is simple and the startup time is very short. | 06-14-2012 |
20120159156 | TAMPER PROOF LOCATION SERVICES - A secure location system is described herein that leverages location-based services and hardware to make access decisions. Many mobile computers have location devices, such as GPS. They also have a trusted platform module (TPM) or other security device. Currently GPS location data is made directly accessible to untrusted application code using a simple protocol. The secure location system provides a secure mechanism whereby the GPS location of a computer at a specific time can be certified by the operating system kernel and TPM. The secure location system logs user activity with a label indicating the geographic location of the computing device at the time of the activity. The secure location system can provide a difficult to forge, time-stamped location through a combination of kernel-mode GPS access and TPM security hardware. Thus, the secure location system incorporates secure location information into authorization and other operating system decisions. | 06-21-2012 |
20120159157 | REMOTE CONFIGURATION OF COMPUTING PLATFORMS - An embodiment of the invention relates to a computing platform ( | 06-21-2012 |
20120159158 | VALIDATION SERVER, VALIDATION METHOD, AND PROGRAM - A validation server using HSM, which reduces required process time from receiving a validation request to responding with a validation result, and comprises a first software cryptographic module | 06-21-2012 |
20120173873 | SMART GRID DEVICE AUTHENTICITY VERIFICATION - Methods and articles of manufacture are provided. Some embodiments are directed to smart grid device authenticity verification. In an exemplary embodiment a method is provided that generates a firmware package image for a device. The method goes on to manufacture a microcontroller using the image. A ship file is then generated with unique data associated to the device. A board is then manufactured and a board ship file generated. The device is then authenticated on a network using the two ship files and the firmware image. This Abstract is provided for the sole purpose of complying with the Abstract requirement rules. This Abstract is submitted with the explicit understanding that it will not be used to interpret or to limit the scope or the meaning of the claims. | 07-05-2012 |
20120179907 | METHODS AND SYSTEMS FOR PROVIDING A SIGNED DIGITAL CERTIFICATE IN REAL TIME - A method and system for signing a digital certificate in real time for accessing a service application hosted within a service provider (SP) computer system through an open application programming interface (API) platform is provided. The API platform is in communication with a memory device. The method includes receiving registration data from a developer computer device wherein the developer computer device is associated with a developer and configured to store a developer application, receiving a certificate signing request (CSR) from the developer computer device wherein the CSR includes a public key associated with the developer, verifying the registration data as being associated with the developer, signing the CSR to produce a signed certificate after verifying the registration data wherein the verifying and signing steps are performed by the SP computer system in real time, and transmitting the signed certificate and a client ID to the developer computer device. | 07-12-2012 |
20120198229 | INFORMATION PROCESSING APPARATUS, INFORMATION RECORDING MEDIUM MANUFACTURING APPARATUS, INFORMATION RECORDING MEDIUM, INFORMATION PROCESSING METHOD, INFORMATION RECORDING MEDIUM MANUFACTURING METHOD, AND COMPUTER PROGRAM - An information processing apparatus includes: a data processing unit that acquires content codes including a data processing program recorded in an information recording medium and executes data processing according to the content codes; and a memory that stores an apparatus certificate including an apparatus identifier of the information processing apparatus. The data processing unit is configured to execute an apparatus checking process applying the apparatus certificate stored in the memory on the basis of a code for apparatus checking process included in the content codes, acquire the apparatus identifier recorded in the apparatus certificate after the apparatus checking process, and execute data processing applying content codes corresponding to the acquired apparatus identifier. | 08-02-2012 |
20120210123 | ONE-TIME PASSWORD CERTIFICATE RENEWAL - Embodiments are directed to providing a certificate extension to an authentication certificate, to validating an authentication certificate request and to implementing authentication certificates that include certificate extensions. In an embodiment, a computer system accesses an authentication certificate request that is to be sent to a validation server for validation and to a certificate authority for issuance of an authentication certificate. The computer system appends an extension to the authentication certificate request. The extension includes origination information about the authentication certificate. The computer system then sends the authentication certificate request with the appended extension to the validation server for validation. | 08-16-2012 |
20120221850 | System and Method for Reducing Computations in an Implicit Certificate Scheme - There are disclosed systems and methods for reducing the number of computations performed by a computing device constructing a public key from an implicit certificate associated with a certificate authority in an implicit certificate scheme. In one embodiment, the device first operates on the implicit certificate to derive an integer e. The device then derives a pair of integers (e | 08-30-2012 |
20120221851 | SOURCE CENTRIC SANCTION SERVER AND METHODS FOR USE THEREWITH - A sanction server includes a network interface that receives proxy data from a content source that includes cryptographic parameters that are based on a scrambling control word used to scramble the media content, receives a request for the media content from a client device, transmits the proxy data to the client device and transmits notification data to a caching server. The content source generates cryptographic data and sends the cryptographic data and the scrambled media content to the caching server. The caching server forwards the cryptographic data and the scrambled media content to the client device. The client device generates the scrambling control word for descrambling the scrambled media content based on the proxy data and the cryptographic data. | 08-30-2012 |
20120221852 | SANCTIONED CACHING SERVER AND METHODS FOR USE THEREWITH - A caching server includes a network interface receives first sanction data from the sanction server and transmits first cryptographic data to a client device, receives second cryptographic data from the device and that transmits scrambled media content to the client device. A random number generator generates a random number. A caching processing module, in response to the first sanction data, generates the first cryptographic data based on the random number and the first sanction data, generates a scrambling control word based on the first sanction data and the second cryptographic data and that generates the scrambled media content based on the scrambling control word. | 08-30-2012 |
20120233457 | ISSUING IMPLICIT CERTIFICATES - Methods, systems, and computer programs for issuing an implicit certificate are disclosed. In some implementations, a certificate authority of an elliptic curve cryptography (ECC) system performs one or more operations for issuing the implicit certificate. A certificate request associated with a requester is received, and the certificate request includes a first element R | 09-13-2012 |
20120239927 | SYSTEM AND METHOD FOR SEARCHING AND RETRIEVING CERTIFICATES - A system and method for searching and retrieving certificates, which may be used in the processing of encoded messages. In one broad aspect, a method is provided in which a certificate search request is received, a search of one or more certificate servers for certificates satisfying the request is performed, located certificates are retrieved and processed at a first computing device to determine data that uniquely identifies each located certificate, and search result data comprising the determined data is communicated to a second device (e.g. a mobile device) for use in determining whether each located certificate is already stored on the second device. | 09-20-2012 |
20120246465 | INCORPORATING DATA INTO CRYPTOGRAPHIC COMPONENTS OF AN ECQV CERTIFICATE - During generation of an implicit certificate for a requestor, a certificate authority incorporates information in the public-key reconstruction data, where the public-key reconstruction data is to be used to compute the public key of the requestor. The information may be related to one or more of the requestor, the certificate authority, and the implicit certificate. The certificate authority reversibly encodes the public-key reconstruction data in the implicit certificate and sends it to the requestor. After receiving the implicit certificate from the certificate authority, the requestor can extract the incorporated information from the public-key reconstruction data. The implicit certificate can be made available to a recipient, and the recipient can also extract the incorporated information. | 09-27-2012 |
20120246466 | Flexible System And Method To Manage Digital Certificates In A Wireless Network - An infrastructure is provided for managing the distribution of digital certificates for network security in wireless backhaul networks. In embodiments, a root certificate management system (root CMS) processes requests for digital certificates, issues root certificates, automatically authenticates surrogate certificate management systems (sur-CMSs), and automatically processes certificate requests and issues certificate bundles to sur-CMSs that are successfully authenticated. The infrastructure includes sur-CMSs to which are assigned base stations within respective regions. Each sur-CMS automatically authenticates its own base stations and automatically processes certificate requests and issues certificate bundles to base stations that are successfully authenticated. A certificate bundle issued to a base station includes a digital certificate, signed by the issuing sur-CMS, of a public key of such base station, and at least one further digital certificate, including a self-signed certificate of the root CMS. | 09-27-2012 |
20120246467 | Verifying Cryptographic Identity During Media Session Initialization - An authentication agent may cryptographically identify a remote endpoint that sent a media initialization message even though intermediate devices may modify certain fields in the message after a signature is inserted. The originating endpoint's agent may create the signature over some fields of the message using an enterprise network's private key. The agent may insert the signature into the message and send the message to a recipient endpoint's authentication agent. The recipient agent may verify the signature, receive a certificate including a second public key, and challenge the identity of the originating endpoint in order to confirm that identity. This challenge may request a confirmation that the originating endpoint knows the private key corresponding to the second public key and may occur while running encrypted media at the endpoints. After the originating endpoint is authenticated, the endpoints may exchange encrypted and/or unencrypted media. | 09-27-2012 |
20120246468 | System, Method, and Apparatus for Performing Reliable Network, Capability, and Service Discovery - A system, method, and apparatus are provided for performing reliable network, capability, and service discovery. A method may include providing for transmission of a request for signed access point information. The request may be provided for transmission prior to authenticating with an access point when authentication is performed or prior to associating with an access point when authentication is not performed. The method may further include receiving a response including signed access point information. The method may additionally include verifying the signed access point information using a digital certificate. The method may also include selecting the access point for communication based in least in part on the verified signed access point information. A corresponding system and apparatus is also provided. | 09-27-2012 |
20120265984 | NETWORK WITH PROTOCOL, PRIVACY PRESERVING SOURCE ATTRIBUTION AND ADMISSION CONTROL AND METHOD - A device implemented, carrier independent packet delivery universal addressing networking protocol for communication over a network between network nodes utilizing a packet. The protocol has an IP stack having layers. At least some of the layers have privacy preserving source node attribution and network admission control. The packet is admitted to the network only if a source node of the network nodes admits the packet. | 10-18-2012 |
20120272056 | KEY MANAGEMENT USING QUASI OUT OF BAND AUTHENTICATION ARCHITECTURE - To provide key management layered on a quasi-out-of-band authentication system, a security server receives a request for activation of a user interface window for a particular user from a network device via a communication channel. It then transmits an activation PIN to an out of band authentication system for forwarding to the user's telephone via a voice or text message. It next receives the previously transmitted PIN from the network device via the communication channel, and authenticates the user based on the received PIN. After authenticating the user, it establishes a secure, independent, encrypted communication channel between the user interface window and the security server on top of the original communication channel. It then generates and transmits to the user interface window and/or receives from the user interface window via the secure communication channel, key material and certificate material for public key and/or symmetric key cryptography based operations. | 10-25-2012 |
20120272057 | Method and Apparatus for Secured Embedded Device Communication - In a computing device that includes a host operating system and a management engine separate from the host operating system, if the primary operating system is not operating, a management engine may obtain from a credential server via a first network connection logon information for a secured network and the management engine connects to the secure network through a secured connection using the logon information. If the operating system is operating the operating system provides the logon information to the management engine. Certificate verification may be performed by a remote server on behalf of the management engine. Other embodiments are disclosed and claimed. | 10-25-2012 |
20120272058 | TRANSPARENT PROXY OF ENCRYPTED SESSIONS - In one embodiment, a proxy device located between a first device and a second device intercepts a security session request for a security session between the first device and the second device. The proxy device obtains security information from the first device that includes at least a subject name of the first device. The proxy device creates a dynamic certificate using the subject name of the first device and a trusted proxy certificate of the proxy device. The proxy device establishes a security session between the proxy device and the second device using the dynamic certificate. Further, the proxy device establishes a security session between the first device and the proxy device using the trusted proxy certificate of the proxy device. The two security sessions collectively operate as a security session between the first device and the second device. | 10-25-2012 |
20120278613 | ELECTRONIC APPARATUS AND INTRODUCING METHOD THEREBY - An electronic apparatus capable of introducing an apparatus certificate of the electronic apparatus and an intermediate certificate of an intermediate certificate authority which signs the apparatus certificate is disclosed. The electronic apparatus includes a communication unit; a separation unit configured to separate the intermediate certificate and the apparatus certificate acquired by the communication unit from the intermediate certificate authority; an apparatus certificate verifying unit configured to verify a validity of the apparatus certificate separated by the separating unit; an intermediate certificate verifying unit configured to verify a validity of the intermediate certificate separated by the separating unit; and an introducing unit configured to introduce the apparatus certificate and the intermediate certificate only when both the apparatus certificate and the intermediate certificate are verified. | 11-01-2012 |
20120284508 | VALIDATING A BATCH OF IMPLICIT CERTIFICATES - Methods, systems, and computer programs for validating a batch of implicit certificates are described. Data for a batch of implicit certificates are received and validated. In some aspect, the data include key-pair-validation values that can be used to validate the public and private keys for each implicit certificate. For example, the key-pair-validation values can include a private key, a public key reconstruction value, a public key of the certificate authority, and a hash of the implicit certificate. The key-pair-validation values are either valid or invalid according to a key-pair-validation function. In some cases, modification values are obtained independent of the key-pair-validation values, and the modification values are combined with the key-pair-validation values in a batch-validation function. The batch-validation function is evaluated for the batch of implicit certificates. Evaluating the batch-validation function identifies whether the key-pair-validation data include key-pair-validation values that are invalid according to the key-pair-validation function. | 11-08-2012 |
20120284509 | COMMUNICATION SYSTEM AND METHOD FOR SECURELY COMMUNICATING A MESSAGE BETWEEN CORRESPONDENTS THROUGH AN INTERMEDIARY TERMINAL - A wireless communication system includes a pager or similar device that communicates to a home terminal. The home terminal confirms the identity of the pager and attaches a certificate to the message for ongoing transmission. Where the recipient is also a pager, an associated home terminal verifies the transmission and forwards it in a trusted manner without the certificate to the recipient. | 11-08-2012 |
20120290833 | Certificate Blobs for Single Sign On - A system, method and a computer-readable medium for generating an authentication password for authenticating a client to a server. A digital certificate that includes private key, and a public key is provided. A hash of a content of a digital certificate is generated. The hash is also encrypted with a private key. The encrypted hash and the content of the digital certificate are encoded into a certificate blob, which is utilized as an authorization password. | 11-15-2012 |
20120290834 | KEY DISTRIBUTION DEVICE, TERMINAL DEVICE, AND CONTENT DISTRIBUTION SYSTEM - A terminal device used in a content distribution system including a key distribution device, the terminal device, and a recording medium device, the key distribution device distributing a title key for protecting a content to the recording medium device, the terminal device for controlling writing of the title key on the recording medium device, and the recording medium device recording the content, wherein the key distribution device and the recording medium device comprise a communication unit configured to transfer the title key safely between the key distribution device and the recording medium device without direct involvement by the terminal device, and the terminal device confirms a supported function of the key distribution device and determines whether to permit operations pertaining to the key distribution device in accordance with the supported function. | 11-15-2012 |
20120290835 | SYSTEM AND METHOD FOR VALIDATING CERTIFICATE ISSUANCE NOTIFICATION MESSAGES - To validate a received certificate issuance notification message, a device may verify that the certificate issuance notification message conforms to expected norms or authenticate a signature associate with the certificate issuance notification message. Upon validating, the device may then transmit a uniform resource locator, extracted from the certificate issuance notification message, to a network entity configured for processing certificate issuance. | 11-15-2012 |
20120290836 | ACCELERATED SIGNATURE VERIFICATION ON AN ELLIPTIC CURVE - A public key encryption system exchanges information between a pair of correspondents. The recipient performs computations on the received data to recover the transmitted data or verify the identity of the sender. The data transferred includes supplementary information that relates to intermediate steps in the computations performed by the recipient. | 11-15-2012 |
20120297187 | Trusted Mobile Device Based Security - A method for performing user security operations using a mobile communications device includes, storing at least one security credential for a user in the mobile communications device, receiving a request from a client computer to perform an action requiring the stored at least one security credential, wherein the request includes information regarding a service application for which the action is requested, determining a response to the request based upon at least one user configured personal security preference at the mobile communications device, and transmitting the determined response to the client computer. Corresponding system and computer program products are also described. | 11-22-2012 |
20120303950 | Implicit Certificate Scheme - A method of generating a public key in a secure digital communication system, having at least one trusted entity CA and subscriber entities A. The trusted entity selects a unique identity distinguishing each entity A. The trusted entity then generates a public key reconstruction public data of the entity A by mathematically combining public values obtained from respective private values of the trusted entity and the entity A. The unique identity and public key reconstruction public data of the entity A serve as A's implicit certificate. The trusted entity combines the implicit certificate information with a mathematical function to derive an entity information ƒ and generates a value k | 11-29-2012 |
20120311322 | Secure Access to Data in a Device - The invention concerns secure access to data in an electronic device ( | 12-06-2012 |
20120317412 | IMPLICITLY CERTIFIED DIGITAL SIGNATURES - Methods, systems, and computer programs for using an implicit certificate are disclosed. In some aspects, a message and an implicit certificate are accessed. The implicit certificate is associated with an entity. A modified message is generated by combining the message with a value based on the implicit certificate. A digital signature can be generated based on the modified message and transmitted to a recipient. In some aspects, a digital signature from an entity and a message to be verified based on the digital signature are accessed. An implicit certificate associated with the entity is accessed. A modified message is generated by combining the message with a value based on the implicit certificate. The message is verified based on the digital signature and the modified message. | 12-13-2012 |
20120331286 | APPARATUS AND METHOD FOR PROVIDING SERVICE TO HETEROGENEOUS SERVICE TERMINALS - An apparatus and method for providing a service to heterogeneous service terminals without modifying a security framework are provided, in which a gateway that controls a first service terminal transmits a right delegation request to a server in order to provide the service to a second service terminal as well, and upon receipt of a service right verification request from the second service terminal after receiving a right delegation certificate from the server, the gateway transmits a service right verification response including the right delegation certificate to the second service terminal. | 12-27-2012 |
20120331287 | Provisioning a Shared Secret to a Portable Electronic Device and to a Service Entity - Systems and methods are provided for computing a secret shared with a portable electronic device and service entity. The service entity has a public key G and a private key g. A message comprising the public key G is broadcast to the portable electronic device. A public key B of the portable electronic device is obtained from a manufacturing server and used together with the private key g to compute the shared secret. The portable electronic device receives the broadcast message and computes the shared secret as a function of the public key G and the portable electronic device's private key b. The shared secret can be used to establish a trusted relationship between the portable electronic device and the service entity, to activate a service on the portable electronic device, and to generate certificates. | 12-27-2012 |
20120331288 | CUSTOMIZABLE PUBLIC KEY INFRASTRUCTURE AND DEVELOPMENT TOOL FOR SAME - A public key infrastructure comprises a client side to request and utilize certificates in communication across a network and a server side to administer issuance and maintenance of said certificates. The server side has a portal to receive requests for a certificate from a client. A first policy engine to processes such requests in accordance with a set of predefined protocols. A certification authority is also provided to generate certificates upon receipt of a request from the portal. The CA has a second policy engine to implement a set of predefined policies in the generation of a certificate. Each of the policy engines includes at least one policy configured as a software component e.g. a Java bean, to perform the discreet functions associated with the policy and generate notification in response to a change in state upon completion of the policy. | 12-27-2012 |
20120331289 | METHOD AND SYSTEM FOR ENCRYPTION OF MESSAGES IN LAND MOBILE RADIO SYSTEMS - A method and system for authentication of sites in a land mobile radio (LMR) system and encryption of messages exchanged by the sites. In some embodiments, the method includes transmitting a certificate created by a trusted authority by applying a function to a first site public key using the trusted authority's private key to generate a reduced representation, which is encrypted with the trusted authority's private key. Other sites may receive the certificate, decrypt it using the trusted authority's public key, and authenticate the first site. The method may further include generating a session key, encrypting it with the public key of the first site, and transmitting the encrypted session key to the first site. The first site decrypts the encrypted session key with the first site's private key, and transmits a message encrypted with the shared session key to other sites for decryption using the session key. | 12-27-2012 |
20130007442 | FACILITATING GROUP ACCESS CONTROL TO DATA OBJECTS IN PEER-TO-PEER OVERLAY NETWORKS - Methods and apparatuses are provided for facilitating group access controls in peer-to-peer or other similar overlay networks. A group administrator may create a group in the overlay network and may assign peer-specific certificates to each member of the group for indicating membership in the group. A group member peer node can access data objects in the overlay network using its respective peer-specific certificate to authenticate itself as a group member. The authentication is performed by another peer node in the network. The validating peer node can authenticate that the group member is the rightful possessor of the peer-specific certificate using a public key associated with the peer node to which the peer-specific certificate was issued. The validating peer node can also validate that the peer-specific certificate was properly issued to the group member using a public key of the apparatus that issued the peer-specific certificate. | 01-03-2013 |
20130007443 | SYSTEMS AND METHODS FOR IDENTIFYING CONSUMER ELECTRONIC PRODUCTS BASED ON A PRODUCT IDENTIFIER - Systems and methods for identifying consumer electronic products using a playback device with a product identifier in accordance with embodiments of the invention are disclosed. One embodiment includes a processor, and memory configured to store a product identifier, where the product identifier is associated with a specific product and is associated with cryptographic information, and user account data, where the user account data is associated with a user account. In addition, the processor is configured by an application to receive a request for registration from a playback device, receive a product identifier from the playback device, retrieve cryptographic information using the playback device, and send user account data to the playback device encrypted using at least the cryptographic information associated with the product identifier. | 01-03-2013 |
20130007444 | METHOD AND SYSTEM FOR THE SUPPLY OF DATA, TRANSACTIONS AND ELECTRONIC VOTING - A system for supply of data, including generating a first digital certificate referred (empowerment certificate) signed with a first signing entity's electronic signature. The empowerment certificate includes attributes of the described entity, information identifying the first signing entity, indication of data relating to the described entity, indication of a source of the data, and identification of a relying entity to which the data can be supplied. The relying entity forwards the empowerment certificate to a source supplying the data indicated in the empowerment certificate. The data may be supplied to the relying entity by a second digital certificate (custom certificate), signed with a second signing entity's electronic signature. Custom certificates may appear in custom certificate revocation lists. A system and method for transfer of ownership of electronic property from a first entity to a second entity, and a method and system for electronic voting are also provided. | 01-03-2013 |
20130007445 | SYSTEM AND METHOD FOR RETRIEVING CERTIFICATES ASSOCIATED WITH SENDERS OF DIGITALLY SIGNED MESSAGES - A system and method for retrieving certificates and/or verifying the revocation status of certificates. In one embodiment, when a user opens a digitally signed message, a certificate that is required to verify the digital signature on the message may be automatically retrieved if it is not stored on the user's computing device (e.g. a mobile device), eliminating the need for users to initiate the task manually. Verification of the digital signature may also be automatically performed by the application after the certificate is retrieved. Verification of the revocation status of a certificate may also be automatically performed if it is determined that the time that has elapsed since the status was last updated exceeds a pre-specified limit. | 01-03-2013 |
20130007446 | SYSTEM AND METHOD FOR PROCESSING CERTIFICATES LOCATED IN A CERTIFICATE SEARCH - A system and method for processing certificates located in a certificate search. Certificates located in a certificate search are processed at a data server (e.g. a mobile data server) coupled to a computing device (e.g. a mobile device) to determine status data that can be used to indicate the status of those certificates to a user of the computing device, without having to download those certificates to the computing device in their entirety. The data server is further adapted to transmit the status data to the computing device. In one embodiment, at least one status property of the certificates is verified at the data server in determining the status data. In another embodiment, additional certificate data is determined and transmitted to the computing device, which can be used by the computing device to verify, at the computing device, at least one other status property of the certificates. | 01-03-2013 |
20130007447 | PROVIDING CERTIFICATE MATCHING IN A SYSTEM AND METHOD FOR SEARCHING AND RETRIEVING CERTIFICATES - A system and method for searching and retrieving certificates, which may be used in the processing of encoded messages. In one broad aspect, certificate identification data that uniquely identifies a certificate associated with a message is generated. The certificate identification data can then be used to determine whether the certificate is stored on a computing device. Only the certificate identification data is needed to facilitate the determination alleviating the need for a user to download the entire message to the computing device in order to make the determination. | 01-03-2013 |
20130013917 | SYSTEM AND METHOD FOR ENABLING BULK RETRIEVAL OF CERTIFICATES - A system and method for searching and retrieving certificates, which may be used in the processing of encoded messages. In one embodiment, a certificate synchronization application is programmed to perform certificate searches by querying one or more certificate servers for all of the certificates on those certificate servers. If all of the certificates on a certificate server cannot be successfully retrieved using a single search query, due to a search quota on the certificate server being exceeded for example, the search is re-performed through multiple queries, each corresponding to a narrower subsearch. Embodiments described herein enable large amounts of certificates to be automatically searched for and retrieved from certificate servers, thereby minimizing the need for users to manually search for individual certificates. | 01-10-2013 |
20130013918 | SYSTEM AND METHOD FOR RETRIEVING CERTIFICATES ASSOCIATED WITH SENDERS OF DIGITALLY SIGNED MESSAGES - A system and method for retrieving certificates and/or verifying the revocation status of certificates. In one embodiment, when a user opens a digitally signed message, a certificate that is required to verify the digital signature on the message may be automatically retrieved if it is not stored on the user's computing device (e.g. a mobile device), eliminating the need for users to initiate the task manually. Verification of the digital signature may also be automatically performed by the application after the certificate is retrieved. Verification of the revocation status of a certificate may also be automatically performed if it is determined that the time that has elapsed since the status was last updated exceeds a pre-specified limit. | 01-10-2013 |
20130013919 | UPDATING CERTIFICATE STATUS IN A SYSTEM AND METHOD FOR PROCESSING CERTIFICATES LOCATED IN A CERTIFICATE SEARCH - A system and method for processing certificates located in a certificate search. Certificates located in a certificate search are processed at a data server (e.g. a mobile data server) coupled to a computing device (e.g. a mobile device) to determine status data that can be used to indicate the status of those certificates to a user of the computing device. Selected certificates may be downloaded to the computing device for storage, and the downloaded certificates are tracked by the data server. This facilitates the automatic updating of the status of one or more certificates stored on the computing device by the data server, in which updated status data is pushed from the data server to the computing device. | 01-10-2013 |
20130031360 | PROCESS CONTROL SYSTEM - A process control system is disclosed which can include a plurality of spatially distributed, internetworked network subscribers with secure communication between the network subscribers via a communication network. Communication integrity can be based on an interchange of certificates. In order to protect the communication integrity, the process control system can include a central certification point which is an integral part of the process control system and allocates and distributes certificates. | 01-31-2013 |
20130031361 | URL-BASED CERTIFICATE IN A PKI - A method of requesting and issuing a certificate from certification authority for use by an initiating correspondent with a registration authority is provided. The initiating correspondent makes a request for a certificate to the registration authority, and the registration authority sends the request to a certificate authority, which issues the certificate to the registration authority. The certificate is stored at a location in a directory and this location is associated with a pointer such as uniform resource locator (URL) that is derived from information contained in the certificate request. The initiating correspondent computes the location using the same information and forwards it to other corespondents. The other correspondents can then locate the certificate to authenticate the public key of the initiating correspondent. | 01-31-2013 |
20130031362 | METHOD OF HANDLING A CERTIFICATION REQUEST - In a certification request, a user device includes an object identifier. When a certification authority generates an identity certificate responsive to receiving the certification request, the certification authority includes the object identifier, thereby allowing improved management of the identity certificate at the user device and elsewhere. | 01-31-2013 |
20130036302 | SECURE INSTANT MESSAGING SYSTEM - A secure instant messaging (IM) system integrates secure instant messaging into existing instant messaging systems. A certificate authority (CA) issues security certificates to users binding the user's IM screen name to a public key, used by sending users to encrypt messages and files for the user. The CA uses a subscriber database to keep track of valid users and associated information, e.g. user screen names, user subscription expiration dates, and enrollment agent information. A user sends his certificate to an instant messaging server which publishes the user's certificate to other users. Users encrypt instant messages and files using an encryption algorithm and the recipient's certificate. A sending user can sign instant messages using his private signing key. The security status of received messages is displayed to recipients. | 02-07-2013 |
20130042101 | SYSTEM AND METHOD FOR USING DIGITAL SIGNATURES TO ASSIGN PERMISSIONS - According to one embodiment of the invention, a method for setting permission levels is described. First, an application and digital signature is received by logic performing the permission assessment. Then, a determination is made as to what permission level for accessing resources is available to the application based on the particulars of the digital signature. Herein, the digital signature being signed with a private key corresponding to a first public key identifies that the application is assigned a first level of permissions, while the digital signature being signed with a private key corresponding to a second public key identifies the application is assigned a second level of permissions having greater access to the resources of an electronic device than provided by the first level of permissions. | 02-14-2013 |
20130042102 | INFORMATION PROCESSING DEVICE AND INFORMATION PROCESSING METHOD, AND PROGRAM - An information processing system including a medium where a content to be played is stored; and a playing apparatus for playing contents stored in the medium; with the playing apparatus being configured to discriminate the content type of a content selected as an object to be played, to selectively obtain a device certificate correlated with the discriminated content type from a storage unit, and to transmit the selectively obtained device certificate to the medium; with the device certificate being a device certificate for content types in which content type information where the device certificate is available is recorded; and with the medium determining whether or not an encryption key with reading being requested from the playing apparatus is an encryption key for decrypting an encrypted content matching an available content type recorded in the device certificate, and permitting readout of the encryption key only in the case of matching. | 02-14-2013 |
20130042103 | Digital Data Content Authentication System, Data Authentication Device, User Terminal, Computer Program and Method - A file is created in which digital data and a certificate are integrated and content authentication for the digital data and the certificate are performed simultaneously. A data authentication device ( | 02-14-2013 |
20130042104 | Certificate-based cookie security - A cookie attribute for use during secure HTTP transport sessions. This attribute points to a server-supplied certificate and, in particular, a digital certificate. The cookie attribute includes a value, and that value is designed to correspond to one or more content fields in the digital certificate. During a first https session, a first web application executing on a first server provides a web browser with the cookie having the server certificate identifier attribute set to a value corresponding to a content field in a server certificate. Later, when the browser is accessing a second server during a second https session, the browser verifies that the value in the cookie matches a corresponding value in the server certificate received from the second server before sending the cookie to the second server. This approach ensures that the cookie is presented only over specified https connections and to trusted organizations. | 02-14-2013 |
20130046972 | Using A Single Certificate Request to Generate Credentials with Multiple ECQV Certificates - A method and apparatus are disclosed for using a single credential request (e.g., registered public key or ECQV certificate) to obtain a plurality of credentials in a secure digital communication system having a plurality of trusted certificate authority CA entities and one or more subscriber entities A. In this way, entity A can be provisioned onto multiple PKI networks by leveraging a single registered public key or implicit certificate as a credential request to one or more CA entities to obtain additional credentials, where each additional credential can be used to derive additional public key-private key pairs for the entity A. | 02-21-2013 |
20130046973 | FACILITATING ACCESS OF A DISPERSED STORAGE NETWORK - A method begins by a dispersed storage (DS) processing module generating a temporary public-private key pair, a restricted use certificate, and a temporary password for a device. The method continues with the DS processing encoding a temporary private key to produce a set of encoded private key shares and encoding the restricted use certificate to produce a set of encoded certificate shares. The method continues with the DS processing module outputting the set of encoded private key shares and the set of encoded certificate shares to a set of authentication units. The method continues with the DS processing module outputting the temporary password to the device such that, when the device retrieves the set of encoded private key shares and the set of encoded certificate shares, the device is able to recapture the temporary private key and the restricted use certificate for accessing a dispersed storage network (DSN). | 02-21-2013 |
20130054962 | POLICY CONFIGURATION FOR MOBILE DEVICE APPLICATIONS - Methods, articles of manufacture, and apparatus to perform policy configuration for mobile device applications are disclosed. A disclosed example method includes determining whether a digital certificate associated with a application executable on a mobile device has been signed by a first trusted certificate authority, the first trusted certificate authority being included in a list of trusted certificate authorities hard-coded in the mobile device, and when the digital certificate is determined to have been signed by the first trusted certificate authority, configuring the application for execution on the mobile device based on an access privilege indicating a physical interface of the mobile device the application is permitted to access, and execution configuration information associated with the application. | 02-28-2013 |
20130061041 | IMAGE FORMING APPARATUS, PRINTING METHOD, AND STORAGE MEDIUM - An image forming apparatus, for use in a printing system including a print client, a printer server, and an authentication server, enables a secure print setting according to received policy information specifying that printing is to be performed using a secure print protocol employing a certificate. | 03-07-2013 |
20130061042 | Apparatus and Method for Monitoring Certificate Acquisition - A system that incorporates teachings of the present disclosure may include, for example, a set-top-box having a controller to transmit a request to a remote management server for status information associated with a x.509 certificate intended for the STB, and receive the status information associated with the x.509 certificate from the remote management server, where events associated with the status information are received by the remote management server from at least one of the STB, a certificates proxy, an external certificate web service, and a certificate authority, and where the status information comprises at least a portion of the received events. Other embodiments are disclosed. | 03-07-2013 |
20130067218 | INCORPORATING DATA INTO CRYPTOGRAPHIC COMPONENTS OF AN ECQV CERTIFICATE - During generation of an implicit certificate for a requestor, a certificate authority incorporates information in the public-key reconstruction data, where the public-key reconstruction data is to be used to compute the public key of the requestor. The information may be related to one or more of the requestor, the certificate authority, and the implicit certificate. The certificate authority reversibly encodes the public-key reconstruction data in the implicit certificate and sends it to the requestor. After receiving the implicit certificate from the certificate authority, the requestor can extract the incorporated information from the public-key reconstruction data. The implicit certificate can be made available to a recipient, and the recipient can also extract the incorporated information. | 03-14-2013 |
20130067219 | CONFIGURING A VALID DURATION PERIOD FOR A DIGITAL CERTIFICATE - A valid duration period for a digital certificate is established by a process that includes assigning numeric values to certificate term. The numeric value assigned to each certificate term is representative of the valid duration period. The method continues by identifying one certificate term, which may include requesting a user to select a certificate term. The method may include transmitting the requested certificate term to a server. The certificate term requested is sent via a certificate request. The server is configured to convert the numeric value associated with the requested certificate term into a duration counter value. The method may also include a certificate server receiving from the server, the certificate request including the duration counter value. The method may conclude with transmitting the signed certificate request to a client device capable of generating the digital certificate with the requested certificate term | 03-14-2013 |
20130067220 | COMMUNICATION SYSTEM, VEHICLE-MOUNTED TERMINAL, ROADSIDE DEVICE - There is a need to reduce the certificate verification time in a communication system. | 03-14-2013 |
20130073844 | QUARANTINE METHOD AND SYSTEM - A quarantine method and system for allowing a client terminal to connect to a user network. An authentication apparatus recognizes that a communication means of the client terminal has been activated. The authentication apparatus confirms a common certificate for the client terminal. An Internet Protocol (IP) address is provided to the client terminal to enable the client terminal to log in to the quarantine network. A first authentication server security checks the client terminal to determine whether each check item of at least two check items has a violation. The client terminal is allowed to connect to the user network, via a second authentication server confirming a user certificate for the client terminal followed by the second authentication server storing the user certificate in the client terminal. The security measure server, the first authentication server, and the second authentication server are physically distinct hardware servers. | 03-21-2013 |
20130073845 | ANONYMOUS CREDENTIAL SYSTEM, USER DEVICE, VERIFICATION DEVICE, ANONYMOUS CREDENTIAL METHOD, AND ANONYMOUS CREDENTIAL PROGRAM - A signature unit, in which a user device generates/transmits digital signature data to an authentication device, includes: a first function, which receives as input a plurality of subsets in which a plurality of characteristics of the users are classified; a second function, which generates a first encrypted text acquired by encrypting a user device public key with an identification device public key; a third function, which generates a second encrypted text, acquired by encrypting characteristic values belonging to a specific subset among the subsets with a characteristic value disclosure device public key; and a fourth function, which employs portions of a group public key and a member certificate to generates a signature of knowledge that denotes that data, of multiplication of a portion of the user device public key and all of the numerical values of a characteristic value certificate corresponding to each of the characteristics, satisfies the specific conditions. | 03-21-2013 |
20130080770 | System and Apparatus for Facilitating Transactions Between Two or More Parties - The present invention provides a system and apparatus for facilitating a transaction between two or more parties. A server computer is used to determine whether a contact information and an identity validation information of a second party are accurate. Whenever the contact information and the identity validation information of the second party are accurate, one or more documents are modified by attaching and identity validation from a first party and the identity validation from the second party to the one or more documents. | 03-28-2013 |
20130086377 | PROCESSING A CERTIFICATE SIGNING REQUEST IN A DISPERSED STORAGE NETWORK - A method begins by a requesting device transmitting a certificate signing request to a managing unit, wherein the certificate signing request includes fixed certificate information and suggested certificate information. The method continues with the managing unit forwarding the certificate signing request to a certificate authority and receiving a signed certificate from the certificate authority, wherein the signed certificate includes a certificate and a certification signature and wherein the certificate includes the fixed certificate information and determined certificate information based on the suggested certificate information. The method continues with the managing unit interpreting the fixed certificate information of the signed certificate to identify the requesting device and forwarding the signed certificate to the identified requesting device. | 04-04-2013 |
20130086378 | PROXY SYSTEM FOR SECURITY PROCESSING WITHOUT ENTRUSTING CERTIFIED SECRET INFORMATION TO A PROXY - First communication units use a public key thereof certified by a certification authority on a PKI (Public Key Infrastructure), which is held by the first communication units in advance, and a secret key of the first communication units or delegation information generated by using secret information, as public key certificate, of the first communication units to thereby allow a proxy server to perform security processing, i.e. key exchange processing, authentication processing or processing for providing compatibility of encryption schemes, between the first communication units and a second communication unit on behalf of the first communication units. | 04-04-2013 |
20130091352 | Techniques to Classify Virtual Private Network Traffic Based on Identity - Techniques are provided for obtaining first and second digital certificates from a certificate authority database for establishing a secure exchange between network devices. The first digital certificate contains identity information of a first network device, and the second digital certificate contains classification information of the first network device. In one embodiment, a secure key exchange is initiated with the second network device, and the first and second digital certificates are transmitted as a part of the secure key exchange to the second network device. In another embodiment, the first and second digital certificates are received by an intermediate network device. The first digital certificate is encrypted and is not evaluated by the intermediate network device. The second digital certificate is evaluated for classification information of the first network device. Source information associated with the first network device is stored, and encrypted traffic is processed between the network devices. | 04-11-2013 |
20130091353 | APPARATUS AND METHOD FOR SECURE COMMUNICATION - A method and apparatus are for transferring a client device certificate and an associated encrypted client private key to a client device from a secure device. The secure device receives over a secure connection, a secure device certificate, a secure device private key and a plurality of client device certificates. Each client certificate is associated with a bootstrap public key but is not assigned to any particular client device. A plurality of encrypted client private keys is also received. Each of the encrypted client private keys comprises a client private key associated with one of the client device certificates encrypted with the bootstrap public key. The plurality of client device certificates is stored. The encrypted client private keys are stored in double encrypted protected form. A client device certificate and an associated encrypted client private key are transferred to a client device that has successfully registered with the secure device. | 04-11-2013 |
20130097420 | Verifying Implicit Certificates and Digital Signatures - Methods, systems, and computer programs for verifying a digital signature are disclosed. The verifier accesses an implicit certificate and a digital signature provided by the signer. The implicit certificate includes a first elliptic curve point representing a public key reconstruction value of the signer. The verifier accesses a second elliptic curve point representing a pre-computed multiple of the certificate authority's public key. The verifier uses the first elliptic curve point and the second elliptic curve point to verify the digital signature. The verifier may also use a third elliptic curve point representing a pre-computed multiple of a generator point. Verifying the digital signature may provide verification that the implicit certificate is valid. | 04-18-2013 |
20130111206 | Extended Data Signing | 05-02-2013 |
20130117558 | METHOD AND APPARATUS FOR AUTHENTICATING A DIGITAL CERTIFICATE STATUS AND AUTHORIZATION CREDENTIALS - A relying party obtains a certificate of a certificate subject and acquires a status information object for the certificate. The relying party validates the certificate using information in the status information object and compares authorization attributes present in the status information object with policy attributes associated with the requested service. A policy attribute is a set of constraints used by the relying party to determine if the authorization attributes associated with the certificate subject are sufficient to allow the certificate subject to access the requested service. If the authorization attributes present in the status information object match the policy attributes associated with the requested service, the relying party may grant the certificate subject access to the requested service. | 05-09-2013 |
20130117559 | System and Method for Multi-Certificate and Certificate Authority Strategy - Operations or functions on a device may require an operational certificate to ensure that the user of the device or the device itself is permitted to carry out the operations or functions. A system and a method are provided for providing an operational certificate to a device, whereby the operational certificate is associated with one or more operations of the device. A manufacturing certificate authority, during the manufacture of the device, obtains identity information associated with the device and provides a manufacturing certificate to the device. An operational certificate authority obtains and authenticates at least a portion of the identity information associated with the device from the manufacturing certificate and, if at least the portion of the identity information is authenticated, the operational certificate is provided to the device. | 05-09-2013 |
20130124856 | System And Method For A Single Request And Single Response Authentication Protocol - Various embodiments of a system and method for a single request and single response authentication protocol are described. A client may send to an authentication server a request to authenticate the identity of a user attempting to access an electronic document protected by a rights management policy. The single request may be generated according to rights management configuration information included within the document. Such rights management information may include one or more parameters for requesting authentication from an authentication server. In response to the request, an authentication server may send a single response to the client. The single response may include information indicating that the identity is authenticated (e.g., a license to access the document, or an encryption key to decrypt the document). The client system may be configured to, in response to the single response, provide access to the document according to the rights management policy. | 05-16-2013 |
20130124857 | COMMUNICATION APPARATUS AND CONTROL METHOD THEREFOR - It is determined whether a user who has logged in in communication using a selfsigned certificate stored by default is an administrator or a general user. If it is determined that the user is an administrator, an install page for a CA-signed certificate which is more reliable than the selfsigned certificate is returned to the user. Alternatively, if it is determined that the user is a general user, an error page is returned to the user. | 05-16-2013 |
20130132717 | Mobile Handset Identification and Communication Authentication - Disclosed is a system and method for authenticating a communications channel between a mobile handset associated with a user and an application server, for uniquely identifying the mobile handset and for encrypting communications between the mobile handset and the application server over the communication channel is provided. The system includes a certificate authority configured to issue digital certificates to the handset and the application server, as well as software applications operating on both the handset and application server. The digital certificates may be used by the handset and application server to uniquely identify one another as well as to exchange encryption keys by means of which further communication between them may be encrypted. | 05-23-2013 |
20130138952 | SYSTEM AND METHOD TO PASS A PRIVATE ENCRYPTION KEY - A method and system may include receiving, by a certificate authority computing device, a request to provision and provide a private key. A connection may be established between a requester device and a network for identification. The identity of the requester device may be verified via a network path utilized by the connection. A secure session with the requester device may be initiated using an intermediate agent on the network. A private key may be provided from the certificate authority to the requester device using the secure session. The private key may be provisioned. The intermediate agent may be connected to the network at a location that provides the requester device with a connection to the network. The intermediate agent may further authenticate the requester device using the location of the connection to the network of the requesting device. | 05-30-2013 |
20130138953 | COMBINING MULTIPLE DIGITAL CERTIFICATES - A method for forming a digital certificate includes receiving contact information associated with the digital certificate. The contact information includes at least a name, a mailing address, and an email address. The method also includes receiving billing information associated with the digital certificate and receiving a Certificate Signing Request (CSR) for the digital certificate. The method further includes receiving a first name for use in forming the digital certificate and receiving a second name for use in forming the digital certificate. Moreover, the method includes receiving an indication of a vendor of web server software, receiving an indication of a service period for the digital certificate, and forming the digital certificate. The first name is stored in a Subject field of the digital certificate and the second name is stored in the SubjectAltName extension of the digital certificate. | 05-30-2013 |
20130145151 | Derived Certificate based on Changing Identity - A first device with a changing identity establishes a secure connection with a second device in a network by acting as its own certificate authority. The first device issues itself a self-signed root certificate that binds an identity of the first device to a long-term public key of the first device. The root certificate is digitally signed using a long-term private key, where the long-term public key and the long-term private key form a public/private key pair. The first device provides its root certificate to the second device in any trusted manner. The first device can then create a certificate for one or more short-term identities acquired by the first device and sign the newly-created certificate using the long-term private key. The first device can authenticate itself to the second device by sending the newly-created certificate to the second device. | 06-06-2013 |
20130145152 | SECURE PREFIX AUTHORIZATION WITH UNTRUSTED MAPPING SERVICES - In one embodiment, a first router associated with a first network node sends a first map lookup that includes a particular device identifier associated with a second network node to a mapping service that maintains a plurality of mappings that associate device identifiers with device locations. The first router receives, from a second router associated with the second network node, a map response that includes a particular device location that corresponds to the particular device identifier for the second network node. The first router establishes a secure session with the second router, and determines, based on the secure session, whether the second router is authorized to reply for the particular device identifier associated with the second network node. | 06-06-2013 |
20130145153 | METHOD AND DEVICE FOR SECURE NOTIFICATION OF IDENTITY - A system, methods and devices for the secure notification of an identity in a communications network. The methods include sending or receiving a communication including a hash of a certificate of a device to notify or detect the presence of the device in a network. Each certificate is associated with an identity which is excluded from the communication of the hash of the certificate. The received hash is compared to hashes of certificates stored in an electronic device to determine an identity. The identity may represent an electronic device or a user of the electronic device. | 06-06-2013 |
20130145154 | GAMING MACHINE CERTIFICATE CREATION AND MANAGEMENT - Methods and systems for creating and managing certificates for gaming machines in a gaming network using a portable memory device. A gaming machine creates a certificate signing request which is stored on a portable memory device at the machine. Then, the memory device is coupled with an appropriate CA server. A certificate batch utility program on the server downloads and processes the CSRs. A certificate services program on the server issues gaming machine certificates according to the CSRs. In one embodiment, the certificates are uploaded onto the memory device, along with copies of certificate authority server certificates, including a root CA certificate. Then, the memory device is coupled with the gaming machine and software on the machine identifies and downloads its certificate based on the certificate file name. | 06-06-2013 |
20130145155 | PROVISIONING MULTIPLE DIGITAL CERTIFICATES - A method of provisioning a first digital certificate and a second digital certificate based on an existing digital certificate includes receiving information related to the existing digital certificate. The existing digital certificate includes a first name listed in a Subject field and a second name listed in a SubjectAltName extension. The method also includes receiving an indication from a user to split the existing digital certificate and extracting the first name from the Subject field and the second name from the SubjectAltName extension of the existing digital certificate. The method further includes extracting the public key from the existing digital certificate, provisioning the first digital certificate with the first name listed in a Subject field of the first digital certificate and the public key, and provisioning the second digital certificate with the second name listed in a Subject field of the second digital certificate and the public key. | 06-06-2013 |
20130145156 | SYSTEMS AND METHODS FOR CREDENTIALING - A method includes issuing non-unique credentials to an operations management agent (“the agent”). The method further includes establishing a first encrypted communication channel between an operations management server (“the server”) and the agent based on the non-unique credentials. The method further includes issuing, automatically based on the establishing, unique credentials to the agent. The method further includes replacing, automatically based on the issuing of the unique credentials, the first encrypted communication channel with a second encrypted communication channel that is based on the unique credentials. | 06-06-2013 |
20130151846 | Cryptographic Certification of Secure Hosted Execution Environments - Implementations for providing a secure execution environment with a hosted computer are described. A security-enabled processor establishes a hardware-protected memory area with an activation state that executes only software identified by a client system. The hardware-protected memory area is inaccessible by code that executes outside the hardware-protected memory area. A certification is transmitted to the client system to indicate that the secure execution environment is established, in its activation state, with only the software identified by the request. | 06-13-2013 |
20130151847 | Authentication Certificates as Source of Contextual Information in Business Intelligence Processes - A certificate of a user is presented by a client to a server. The certificate is used to authenticate communications between the client and the server. Thereafter, data from the certificate is cached at the server. The server then initiates one or more business intelligence processes of a business intelligence application at the client using the cached data to provide context to the one or more business intelligence processes. Related apparatus, systems, techniques and articles are also described. | 06-13-2013 |
20130159702 | COMBINED DIGITAL CERTIFICATE - A system can comprise a memory to store computer readable instructions and a processing unit to access the memory and to execute the computer readable instructions. The computer readable instructions can comprise a certificate manager configured to request generation of N number of random values, where N is an integer greater than or equal to one. The certificate manager can also be configured to request a digital certificate from at least one certificate authority of at least two different certificate authorities. The request can include a given one of the N number of random values. The certificate manager can also be configured to generate a private key of a public-private key pair, wherein the private key is generated based on a private key of each of the least two certificate authorities. | 06-20-2013 |
20130159703 | UTILIZING A STAPLING TECHNIQUE WITH A SERVER-BASED CERTIFICATE VALIDATION PROTOCOL TO REDUCE OVERHEAD FOR MOBILE COMMUNICATION DEVICES - A certificate issuer ( | 06-20-2013 |
20130159704 | SYSTEM AND METHOD OF ENFORCING A COMPUTER POLICY - A method and system of enforcing a computer policy uses a central server to manage user profiles, policies and encryption keys. The server securely supplies the keys to client devices only after checking that the policy has been complied with. The checks include both the identity of the user and the machine identity of the client device. The keys are held in a secure environment of the client device, for example in a Trusted Platform Module (TPM), and remain inaccessible at all times to the end user. Theft or loss of a portable client device does not result in any encrypted data being compromised since the keys needed to decrypt that data are not extractable from the secure environment. | 06-20-2013 |
20130159705 | SECURITY SYSTEM FOR HANDHELD WIRELESS DEVICES USING TIME-VARIABLE ENCRYPTION KEYS - In one embodiment, the invention provides a portable wireless personal communication system for cooperating with a remote certification authority to employ time variable secure key information pursuant to a predetermined encryption algorithm to facilitate convenient, secure encrypted communication. The disclosed system includes a wireless handset, such as PDA, smartphone, cellular telephone or the like, characterized by a relatively robust data processing capability and a body mounted key generating component which is adapted to be mounted on an individual's body, in a permanent or semi-permanent manner, for wirelessly broadcasting, within the immediate proximity of the individual, a secret or private key identifying signal corresponding to a time variable secure key information under the control of the certification authority. The key identifying signal is generated in a format that facilitates secure wireless communication with the individual in accordance with a predetermined encryption algorithm including a PKI encryption algorithm. The disclosed system may be used with a console for coordinating access to a variety of different communication system and networks. | 06-20-2013 |
20130159706 | SECRET COMMUNICATION METHOD AND SYSTEM BETWEEN NEIGHBORING USER TERMINALS, TERMINAL, SWITCHING EQUIPMENT - The present invention provides a secret communication method, apparatus and system. The method comprises: 1) determining a neighboring encryption switching equipment shared by a first user terminal and a second user terminal, wherein the first user terminal and the second user terminal are neighboring user terminals ( | 06-20-2013 |
20130166907 | Trusted Certificate Authority to Create Certificates Based on Capabilities of Processes - A device certificate binds an identity of a first device to a public key of the first device. The first device comprises a certificate authority service that creates for a process on the first device a process certificate certifying one or more capabilities of the process on the first device. The process certificate is presented to the second device. Upon validating the process certificate using the device certificate, the second device permits the process on the first device to have on the second device one or more of the verified certified capabilities. | 06-27-2013 |
20130173912 | DIGITAL RIGHT MANAGEMENT METHOD, APPARATUS, AND SYSTEM - A digital right management method, including: generating, by a first user equipment having access right to shared digital contents, a common public key based on one or more public keys of one or more second user equipments intended to share the digital contents, respectively; encrypting, by the first user equipment, a key of the digital contents with the common public key to generate a ciphertext of the key of the digital contents; generating, by the first user equipment, from the ciphertext a new authorization certificate corresponding to the digital contents; and transmitting, by the first user equipment, the new authorization certificate and the digital contents to the second user equipments to instruct the second user equipments to share the digital contents in accordance with the new authorization certificate. | 07-04-2013 |
20130173913 | SECURE MECHANISMS TO ENABLE MOBILE DEVICE COMMUNICATION WITH A SECURITY PANEL - A method of arming or disarming a building security system includes transferring an electronic security credential file from an authorizing environment to a mobile computing device. The electronic security credential file is read by the mobile computing device to extract authentication data. The authentication data is transmitted from the mobile computing device and received at the building security system. Within the building security system, the authentication data is used to verify that a user of the mobile computing device is authorized to communicate with the building security system. The mobile computing device is enabled to communicate with the building security system only if the electronic security credential file has been used to verify that a user of the mobile computing device is authorized to communicate with the building security system. | 07-04-2013 |
20130173914 | Method for Certificate-Based Authentication - A method is disclosed for certificate-based authentication, in which a first subscriber authenticates himself to a second subscriber using a digital certificate associated to the first subscriber. The certificate specifies requirement(s) and the fulfillment of a requirement is ensured by a third subscriber. Within the framework of the authentication by the second subscriber, a validity condition is checked, and the certificate is classified as valid if the validity condition is fulfilled, based on the issue and/or absence of issue of the requirement(s) specified in the certificate by the third subscriber. Requirements may be used to restrict the validity of the certificate. The validity of a certificate can thereby be controlled in a simple and flexible manner without explicitly defining the validity in the certificate. The method can be used for authentication in any technical field, e.g., to authentication subscribers in the form of components of an automation system. | 07-04-2013 |
20130185552 | Device Verification for Dynamic Re-Certificating - A method for authenticating a device is provided. The method comprises receiving, by a network component, from the device, an access request and an encryption key; sending, by the network component, to the device, a request for at least one of current information associated with the device and an identification number associated with the device; receiving, by the network component, a response from the device; comparing, by the network component, the response with a known version of the at least one of current information associated with the device and identification number associated with the device; and determining, by the network component, that the device has passed an authenticity test when at least one of: current information included in the response matches the known version of the current information, and the identification number included in the response matches the known version of the identification number. | 07-18-2013 |
20130198511 | IMPLICIT SSL CERTIFICATE MANAGEMENT WITHOUT SERVER NAME INDICATION (SNI) - Embodiments disclose a reverse lookup using an IP:Port-to-hostname table to identify a hostname when only an IP address and port is present in an SSL hello connection, which may occur, for example, when a non-SNI-capable client initiates the SSL hello. Once the hostname is successfully looked up, a naming convention is used to simplify the management and identification of SSL certificates. Different types of SSL certificates are supported. Multiple hostname matches may be associated with a given IP address and port in the IP:Port-to-hostname table. In such case, the first-matching hostname is always used with the naming convention to identify related SSL certificates. The naming convention is applied in such a way that it will first look for the most matching file name to the least matching file name. | 08-01-2013 |
20130205134 | METHODS AND APPARATUSES FOR ACCESS CREDENTIAL PROVISIONING - Methods and apparatuses are provided for access credential provisioning. A method may include causing a trusted device identity for a mobile apparatus to be provided to an intermediary apparatus. The intermediary apparatus may serve as an intermediary between the mobile apparatus and a provisioning apparatus for a network. The method may further include receiving, from the intermediary apparatus, network access credential information for the network. The network access credential information may be provisioned to the mobile apparatus by the provisioning apparatus based at least in part on the trusted device identity. Corresponding apparatuses are also provided. | 08-08-2013 |
20130212379 | DYNAMIC GENERATION AND PROCESSING OF CERTIFICATE PUBLIC INFORMATION DIRECTORIES - Digital certificate public information is extracted using a processor from at least one digital certificate stored within at least one digital certificate storage repository. The extracted digital certificate public information is stored to at least one dynamically-created certificate public information directory. At least a portion of the digital certificate public information stored within the at least one dynamically-created certificate public information directory is provided in response to a digital certificate public information request. | 08-15-2013 |
20130212380 | SECURELY UPGRADING OR DOWNGRADING PLATFORM COMPONENTS - A method for securely altering a platform component is provided, comprising: assigning certificates for public encryption and signature verification keys for the device; assigning certificates for public encryption and signature verification keys for an upgrade server; mutually authenticating a device containing the platform component and the upgrade server; causing the device and the upgrade server to exchange a session key; and providing an alteration to be made to the platform component from the upgrade server to the device using the session key. | 08-15-2013 |
20130212381 | SYSTEM AND METHOD FOR CONTROLLING AUTHORIZED ACCESS TO A STRUCTURED TESTING PROCEDURE ON A MEDICAL DEVICE - Methods and systems for authorizing access to a medical device are disclosed. The methods and systems use authorization certificates to allow and prevent access to one or more operations of the medical device. The methods and systems also allow the tracking of changes made to the medical device by an authorized user. | 08-15-2013 |
20130212382 | DEVICE-BOUND CERTIFICATE AUTHENTICATION - A device-bound certificate authority binds a certificate to one or more devices by including digital fingerprints of the devices in the certificate. A device only uses a device-bound certificate if the digital fingerprint of the device is included in the certificate and is verified. Thus, a certificate is only usable by one or more devices to which the certificate is explicitly bound. Such device-bound certificates can be used for various purposes served by certificates generally such as device driver authentication and authorization of access to secure content, for example. | 08-15-2013 |
20130227275 | NETWORK SYSTEM, CERTIFICATE MANAGEMENT METHOD, AND CERTIFICATE MANAGEMENT PROGRAM - A network system includes a management apparatus and multiple apparatuses. The management apparatus includes a preparation instruction unit to transmit an instruction to prepare a certificate request to the apparatuses; a collection unit to collect the certificate requests; a request unit to request issuance of certificates to a certificate authority; a resetting instruction unit to transmit the issued certificates to the apparatuses and to instruct resetting of certificates. The apparatus includes a storing unit including an operation area for storing a first certificate and a provisional operation area; a provisionally operating unit to transfer the first certificate to the provisional operation area, and to generate a certificate request, and to transmit the certificate request to the management apparatus; a setting unit to store a second certificate, issued by the certificate authority, in the operation area, and to instruct a communication unit to conduct the communication by switching a certificate. | 08-29-2013 |
20130227276 | DEVICE MANAGEMENT APPARATUS, METHOD FOR DEVICE MANAGEMENT, AND COMPUTER PROGRAM PRODUCT - According to an embodiment, provided is a device management apparatus that issues a digital certificate to a device. The device management apparatus includes: a storage unit that stores therein device identification information unique to the device in advance; a device-data obtaining unit that, when receiving a connection request from the device, obtains the device identification information contained in the connection request; and a certificate issuing unit that, when the device identification information that is obtained matches up with the device identification information that is stored, issues the digital certificate to the device. | 08-29-2013 |
20130227277 | SELF-SIGNED IMPLICIT CERTIFICATES - There are disclosed systems and methods for creating a self-signed implicit certificate. In one embodiment, the self-signed implicit certificate is generated and operated upon using transformations of a nature similar to the transformations used in the ECQV protocol. In such a system, a root CA or other computing device avoids having to generate an explicit self-signed certificate by instead generating a self-signed implicit certificate. | 08-29-2013 |
20130232336 | METHOD AND SYSTEM FOR USER AUTHENTICATION FOR COMPUTING DEVICES UTILIZING PKI AND OTHER USER CREDENTIALS - A system and method for user authentication utilizing PKI credentials and user credentials on an electronic device comprising a mobile communication device, smart phone, a computer or other computing device. | 09-05-2013 |
20130232337 | USER TERMINAL AND METHOD FOR PLAYING DIGITAL RIGHTS MANAGEMENT CONTENT - Disclosed herein are a user terminal and method for playing DRM content. The user terminal includes a common security platform. The common security platform includes a DRM application management unit and a security management unit. The DRM application management unit stores and executes a DRM application that requests authentication from a license server and receives a license, including a decryption key for decrypting encrypted DRM content. The DRM application is an application in a downloadable form. The security management unit decrypts the encrypted DRM content, provided by a content providing server, using the decryption key included in the license issued via the DRM application. | 09-05-2013 |
20130238895 | RENEWAL PROCESSING OF DIGITAL CERTIFICATES IN AN ASYNCHRONOUS MESSAGING ENVIRONMENT - A renewed digital certificate is obtained within an asynchronous messaging environment from a certificate server of an issuer of an existing digital certificate to replace the existing digital certificate. The renewed digital certificate includes an extended attribute that stores a serial number value of the existing digital certificate. A message is received with a symmetric key that is encrypted using the existing digital certificate. The symmetric key is identified within the message by the serial number value of the existing digital certificate. The message is processed using the renewed digital certificate. | 09-12-2013 |
20130238896 | DIGITAL RIGHTS MANAGEMENT FOR LIVE STREAMING BASED ON TRUSTED RELATIONSHIPS - Managing digital rights of content based on trusted relationships including: tagging the content as using encryption and specifying a retrieval method that is used to request a decryption key so that the content is live streamed to a client device a client device; transmitting an affiliation token to a trusted agent, wherein the trusted agent relays the affiliation token onto the client device based on requirement and identifier of the client device; receiving a request from the client device for the decryption key, which includes a value from the affiliation token to identify the trusted relationships; and verifying the request and providing the decryption key to the client device, wherein the client device uses the decryption key to decrypt the live streaming content for playback. Keywords include digital rights management and trusted relationship. | 09-12-2013 |
20130246785 | METHOD FOR SECURING MESSAGES - There is provided a method for secure communications. The method comprises obtaining a broadcast message, computing a signature for said broadcast message using a private key, and sending a transmission to a communication device. The private key is associated with a certificate and the transmission comprises the signature. | 09-19-2013 |
20130254534 | METHOD OF AND SYSTEM FOR AUTHENTICATING ONLINE READ DIGITAL CONTENT - A method of authenticating an online read right of a digital content includes: receiving an online read first request from a terminal, the first request including first user information, obtaining first right information corresponding to the first user information, generating a first right model, obtaining first certificate information corresponding to the first right model, generating a second request including the first right model and the first certificate information, and authenticating the first certificate information and M function rights in the first right model. | 09-26-2013 |
20130262860 | Automated secure DNSSEC provisioning system - A system and method that maintains a secure chain of trust from domain name owner to publication by extending the trust placed in existing cryptographic identity systems to the records published in the Internet's Domain Name System (DNS) and secured by its DNS Security Extensions (DNSSEC) infrastructure. Automated validation and processing occur within a secured processing environment to capture and preserve the cryptographic security from the source request. | 10-03-2013 |
20130262861 | DATA PROTECTION METHOD FOR E-MAIL AND ELECTRONIC DEVICE HAVING DATA PROTECTION FUNCTION - A computerized data protection method prevents data of an electronic device from being compromised through e-mail. A digital certificate is installed in the electronic device, and one or more safe e-mail addresses are configured and stored in the digital certificate. Predetermined data stored in the electronic device are correlated with the one or more safe e-mail addresses. When the predetermined data need to be sent to a target e-mail address, whether the target e-mail address matches with one of the safe e-mail addresses is verified. If the target e-mail address matches with one of the safe e-mail addresses, the predetermined data is sent to the target e-mail address. | 10-03-2013 |
20130268754 | SECURE SOFTWARE FILE TRANSFER SYSTEMS AND METHODS FOR VEHICLE CONTROL MODULES - A server includes an import module that receives a first content file and a first instruction file from a design network. The first instruction file includes a first set of parameters. A job request module, based on the first instruction parameter set, determines a second parameter set and generates a second instruction file comprising the second parameter set. The job request module transmits the first content file and the second parameter set to a signature server. An export module receives a signature file from the signature server. The signature server generates the signature file based on the second instruction file. The export module integrates the signature into the first content file to generate a second content file and downloads the second content file to at least one of a service server, a manufacturing server, and a supplier network. | 10-10-2013 |
20130268755 | CROSS-PROVIDER CROSS-CERTIFICATION CONTENT PROTECTION - Access to protected resources across client devices having different authentication systems is provided. An authorization provider creates cross-certificates to trusted public keys provided by resource protection providers. Each resource protection provider installs a digital certificate on a device. This digital certificate is signed by the resource protection provider, and includes on the device a private key which are used for client authentication. Client authentication is performed by a security module on the client device digitally signing an authentication request to the authorization provider using a protection provider module-specific digital signature algorithm and providing the signed request with the device's provider-digital certificate to the authorization provider. If the authorization provider verifies the signed request and that the digital certificate is part of the authentication PKI, then the client device will be authenticated. | 10-10-2013 |
20130275749 | Secure Anonymity In A Media Exchange Network - Secure communication of information in a communication network may comprise acquiring a security code from a second communication device by a first communication device and receiving media containing the security code such as a pin code from the first communication device. The security code may be translated into an IP address corresponding to the second communication device. The received media may be routed to the second communication device based on the IP address of the second communication device. In this regard, the IP address of the second communication device remains anonymous or unknown to the first communication device. A duration for which the security code is valid may be limited to a specific time period and/or for a particular number of uses. Notwithstanding, the security code may be acquired out-of-band. | 10-17-2013 |
20130275750 | CONFIGURING A VALID DURATION PERIOD FOR A DIGITAL CERTIFICATE - A valid duration period for a digital certificate is established by a process that includes assigning numeric values to certificate term. The numeric value assigned to each certificate term is representative of the valid duration period. The method continues by identifying one certificate term, which may include requesting a user to select a certificate term. The method may include transmitting the requested certificate term to a server. The certificate term requested is sent via a certificate request. The server is configured to convert the numeric value associated with the requested certificate term into a duration counter value. The method may also include a certificate server receiving from the server, the certificate request including the duration counter value. The method may conclude with transmitting the signed certificate request to a client device capable of generating the digital certificate with the requested certificate term. | 10-17-2013 |
20130283041 | SERVER CERTIFICATE SELECTION - In one implementation, a network device, which may be a wide area network (WAN) optimization device includes a memory, a communication interface, and a processor. The memory is configured to store a pool of server certificates. The communication interface is configured to receive a data flow for optimization by the network device. The processor is configured to access a reverse domain name lookup on a destination internet protocol (IP) address extracted from the data flow to receive a fully qualified domain name (FQDN). A matching server certificate is selected from the pool of server certificates that best matches the FQDN. The common name of the matching server certificate and the FQDN are not exact matches. Instead, the common name may be the longest string match available from the pool of certificates, or the common name may have the most address components in common out of the available pool of certificates. | 10-24-2013 |
20130283042 | Trust Information Delivery Scheme for Certificate Validation - A unique TIO based trust information delivery scheme is disclosed that allows clients to verify received certificates and to control Java and Javascript access efficiently. This scheme fits into the certificate verification process in SSL to provide a secure connection between a client and a Web server. In particular, the scheme is well suited for incorporation into consumer devices that have a limited footprint, such as set-top boxes, cell phones, and handheld computers. Furthermore, the TIO update scheme disclosed herein allows clients to update certificates securely and dynamically. | 10-24-2013 |
20130283043 | METHOD AND APPARATUS FOR AUTHORIZATION UPDATING - A method for updating an authorization of electronic information includes receiving, by an authorization updating server, first information from a user equipment requesting for updating authorization items, wherein the first information includes first identification information and a first list of authorization items requested to be updated, determining a second list of authorization items stored in the authorization updating server that correspond to the first identification information, comparing the first list of authorization items and the second list of authorization items and determining a third list including authorization items that are listed in both the first list and the second list of authorization items, and transmitting the third list of authorization items to the user equipment. | 10-24-2013 |
20130290704 | AUTOMATED OPERATION AND SECURITY SYSTEM FOR VIRTUAL PRIVATE NETWORKS - A node device provides secure communication services over a data network, to multiple computers that are coupled through the node device and multiple other node devices. The node device includes a network communication interface for coupling the node device to the data network, a data storage containing cryptographic information including information that is unique to the node device, a tunneling communication service coupled to the network interface configured to maintaining an encrypted communication tunnel with each of multiple other node devices using the cryptographic information, a routing database for holding routing data and a router coupled to the tunneling communication service and to the routing database. The router can pass communication from one communication tunnel to another. A centralized server can be used to control the node devices in a centralized manner, thereby reducing or eliminating on-site administration of node devices. | 10-31-2013 |
20130290705 | METHOD AND APPARATUS FOR ON-SITE AUTHORISATION - A method for authorisation of a user to access a computer system locally at a site is described. The computer system determines whether a network connection to a remote authentication source is available. If the network connection is available, the computer system authenticates the user by interaction with the remote authentication source. If the network connection is not available, the computer system authenticates the user against a credential provided by the user. In this case, the credential will have been provided by or validated by the remote authentication source less than a predetermined time prior to the authenticating step, and the credential is a certificate issued by a certificate authority already trusted by the computer system and valid for a predetermined period of time. A suitable computer system is also described. | 10-31-2013 |
20130297933 | MOBILE ENTERPRISE SMARTCARD AUTHENTICATION - Utilities that allow for multi-factor authentication into an enterprise network with a smart card using mobiles devices (e.g., smartphones, tablets, etc.), where almost any application (app) or website that accesses enterprise resources can be launched or executed to automatically establish of a VPN connection with the enterprise network free of necessarily having to specially configure the apps or websites to be useable with smart cards, card readers, etc. Virtually any app can be used and take advantage of the multifactor authentication free or substantially free of modification to the app itself as the disclosed utilities may take advantage of the native VPN clients and capabilities provided with the mobile device operating system (OS) (e.g., Android®, iOS). As a result, a much more flexible solution may be provided that allows the use of commercially available apps (e.g., from an “App Store”) as well as, for instance, enterprise developed apps. | 11-07-2013 |
20130297934 | METHOD AND APPARATUS - A method comprises certifying at least a part of offload configuration information for an application, said application for use in an offload environment. | 11-07-2013 |
20130297935 | METHOD AND SYSTEM FOR SIGNING AND AUTHENTICATING ELECTRONIC DOCUMENTS VIA A SIGNATURE AUTHORITY WHICH MAY ACT IN CONCERT WITH SOFTWARE CONTROLLED BY THE SIGNER - A system and method for signing and authenticating electronic documents using public key cryptography applied by one or more server computer clusters operated in a trustworthy manner, which may act in cooperation with trusted components controlled and operated by the signer. The system employs a presentation authority for presenting an unsigned copy of an affixing an electronic signature to the unsigned document to create signed electronic document. The system provides an applet for a signing party's computer that communicates with the signature authority. | 11-07-2013 |
20130305041 | METHOD, DEVICE, AND SYSTEM OF SECURE ENTRY AND HANDLING OF PASSWORDS - Devices, system, and methods of secure entry and handling of passwords and Personal Identification Numbers (PINs), as well as for secure local storage, secure user authentication, and secure payment via mobile devices and via payment terminals. A server includes: an authentication module to send, to a remote client device, a server authentication certificate; an accreditation certificate stored in a pre-defined location on the server, wherein the pre-defined location is accessible to the remote client device; wherein the accreditation certificate indicates a condition that the server authentication certificate needs to meet in order for the server authentication certificate to be accepted for authentication by the remote client device. | 11-14-2013 |
20130305042 | SYSTEM AND METHOD FOR ISSUING DIGITAL CERTIFICATE USING ENCRYPTED IMAGE - The disclosure relates to a system and method for issuing a digital certificate using an encrypted image, in which a digital certificate is sealed in a digital envelope image so as to protect a digital certificate user from damages caused by hacking, phishing attacks and the like in the course of issuance, update and re-issuance of the digital certificate, and the method for issuing a digital certificate comprises the steps of: storing a user select image for issuing the digital certificate, by a proxy server or a certificate server; and requesting the certificate server to issue the digital certificate and, if the digital certificate is issued, creating a sealed digital envelope image by combining the digital certificate with the user select image and transmitting the digital envelope image to a user terminal. | 11-14-2013 |
20130311771 | SUBSCRIBER CERTIFICATE PROVISIONING - Provisioning a device with a certificate is contemplated. The certificate may be used to verify whether the device or a user of the device is authorized to access electronic content, services, and signaling. The certificate may be provisioned in relation to the device having successfully completed a two-factor authentication process so that an entity providing the certificate need not have to repeat the two-factor authentication process. | 11-21-2013 |
20130311772 | NON-PKI DIGITAL SIGNATURES AND INFORMATION NOTARY PUBLIC IN THE CLOUD - A digital signature is applied to digital documents/information. In certain instances, juridically strong digital signatures are achieved. Cloud computing technologies may be used to aid in the production of the cryptographically secure, authenticated digital signatures. Digital signatures may be produced with a digital notarization. The techniques of generating a digital signature may not require the use of traditional public key infrastructure (PKI). | 11-21-2013 |
20130318342 | Method and System for Generating Implicit Certificates and Applications to Identity-Based Encryption (IBE) - The invention relates to a method of generating an implicit certificate and a method of generating a private key from a public key. The method involves a method generating an implicit certificate in three phases. The public key may be an entity's identity or derived from an entity's identify. Only the owner of the public key possesses complete information to generate the corresponding private key. No authority is required to nor able to generate an entity's private key. | 11-28-2013 |
20130326214 | APPARATUS AND METHODS FOR ACTIVATION OF COMMUNICATION DEVICES - A method that incorporates teachings of the subject disclosure may include, for example, storing, by a universal integrated circuit card (UICC) including at least one processor, a digital root certificate locking a communication device to a network provider, and disabling an activation of the communication device responsive to receiving an indication of a revocation of the stored digital root certificate from a certificate authority, wherein the indication of the revocation of the stored digital root certificate is associated with a revocation of permission for an identity authority to issue a security activation information to the communication device on behalf of the network provide. Other embodiments are disclosed. | 12-05-2013 |
20130326215 | ESTABLISHING TRUST WITHIN A CLOUD COMPUTING SYSTEM - A cloud computing system includes a cloud system managing unit, a plurality of sets of devices, where a set of devices includes one or more devices having a common aspect, and a plurality of authentication servers, where an authentication server is associated with one of the plurality of sets of devices based on the common aspect. The cloud computing system functions to establish trust between a corresponding one of the plurality of authentication servers and the one or more devices of one of the plurality of sets of devices, between the corresponding one of the plurality of authentication servers and the cloud system managing unit, and between the cloud system managing unit and the one or more devices. The cloud system managing unit configures the cloud computing system based on the trust between the cloud system managing unit and devices of the plurality of sets of devices. | 12-05-2013 |
20130332726 | SYSTEM AND METHOD FOR VALIDATING SCEP CERTIFICATE ENROLLMENT REQUESTS - A system and method for validating SCEP certificate enrollment that enforces the pairing of a SCEP challenge password and a set of expected certificate request content. A SCEP Validation Service or software residing in another system component whether a certificate request is legitimate by comparing it to registered SCEP challenges and associated expected certificate request content. This system and method addresses a privilege-escalation vulnerability in prior SCEP-based systems that could lead to a practical attack. | 12-12-2013 |
20130346743 | DIGITAL CERTIFICATE ISSUER-CORRELATED DIGITAL SIGNATURE VERIFICATION - A message including a digital signature is received at a processor. It is determined whether a specific authorized certificate issuer is configured for a message originator within a data protection policy. In response to determining that the specific authorized certificate issuer is configured for the message originator within the data protection policy, it is determined whether a message originator certificate used to generate the digital signature is issued by the configured specific authorized certificate issuer. | 12-26-2013 |
20130346744 | DIGITAL CERTIFICATE ISSUER-CORRELATED DIGITAL SIGNATURE VERIFICATION - A message including a digital signature is received at a processor. It is determined whether a specific authorized certificate issuer is configured for a message originator within a data protection policy. In response to determining that the specific authorized certificate issuer is configured for the message originator within the data protection policy, it is determined whether a message originator certificate used to generate the digital signature is issued by the configured specific authorized certificate issuer. | 12-26-2013 |
20130346745 | MANAGEMENT OF CERTIFICATES FOR MOBILE DEVICES - One embodiment of the present disclosure provides a method that includes accessing, by a mobile device management system, a profile for a mobile device. The method also includes negotiating, by the mobile device management system, with a certificate authority to obtain a certificate for the mobile device. The negotiating with the certificate authority includes imitating the mobile device based on the profile. The negotiating with the certificate authority also includes, based at least on the imitation, transmitting one or more certificate enrollment messages to the certificate authority. The negotiating with the certificate authority further includes, based on the one or more messages, receiving, at the mobile device management system, the certificate for the mobile device. The method further includes transmitting the certificate to a control agent hosted on the mobile device for installation. | 12-26-2013 |
20140006776 | CERTIFICATION OF A VIRTUAL TRUSTED PLATFORM MODULE | 01-02-2014 |
20140013105 | MANAGING SECURITY CERTIFICATES OF STORAGE DEVICES - A method and data processing system for managing security certificates in a data processing environment is disclosed. A computer identifies a security certificate associated with a management interface of a device in the data processing environment. The computer determines whether the security certificate was issued by a certificate authority that is trusted. In response to determining that the security certificate was not issued by the certificate authority, the computer identifies the security certificate as invalid. Subsequent to identifying the security certificate as invalid, the computer determines if a service exists in the data processing environment that includes a feature for sending information about critical events associated with the data processing environment. Responsive to determining that the service with the feature exists in the data processing environment, the computer generates a certificate-signing request for the management interface of the device and sends the certificate-signing request via the feature in the service. | 01-09-2014 |
20140013106 | ISSUING, PRESENTING AND CHALLENGING MOBILE DEVICE IDENTIFICATION DOCUMENTS - Methods and systems of authenticating electronic identification (ID) documents may provide for receiving a decryption key and an encrypted ID document from a certificate authority server at a mobile device, wherein the encrypted ID document includes a read only document having a photograph of an individual. Additionally, the decryption key may be applied to the encrypted ID document to obtain a decryption result in response to a display request. The decryption result can be output via a display of the mobile device, wherein the encrypted ID document can be sent to a challenge terminal if a challenge request is received. | 01-09-2014 |
20140013107 | Mobile-Device-Based Trust Computing - In one embodiment, a method includes receiving access data from an application on a mobile device of a particular user. The access data includes authentication data associated with a shared device and a digital credential associated with the mobile device. The shared device is configured for use by at least a number users. The method also includes authenticating the access data based on a comparison of the access data with verification data stored by the verification authority; and transmitting to the shared device a digital certificate signed by the verification authority in response to the authentication. The signed digital certificate provides the particular user access to the shared device. | 01-09-2014 |
20140013108 | On-Demand Identity Attribute Verification and Certification For Services - An apparatus is caused to store identification data of a plurality of clients in memory; cause reception of information indicating at least one identifier of a device corresponding to a client requesting access to a service; verify the identity of the client device on the basis of the received identifier; detect whether or not the identified device is authorized to communicate with the apparatus on the basis of first predetermined criteria; upon detecting that the device is authorized, cause reception of in-formation indicating at least one identifier of the client from the identified device; verify the at least one identifier of the client on the basis of the received identifier and the stored identification data; and determine, on demand, whether to issue a certificate indicating the verifications on the basis of second predetermined criteria in order to enable the client to apply the certificate in accessing the service. | 01-09-2014 |
20140013109 | SECURE DELIVERY OF TRUST CREDENTIALS - A system is configured to receive, by one or more servers, a request for a certificate from a user device. The request may include a first parameter , a second parameter , and a third parameter. The system is further configured to identify a key based on the first parameter, generate a fourth parameter based on the key and the third parameter, authenticate the user device based on the fourth parameter and the second parameter, generate the certificate based on authenticating the user device, store information associated with the certificate, and send the certificate to the user device. The user device may use the certificate to establish a session to interact with an application server. | 01-09-2014 |
20140013110 | NON-HIERARCHICAL INFRASTRUCTURE FOR MANAGING TWIN-SECURITY KEYS OF PHYSICAL PERSONS OR OF ELEMENTS (IGCP/PKI) - A non-hierarchical infrastructure for managing twin-security keys of physical persons or of elements includes a public key and a private key with a public key certificate. The structure does not include any certification authority distinct from the physical persons or elements, but does include at least one registering authority and its electronic notary server. There is provided at least one registering authority and its electronic notary server for a circle of trust. The registering authority includes local registering agencies. The local registering agency establishes, after face-to-face verification of the identity of the physical person or of the identification of the element, a public key certificate, and a “public key ownership certificate”, which does not contain the public key of the person or of the element but the print thereof, and which is transmitted in a secure manner to the associated electronic notary server for storing in a secure manner. | 01-09-2014 |
20140025946 | AUDIO-SECURITY STORAGE APPARATUS AND METHOD FOR MANAGING CERTIFICATE USING THE SAME - An audio-security storage apparatus includes an audio connector for connecting with to an audio jack equipped in an external apparatus, and a audio-security storage module for transmitting information on certificates to the external apparatus or receiving information on certificates from the external apparatus for the storage thereof. | 01-23-2014 |
20140032898 | AUTHENTICATION SYSTEM AND METHOD FOR DIGITAL TELEVISIONS - The invention relates to digital television authentication system and method. The system includes a digital television having a digital television master chip; an SIM card module with a built-in SIM card, connected to the digital television master chip, and an authentication server wirelessly connected to the SIM card. The SIM card module includes a symmetric key generation unit used for generating a symmetric encryption key CT according to a Session Key (SEK) received by the SIM card and an identity (ID) of the SIM card; and a CW acquisition unit used for decrypting, according to the symmetric encryption key CT, an ECW sent by the authentication server, to obtain a CW. The authentication server includes an SEK generation unit used for randomly generating a string and taking the string as an SEK; and an SEK sending unit used for sending the SEK to the SIM card module. | 01-30-2014 |
20140040610 | Splitting an SSL Connection Between Gateways - A system for secure communication, including a first security computer communicatively coupled with a client computer via an SSL connection, including a certificate creator, for receiving certificate attributes of a server computer certificate and for creating a signed certificate therefrom, and an SSL connector, for performing an SSL handshake with the client computer using the signed certificate created by said certificate creator, and a second security computer communicatively coupled with a server computer via an SSL connection, and communicatively coupled with the first security computer via a non-SSL connection, including an SSL connector, for performing an SSL handshake with the server computer using a signed certificate provided by the server computer, and a protocol appender, for appending attributes of the signed certificate provided by the server computer within a message communicated to the first security computer. A method is also described and claimed. | 02-06-2014 |
20140059342 | System and Method of Accessing Keys for Secure Messaging - Methods and systems for handling on an electronic device a secure message to be sent to a recipient. Data is accessed about a security key associated with the recipient. The received data is used to perform a validity check related to sending a secure message to the recipient. The validity check may uncover an issue that exists with sending a secure message to the recipient. A reason is determined for the validity check issue and is provided to the mobile device's user. | 02-27-2014 |
20140068249 | TRUST MANAGEMENT SYSTEMS AND METHODS - The present invention provides systems and methods for making efficient trust management decisions. A trust management engine is provided that processes requests for system resources, authorizations or certificates, and the identity of one or more root authorities that are ultimately responsible for granting or denying the requests. To determine whether a request should be granted, the trust management engine identifies a set principals from whom authorization may flow, and interprets each of the certificates as a function of the state of one or more of the principals. The processing logic iteratively evaluates the functions represented by the certificates, updates the states of the principals, and repeats this process until a reliable determination can be made as to whether the request should be granted or denied. The certificates may be evaluated until the state of the root authority indicates that the request should be granted, or until further evaluation of the certificates is ineffective in changing the state of the principals. | 03-06-2014 |
20140068250 | SYSTEM AND METHOD FOR SECURE PROVISIONING OF AN INFORMATION HANDLING SYSTEM - Systems and methods for reducing problems and disadvantages associated with provisioning of information handling systems, including without limitation those associated with bare metal provisioning of information handling systems, are disclosed. A system may include a processor, and a memory and an access controller each communicatively coupled to the processor. The access controller may store an enterprise public key associated with an enterprise private key and a platform private key associated with the system. The access controller may be configured to: (i) authenticate communications received from a provisioning server communicatively coupled to the access controller based at least on an enterprise public certificate associated with the provisioning server and (ii) establish an asymmetrically cryptographic communications channel between the access controller and the provisioning server based at least on a platform public key associated with the platform private key, the platform private key, the enterprise public key, and the enterprise private key. | 03-06-2014 |
20140075185 | SECURELY HANDLING SERVER CERTIFICATE ERRORS IN SYNCHRONIZATION COMMUNICATION - An invalid digital certificate can be saved and subsequently compared to an incoming digital certificate when performing a security check. If a subsequently provided digital certificate does not match the saved digital certificate, an error condition can be generated. Because a digital certificate can be invalid for non-malicious reasons, such technologies can be useful for improving software security. | 03-13-2014 |
20140075186 | Multiple Access Key Fob - The invention relates to a portable device with access to several instances such that each of the instances performs an operation in response to a wireless data exchange with the portable device. The portable device comprises a data processing unit and a memory that stores a public key, a private key and a certificate. The portable device is further configured to transfer the certificate and the public key to a first instance. The first instance is configured to receive the first public key and the first certificate from the first portable device. The first instance is further configured to receive a signature from the first portable device, to decrypt the signature with the copy of the first public key so as receive a code, to compare the code with the random challenge and to perform the operation only if the code and random challenge match. | 03-13-2014 |
20140082351 | Authority-Neutral Certification for Multiple-Authority PKI Environments - A method for facilitating electronic certification, and systems for use therewith, are presented in the context of public key encryption infrastructures. Some aspects of the invention provide methods for facilitating electronic certification using authority-neutral service requests sent by an application, which are then formatted by a server comprising a middleware that can convert the authority-neutral request into certification authority specific objects. The server and middleware then return a response from a selected certification authority back to the service requesting application. Thus, the server and/or middleware act as intermediaries that facilitate user transactions in an environment having multiple certification authorities without undue burden on the applications or the expense and reliability problems associated therewith. | 03-20-2014 |
20140089660 | ENHANCED PRIVACY ID BASED PLATFORM ATTESTATION - As opposed to utilizing a manufacturer provisioned EK Certificate for AIK processes, embodiments of the invention utilize EPID based data. EPID mitigates the privacy issues of common RSA PKI security implementations where every individual is uniquely identified by their private keys. Instead, EPID provides the capability of remote attestation but only identifies the client computing system as having a component (such as a chipset) from a particular technology generation. EPID is a group signature scheme, where one group's public key corresponds to multiple private keys, and private keys generate a group signature which is verified by the group public key. EPID provides the security property of being anonymous and unlinkable—given two signatures, one cannot determine whether the signatures are generated from one or two private keys. EPID also provides the security property of being unforgeable—without a private key, one cannot create a valid signature. | 03-27-2014 |
20140095865 | EXCHANGE OF DIGITAL CERTIFICATES IN A CLIENT-PROXY-SERVER NETWORK CONFIGURATION - Various techniques are described to authenticate the identity of a proxy in a client-proxy-server configuration. The configuration may have a client-side and a server-side SSL session. In the server-side session, if the proxy has access to the private keys of the client, the proxy may select a client certificate from a collection of client certificates and send the selected certificate to the server to satisfy a client authentication request of the server. If the proxy does not have access to the private keys, the proxy may instead send an emulated client certificate to the server. Further, the client certificate received from the client may be embedded within the emulated client certificate so as to allow the server to directly authenticate the client, in addition to the proxy. An emulated client certificate chain may be formed instead of an emulated client certificate. Similar techniques may be applied to the client-side session. | 04-03-2014 |
20140095866 | SYSTEM AND METHOD FOR VERIFICATION OF DIGITAL CERTIFICATES - Analysis of authenticity digital certificates includes. Initial information pertaining to digital certificates is collected from diverse information sources. For each of the digital certificates the initial information includes intrinsic parameter data from among contents of the digital certificate and extrinsic parameter data pertaining to the digital certificate and comprising static data not contained in the contents of the digital certificate. Selected parameter data is stored and analyzed to determine a measure of suspiciousness for each of the digital certificates. If necessary, circumstantial data based on actual usage of one or more of the digital certificates are collected. The initial data and supplemental data are compared against a set of decision criteria that define fraudulent activity, and a determination of authenticity of each of the digital certificates is made. | 04-03-2014 |
20140101439 | SYSTEMS AND METHODS FOR AUTHENTICATION BETWEEN NETWORKED DEVICES - Systems, methods, and computer-readable media are disclosed for authentication of networked devices in which a server device may authenticate a client device and/or a client device may authenticate a server device. Authentication credentials may be exchanged by the server device and the client device to enable mutual authentication. Upon authentication of the connection between the server device and the client device, authenticated, and potentially encrypted communications, may be exchanged by the server device and the client device. | 04-10-2014 |
20140101440 | DIGITAL ARBITRATION - A method for resolving disputes between users in network communications using digital arbitration. The method comprising the steps of agreeing on a contract between the users and choosing a set of arbitrators; appealing to the arbitrators by a first user, if he/she suspects the second user violates the agreement; and giving the information needed to reconstruct a resource of the second user, if a large enough number of arbitrators agree that the second user actually violated the agreement. | 04-10-2014 |
20140101441 | SYSTEMS AND METHODS FOR FLASH CROWD CONTROL AND BATCHING OCSP REQUESTS VIA ONLINE CERTIFICATE STATUS PROTOCOL - The present invention is directed towards systems and methods for batching OCSP requests and caching corresponding responses. An intermediary between a plurality of clients and one or more servers receives a first client certificate during a first SSL handshake with a first client and a second client certificate during a second SSL handshake with a second client. The intermediary may identify that the statuses of the client certificates are not in a cache of the intermediary. An OCSP responder of the intermediary may transmit a single request to an OCSP server to determine the statuses. The intermediary may determine, from a single response received from the OCSP server, whether to establish SSL connections with the clients based on the statuses. The intermediary may store the statuses to the cache for determining whether to establish a SSL connection in response to receiving a client certificate from the first client. | 04-10-2014 |
20140108784 | REDUCING NOISE IN A SHARED MEDIA SESSSION - A method to verify a geographic location of a virtual disk image executing at a data center server within a data center. One embodiment includes a cryptoprocessor proximate the data center server, a hypervisor configured to send a disk image hash value of the virtual disk image, a digital certificate issued to the cryptoprocessor, an endorsement key to a data center tenant and a location provider. The method includes sending a disk image hash value of the virtual disk image, an endorsement key unique to a cryptoprocessor proximate the data center server to a data center tenant, and a digital certificate to a data center tenant. Next, the location provider sends the geographic location of the cryptoprocessor matching the endorsement key to the data center tenant. | 04-17-2014 |
20140108785 | Certificate Authority Server Protection - This invention includes a solution to enable a digital authentication solution comprising a network. Next, a first device is coupled to the network. The first device may include an authentication key generator that is able to generate both public and private keys in electronic formats. Next, the first device is coupled to a certificate authority gateway. The certificate authority gateway includes devices capable of converting the electronically formatted public key to a non-electronic format, and vice versa. Next, the certificate authority gateway is coupled to a certificate authority server. The certificate authority server includes devices capable of converting the electronically formatted public key to a non-electronic format, and vice versa. The certificate authority server is also contained in a secure area such as a locked room, or a safe. The secure area includes features that allow the non-electronically formatted public key to be passed across the boundary of the secure area. Finally, a second device is coupled to the network. | 04-17-2014 |
20140108786 | TAMPER-PROTECTED HARDWARE AND METHOD FOR USING SAME - One of the various aspects of the invention is related to suggesting various techniques for improving the tamper-resistibility of hardware. The tamper-resistant hardware may be advantageously used in a transaction system that provides the off-line transaction protocol. Amongst these techniques for improving the tamper-resistibility are trusted bootstrapping by means of secure software entity modules, a new use of hardware providing a Physical Unclonable Function, and the use of a configuration fingerprint of a FPGA used within the tamper-resistant hardware. | 04-17-2014 |
20140108787 | IN-VEHICLE COMMUNICATION SYSTEM - The present invention is directed to solve a problem that time is required for a process related to verification of a public key certificate of a message sender. An in-vehicle device mounted on a vehicle has a memory for holding information of a device which failed in verification of a public key certificate. At the time of performing communication between vehicles or between a vehicle and a roadside device, a check is made to see whether or not information of a device included in a message transmitted matches information of a device which failed and held in the memory. When the information matches, verification of a public key certificate is not performed. | 04-17-2014 |
20140108788 | SYSTEMS AND METHODS FOR EVALUATING AND PRIORITIZING RESPONSES FROM MULTIPLE OCSP RESPONDERS - The present disclosure is directed towards systems and methods for determining a status of a client certificate from a plurality of responses for an Online Certificate Status Protocol (OCSP) request. An intermediary device between a plurality of clients and one or more servers identifies a plurality of OCSP responders for determining a status of a client certificate responsive to receiving the client certificate from a client during a Secure Socket Layer (SSL) handshake. Each of the plurality of OCSP responders may transmit a request for the status of the client certificate to a uniform resource locator corresponding to each OCSP responder. The intermediary device may determine a single status for the client certificate from a plurality of statuses of the client certificate received via responses from each uniform resource locator. | 04-17-2014 |
20140108789 | SYSTEM, METHOD AND APPARATA FOR SECURE COMMUNICATIONS USING AN ELECTRICAL GRID NETWORK - A secure communications and location authorization system using a power line or a portion thereof as a side-channel that mitigates man-in-the-middle attacks on communications networks and devices connected to those networks. The system includes a power grid server associated with a substation, or curb-side distribution structure such as a transformer, an electric meter associated with a structure having electric service and able to communicate with the power grid server, a human authorization detector input device connected to the electric meter and the power grid server. The human authorization detector is able to receive an input from a user physically located at the structure and capable of communicating with the power grid server via the electric meter. The user's physical input into the device causing a request to be sent to the power grid server that then generates a location certificate for the user. Without the location certificate, access to the communications network and devices connected to those networks can be denied. | 04-17-2014 |
20140115324 | System and Method for Secure Remote Biometric Authentication - Systems and methods for secure remote biometric authentication are provided. A network-based biometric authentication platform stores biometric templates for individuals which have been securely enrolled with the authentication platform. A plurality of sensor platforms separately establishes secure communications with the biometric authentication platform. The sensor platform can perform a biometric scan of an individual and generate a biometric authentication template. The sensor platform then requests biometric authentication of the individual by the biometric authentication platform via the established secure communications. The biometric authentication platform compares the generated biometric template to one or more of the enrolled biometric templates stored in memory at the biometric authentication platform. The result of the authentication is then communicated to the requesting sensor platform via the established secure communications. | 04-24-2014 |
20140122869 | SYSTEM AND METHOD FOR PROVIDING A CERTIFICATE FOR NETWORK ACCESS - Provided is a system and method for providing a certificate, and more specifically a certificate for network access upon a second system. The method includes receiving from a user a request made with a first device for network access, the request including a voucher. At least one characteristic of the first device is also determined. Upon verification of the voucher and in response to the first device having at least one characteristic corresponding to at least one predefined device criteria, the user is provided with a certificate with at least one characteristic for network access. An associated system for providing a Certificate is also provided. | 05-01-2014 |
20140122870 | Utilizing X.509 Authentication for Single Sign-On Between Disparate Servers - An authentication scheme may be utilized for a single sign-on operation between servers. One or more servers (e.g., a SHAREPOINT server) receives a data request directed to a disparate server (e.g., an SAP server). A root certificate (e.g., an X.509 root certificate) is loaded for accessing the disparate server. A user certificate is dynamically generated for identifying a logged-in user. The user certificate is signed with the root certificate and sent to the disparate server for binding with the data request. The data request is sent to the disparate server for authentication using the user certificate. The disparate server accesses a mapping table to map a subject name in the user certificate. When an entry for the logged-in user is found in the mapping table, data operations are enabled between the servers. An open web protocol response containing the requested data is then received from the disparate server. | 05-01-2014 |
20140122871 | SECURITY INFORMATION SHARING SYSTEM AND EXECUTION METHOD THEREOF - The present invention provides a security information sharing system and an execution method thereof which realizes information sharing based on Internet or Local Area Network. The security information sharing system comprises at least a digital key and a digital box and has features as follows: (a) a certification program is executed by a terminal device with the digital key's USB connector inserted into the terminal device's USB port; (b) a data storage device is accessed by the terminal device via the network unit with the data storage device checked via terminal device's connection unit, the digital box's network unit, and a decoding program. | 05-01-2014 |
20140122872 | METHOD FOR EXPORTING ON A SECURE SERVER DATA COMPRISED ON A UICC COMPRISED IN A TERMINAL - A method for exporting on a UICC in a terminal. An export request signed by the UICC, is transmitted by the terminal to a secure server. The server verifies the signed export request by comparing the signature and the identity of the UICC. The server sends a signed export certificate to the UICC via the terminal. An export package containing the data is prepared, signed and encrypted by the UICC, and sent to the terminal. The terminal transmits the export package to the server. The server signs an acknowledgment message and transmits it to the UICC via the terminal. In the UICC, the data that have been exported is destroyed, and a signed acknowledge message is sent to the server via the terminal. The server makes the data available for a further transfer to a new terminal or UICC. | 05-01-2014 |
20140129827 | Implementation of robust and secure content protection in a system-on-a-chip apparatus - A content processing integrated circuit includes a system-on-a-chip (SoC) that further includes a processor to receive an authentication request from an external device for authenticating if the SoC is permitted to receive encrypted content from the external device, and to receive the encrypted content once the SoC is authenticated. An authentication processor is provided and coupled to the processor to authenticate the SoC to the external device when the processor receives the authentication request, and to generate a decryption key for decrypting the encrypted content. A decryption processor is provided and coupled to the processor and the authentication processor to receive the decryption key from the authentication processor and to decrypt the encrypted content with the decryption key. A wireless display system with such SoC is also described. A method of implementing a secure and robust content protection in a SoC is also described. | 05-08-2014 |
20140129828 | USER AUTHENTICATION METHOD USING SELF-SIGNED CERTIFICATE OF WEB SERVER, CLIENT DEVICE AND ELECTRONIC DEVICE INCLUDING WEB SERVER PERFORMING THE SAME - A user authentication method using a self-signed certificate of a web server includes: receiving a log-in message generated by using a public key registered to the self-signed certificate of the web server from a client device; generating a response message by using the log-in message and a secret key corresponding to the public key; transmitting the generated response message to the client device; receiving a verification value from the client device via a secure socket layer (SSL) channel connected by using the self-signed certificate of the web server from the client device when a reliability of the response message is verified at the client device; verifying a reliability of the log-in message by using the received verification value; and confirming completion of user authentication if the reliability of the log-in message is verified. | 05-08-2014 |
20140136838 | ENTITY NETWORK TRANSLATION (ENT) - The present invention provides an Entity Network Translation (ENT) scheme for identifying and authenticating abstract identities using public-private key technology and PKI concepts such as a certificate authority and certificate chaining. ENT may grant any number of authentic, indefinite, abstract identifiers to any number of requestors. These abstract identifiers are each referred to as a verinym, which loosely means “verified name”. They allow any person or entity, for any purpose, to establish and control the authentic identities of things electronically, and establish relationships between these identities. According to some embodiments, ENT sidesteps traditional PKI relationship establishment issues by issuing abstract identifiers to users that request them. It is the use of these abstract identifiers, and the relationships formed between entities that define their real-world significance. | 05-15-2014 |
20140136839 | METHODS AND SYSTEMS FOR DYNAMIC UPDATES OF DIGITAL CERTIFICATES - Methods and systems of the present invention allow for dynamic updates of digital certificates. In one system, a server computer is configured to communicate with a certificate authority via a communications network. The server computer is configured to receive a first security certificate from the certificate authority. The first security certificate has a term. The first security certificate is installed onto the server computer, and at least one of a current time and the term of the first security certificate are analyzed to determine whether the first security certificate is to be updated. When the first security certificate is to be updated, a request for update is transmitted to the certificate authority, a second security certificate is received from the certificate authority, and the first security certificate is replaced with the second security certificate on the server computer. | 05-15-2014 |
20140143538 | Data Security and Integrity by Remote Attestation - This invention includes apparatus, systems, and methods to ensure the security and integrity of data stored, processed, and transmitted across compute devices. The invention includes a system comprising at least one of said devices, application software installed on said devices and coupled to the device's hardware and software stack to execute data encryption and remote attestation, and said devices coupled with an attestation server through a communication network. The invention includes a process to configure said devices for data encryption and remote attestation and performing an initial inventory and content scan of the device's hardware and software stack with results transmitted across a communication network to the attestation server. The invention includes periodic inventory and content scans of the device's hardware and software stack with results transmitted again to the attestation server via the communication network. The attestation server stores said results in a database for comparison to subsequent results sent by devices. The attestation server notes any differences in the most recent results and sends an alert to the device if the device is configured differently based on the previous scan, or configured the same if no differences were noted. | 05-22-2014 |
20140143539 | WEB TOKENS WITH A SIGNATURE OF A WEB PAGE VISITOR - Web tokens provided with a signature of a web page visitor solve a problem of time-consuming verification of authenticity of web pages. This is a key element for a visitor/user to avoid web fraud. The invention makes it possible for the Internet users to add a personal signature to trust tokens that are often subject to fraud. The user thus immediately sees whether a visited web site is authentic or fake. The visitor of web pages thus avoids the inconvenient following of links, via which authenticity of a web site can usually be verified. | 05-22-2014 |
20140149735 | DISTRIBUTIVE COMPUTATION OF A DIGITAL SIGNATURE - A method and apparatus are presented to perform a distributive computation of a digital signature in a document signing process. A signing request from a remote device initiates the document signing process including the distributive computation. The server verifies digital certificates corresponding to a signer's public key. An encryption request including a set of authenticated attributes and a hash value based on the to-be-signed content is transmitted to the remote device. A signer at the remote device encrypts the hash value in the encryption request with an encryption process utilizing a private key. The resulting encrypted hash value is transmitted to the server to produce the digital signature used to sign the subject content. This distributive computation process minimizes the amount of data transmitted between devices, while minimizing remote device resource requirements, and maintains the integrity of the signer's private key during generation of the digital signature. | 05-29-2014 |
20140149736 | SYSTEM AND METHOD FOR SECURITY AUTHENTICATION OF POWER SYSTEM - A method for security authentication of a power system includes transmitting, by at least one power system, a signal for requesting performing authentication on at least one remote control server or an external terminal with which the power system is to perform communication, to an authentication server, receiving, by the power system, an authentication certificate generated by the authentication server, and perform authentication on the remote control server or the external terminal by using the authentication certificate, and when authentication is completed by the authentication server, performing communication, by the power system, with the authentication-completed remote control server or the external terminal through an open-type communication network. | 05-29-2014 |
20140149737 | CONTROLLING APPLICATION ACCESS TO MOBILE DEVICE FUNCTIONS - There is described a method of controlling application access to predetermined functions of a mobile device. The described method comprises (a) providing a set of keys, each key corresponding to one of the predetermined functions ( | 05-29-2014 |
20140149738 | METHOD FOR ACCESSING A SERVICE OF A SERVICE PROVIDER BY PROVIDING ANONYMOUSLY AN ATTRIBUTE OR A SET OF ATTRIBUTES OF A USER - (EN)The invention relates to a method Method for accessing a service (S) of a service provider (SP | 05-29-2014 |
20140149739 | USE OF CERTIFICATE AUTHORITY TO CONTROL A DEVICE'S ACCESS TO SERVICES - A mobile communications device having a digital certificate authenticating the device itself is proposed. A server for authenticating the device and a method of authenticating the device are also disclosed. The device comprises a transmitter, a processor, a memory and a computer readable medium. The memory includes a certificate certifying the authenticity of the mobile communications device, the certificate comprising device-specific data and a digital signature signed by an authority having control of the authenticity of the mobile communications device. The computer readable medium has computer readable instructions stored thereon that when executed configure the processor to instruct the transmitter to transmit a copy of the certificate to a service provider in response to a request to authenticate the mobile communications device with the service provider. | 05-29-2014 |
20140156990 | METHOD AND SYSTEM FOR THE SUPPLY OF DATA, TRANSACTIONS AND ELECTRONIC VOTING - A system and a computer program product are disclosed. The system is configured to generate a digital empowerment certificate of a voter. The digital empowerment certificate includes an indication of identification data that uniquely identifies the voter to the authentication body, references to sources for the identification data or the identification data itself, and an indication of a voting key. The system is further configured to sign the digital empowerment certificate with an electronic signature of the voter. Moreover, the system is configured to generate a voting message including a vote of the voter. In addition, the system is configured to generate a signature block combining the digital empowerment certificate and the voting message. Furthermore, the system is configured to send the encrypted digital empowerment certificate, the encrypted voting message, and the signature block to the authentication body. | 06-05-2014 |
20140164764 | ASSIGNMENT OF DIGITAL SIGNATURE AND QUALIFICATION FOR RELATED SERVICES - Technologies are generally described for security algorithm methods in issuing, managing, and using digital certificates in online transactions. Certificate holders can be identified based on the device ID from the equipment they are using to access online services. The equipment can be previously linked to an identity known by the equipment service provider. A consumer can then authorize the using of the digital certificate associated with their device in online transactions. Third parties can then trust the identity behind the digital certificates and accept their use in identifying a private party and performing a transaction with that party. | 06-12-2014 |
20140164765 | PROCEDURE FOR A MULTIPLE DIGITAL SIGNATURE - It comprises:
| 06-12-2014 |
20140181504 | SECURE PROVISIONING OF COMPUTING DEVICES FOR ENTERPRISE CONNECTIVITY - Technologies for securely provisioning a personal computing device for enterprise connectivity includes a trusted computing device for wirelessly communicating with the personal computing device, generating a key pair for the personal computing device, generating a certificate signing request, sending the certificate signing request on behalf of the personal computing device, receiving an access certificate for enterprise connectivity, and securely exporting the access certificate and a private key of the key pair to the personal computing device. | 06-26-2014 |
20140181505 | Unified Mobile Security System and Method of Operation - A mobile secure agent on a wireless device executes one or more authenticated data collection profiles provisioned by a private profile producer. Each data package can only be transmitted to a collector certificated by the same private profile producer. Update profiles are signed and provisioned through a tunnel initiated from the mobile secure agent. A Certificate Authority provides libraries, anchors, and certificates in a key management message module to each mobile secure agent which enables revocation and replacement of certificates. Data stored in this way on a wireless device may only be transmitted in encrypted form to an authenticated destination. | 06-26-2014 |
20140181506 | PROCESSING A DISPERSED STORAGE NETWORK ACCESS REQUEST UTILIZING CERTIFICATE CHAIN VALIDATION INFORMATION - A method begins by a processing module receiving a dispersed storage network (DSN) access request that includes a requester identifier (ID), wherein the requester ID is associated with a certificate chain. When the certificate chain is valid, the method continues with the processing module accessing registry information for the DSN. The method continues with the processing module identifying one of a plurality of access control lists based on at least one of information associated with the requester ID and information associated with the certificate chain, identifying one or more entries of the one of the plurality of access control lists based on the information associated with the certificate chain to produce one or more identified entries, and generating, for the DSN access request, permissions from one or more sets of permissions associated with the one or more identified entries. | 06-26-2014 |
20140195800 | Certificate Information Verification System - The invention discloses a system and apparatus for detecting problematic certificate action requests and digital certificates. Ideally, the invention will be used to detect a certificate request that will result in security problems and detect issued certificates that lack essential information. The invention uses a proxy system that intercepts certificate requests and transmitted certificates. The proxy system runs a series of checks on the intercepted request and/or certificate. The checks vary depending on the certificate contents, requester, and system providing the request or certificate. | 07-10-2014 |
20140195801 | METHOD AND SYSTEM FOR ENCRYPTION OF MESSAGES IN LAND MOBILE RADIO SYSTEMS - A method and system for authentication of sites in a land mobile radio (LMR) system and encryption of messages exchanged by the sites. In some embodiments, the method includes transmitting a certificate created by a trusted authority by applying a function to a first site public key using the trusted authority's private key to generate a reduced representation, which is encrypted with the trusted authority's private key. Other sites may receive the certificate, decrypt it using the trusted authority's public key, and authenticate the first site. The method may further include generating a session key, encrypting it with the public key of the first site, and transmitting the encrypted session key to the first site. The first site decrypts the encrypted session key with the first site's private key, and transmits a message encrypted with the shared session key to other sites for decryption using the session key. | 07-10-2014 |
20140201519 | METHOD AND SYSTEM FOR THE SUPPLY OF DATA, TRANSACTIONS AND ELECTRONIC VOTING - A method for supply of data, including generating an empowerment certificate signed with a signing entity's electronic signature. The empowerment certificate includes attributes of a described entity, information identifying the signing entity, indication of data relating to the described entity, indication of a source of the data, and identification of a relying entity to which the data can be supplied. The relying entity forwards the empowerment certificate to a source supplying the data indicated in the empowerment certificate. | 07-17-2014 |
20140208096 | SECURE INTERFACE FOR INVOKING PRIVILEGED OPERATIONS - A formalized set of interfaces (e.g., application programming interfaces (APIs)) is described, that uses a security scheme, such as asymmetric (or symmetric) cryptography, in order authorize and authenticate requests sent to a virtualization later. The interfaces can be invoked to perform security monitoring, forensic capture, and/or patch software systems at runtime. In addition to the foregoing, other aspects are described in the claims, detailed description, and figures. | 07-24-2014 |
20140208097 | SECURING RESULTS OF PRIVILEGED COMPUTING OPERATIONS - A formalized set of interfaces (e.g., application programming interfaces (APIs)) is described, that uses a security scheme, such as asymmetric (or symmetric) cryptography, in order to secure the results of privileged operations on systems such as the operating system (OS) kernel and/or the hypervisor. The interface allows a public key to be included into a request to perform a privileged operation on a hypervisor and/or kernel. The kernel and/or hypervisor use the key included in the request to encrypt the results of the privileged operation. In some embodiments, the request itself can also be encrypted, such that any intermediate parties are not able to read the parameters and other information of the request. | 07-24-2014 |
20140208098 | METHOD AND SYSTEM FOR DIGITAL RIGHTS MANAGEMENT OF DOCUMENTS - A method and system for transmission of digital content via e-mail with point of use digital rights management is disclosed. The secured access rights to the digital content may be customized for individual recipients by the sender, and may evolve over time. The access rights are enforced according to a time-dependent scheme. A key server is used to arbitrate session keys for the encrypted content, eliminating the requirement to exchange public keys prior to transmission of the digital content. During the entire process of transmitting and receiving e-mail messages and documents, the exchange of cryptographic keys remains totally transparent to the users of the system. Additionally, electronic documents may be digitally signed with authentication of the signature. | 07-24-2014 |
20140215206 | SYSTEM AND METHOD FOR PROVIDING A TRUST FRAMEWORK USING A SECONDARY NETWORK - A system for providing security services to a mobile device where the mobile device is in communication with a public network through a first network path that is subject to interference by a third party. The system includes a security server and a private network. The security server is operative to communicate with the mobile device through the private network. The security server is also operative to communicate with the public network through a second network path that is less susceptible to the interference by the third party than is the first network path. The security server communicates with the public network through the second network path to provide security services to the mobile device that are delivered over the private network. | 07-31-2014 |
20140223172 | SYSTEM, METHOD, SERVER AND COMPUTER-READABLE MEDIUM FOR REAL-TIME VERIFICATION OF A STATUS OF A MEMBER OF AN ORGANIZATION - A method, system, server and computer-readable medium enable verification of a member of an organization and the generation of a session-specific certificate for the member upon receipt of a status report indicating that the member is in good standing with the organization. When the member logs in, the member's credentials are retrieved from an identification server that enables the identification of web services associated with the organization to which the member belongs. The identification server also provides a personal certificate associated with the member to enable the generation of the session-specific certificate. | 08-07-2014 |
20140223173 | INFORMATION RECORDING DEVICE - A controller is provided with a controller key and a first controller identification information unique to the controller. The controller generates a controller unique key unique to a respective controller based on the controller key and the first controller identification information, and a second controller identification information based on the first controller identification information. A decryptor decrypts the encrypted medium device key using the controller unique key to obtain a medium device key. An authentication/key exchange process unit performs authentication/key exchange process with the host device through an interface unit using the medium device key and the medium device key certificate to establish the secure channel. | 08-07-2014 |
20140244998 | SECURE PUBLISHING OF PUBLIC-KEY CERTIFICATES - The current document is directed to methods and systems for secure provisioning, publication, distribution, and utilization of public-key certificates. These methods and systems employ domain name system (“DNS”) servers implementing the DNS security extensions (“DNSSEC servers”), a publisher component, and additional client-side and server-side functionalities. Public-key certificates provided by the DNSSEC servers engender a high degree of trust, as their integrity is protected and can be readily authenticated by the cryptographic-digital-signature based chains of trust provided by the DNSSEC. The systems to which the current document is directed employ DNSSEC servers, a publisher component, and additional client-side and server-side functionalities, and are referred to as “Public-key certificate Distribution and Management Systems” (“CDMSs”). | 08-28-2014 |
20140244999 | NETWORK SYSTEM, CERTIFICATE MANAGEMENT METHOD, AND CERTIFICATE MANAGEMENT PROGRAM - A network system includes a management apparatus and multiple apparatuses. The management apparatus includes a preparation instruction unit to transmit an instruction to prepare a certificate request to the apparatuses; a collection unit to collect the certificate requests; a request unit to request issuance of certificates to a certificate authority; a resetting instruction unit to transmit the issued certificates to the apparatuses and to instruct resetting of certificates. The apparatus includes a storing unit including an operation area for storing a first certificate and a provisional operation area; a provisionally operating unit to transfer the first certificate to the provisional operation area, and to generate a certificate request, and to transmit the certificate request to the management apparatus; a setting unit to store a second certificate, issued by the certificate authority, in the operation area, and to instruct a communication unit to conduct the communication by switching a certificate. | 08-28-2014 |
20140245000 | SECURE MESSAGE DELIVERY USING A TRUST BROKER - An email security system is described that allows users within different organizations to securely send email to one another. The email security system provides a federation server on the Internet or other unsecured network accessible by each of the organizations. Each organization provides identity information to the federation server. When a sender in one organization sends a message to a recipient in another organization, the federation server provides the sender's email server with a secure token for encrypting the message to provide secure delivery over the unsecured network. | 08-28-2014 |
20140250297 | CERTIFICATE RENEWAL - Certificate renewal is described. A processing device searches a certificate authority (CA) database of digital certificates to identify a certificate that satisfies an expiration condition for automatic renewal. The processing device renews the certificate as a renewed certificate without any user interaction. The processing device is to renew the certificate in view of the expiration condition. The expiration condition includes an expiration of the certificate. When renewing of the certificate, the processing device reuses a key of the certificate for the renewed certificate and sets a new expiration date for the renewed certificate. | 09-04-2014 |
20140258709 | INFORMATION PROCESSING APPARATUS, SERVER, METHOD FOR CONTROLLING THE SAME AND STORAGE MEDIUM - An information processing apparatus for accessing a server via a network transmits an issuance request of a certificate including information unique to the information processing apparatus to a certificate authority, and receives the certificate transmitted by the certificate authority in response to the issuance request. The apparatus determines whether or not it is possible to access the server by comparing information unique to the information processing apparatus with the unique information included in the received certificate, and restricts, if it is determined that it is not possible to access the server, issuance of a connection request to the server. | 09-11-2014 |
20140258710 | Mobile Handset Identification and Communication Authentication - Disclosed is a system and method for authenticating a communications channel between a mobile handset associated with a user and an application server for uniquely identifying the mobile handset and for encrypting communications between the mobile handset and the application server over the communication channel is provided. The system includes a certificate authority configured to issue digital certificates to the handset and the application server, as well as software applications operating on both the handset and application server. The digital certificates may be used by the handset and application server to uniquely identify one another as well as to exchange encryption keys by means of which further communication between them may be encrypted. | 09-11-2014 |
20140258711 | Application Specific Certificate Management - Application specific certificate deployment may be provided. An application may generate a security certificate comprising a public key and a first private key. The public key may be stored in a shared segment of a memory store, from where it may be retrieved and signed. The signed public key may be re-deployed and/or used to transmit securely encrypted resources. | 09-11-2014 |
20140258712 | Secure Socket Layer Keystore and Truststore Generation - A method for managing keystore information on a computing device may include requesting a keystore from a distribution system, receiving the keystore from the distribution system, and populating a runtime environment with keystore information contained within the keystore. A method for generating a keystore may include receiving, by a distribution system, a request for a keystore from a computing device, generating a key pair including a public key and a private key, generating a certificate signing request, digitally signing the public key with the private key, generating the keystore, combining the signed public key with the private key in the keystore, and providing the keystore to the computing device. A method for generating a truststore may include receiving, by a distribution system, a request for a truststore from a computing device, generating the truststore, adding a certificate to the truststore, and providing the truststore to the computing device. | 09-11-2014 |
20140258713 | SYSTEMS AND METHODS FOR SECURELY STREAMING MEDIA CONTENT - Systems and methods securely provide media content from a media server to a media client via a network. The media content is segmented to create multiple media segments that are each identified in a playlist, and at least one of the media segments is encrypted using a cryptographic key. The cryptographic key is also identified in the playlist, and the playlist is provided from the media server to the media client via the network. The various media segments and cryptographic keys may then be requested from and provided by the media server using hypertext transport protocol (HTTP) or similar constructs to allow the media client to receive and decrypt the various segments of the media content. | 09-11-2014 |
20140281497 | ONLINE PERSONALIZATION UPDATE SYSTEM FOR EXTERNALLY ACQUIRED KEYS - A method is provided for updating identity data on network-enabled devices. The method provides for providing certificate signing requests and/or device identifiers to an external trust authority, which in response generates digital certificates and/or key pairs. The generated digital certificates and/or key pairs can be provided to a network-enabled device in response to an update request. | 09-18-2014 |
20140281498 | IDENTITY AUTHENTICATION USING CREDENTIALS - A method and system may allow for authenticating a computing device. A computing device may send an authentication request over a network to an authentication computing device. The authentication request may include a user name and a password. The user name may include a credential and the password may be a digitally signed version of the user name. The authentication computing device may authenticate the requesting computing device by decrypting the password and comparing the received user name to the decrypted password. | 09-18-2014 |
20140281499 | METHOD AND SYSTEM FOR ENABLING COMMUNICATIONS BETWEEN UNRELATED APPLICATIONS - A method and system of enabling communications among unrelated applications is described herein. The method includes the step of identifying a paste memory element in an environment of a computing device that restricts communications among unrelated applications. The method also includes the step of imposing a file system on the identified paste memory element. The file system is compatible with the unrelated applications such that a first unrelated application is capable of storing data in the paste memory element using the imposed file system and a second unrelated application is capable of accessing the stored data using the imposed file system. As an example, the first and second unrelated applications may be secure applications. In addition, the method can also include the steps of encrypting the data stored in the paste memory element that is associated with the first unrelated application and decrypting this data on behalf of the second unrelated application. | 09-18-2014 |
20140281500 | SYSTEMS, METHODS AND APPARATUSES FOR REMOTE ATTESTATION - The systems, methods and apparatuses described herein provide a system for attesting a computing device. In one aspect, the computing device may comprise a secure zone configured to execute a task. The task may have executable code and data. The secure zone may be further configured to obtain a private key and an attestation certificate associated with the private key. The attestation certificate may be received from an attestation service attesting legitimacy of the computing device. The secure zone may be further configured to calculate a secure hash of the task, generate a message comprising the secure hash, sign the message with the private key and send the message and the attestation certificate to a second computing device in communication with the computing device. | 09-18-2014 |
20140281501 | APPLICATION ACCESS CONTROL METHOD AND ELECTRONIC APPARATUS IMPLEMENTING THE SAME - A method and apparatus of access control in an electronic apparatus implementing the method are provided. The method of operating an electronic apparatus includes detecting an access request to a resource from an application included in a first area of a memory by a processor of the electronic apparatus, in response to the access request, executing an access control module included in a second area of the memory to calculate a hash value of the application by the processor, determining whether a record exists in the memory, the record corresponding to the hash value and identification information of the application, by executing the access control module by the processor, and allowing access to the resource by the processor when the record exists in the memory. | 09-18-2014 |
20140289510 | Configuration Profile Validation on iOS Based on Root Certificate Validation - An application management agent running on a wireless communications device restricts access to device functionality (e.g., applications and device features) unless the application management agent has determined that a particular configuration profile has been installed on the device (after which the application management agent permits access to device functionality, and an operating system of the device enforces policy settings specified in the configuration profile). The application management agent confirms the presence of the configuration profile by using a validation certificate to validate against a root certificate embedded in a configuration profile installed on the device. The configuration profile is configured to be non-removable, so it cannot be remove or updated, except by another configuration profile signed by the same authority. Validation against the embedded root certificate thereby implicitly confirms the presence of the configuration profile and validates the content of the configuration profile. | 09-25-2014 |
20140289511 | Configuration Profile Validation on iOS Using SSL and Redirect - An application management agent running on a wireless communications device restricts access to device functionality (e.g., applications and device features) unless the application management agent has determined that a particular configuration profile has been installed on the device (after which the application management agent permits access to device functionality, and an operating system of the device enforces policy settings specified in the configuration profile). The application management agent confirms the presence of the configuration profile by initiating an SSL handshake with a client certificate request for a client SSL certificate embedded in the configuration profile. Validation against the embedded client SSL certificate implicitly confirms the presence of the configuration profile and validates the content of the configuration profile. | 09-25-2014 |
20140310516 | SYSTEMS AND METHODS FOR SECURING DATA IN MOTION - Two approaches are provided for distributing trust among certificate authorities. Each approach may be used to secure data in motion. One approach provides methods and systems in which a secure data parser is used to distribute trust in a set of certificate authorities during initial negotiation (e.g., the key establishment phase) of a connection between two devices. Another approach of the present invention provides methods and systems in which the secure data parser is used to disperse packets of data into shares. A set of tunnels is established within a communication channel using a set of certificate authorities, keys developed during the establishment of the tunnels are used to encrypt shares of data for each of the tunnels, and the shares of data are transmitted through each of the tunnels. Accordingly, trust is distributed among a set of certificate authorities in the structure of the communication channel itself. | 10-16-2014 |
20140317401 | SERVER, SYSTEM, AND METHOD FOR ISSUING MOBILE CERTIFICATE - A mobile certificate issue server, system, and method are provided. The mobile certificate issue server includes a certificate generation part for generating a certificate using a public key included in certificate issue request information received from a user terminal, an e-mail sending part for sending the certificate to an e-mail address accessible to the mobile terminal of a user, and a server-side certificate conversion part for converting the certificate into information having a recognition format capable of being recognized by the mobile terminal Here, the e-mail sending part sends the certificate through e-mail in an attachment form. The e-mail sending part stores the information having the recognition format in a file form, inserts the file into the e-mail as an attachment file, and sends the e-mail to the e-mail address accessible to the mobile terminal of the user. | 10-23-2014 |
20140325208 | OBTAINING A SIGNED CERTIFICATE FOR A DISPERSED STORAGE NETWORK - A method begins by a dispersed storage (DS) processing module generating a certificate signing request (CSR) that includes a certificate and a certificate extension, wherein the certificate includes information regarding a requesting device and wherein the certificate extension includes information regarding an accessible dispersed storage network (DSN) address range for the requesting device. The method continues with the DS processing module outputting the CSR to a certificate authority of a DSN and receiving a signed certificate from the certificate authority, wherein the signed certificate includes a certification signature of the certificate authority authenticating the certificate and the certificate extension. The method continues with the DS processing module storing the signed certificate for use when generating a DSN access request, wherein the DSN access request is requesting access to dispersed storage error encoded data in the DSN at an address within the accessible DSN address range. | 10-30-2014 |
20140331041 | METHOD AND SYSTEM FOR SIGNING AND AUTHENTICATING ELECTRONIC DOCUMENTS VIA A SIGNATURE AUTHORITY WHICH MAY ACT IN CONCERT WITH SOFTWARE CONTROLLED BY THE SIGNER - A system and method for signing and authenticating electronic documents using public key cryptography applied by one or more server computer clusters operated in a trustworthy manner, which may act in cooperation with trusted components controlled and operated by the signer. The system employs a presentation authority for presenting an unsigned copy of an electronic document to a signing party and a signature authority for controlling a process for affixing an electronic signature to the unsigned document to create a signed electronic document. The system provides an applet for a signing party's computer that communicates with the signature authority. | 11-06-2014 |
20140337616 | Verification of Aircraft Information in Response to Compromised Digital Certificate - A method and apparatus for verifying data for use on an aircraft. A plurality of digital certificates associated with the data are received by a processor unit. The processor unit determines whether one of the plurality of digital certificates is compromised. The processor unit selects a selected number of the plurality of digital certificates in response to a determination that the one of the plurality of digital certificates is compromised. The processor unit verifies the data for use on the aircraft using the selected number of the plurality of digital certificates. | 11-13-2014 |
20140337617 | LONG-TERM SIGNATURE SERVER, LONG-TERM SIGNATURE TERMINAL, AND LONG-TERM SIGNATURE VERIFICATION SERVER - Long-term signature data is formed at a server side while a private key and the like are held at a client side. The long-term signature data is configured by arranging ES, STS, verification information, ATS (1st), and ATS (2nd) in a predetermined long-term signature format. Among these elements, those for which processing using the private key and original data are necessary are ES and ATS. Due to processing where the original data and the private key is necessary being performed by a client terminal | 11-13-2014 |
20140337618 | System and Method for Validating SCEP Certificate Enrollment Requests - A system and method for validating SCEP certificate enrollment that enforces the pairing of a SCEP challenge password and a set of expected certificate request content. A SCEP Validation Service or software residing in another system component whether a certificate request is legitimate by comparing it to registered SCEP challenges and associated expected certificate request content. This system and method addresses a privilege-escalation vulnerability in prior SCEP-based systems that could lead to a practical attack. | 11-13-2014 |
20140351577 | DUAL LAYER TRANSPORT SECURITY CONFIGURATION - A system includes a first computer processor that receives a data transmission from a second computer processor. The data transmission includes a client certificate authentication and a user-based authentication. If the incoming information cannot be authenticated by the client certificate in a first layer of the system landscape, then there is no further data transmission to a second layer. If the first layer can authenticate the client certificate authentication, the system landscape transmits the data transmission to the second layer. If the second layer cannot authenticate the user-based authentication, the system prevents the data transmission from being processed at the second layer. If the second layer can authenticate the user-based authentication, the system processes the data transmission at the second layer. | 11-27-2014 |
20140351578 | DETERMINATION OF APPARATUS CONFIGURATION AND PROGRAMMING DATA - A method including determining a public identifier for identifying a configuration of an apparatus, determining a common configuration certificate comprising a common configuration certificate identifier for verifying programming data, and determining a hardware certificate comprising the public identifier and the common configuration certificate identifier for associating a permitted combination of the apparatus configuration and the programming data. Furthermore, the method includes generating a dedicated package of the hardware certificates corresponding to the apparatus configurations allowed to be provided, encrypting the dedicated package of the hardware certificates using a public key, and storing the encrypted dedicated package of the hardware certificates with an identifier to a passive memory of the apparatus. | 11-27-2014 |
20140351579 | HARDWARE AUTHENTICATION IN A DISPERSED STORAGE NETWORK - A method for authenticating a node of a dispersed storage network (DSN). In various embodiments, a dispersed storage (DS) management unit receives a device list originating from a hardware certificate authority (HCA). The HCA also provides a hardware certificate to the node. Upon receiving the hardware certificate from the node, the DS management unit determines if the certificate is valid by comparing it to information contained in the device list (such as a device ID or a serial number associated with the node). If the certificate is valid, the DS management unit sends a challenge message to the node and analyzes the resulting challenge message response to determine if it is valid. If the response is valid, the DS management unit provides a signed certificate to the node for use in authenticating the node to perform dispersed storage operations within the DSN. | 11-27-2014 |
20140351580 | URL-BASED CERTIFICATE IN A PKI - A method of requesting and issuing a certificate from certification authority for use by an initiating correspondent with a registration authority is provided. The initiating correspondent makes a request for a certificate to the registration authority, and the registration authority sends the request to a certificate authority, which issues the certificate to the registration authority. The certificate is stored at a location in a directory and this location is associated with a pointer such as uniform resource locator (URL) that is derived from information contained in the certificate request. The initiating correspondent computes the location using the same information and forwards it to other corespondents. The other correspondents can then locate the certificate to authenticate the public key of the initiating correspondent. | 11-27-2014 |
20140359280 | CERTIFICATING AUTHORITY TRUST EVALUATION - In many information security scenarios, a certificate issued by a certificating authority may be presented to a client in order to assert a trust level of a certificated item, such as a message or a web page. However, due to a decentralized structure and incomplete coordination among certificating authorities, the presence and exploitation of security vulnerabilities to issue untrustworthy certificates may be difficult to determine, particularly for an individual client. Presented herein are techniques for providing a certificating authority trust service that collects and evaluates certificates submitted to clients by certificating authorities, and advises the clients of a certificating authority trust level for respective certificating authorities (e.g., determined as a consensus of the evaluated certificates issued by the certificating authority). The clients may use a certificating authority trust set distributed by the certificating authority trust service to determine whether to trust a certificate issued from a particular certificating authority. | 12-04-2014 |
20140359281 | CERTIFICATE EVALUATION FOR CERTIFICATE AUTHORITY REPUTATION ADVISING - In many information security scenarios, a certificate issued by a certificate authority on behalf of a domain is presented to a client in order to verify the identity of the domain. However, due to a decentralized structure and incomplete coordination among certificate authorities, the presence and exploitation of security vulnerabilities to issue untrustworthy certificates may be difficult for an individual client to determine. Presented herein are techniques for advising clients of the trustworthiness of respective certificate authorities by evaluating the certificates issued by such certificate authorities for suspicious indicators, such as hashcode collisions with other certificates and public key re-use. A trust level may be identified of respective certificate authorities according to the presence or absence of suspicious indicators in the certificates issued by the certificate authority, and a certificate authority trust set may be distributed to advise clients of the trustworthiness of certificates issued by the respective certificate authorities. | 12-04-2014 |
20140365763 | APPARATUS AND METHOD FOR PROVISIONING AN ENDORSEMENT KEY CERTIFICATE FOR A FIRMWARE TRUSTED PLATFORM MODULE - Disclosed is a method for provisioning an endorsement key (EK) certificate for a firmware trusted platform module (fTPM). In the method, the fTPM receives a derived key (DK) from a hardware trusted platform (HWTP). The fTPM is implemented in the HWTP, the DK is derived from a hardware key (HWK) securely stored in the HWTP, the HWK is unique to the HWTP, and the HWK is not available to the fTPM. The fTPM generates an endorsement primary seed (EPS) based on the DK, and generates a hashed endorsement primary seed (HEPS) based on a hash of the EPS. The fTPM forwards the HEPS to a provisioning station, and receives, from the provisioning station, an EK certificate corresponding to the HEPS. | 12-11-2014 |
20140365764 | System and Method for Distributed Security - A security architecture in which a security module is integrated in a client machine, wherein the client machine includes a local host that is untrusted. The security module performs encryption and decryption algorithms, authentication, and public key processing. The security module also includes separate key caches for key encryption keys and application keys. A security module can also interface a cryptographic accelerator through an application key cache. The security module can authorize a public key and an associated key server. That public key can subsequently be used to authorize additional key servers. Any of the authorized key servers can use their public keys to authorize the public keys of additional key servers. Secure authenticated communications can then transpire between the client and any of these key servers. Such a connection is created by a secure handshake process that takes place between the client and the key server. A time value can be sent from the key server to the client, allowing for secure revocation of keys. In addition, secure configuration messages can be sent to the security module. | 12-11-2014 |
20140365765 | METHOD AND SYSTEM FOR SIGNING AND AUTHENTICATING ELECTRONIC DOCUMENTS VIA A SIGNATURE AUTHORITY WHICH MAY ACT IN CONCERT WITH SOFTWARE CONTROLLED BY THE SIGNER - A system and method for signing and authenticating electronic documents using public key cryptography applied by one or more server computer clusters operated in a trustworthy manner, which may act in cooperation with trusted components controlled and operated by the signer. The system employs a presentation authority for presenting an unsigned copy of an electronic document to a signing party and a signature authority for controlling a process for affixing an electronic signature to the unsigned document to create a signed electronic document. The system provides an applet for a signing party's computer that communicates with the signature authority. | 12-11-2014 |
20140365766 | METHOD AND SYSTEM FOR SIGNING AND AUTHENTICATING ELECTRONIC DOCUMENTS VIA A SIGNATURE AUTHORITY WHICH MAY ACT IN CONCERT WITH SOFTWARE CONTROLLED BY THE SIGNER - A system and method for signing and authenticating electronic documents using public key cryptography applied by one or more server computer clusters operated in a trustworthy manner, which may act in cooperation with trusted components controlled and operated by the signer. The system employs a presentation authority for presenting an unsigned copy of an electronic document to a signing party and a signature authority for controlling a process for affixing an electronic signature to the unsigned document to create a signed electronic document. The system provides an applet for a signing party's computer that communicates with the signature authority. | 12-11-2014 |
20140365767 | SCALABLE GROUPS OF AUTHENTICATED ENTITIES - Example embodiments provide various techniques for securing communications within a group of entities. In one example method, a request from an entity to join the group is received and a signed, digital certificate associated with the entity is accessed. Here, the signed, digital certificate is signed with a group private key that is associated with a certification authority for the group. The signed, digital certificate is added to a group roster, and this addition is to admit the entity into the group. The group roster with the signed, digital certificate is itself signed with the group private key and distributed to the group, which includes the entity that transmitted the request. Communication to the entity is then encrypted using the signed, digital certificate included in the group roster. | 12-11-2014 |
20150019863 | METHOD OF HANDLING A CERTIFICATION REQUEST - In a certification request, a user device includes an object identifier. When a certification authority generates an identity certificate responsive to receiving the certification request, the certification authority includes the object identifier, thereby allowing improved management of the identity certificate at the user device and elsewhere. | 01-15-2015 |
20150033011 | METHOD FOR INITIALIZING A MEMORY AREA THAT IS ASSOCIATED WITH A SMART METER - A method for initializing a memory area associated with a smart meter,: establishing a first communication channel between a first computer system and a security module, the security module being associated with a memory area, and the first computer system being associated with a set of computer systems interconnected via a network; authenticating the first computer system with respect to the security module; once the first computer system has been successfully authenticated, the security module receiving data from the first computer system by secure transmission and storage of the data in the memory area in order to initialize the memory area, communication between a second computer system of a utility company and/or operator of the measuring system and the security module being only possible while bypassing the first computer system, owing to the stored data, the second computer system being a computer system of the set of computer systems. | 01-29-2015 |
20150039884 | Secure Configuration of Authentication Servers - Embodiments of the invention are directed to automatically populating a database of names and secrets in an authentication server by sending one or more lists of one or more names and secrets by a network management software to an authentication server. Furthermore, some embodiments provide that the lists being sent are encrypted and/or embedded in otherwise inconspicuous files. | 02-05-2015 |
20150046699 | METHOD FOR GENERATING PUBLIC IDENTITY FOR AUTHENTICATING AN INDIVIDUAL CARRYING AN IDENTIFICATION OBJECT - A method for generating a public identity for authenticating an individual carrying an identification object, the method including: entering an initial biometric datum of the individual; generating a first key from the biometric datum; generating a second key derived from a datum generated by a security component of the object; generating an initial encryption key combining the first key and the second key; communicating with a server a first identity of the individual in connection with the initial encryption key; generating by the server a public identity by encrypting the first identity using the initial encryption key, the public identity being stored by the server in connection with the initial encryption key. The public identity is not significant, but is secured by a strong connection between the object and biometry of the individual. | 02-12-2015 |
20150046700 | METHOD AND SYSTEM FOR SIGNING AND AUTHENTICATING ELECTRONIC DOCUMENTS VIA A SIGNATURE AUTHORITY WHICH MAY ACT IN CONCERT WITH SOFTWARE CONTROLLED BY THE SIGNER - A system and method for signing and authenticating electronic documents using public key cryptography applied by one or more server computer clusters operated in a trustworthy manner, which may act in cooperation with trusted components controlled and operated by the signer. The system employs a presentation authority for presenting an unsigned copy of an electronic document to a signing party and a signature authority for controlling a process for affixing an electronic signature to the unsigned document to create a signed electronic document. The system provides an applet for a signing party's computer that communicates with the signature authority. | 02-12-2015 |
20150046701 | SECURE INDUSTRIAL CONTROL SYSTEM - A secure industrial control system is disclosed herein. The industrial control system includes a plurality of industrial elements (e.g., modules, cables) which are provisioned during manufacture with their own unique security credentials. A key management entity of the secure industrial control system monitors and manages the security credentials of the industrial elements starting from the time they are manufactured up to and during their implementation within the industrial control system for promoting security of the industrial control system. An authentication process, based upon the security credentials, for authenticating the industrial elements being implemented in the industrial control system is performed for promoting security of the industrial control system. In one or more implementations, all industrial elements of the secure industrial control system are provisioned with the security credentials for providing security at multiple (e.g., all) levels of the system. | 02-12-2015 |
20150052351 | Secure installation of encryption enabling software onto electronic devices - A process/method is provided, which authenticates electronic devices allowing the installation and utilization of encryption enabling software capable of facilitating a public key infrastructure in combination with electronic devices without need for such encryption enabling software capable of facilitating a public key infrastructure to be installed at the same time as manufacture of the electronic device. The disclosed process/method may then provide a system for monitoring various metrics and statuses of the electronic devices through the manufacturing chain, distribution chain and product lifecycle. The process/method can be utilized to create electronic devices secured with encryption enabling software capable of facilitating a public key infrastructure, free from the security risks inherent with the current method of installing encryption enabling software onto electronic devices, which will render such secured electronic devices suitable for tasks requiring such enhanced security or encryption. Moreover, electronic devices utilizing the disclosed process/method to install encryption enabling software capable of facilitating a public key infrastructure will be enabled to benefit from and facilitate public key infrastructure functionality, including, but not limited to, the renew encryption enabling software on a defined renewal interval. | 02-19-2015 |
20150052352 | CERTIFICATING VEHICLE PUBLIC KEY WITH VEHICLE ATTRIBUTES - A method for providing secure connection between vehicles over channels of a wireless communication network, according to which, a first unique pair of digitally signed public key and private key is provided to each vehicle, along with additional vehicle-related data including a visually static collection of attributes of the vehicle. A unique certificate number is generated for each vehicle and monolithic data consisting of the public key, the certificate number and the attributes is signed by a trusted certificate generating authority. Prior to wireless communication between a first vehicle and a second vehicle, a verification step is performed during which the first vehicle sends its unique certificate number to a second vehicle over a communication channel; the second vehicle verifies the authenticity of received unique certificate number of the first vehicle and attributes by a camera that captures attributes which are visible, using image processing means. If the attributes are verified successfully, the second vehicle sends its unique certificate number to the first vehicle over a communication channel, along with a secret session key, which is valid for the current session only. Then the first vehicle verifies the authenticity of received unique certificate number of the second vehicle and attributes by a camera that captures attributes of the second vehicle which are visible, using signal processing means and both vehicles are allowed to securely exchange message or data using the secret session key. | 02-19-2015 |
20150058620 | Proximity Authentication System - An authorized user may be provided access to a service only when a wireless token assigned to the user is in the proximity of a computing device. A user's credential may be stored on an RFID token and an RFID reader may be implemented within a security boundary on the computing device. Thus, the credential may be passed to the security boundary without passing through the computing device via software messages or applications. The security boundary may be provided, in part, by incorporating the RFID reader onto the same chip as a cryptographic processing component. Once the information is received by the RFID reader it may be encrypted within the chip. As a result, the information may never be presented in the clear outside of the chip. The cryptographic processing component may cryptographically encrypt/sign the credential received from the token. | 02-26-2015 |
20150074390 | METHOD AND DEVICE FOR CLASSIFYING RISK LEVEL IN USER AGENT BY COMBINING MULTIPLE EVALUATIONS - The present invention is directed toward a computer implemented method and device for classifying a safety level associated with a particular network data resource (e.g., webpage) in connection with the operation of a user agent (e.g., web browser). According to the invention, the safety level is classified by performing evaluations of the data resource on each of a plurality of categories relating to security or trust, quantifying the evaluations to associate a score with each of the plurality of categories, and applying a set of rules to the obtained scores. Furthermore, based on the application of these rules, a determination can be made as to whether a precautionary measure is warranted. If so, the user is notified of the precautionary measure. | 03-12-2015 |
20150082027 | DRM METHOD AND DRM SYSTEM FOR SUPPORTING OFFLINE SHARING OF DIGITAL CONTENTS - The present invention provides a DRM method and system for supporting offline sharing of digital resources. When a client applies for joining in a domain, the client sends its own device information to a server, and obtains feature data of the domain by receiving a sharing certificate sent by the server. Wherein, the sharing certificate is created by encrypting the feature data of the domain by using the equipment information of the client as a cipher. The client decrypts the sharing certificate by using its own equipment information to obtain the feature data. Since the feature data has already been obtained in the procedure of applying for joining the domain, a client is able to use the digital resources by using the feature data even if the client cannot connect to network, thus, an advantage of supporting offline sharing of digital resources is achieved. | 03-19-2015 |
20150089215 | SYSTEM, APPARATUS, APPLICATION AND METHOD FOR BRIDGING CERTIFICATE DEPLOYMENT - An apparatus, system and method is provided for bridging (i) a certificate registration apparatus that communicates with a certificate deployment target based on a specific certificate deployment protocol and (ii) a target deployment device that is not configured to conform to the specific certificate deployment protocol, within a public key infrastructure (PKI). | 03-26-2015 |
20150089216 | METHOD FOR CONFIGURING A REMOTE STATION WITH A CERTIFICATE FROM A LOCAL ROOT CERTIFICATE AUTHORITY FOR SECURING A WIRELESS NETWORK - A remote station is configured with a certificate from a local root certificate authority for securing a wireless network. To configure the certificate, the remote station forwards a station public key to the local root certificate authority. The station public key is forwarded out-of-band of the wireless network. The remote station receives a certificate and a root public key from the local root certificate authority. The certificate is generated by the local root certificate authority based on the forwarded station public key, and the certificate and the root public key are received out-of-band of the wireless network. The remote station securely communicates, using the wireless network, with another station based on the certificate and the root public key. | 03-26-2015 |
20150089217 | Method and System for Data Protection - The present disclosure provides a way for an enciphering party to protect data by ciphering the data, and establishing conditions upon which that data can be deciphered (or accessed) by a deciphering party, without requiring the enciphering party or the deciphering party to share a cipher key, or any other information that in-and-of-itself may be used to decipher the transmitted data; without requiring a System to store the cipher key, or any information that, in isolation, may be used to produce the key; or without requiring that the enciphering party share private data, in any form, with the System. | 03-26-2015 |
20150095639 | USING A PKCS MODULE FOR OPENING MULTIPLE DATABASES - A processing device is to determine that a module, executed from a memory by the processing device, is initialized from opening a first database. The processing device is to identify a second database to be opened from a request from an application to access data that is stored in the second database. The processing device is to create, a slot, via the initialized module, to open the second database using the initialized module. | 04-02-2015 |
20150095640 | METHOD AND APPARATUS FOR PROVIDING RADIO COMMUNICATION WITH AN OBJECT IN A LOCAL ENVIRONMENT - A method and apparatus for providing radio communication with an electronic object in a local environment are disclosed. For example the method receives via a mobile endpoint device of a user at least one first digital certificate associated with the local environment from a trusted source, and a second digital certificate from the electronic device deployed in the local environment via a wireless connection. The method then authenticates the electronic device using the at least one first digital certificate and the second digital certificate. | 04-02-2015 |
20150100778 | ACCELERATING OCSP RESPONSES VIA CONTENT DELIVERY NETWORK COLLABORATION - Techniques are disclosed for accelerating online certificate status protocol (OCSP) response distribution to relying parties using a content delivery network (CDN). A certificate authority generates updated OCSP responses for OCSP responses cached in the CDN that are about to expire. In addition, the certificate authority pre-generates cache keys in place of CDNs generating the keys. The certificate authority sends the OCSP responses and the cache keys in one transaction, and the CDN, in turn, consumes the new OCSP responses using the cache keys. | 04-09-2015 |
20150100779 | REDUCING LATENCY FOR CERTIFICATE VALIDITY MESSAGES USING PRIVATE CONTENT DELIVERY NETWORKS - Techniques are disclosed for accelerating online certificate status protocol (OCSP) response distribution to relying parties using a content delivery network (CDN). A certificate authority generates updated OCSP responses for OCSP responses cached in the CDN that are about to expire. In addition, the certificate authority pre-generates cache keys in place of CDNs generating the keys. The certificate authority sends the OCSP responses and the cache keys in one transaction, and the CDN, in turn, serves requests for the OCSP responses using the cache keys. For new certificates, a private CDN is pre-populated with an OCSP response for a certificate concurrent with that certificate being issued. Doing so effectively uses the PCDN as an origin server for OCSP responses, reducing CA infrastructure needs. | 04-09-2015 |
20150106615 | Methods and Apparatus for Controlling the Transmission and Receipt of Email Message - Methods and apparatus for identifying unwanted email messages by transmitting metadata with an outbound email message that indicates the total number of email messages sent by that sender in a predetermined time period, or alternatively indicates the total number of email messages which are equivalent to the outgoing message that have been sent. In addition the metadata may include an identification of the sender and a “pledge” made by the sender. A pledge may take the form of a binding commitment from the sender that the information contained in the metadata is accurate, and/or that the sender promises to abide by predetermined good conduct rules designed to limit unwanted email. The outgoing message may be further signed by the sender with a digital signature that provides means for verifying the content of the message and the pledge as well as the identity of the sender. | 04-16-2015 |
20150106616 | Systems and Methods for "Machine-to-Machine" (M2M) Communications Between Modules, Servers, and an Application using Public Key Infrastructure (PKI) - Methods and systems are provided for supporting efficient and secure “Machine-to-Machine” (M2M) communications using a module, a server, and an application. A module can communicate with the server by accessing the Internet, and the module can include a sensor and/or an actuator. The module, server, and application can utilize public key infrastructure (PKI) such as public keys and private keys. The module can internally derive pairs of private/public keys using cryptographic algorithms and a first set of parameters. A server can authenticate the submission of derived public keys and an associated module identity. The server can use a first server private key and a second set of parameters to (i) send module data to the application and (ii) receive module instructions from the application. The server can use a second server private key and the first set of parameters to communicate with the module. | 04-16-2015 |
20150106617 | Mechanisms to Use Network Session Identifiers for Software-As-A-Service Authentication - Techniques are provided for authenticating a subject of a client device to access a software-as-a-service (SaaS) server. A network access device receives a request from a client device to establish a network session and transfers identity information of the subject, the client device and the network session to a session directory database. A request is sent to access an application on a SaaS server. If it does not contain an identity assertion that identifies the subject, the request is redirected to an identity provider device, to provide identity assertion services to the subject. A network session identifier is inserted into the request by a network access device and the request is forwarded to the identity provider device. The identity provider device uses the network session identifier to query the session directory database for the identity information to be used for a security assertion of the subject to the SaaS server. | 04-16-2015 |
20150106618 | Device Using Secure Processing Zone to Establish Trust for Digital Rights Management - A DRM client on a device establishes trust with a DRM server for playback of digital content. The client executes in a secure execution environment, and the process includes (1) securely loading loader code from secure programmable memory and verifying it using a digital signature scheme and first key securely stored in the device; (2) by the verified loader code, loading DRM client code from the memory and verifying it using a digital signature scheme and second key included in the loader code; (3) by the verified DRM client code (a) obtaining a domain key from the memory; (b) encrypting the domain key with a device identifier using a DRM system key included in the DRM client code; and (c) sending the encrypted domain key and device identifier to the DRM server, whereby the device becomes registered to receive content licenses via secure communications encrypted using the domain key. | 04-16-2015 |
20150113266 | Secure Crypto-Processor Certification - The subject disclosure is directed towards certifying cryptographic data for a crypto-processor outside of a controlled environment. The crypto-processor and a certifying entity maintain shared secret data for the purpose of verifying security of cryptographic key generation by the crypto-processor's firmware. In order to certify new cryptographic keys, the crypto-processor uses the shared secret data to verify the crypto-processor's firmware/hardware to the certifying entity. By protecting the shared secret data from exposure to compromised firmware, the shared secret data may be used to compute another secret conveying to the certifying entity whether the firmware can be trusted or not. | 04-23-2015 |
20150113267 | Method and System for Providing a Plurality of Tamperproof Digital Certificates for a Plurality of Public Keys of a Device - A method and system for providing a plurality of tamperproof digital certificates for a plurality of public keys of a device by a certification authority wherein a respective signing request for requesting a digital certificate is initially created for each of a plurality of public keys, where the signing request for the ith public key is signed using the jth private key in accordance with a signing rule, the jth private key being dissimilar to the ith private key belonging to the ith public key, and wherein all signing requests are transmitted to the same certification authority in each case, and each signing request is verified in the certification authority, in which case a check is performed to determine whether the ith signing request has been signed using the jth private key in accordance with the signing rule. | 04-23-2015 |
20150121067 | DIGITAL CERTIFICATE ISSUER-CORRELATED DIGITAL SIGNATURE VERIFICATION - A message including a digital signature of a message originator is received at a processor. In response to determining that the message originator is authorized by a data protection policy to originate the message, a determination is made as to whether a specific authorized certificate issuer is configured for the message originator within a data protection policy. In response to determining that the specific authorized certificate issuer is configured for the message originator within the data protection policy, a determination is made as to whether a message originator certificate used to generate the digital signature of the message originator is issued by the specific authorized certificate issuer configured for the message originator within the data protection policy. | 04-30-2015 |
20150134951 | Securely Associating an Application With a Well-Known Entity - A mechanism is provided for securely associating an application with a well-known entity. A determination is made as to whether an identified application has an associated certificate. Responsive to the identified application having the associated certificate, a determination is made as to whether the associated certificate is issued from a certificate authority associated with the well-known entity trusted by a user of the identified application, where the certificate authority is in a separate domain from an application marketplace where the application was obtained. Responsive to the associated certificate being issued by the certificate authority associated with the well-known entity trusted by the user of the identified application, an indication is provided to the user that the application is trusted in context to interactions with the certificate authority. | 05-14-2015 |
20150143107 | DATA SECURITY TOOLS FOR SHARED DATA - Embodiments of data security tools enable secure data sharing. A data sharing system includes a memory device and a processor. The processor encrypts data with a common key. The processor also assigns separate instances of the common key to each user having permissions to access the data. The processor also encrypts each instance of the common key with corresponding unique keys assigned to each user. | 05-21-2015 |
20150149768 | SYSTEM AND METHOD FOR AUTOMATED CUSTOMER VERIFICATION - Techniques are disclosed for identifying and authenticating prospective certificate authority customers of a secure socket layer (SSL) certificate prior to receiving an order from the customer. The CA generates a list of prospective customers of digital certificates (e.g., by scanning networked servers via the Internet for the presence of an installed digital certificate). The CA retrieves data for each customer on the list and determines, based on a set of approval criteria, which prospective customers to target in enrollment campaigns. For each approved customer, the CA initiates an enrollment process prior to receiving a request from the customer to provide a certificate. | 05-28-2015 |
20150149769 | SECURING A SECRET OF A USER - Methods, systems and apparatuses for securing a secret of a user are disclosed. One method includes one or more adjudicator devices providing a plurality of public keys, wherein each of the plurality of public keys has a corresponding at least one adjudicator, and a corresponding secret key, receiving, by the one or more adjudicator devices, a plurality of encrypted shares that were generated based on a secret of the user, a policy, and the plurality of public keys, and verifying that the plurality of encrypted shares can be used to reconstitute the secret upon receiving the plurality of encrypted shares, wherein the secret can be reconstructed, without access to the secret. | 05-28-2015 |
20150296268 | METHOD AND DEVICE FOR PLAYING CONTENT - There is provided a method of playing a content stored in a storage device which is connectable, including: detecting whether the storage device is connected; receiving certification information from the detected storage device; transmitting, to a server, the certification information; receiving, from the server, an encrypted media file and a certification list based on the certification information, wherein the certification list is used for authenticating eligibility of at least one of a player, the storage device, and the server; storing the encrypted media file to the storage device and updating the certification list; and playing the encrypted media file based on the updated certification list. | 10-15-2015 |
20150304309 | TRANSMITTING ENCODED DIGITAL CERTIFICATE DATA TO CERTIFICATE AUTHORITY USING MOBILE DEVICE - Techniques are disclosed for managing a digital certificate enrollment process. A certificate assistant on a server is configured to encode certificate enrollment data in a barcode graphic, such as a quick response (QR) code. A mobile phone application can then scan the barcode graphic using a camera to recover and transmit the enrollment data to a certificate authority. Doing so allows a system administrator (or other user) to complete the certificate enrollment process in cases where the server is blocked from connecting to a certificate authority (CA) directly, e.g., because the server is behind a firewall blocking any outbound network connections from being initiated. | 10-22-2015 |
20150304312 | Method and System for Remote Operation of an Installation - The present invention relates to a method and a system for operating a device. The system comprises: a mobile communication device, an internal server and an external server, the external server being adapted to generate a certificate and to send the certificate to the mobile communication device, the mobile communication device being adapted to send a device specific command comprising the certificate to the internal server, the internal server being adapted to check and validate the device specific command comprising the certificate, the internal server being adapted to send a request to the device to perform an action specified in the device specific command if the internal server validates the device specific command comprising the certificate, the device being adapted to perform the action, wherein the device specific command from the mobile communication device to the internal server is adapted to be sent via a cellular network. | 10-22-2015 |
20150304315 | SEMI-TRUSTED DATA-AS-A-SERVICE PLATFORM - A system and method provide for shared access to a database in a semi-trusted platform. In the method, for each of a set of users, provision is made for regenerating a respective user key, based on a respective predefined user input, such as a hashed password. One or more of the users is authorized to have access to an encrypted database. For each of these, the method includes encrypting a key for the encrypted database with the respective user's user key to generate an encrypted database key. During a user session, one of the authorized users is provided with access to the encrypted database by decrypting the database key from the encrypted database key with the respective user's user key, and decrypting the database, from the encrypted database, with the database key. The database key and each user's user key are not stored on the platform and are thus inaccessible to platform administrators and unauthorized users between user sessions. | 10-22-2015 |
20150312045 | TRUST MANAGEMENT SYSTEMS AND METHODS - The present invention provides systems and methods for making efficient trust management decisions. A trust management engine is provided that processes requests for system resources, authorizations or certificates, and the identity of one or more root authorities that are ultimately responsible for granting or denying the requests. To determine whether a request should be granted, the trust management engine identifies a set principals from whom authorization may flow, and interprets each of the certificates as a function of the state of one or more of the principals. The processing logic iteratively evaluates the functions represented by the certificates, updates the states of the principals, and repeats this process until a reliable determination can be made as to whether the request should be granted or denied. The certificates may be evaluated until the state of the root authority indicates that the request should be granted, or until further evaluation of the certificates is ineffective in changing the state of the principals. | 10-29-2015 |
20150312245 | IDENTIFICATION FOR APPARATUSES - It is inter alia disclosed to provide first identity data stored in an apparatus, the first identity data comprising an identifier and a first certificate, and to provide second identity data stored in the apparatus, the second identity data comprising an identifier and a second certificate, wherein the identifier of the first identity data is the same as the identifier of the second identity data. | 10-29-2015 |
20150312247 | OBJECT DELIVERY AUTHENTICATION - A method and system for authenticating delivery including the steps of receiving by a receiver a delivery information package from a deliverer over a network during a communication between the receiver and the deliverer, wherein the delivery package includes deliverer identity information, sending an authentication request of the received delivery package from the receiver to an authentication module having a hardware processor, over at least one of a call network and an additional network, and authenticating the received delivery package using the deliverer identity information. | 10-29-2015 |
20150318997 | AUTHENTICATION PROCESSING APPARATUS, AUTHENTICATION PROCESSING SYSTEM, AUTHENTICATION PROCESSING METHOD AND AUTHENTICATION PROCESSING PROGRAM - A communication apparatus sends a processing request, including request information, a digital signature, and an electronic certificate, to a control apparatus. The control apparatus sends a verification request including the electronic certificate to a verification server. The verification server verifies the electronic certificate included in the verification request, and sends authentication-use reference information, including the verification result, as a verification response, to the control apparatus. When the verification result included in the authentication-use reference information indicates validity, the control apparatus, using the request information and a public key included in the electronic certificate, verifies whether or not the digital signature is valid. When the digital signature is valid, the control apparatus performs the requested processing in accordance with the request information, and sends a processing response, to the communication apparatus. | 11-05-2015 |
20150319167 | VIRTUAL SMARTCARD AUTHENTICATION - The invention provides a system and method for signing a user workstation onto an access restricted network utilising a mobile communication device. The method includes receiving a sign-on request from a mobile communication device of a user of the network, looking up a user certificate included in the sign-on request in an enrolment database and retrieving identifiers relating to the user, the workstation and network from the database, and transmitting a sign-on command to an authentication driver operating on the workstation, in response to which the authentication driver negotiates a sign-on operation of the workstation onto the network. | 11-05-2015 |
20150326399 | Method and System for Email Identity Validation - The present invention uses Server-based Certificate Validation Protocol (SCVP) to validate the public key digital signature certificate of an email signer (or the public key encryption certificate of an email recipient) by using a modified SCVP server such that a trustworthiness indicator based on certificate policies is included in an SCVP server response that maps the certificate policies asserted in the public key certificate of the email signer (or email recipient(s)) to graphically represent the degree of trust that can be attributed to the identities bound to public key certificates containing one or more certificate policies. The graphical representation of a trust level may appear directly in an email client and is based on the level of trust attributable to the binding between the public key distributed via a public key certificate (for signing or encryption) and the identity/attributes of the “subject” or “entity” contained in that certificate. | 11-12-2015 |
20150333911 | ID SYSTEM AND PROGRAM, AND ID METHOD - [PROBLEMS] To appropriately authenticate a user, a biometric device, and an authentication timing of a client side and prevent leak or tampering of the biometric information. | 11-19-2015 |
20150333916 | DIGITAL CERTIFICATE AUTOMATIC APPLICATION METHOD, DEVICE AND SYSTEM - In a digital certificate automatic application method, device and system, a digital certificate applicant notifies a digital certificate issuer of supported digital certificate generation methods. If a digital certificate issued by the issuer is available, then the issuer is notified of the existing digital certificate information. Otherwise, the issuer is notified of the certificate information required to be contained in a newly applied digital certificate. The issuer selects a digital certificate generation method from the digital certificate generation methods supported by the applicant, and notifies the applicant. If the applicant must apply for a new digital certificate, then the new digital certificate information is generated and the applicant is notified. Otherwise, the applicant is notified of the invalid digital certificate information. The applicant determines the digital certificate to be used according to the notification from the issuer. The present application achieves automatic application, updating and issuing of a digital certificate. | 11-19-2015 |
20150334110 | MULTI-TENANT DISCOVERY AND CLAIMING OF DISTRIBUTED STORAGE NODES OVER AN INSECURE NETWORK - A technique is introduced that enables a server to establish trust of and a secure channel of communication with an unverified client computer, which can be on a different insecure network. To establish trust, the server needs to ensure that the client computer is legitimate, and the client computer similarly needs to ensure that the server is legitimate. With mutual trust established, a secure channel of communication is established between the server and the client computer. With mutual trust and a secure channel of communication established, the client computer can safely communicate with the server, for example, to download software that enables the client computer to join a central management system at the server. | 11-19-2015 |
20150334166 | CABLE MANAGEMENT AND SECURITY SYSTEM - A cable management system includes a cable that transmits data between information handling systems (IHSs). The cable includes a first end and a second end that is opposite the cable from the first end. A first connector is located on the first end of the cable and couples the cable to a first IHS. A second connector is located on the second end of the cable and couples the cable to a second IHS. A first communication system is located adjacent the first end of the cable. The first communication system receives and stores first IHS information about the first IHS when the first connector is coupled to the first IHS and second IHS information about the second IHS when the second connector is coupled to the second IHS. The first communication system may then provide the first and second IHS information to a management device. | 11-19-2015 |
20150341178 | CERTIFICATE ISSUING SYSTEM, CLIENT TERMINAL, SERVER DEVICE, CERTIFICATE ACQUISITION METHOD, AND CERTIFICATE ISSUING METHOD - Provided is a certificate issuing system including a client terminal and a server device. The client terminal derives a first hash value from a first random number using a unidirectional function, generates a secret key and a public key of the client terminal, and transmits the first hash value and the public key of the client terminal to the server device. The server device receives the first hash value and the public key of the client terminal from the client terminal, stores the first hash value, authenticates the client terminal on the basis of the stored first hash value and the derived first hash value, generates a client certificate on the basis of the public key of the client terminal and a secret key of the server device when the authentication succeeds, and transmits the client certificate to the client terminal. | 11-26-2015 |
20150341325 | Systems And Methods For Secure Communication Over An Unsecured Communication Channel - A system and method for secure data transmission over an unsecured communication channel by means of public key cryptography is disclosed. A plurality of digital certificates associated with a plurality of user devices within a peer network are maintained at each of the user devices in a certificate database. Each user device is assigned with a secure hardware token. The hardware token stores a private key and a local encryption key associated with the corresponding device. In order to transfer data between a first user device and a second user device, a public key of second user device stored in the certificate database is used to encrypt a data to be transferred from a first user device to the second user device within the peer network. At the second user device, the encrypted data is decrypted using a private key associated with the second user device to retrieve the data. | 11-26-2015 |
20150341335 | PASSWORD-BASED AUTHENTICATION - A password authentication system includes an access control server configured to control access by a user computer to a resource dependent on authentication of user passwords associated with user IDs. The system further includes a plurality of authentication servers, storing respective secret values. For each user ID, the access control server stores a first ciphertext produced by encrypting the user password associated with that ID using a predetermined algorithm dependent on the secret values. In response to receipt of a user ID and an input password, the access control server communicates with the plurality of authentication servers to implement password authentication, requiring use of the secret values, in which a second ciphertext is produced by encrypting the input password using said predetermined algorithm. The access control server compares the first and second ciphertexts to determine whether the input password equals the user password to permit access to the resource. | 11-26-2015 |
20150341345 | SECURITY SYSTEM - A security system includes a controller manufacturer, a key issuer, and a medium manufacturer. The controller manufacturer writes a controller key Kc and a controller unique ID (IDcu) in the controller at the time of manufacturing the controller, and transmits the controller key Kc to the key issuer. The key issuer generates a medium device key Kmd_i and a medium device key certificate Cert | 11-26-2015 |
20150349964 | RELAY DEVICE, NON-TRANSITORY STORAGE MEDIUM STORING INSTRUCTIONS EXECUTABLE BY THE RELAY DEVICE, AND SERVICE PERFORMING SYSTEM - A relay device communicates with a server and a client device and includes a storage and a controller. The controller is configured to: receive, from the server, service use information which is to be used for the client device to use a service; transmit the received service use information to the client device; receive, from the client device, transmission instructing information containing key information which identifies CA certificate data stored in the storage and used for the client device to verify server certificate data; and transmit, to the client device, the CA certificate data identified by the key information contained in the received transmission instructing information. The CA certificate data is stored in the storage. | 12-03-2015 |
20150349965 | CLIENT DEVICE, NON-TRANSITORY STORAGE MEDIUM STORING INSTRUCTIONS EXECUTABLE BY THE CLIENT DEVICE, AND SERVICE PERFORMING SYSTEM - A client device communicates with a server and a relay device and includes a controller and a storage. The controller is configured to: receive service use information from the relay device; use the received service use information to transmit connection request information to the server; receive the server certificate data which is transmitted from the server as a response to the connection request information; determine whether certificate-authority certificate data for verification of server certificate data is stored in the storage; when the certificate-authority certificate data is stored in the storage, verify the server certificate data using the certificate-authority certificate data; when the certificate-authority certificate data is not stored in the storage, receive the certificate-authority certificate data from the relay device; verify the server certificate data using the received certificate-authority certificate data; and store the received certificate-authority certificate data into the storage. | 12-03-2015 |
20150350196 | TERMINAL AUTHENTICATION SYSTEM, SERVER DEVICE, AND TERMINAL AUTHENTICATION METHOD - Provided is a terminal authentication system including a client terminal and a server device. The client terminal transmits first information based on secret information different for each client terminal and a client certificate including a hash value of the secret information which is derived from the secret information, to a server device. The server device receives the first information and the client certificate, derives a hash value from the secret information based on the first information using a unidirectional function, and authenticates the client terminal on the basis of the derived hash value and the hash value of the secret information which is included in the client certificate. | 12-03-2015 |
20150350197 | SIGNATURE VERIFICATION SYSTEM, COMMUNICATION DEVICE, VERIFICATION DEVICE, SIGNATURE GENERATION METHOD, AND SIGNATURE VERFICATION METHOD - Provided is a signature verification system including a communication device and a verification device. The communication device and the verification device are connected to each other through a network. The communication device derives a first hash value from a first random number, derives a second hash value from data including electronic data and a certificate of the communication device which includes the first hash value and a public key of the communication device, using a unidirectional function, generates a signature using a secret key of the communication device with respect to the second hash value, and transmits the electronic data, the certificate, and the signature to the verification device. The verification device receives the electronic data, the certificate, and the signature, authenticates the communication device using the first hash value included in the certificate, derives the second hash value from the data including the electronic data and the certificate using a unidirectional function, and verifies the signature using the public key of the communication device and the derived second hash value which are included in the certificate. | 12-03-2015 |
20150350198 | METHOD AND SYSTEM FOR CREATING A CERTIFICATE TO AUTHENTICATE A USER IDENTITY - A method for creating a certificate to authenticate a user identity at a web browser includes receiving a login request including a first user identity for a user and generating a first browser-signed certificate using public and secret keys associating the first user identity to the web browser. The first browser-signed certificate is sent to a first identity provider server and in response a first server-signed certificate is received from the first identity provider server. The first server-signed certificate associates the first user identity to the first identity provider server. A final certificate is generated by merging the first browser-signed certificate with the first server-signed certificate. | 12-03-2015 |
20150350903 | RADIO DEVICE WITH TWO RADIO UNITS AND A METHOD FOR THE TRANSMISSION OF INFORMATION - A radio device is provided with a first radio unit and a second radio unit, wherein the first radio unit provides a certified functionality which is certified by an authorized certification authority. The second radio unit provides a certified functionality, wherein the functionality of the second radio unit is different from the functionality of the first radio unit, and the functionality of the second radio unit is similarly certified by an authorized certification authority. Furthermore, a method is provided for the transmission of information via the radio device. | 12-03-2015 |
20150358170 | COMMUNICATION SYSTEM, VEHICLE-MOUNTED TERMINAL, ROADSIDE DEVICE - A communication system ( | 12-10-2015 |
20150358311 | SYSTEMS AND METHODS FOR SECURED KEY MANAGEMENT VIA HARDWARE SECURITY MODULE FOR CLOUD-BASED WEB SERVICES - A new approach is proposed that contemplates systems and methods to support security management for a plurality of web services hosted in a cloud at a data center to offload their crypto operations to one or more hardware security modules (HSMs) deployed in the cloud. Each HSM is a high-performance, Federal Information Processing Standards (FIPS) 140-compliant security solution for crypto acceleration of the web services. Each HSM includes multiple partitions, wherein each HSM partition is dedicated to support one of the web service hosts/servers to offload their key management and crypto operations via one of a plurality of HSM virtual machine (VM) over the network. An HSM managing VM can also be deployed to monitor and manage the operations of the HSM-VMs to support a plurality of web services. | 12-10-2015 |
20150358312 | SYSTEMS AND METHODS FOR HIGH AVAILABILITY OF HARDWARE SECURITY MODULES FOR CLOUD-BASED WEB SERVICES - A new approach is proposed to support high availability (HA) of hardware security module (HSM) adapters in an HSM HA domain for web services hosted in a cloud to offload their key storage, management, and crypto operations to the HSM adapters. Each of the HSM adapters is a high-performance, FIPS 140-compliant security solution and includes multiple partitions isolated from each other each dedicated to support one of the web service hosts to offload its key management crypto operations. An HSM managing virtual machine (VM) monitors load information on the operations currently being performed by the HSM partitions in the HSM HA domain and identifies one or more second HSM partitions if a first HSM partition serving the operations is determined to be overloaded. The HSM managing VM then distributes a portion of the offloaded key management and crypto operations from the first HSM partition to the second HSM partitions. | 12-10-2015 |
20150365240 | DIGITAL RIGHTS MANAGEMENT SYSTEM AND METHOD - An architecture for application of digital rights management to industrial automation devices including programmable logic controllers (PLCs), I/O devices, and communication adapters is provided. Digital rights management involves a set of technologies for controlling and managing access to device objects and/or programs such as ladder logic programs. Access to automation device objects and/or programs can be managed by downloading rules of use that define user privileges with respect to automation devices and utilizing digital certificates, among other things, to verify the identity of a user desiring to interact with device programs, for example. The architecture can provide for secure transmission of messages to and amongst automation devices utilizing public key cryptography associated with digital certificates. | 12-17-2015 |
20150372813 | SYSTEM AND METHOD FOR GENERATING A RANDOM NUMBER - A system and method for generating a random number are provided. The method is performed on a mobile device, and includes the steps of establishing a secure, independent connection with a remote server, of transmitting a request for a random seed value from the server, of receiving a random seed value from the server generated by a dedicated random seed device, and of generating a random number using the random seed as input to a random number generating algorithm. The random number may in turn be used to generate an asymmetric key pair, including a public key and a private key, which in turn may be used to encrypt communication. The public key may be communicated to a remote server, which in turn may provide the mobile device with a digital certificate to use when digitally signing messages. | 12-24-2015 |
20150372823 | SYSTEM AND METHOD FOR AN EXTENDED WEB OF TRUST - An industrial automation gateway providing an extended web of trust is provided. The industrial automation gateway includes a cloud communication interface coupled with a cloud automation facility, a hardware memory, and a processor coupled with the cloud communication interface and the hardware memory. The cloud automation facility includes a cloud hardware memory storing a cloud root certificate from a first root certificate authority and a subordinate certificate. The hardware memory stores a gateway root certificate from a second root certificate authority and the subordinate certificate. The processor is configured to determine if the subordinate certificate has been certified by the first root certificate authority and the second root certificate authority. The processor is also configured to transfer automation data to the cloud automation facility using the subordinate certificate only if the subordinate certificate has been certified by the first root certificate authority and the second root certificate authority. | 12-24-2015 |
20150372824 | UTILIZING A STAPLING TECHNIQUE WITH A SERVER-BASED CERTIFICATE VALIDATION PROTOCOL TO REDUCE OVERHEAD FOR MOBILE COMMUNICATION DEVICES - A certificate issuer ( | 12-24-2015 |
20150372825 | Per-Device Authentication - Systems and techniques are provided for per-device authentication. A hardware serial number associated with a hardware component of a computing device may be received. The hardware serial number may be converted to a hardware key check. A hardware key associated with a certificate from the computing device may be received. The hardware key may be compared to the hardware check key to obtain a verification of the certificate. The certificate may be verified when the hardware key check matches the hardware key and the certificate may not be verified when the hardware key check does not match the hardware key. A signature associated with the certificate may be verified. Access to the data processing apparatus by the computing device may be permitted when the certificate is verified and the signature is determined to be authentic. | 12-24-2015 |
20150372994 | Cryptographic Proxy Service - A cryptographic proxy service may be provided. Upon determining that data associated with a network destination comprises at least some sensitive data, a cryptographic service may provide a security certificate associated with the network destination. The plurality of data may be encrypted according to the security certificate associated with the network destination and provided to the cryptographic service for re-encryption and transmission to the network destination. | 12-24-2015 |
20150381372 | REDUCTION OF MEMORY REQUIREMENT FOR CRYPTOGRAPHIC KEYS - For communication of a first participant with at least one additional participant in a communication system via multiple protocols, the protocols using at least two different certificate formats, the first participant uses different certificates with the respective certificate formats for the communication via the different protocols, the different certificates being based on a shared public key. The first participant holds a shared associated private key for the different certificates. Provision of the certificates for the first participant includes generating the public key and the associated private key, signing the public key for provision of the first certificate, and signing the public key for provision of the second certificate. | 12-31-2015 |
20150381608 | EFFICIENT ENCRYPTION, ESCROW AND DIGITAL SIGNATURES - A network server is operated so as to facilitate legal eavesdropping by receiving, from the first user via a network, a session key (SK) encrypted with a second user's public key, k | 12-31-2015 |
20150381612 | Integrated Circuit Device That Includes A Secure Element And A Wireless Component For Transmitting Protected Data Over A Local Point-To-Point Wireless Communication Connection - An integrated circuit device that includes a wireless component and a secure element is herein disclosed and enabled. The integrated circuit device includes a protected memory area for storing protected data that is implemented to be not accessible by a user, but is accessible by a memory controller included in the integrated circuit device. The memory controller accesses the protected data with a combination of security operations that may include authentication, cryptography, decryption, and encryption. The integrated circuit device further includes a wireless interface for establishing a local point-to-point radio connection with wireless computing devices or readers for transmitting the protected data that is encrypted. The integrated circuit device functions as a security key by requiring the presence of the integrated circuit device when using the protected data. The wireless integrated circuit device can be included in, or embodied, as any wireless communication device, such as a smart card. | 12-31-2015 |
20160006722 | METHOD FOR MANAGING THE INSTALLATION OF AN APPLICATION ON AN ELECTRONIC DEVICE - A method for managing the installation of an application on an electronic device is disclosed. In one aspect, the method includes seeking the authenticity of a second signature using the public authentication key of a certificate, the certificate being authenticated if at least one of the second sub-signatures is considered authentic during implementation of the search. | 01-07-2016 |
20160006724 | SECURE INSTALLATION OF SOFTWARE IN A DEVICE FOR ACCESSING PROTECTED CONTENT - The invention relates to a device for decrypting protected content and for providing the decrypted content for playback, the device comprising a secure module for carrying out cryptographic operations including the decryption of the protected content using decryption information, and the device being configured to install therein at least one client software module assigned to a provider of protected content, the client software module being adapted to forward decryption information for decrypting the protected content of the provider to the secure module in an encrypted form. The secure module is adapted to store therein a public key assigned to the provider and to authenticate at least one link key provided by the content provider using the stored public key. Further, the secure module is adapted to receive a protected software image of the client software module and to initiate the installation of the client software module in the device upon having decrypted and/or validated the software image by means of a link key authenticated using the registered public key or by means of a key of a key ladder derived from the authenticated link key, and, during execution of the installed client software module, the secure module is adapted to decrypt the decryption information by means of a link key authenticated using the registered public key or by means of key of a key ladder derived from the authenticated link key. Moreover, the invention relates to a method for operating the device. | 01-07-2016 |
20160006729 | METHODS AND APPARATUS FOR ESTABLISHING A SECURE COMMUNICATION CHANNEL - A method for establishing a secure communication channel between an off-card entity and an embedded Universal Integrated Circuit Card (eUICC) is provided. The method involves establishing symmetric keys that are ephemeral in scope. Specifically, an off-card entity, and each eUICC in a set of eUICCs managed by the off-card entity, possess long-term Public Key Infrastructure (PKI) information. When a secure communication channel is to be established between the off-card entity and an eUICC, the eUICC and the off-card entity can authenticate one another in accordance with the respectively-possessed PKI information (e.g., verifying public keys). After authentication, the off-card entity and the eUICC establish a shared session-based symmetric key for implementing the secure communication channel. Specifically, the shared session-based symmetric key is generated according to whether perfect or half forward security is desired. Once the shared session-based symmetric key is established, the off-card entity and the eUICC can securely communicate information. | 01-07-2016 |
20160007198 | Credibility Token System for Over The Air Multi-programming of a Wireless Device and Method of Operation - A mobile secure agent on a wireless device executes co-resident authenticated data collection profiles provisioned by private profile producers. Each wireless device has a MAC address that is transformed into a credibility token which is included in a notification to execute or update a data collection profile. The credibility token may also include attributes of location current or stored data. Each wireless device retains location history data transformed by encryption or by hashing. Each data package can only be transmitted to a collector certificated by the same private profile producer. Update profiles are signed and provisioned through a tunnel initiated from the mobile secure agent. A Certificate Authority provides libraries, anchors, and certificates in a key management message module to each mobile secure agent which enables revocation and replacement of certificates. Data stored in this way may only be transmitted to one destination per profile. | 01-07-2016 |
20160013947 | SYSTEM AND METHOD FOR SECURE PROVISIONING OF AN INFORMATION HANDLING SYSTEM | 01-14-2016 |
20160013948 | SYSTEM, METHOD AND APPARATUS FOR PROVIDING ENROLLMENT OF DEVICES IN A NETWORK | 01-14-2016 |
20160014114 | SECURE SESSION CAPABILITY USING PUBLIC-KEY CRYPTOGRAPHY WITHOUT ACCESS TO THE PRIVATE KEY | 01-14-2016 |
20160021110 | INFORMATION PROCESSING APPARATUS AND ENCRYPTION COMMUNICATING METHOD - An information processing apparatus for performing encryption communication with an external apparatus by an encryption communication protocol has an inhibition unit for inhibiting use of a set of algorithms which do not satisfy a predetermined condition among a plurality of sets of algorithms used in the encryption communication protocol. The set of algorithms whose use if inhibited is a set of algorithms which need to transmit a message with a signature of the information processing apparatus to the external apparatus at the time of handshake performed with the external apparatus prior to the encryption communication. | 01-21-2016 |
20160028551 | SYSTEMS AND METHODS FOR HARDWARE SECURITY MODULE AS CERTIFICATE AUTHORITY FOR NETWORK-ENABLED DEVICES - A new approach is proposed that contemplates systems and methods to support a trusted local certificate authority (CA) running on a hardware security module (HSM), wherein the trusted local CA is configured to issue a certificate to each of a plurality of network-enabled devices for authentication. The HSM further includes a plurality of HSM service units each configured to process key management and crypto operations offloaded from each of the network-enabled devices once it is authenticated. Each of the network-enabled devices is configured to accept its certificate for authentication from the trusted local CA, establish a secured communication channel with the HSM over a network and present the certificate to the HSM in a request for authentication, and offload its key management and crypto operations to one of the HSM service units once the network-enabled device is authenticated. | 01-28-2016 |
20160028719 | SEGMENTED SECRET-KEY STORAGE SYSTEM, SEGMENT STORAGE APPARATUS, SEGMENTED SECRET-KEY STORAGE METHOD - The risk of leakage of secret information caused by leakage of a secret key is reduced. A segmented secret-key storage system segments a secret key SK into segments that can be combined at the time of decryption or at the time of generation of a signature and records the secret-key segments sk | 01-28-2016 |
20160028720 | CONFIGURATION PROFILE VALIDATION ON IOS USING SSL AND REDIRECT - An application management agent running on a wireless communications device restricts access to device functionality (e.g., applications and device features) unless the application management agent has determined that a particular configuration profile has been installed on the device (after which the application management agent permits access to device functionality, and an operating system of the device enforces policy settings specified in the configuration profile). The application management agent confirms the presence of the configuration profile by initiating an SSL handshake with a client certificate request for a client SSL certificate embedded in the configuration profile. Validation against the embedded client SSL certificate implicitly confirms the presence of the configuration profile and validates the content of the configuration profile. | 01-28-2016 |
20160028722 | SECURE FEATURE AND KEY MANAGEMENT IN INTEGRATED CIRCUITS - A mechanism for providing secure feature and key management in integrated circuits is described. An example method includes receiving, by a root authority system, data identifying a command that affects operation of an integrated circuit, singing, by the root authority system, the command using a root authority key to create a root signed block (RSB), and providing the RSB to a security manager of the integrated circuit. | 01-28-2016 |
20160028723 | METHOD FOR DOMAIN CONTROL VALIDATION - A system and method for domain control validation is presented. At a certificate authority a request is received. The request includes a certificate signing request and a first Internet protocol address. The certificate signing request identifies a domain and a certificate. A second Internet protocol address for the domain is retrieved from a domain name system. When the first Internet protocol address is the same as the second Internet protocol address, the certificate is signed, and the signed certificate is transmitted to a requester of the request. When the first Internet protocol address is not the same as the second Internet protocol address, the certificate signing request is rejected. | 01-28-2016 |
20160028728 | IMPLEMENTING ACCESS CONTROL BY SYSTEM-ON-CHIP - Systems and methods for implementing access control by systems-on-chip (SoCs). An example SoC may comprise an access control unit employed to: receive a message comprising an access control data item; validate the message using a value of a message digest function of contents of the message and a value of a state variable reflecting a state of communications between the access control unit and a programming agent that has initiated the message, wherein the value of the state variable is derived from a previous value of the message digest function calculated within a current communication session between the access control unit and the programming agent; update the state variable using the value of the message digest function of the contents of the message; and control, using the access control data item, access by an initiator device to a target device. | 01-28-2016 |
20160036593 | ADVISING CLIENTS ABOUT CERTIFICATE AUTHORITY TRUST - In many information security scenarios, a certificate issued by a certificate authority may be presented to a client in order to assert a trust level of a certificated item, such as a message or a web page. However, due to a decentralized structure and incomplete coordination among certificate authorities, the presence and exploitation of security vulnerabilities to issue untrustworthy certificates may be difficult to determine, particularly for an individual client. Presented herein are techniques for advising clients of the reputations of respective certificate authorities by evaluating the certificates issued by such certificate authorities, such as the number and types of domains certified by the certificate; the number and pattern of certificates issued for the domain; and the certification techniques used to issue the certificates. Such evaluation enables a determination of a certificate authority trust level that may be distributed to the clients in a certificate authority trust set. | 02-04-2016 |
20160057132 | MANAGEMENT OF DIGITAL CERTIFICATES - Various embodiments are directed to a computer-implemented method for displaying a map of certificate relationships. A method can include retrieving certificate information for two or more servers and storing the retrieved certificate information in a memory. In addition, the method can include receiving a command to generate a map of certificate relationships. The command includes a command scope that identifies at least a first server of the two or more servers. Further, the method can include generating the map from the retrieved certificate information and rendering the map on a display device. The map includes the first server and a device having a certificate relationship with the first server. | 02-25-2016 |
20160057133 | SECURE CONNECTION CERTIFICATE VERIFICATION - One or more computer processors identify a first certificate that is used to establish a secure Internet connection. One or more computer processors identify a stored second certificate that shares at least one attribute with the first certificate. One or more computer processors determine a policy action based, at least in part, on a result of a comparison between an attribute of the first certificate and an attribute of the second certificate. | 02-25-2016 |
20160080363 | COMPUTER IMPLEMENTED METHOD OF ANALYZING X.509 CERTIFICATES IN SSL/TLS COMMUNICATIONS AND THE DATAPROCESSING SYSTEM - A computer implemented method of analyzing X.509 certificates in SSL/TLS communications, and the data processing system for implementing said method, that may include: extracting X.509 certificates from SSL/TLS Handshake protocols; monitoring each extracted X.509 certificate for evaluating, using the processor, a grade of polymorphism that the X.509 certificate exhibits; and, storing the X.509 certificate in the certificate database if the X.509 certificate is not previously stored in the certificate database or, if the X.509 certificate exhibits a grade of polymorphism with respect to a previously stored version of the X.509 certificate. | 03-17-2016 |
20160080368 | FACILITATING DYNAMIC END-TO-END INTEGRITY FOR DATA REPOSITORIES IN AN ON-DEMAND SERVICES ENVIRONMENT - In accordance with embodiments, there are provided mechanisms and methods for facilitating dynamic end-to-end integrity for data repositories in an on-demand services environment in an on-demand services environment in a multi-tenant environment according to one embodiment. In one embodiment and by way of example, a method includes receiving, by and incorporating into a database system, a content file and metadata to be submitted to a data repository of the database system. The content file may include content, where the metadata includes identifying data associated with at least one of the content and a user associated with the content. The method may further include verifying, by the database system, the identifying data of the metadata. The verification of the identifying data represents authentication of at least one of the user and the content. The method may further include submitting, by the database system, the content file and the metadata to the data repository, upon authentication of at least one of the user and the content via successful verification of the identifying data. | 03-17-2016 |
20160080380 | ESTABLISHING TRUST BETWEEN TWO DEVICES - Techniques described herein leverage a trusted entity within a domain to enable devices to establish trust with one another so they can securely discover each other and connect to one another. In various examples discussed herein, a device is configured to provide trust information to, and/or receive trust information from, the trusted entity. The trust information may include, for example, a public key of an encryption key pair, a certificate signed by the trusted entity proving authenticity, and/or a hash function and a hash seed used to compute a series of results that form a hash chain. The device may use the trust information to discover another device and to connect to the other device securely and automatically (e.g., with no user involvement or limited user involvement). Moreover, the device may use the trust information to dynamically change a MAC address being used to communicate with the other device. | 03-17-2016 |
20160087804 | METHOD AND SYSTEM FOR ISSUING CSR CERTIFICATE FOR VEHICLE-TO-ANYTHING COMMUNICATION - A method for issuing a certificate signing request (CSR) certificate in a vehicle-to-anything (V | 03-24-2016 |
20160087976 | TECHNOLOGIES FOR SENSOR ACTION VERIFICATION - Technologies for sensor action verification include a local computing device to receive a request for the local computing device to perform a sensor action from a remote computing device. The local computing device verifies the received request to confirm that the remote computing device is authorized to request the local computing device to perform the sensor action and performs, by a sensor controller of the local computing device, the requested sensor action in response to verification of the received request. The sensor controller manages operation of one or more sensors of the local computing device. The local computing device transmits a response message to the remote computing device indicating whether the requested sensor action has been performed by the sensor controller of the local computing device. | 03-24-2016 |
20160087995 | Procedure For Platform Enforced Storage in Infrastructure Clouds - The present invention relates to a secure component for protecting data in a storage entity and a method at the secure component of protecting data in the storage entity. Further, the present invention relates to a secure domain manager for securely associating a communicating party with a storage domain and a method at the secure domain manager of securely associating the communicating party with the storage domain. Moreover, the present invention relates to a trusted third party for verifying correctness of a launch package created by a secure domain manager to securely associate a communicating party with a storage domain and a method at the trusted third party to verify correctness of the launch package created by the secure domain manager to securely associate the communicating party with the storage domain. | 03-24-2016 |
20160094541 | DIGITAL CERTIFICATION ANALYZER - A digital certification analyzer (or “analyzer”) provides protection for digital content stored on servers, file sharing systems, hard drives and USB enabled external drives or other digital repositories. The analyzer prevents unauthorized access from both owners/administrators and recipients of digital content being shared through a web based or file sharing type service. The analyzer protects the owner of the shared digital content from unauthorized access, while allowing multiple protection instances to be applied to multiple digital content shares within a digital file hosting and sharing environment. Timers are provided to limit access to digital content at the discretion of the owner of the digital content. | 03-31-2016 |
20160094546 | FAST SMART CARD LOGON - Methods and systems for faster and more efficient smart card logon and for giving a client device full domain access in a remote computing environment are described herein. Fast smart card logon may be used to reduce latency and improve security. For example, the system may reduce the number of operations (e.g., interactions) between a server device used for authentication and the client device. These operations may include fetching a user certificate from the smart card or signing data. Fast smart card logon may also improve security by optionally avoiding PIN (or other credential) transmission over networks, and to enable single sign on from an authentication event (e.g., Secure Sockets Layer (SSL) or Transport Layer Security (TLS) authentication) using a smart card to the domain logon without resorting to PIN caching. | 03-31-2016 |
20160094573 | TECHNOLOGIES FOR DISTRIBUTED DETECTION OF SECURITY ANOMALIES - Technologies for distributed detection of security anomalies include a computing device to establish a trusted relationship with a security server. The computing device reads one or more packets of at least one of an inter-virtual network function network or an inter-virtual network function component network in response to establishing the trusted relationship and performs a security threat assessment of the one or more packets. The computing device transmits the security threat assessment to the security server. | 03-31-2016 |
20160099952 | METHOD AND SYSTEM FOR TESTING AND VALIDATION OF CRYPTOGRAPHIC ALGORITHMS - A method for testing cryptographic algorithms includes: receiving one or more request files, wherein each request files is associated with a cryptographic algorithm and includes a plurality of tests; formatting the plurality of tests in each of the request files based on algorithm formatting rules; transmitting the request files; receiving a plurality of test results for each of the transmitted request files, wherein each test result corresponds to a test included in the respective request file and is generated by execution of the corresponding test using the cryptographic algorithm associated with the respective request file; generating a response file for each of the request files, wherein the response files includes a plurality of test results that correspond to each test included in the corresponding request file; formatting the plurality of tests results in each of the generated response files based on result formatting rules; and transmitting the response files. | 04-07-2016 |
20160105288 | CERTIFICATES FOR LOW-POWER OR LOW-MEMORY DEVICES - Compact certificate formats that may be used in a fabric or network between devices. The compact format includes a serial number field tagged with a tag of 1, a signature algorithm field tagged with a tag of 2, an issuer field tagged with a tag of 3, an encoded version of a public key tagged with a tag of A, and a signature field tagged with a tag of C. Each field includes the respective tags and corresponding values encoded in a tag-length-value (TLV) format, and each tag value is represented in hexadecimal. | 04-14-2016 |
20160112396 | Password Manipulation for Secure Account Creation and Verification Through Third-Party Servers - A method and system for deterring attacks at potential breach points between servers and an account and login server for creating and subsequent verification of accounts. Various cryptographic primitives are used to manipulate passwords to generate verifiers. The verifiers are used with external hardware security modules (HSMs) to eliminate HSMs and intermediate steps between the HSM and login servers as potential breach points. | 04-21-2016 |
20160112408 | SCALABLE GROUPS OF AUTHENTICATED ENTITIES - Example embodiments provide various techniques for securing communications within a group of entities. In one example method, a request from an entity to join the group is received and a signed, digital certificate associated with the entity is accessed. Here, the signed, digital certificate is signed with a group private key that is associated with a certification authority for the group. The signed, digital certificate is added to a group roster, and this addition is to admit the entity into the group. The group roster with the signed, digital certificate is itself signed with the group private key and distributed to the group, which includes the entity that transmitted the request. Communication to the entity is then encrypted using the signed, digital certificate included in the group roster. | 04-21-2016 |
20160112409 | SPATIAL AND TEMPORAL VERIFICATION OF USERS AND/OR USER DEVICES - Approaches for facilitating spatial and temporal verification of users and/or user devices are disclosed. In some implementations, a user device may be detected within a short wireless communication range. A wireless communication session with the user device may be initiated based on the detection. Information identifying a first integrity-based certificate may be received from the user device during the wireless communication session during a first time period. Information identifying a second integrity-based certificate associated with a second time period may be provided responsive to determining that the first integrity-based certificate is a valid integrity-based certificate associated with the first time period. The second integrity-based certificate may be configured to allow network access for the user device during the second time period. | 04-21-2016 |
20160112410 | SECURE OVER-THE-AIR PROVISIONING SOLUTION FOR HANDHELD AND DESKTOP DEVICES AND SERVICES - In one embodiment, a device and a services provisioning system establish an over-the-air connection with each other, and perform device posture validation to obtain a unique identification (ID) of the device at the provisioning system. The device and provisioning system then participate in device and user authentication in response to a confirmed unique ID by a backend access control system, where the device generates a secure key pair after successful user authentication. In response to the device being approved for services (e.g., checked by the provisioning system via a registration system), the provisioning system provides a root certificate to the device, and the device sends a certificate enrollment request back to the provisioning system. In response to a certificate authority signing the certificate request, the provisioning system returns a valid certificate to the device, and the valid certificate is installed on the device. | 04-21-2016 |
20160112417 | TERMINAL FOR STRONG AUTHENTICATION OF A USER - A method for negotiating reciprocal access to secured data in a computing terminal comprising authenticating, by an application in the computing terminal, the first party by means of transmitting authentication data read on the computing terminal to an application server of the computing terminal configured to store data in the computing terminal, authenticating, by the application, the second party, accepting, by the second party, a negotiation request, defining and sending, by the second party, proposed conditions of access to the secured data, negotiating and accepting, by the first party and the second party, the conditions for access to the secured data, and creating, by the application server, a negotiated digital certificate for the first party and a negotiated digital certificate for the second party, wherein each of the negotiated digital certificates is encrypted with a public key, wherein the public key is configured to control access to the secured data. | 04-21-2016 |
20160119141 | SECURE COMMUNICATION AUTHENTICATION METHOD AND SYSTEM IN DISTRIBUTED ENVIRONMENT - The present invention relates to a secure communication authentication method and system in a distributed environment. By using the method and the system of the present invention, disadvantages in a platform identity certification process in TCG remote certification are alleviated, a method for platform identity certification is expanded, and by combining three technologies, that are, zero-knowledge proof, a Kerberos framework and a virtual TPM, a new verification method is designed, which is mainly intended to make improvement in the aspects in the existing method such as platform information exposure, a trusted third-party bottleneck and complexity avoidance. By using the method and the system of the present invention, the problems of privacy exposure and efficiency in mutual verification between remote servers in the existing distributed system. | 04-28-2016 |
20160119149 | SECURITY SYSTEM FOR HANDHELD WIRELESS DEVICES USING TIME-VARIABLE ENCRYPTION KEYS - In one embodiment, the invention provides a portable wireless personal communication system for cooperating with a remote certification authority to employ time variable secure key information pursuant to a predetermined encryption algorithm to facilitate convenient, secure encrypted communication. The disclosed system includes a wireless handset, such as PDA, smartphone, cellular telephone or the like, characterized by a relatively robust data processing capability and a body mounted key generating component which is adapted to be mounted on an individual's body, in a permanent or semi-permanent manner, for wirleessly broadcasting, within the immediate proximity of the individual, a secret or private key identifying signal corresponding to a time variable secure key information under the control of the certification authority. The key identifying signal is generated in a format that facilitates secure wireless communication with the individual in accordance with a predetermined encryption algorithm including a PKI encryption algorithm. The disclosed system may be used with a console for coordinating access to a variety of different communication system and networks. | 04-28-2016 |
20160119328 | SYSTEM AND METHOD FOR USER AUTHENTICATION - A system and method for providing authentication of a user is disclosed. The use of a non-confidential and unique user identification number and a temporary access code separates authentication of the user from transmission of any user passwords or user-identifiable data, as well as provides a ubiquitous means to authenticate the user with unrelated organizations, without any information passing between those organizations. | 04-28-2016 |
20160127132 | METHOD AND APPARATUS FOR INSTALLING PROFILE - The present invention relates to a method and apparatus for installing a profile, and more specifically, to a method for managing mobile communication subscriber information (profile), such as for remotely installing and uninstalling a profile onto a security module (Universal Integrated Circuit Card (UICC)) that is embedded inside a terminal and that is not attachable or detachable, thereby replacing UICC. Accordingly, the present invention relates to a method for a server installing a profile, wherein the method for the server installing the profile for a terminal having an embedded security module comprises the steps of: receiving from the terminal a profile installation request including an identifier of the terminal embedded security module; receiving an encrypted profile corresponding to the installation request; and transmitting to the terminal the encrypted profile. | 05-05-2016 |
20160127353 | METHOD AND APPARATUS FOR ENABLING SECURED CERTIFICATE ENROLLMENT IN A HYBRID CLOUD PUBLIC KEY INFRASTRUCTURE - In a method a public key infrastructure (PKI) device receives a certificate signing request (CSR) and an identity assertion cryptographically bound to an end entity issuing the CSR. The PKI device validates the authenticity and integrity of the CSR using the identity assertion. In response to validating the authenticity and integrity of the CSR, the PKI device issues a certificate based on at least one of the CSR and fields in the identity assertion. | 05-05-2016 |
20160127355 | EMBEDDED EXTRINSIC SOURCE FOR DIGITAL CERTIFICATE VALIDATION - A computer uses the information included within a digital certificate to obtain a current date and time value from a trusted extrinsic trusted source and the computer compares the obtained current date and time value to a validity period included in the digital certificate to determine if the digital certificate is expired. The information included within the digital certificate specifying an extrinsic source for the current date and time value can be included in an extension of the digital certificate, and the information can specify a plurality of extrinsic sources. | 05-05-2016 |
20160127358 | PROVIDING A SECURITY MECHANISM ON A MOBILE DEVICE - Disclosed are methods, apparatus, systems, and computer program products for providing a security mechanism on a mobile device before performing an action on a database record in an on-demand database service. The action to be performed can be identified for requesting third-party information. When the third-party information is provided by a user who does not have authorization to access data locally or remotely from the mobile device, the action is performed on the database record but the security mechanism can be activated for display on the mobile device. When the security mechanism is traversed, the mobile device can be unlocked and a user can access the database record in the on-demand database service. | 05-05-2016 |
20160134621 | CERTIFICATE PROVISIONING FOR AUTHENTICATION TO A NETWORK - A method for authenticating a device to a network using a device certificate is described. The method includes generating a private-public key pair on a system-on-chip (SoC) of the device. The private key is protected by a hardware-based root of trust of the SoC. The method also includes generating a device certificate that is signed using the private key. The method further includes using the device certificate to gain access to the network. | 05-12-2016 |
20160134623 | SECURE EXECUTION ENVIRONMENT SERVICES - Techniques for managing secure execution environments provided as a service to computing resource service provider customers are described herein. A request to launch a secure execution environment is received from a customer and fulfilled by launching a secure execution environment on a selected computer system. The secure execution environment is then validated and upon a successful validation, one or more applications are provided to the secure execution environment to be executed within the secure execution environment. As additional requests relating to managing the secure execution environment are received, operations are performed based on the requests. | 05-12-2016 |
20160142212 | TRUSTED PLATFORM MODULE CERTIFICATION AND ATTESTATION UTILIZING AN ANONYMOUS KEY SYSTEM - This application is directed to trusted platform module certification and attestation utilizing an anonymous key system. In general, TPM certification and TPM attestation may be supported in a device utilizing integrated TPM through the use of anonymous key system (AKS) certification. An example device may comprise at least combined AKS and TPM resources that load AKS and TPM firmware (FW) into a runtime environment that may further include at least an operating system (OS) encryption module, an AKS service module and a TPM Certification and Attestation (CA) module. For TPM certification, the CA module may interact with the other modules in the runtime environment to generate a TPM certificate, signed by an AKS certificate, that may be transmitted to a certification platform for validation. For TPM attestation, the CA module may cause TPM credentials to be provided to the attestation platform for validation along with the TPM and/or AKS certificates. | 05-19-2016 |
20160142216 | METHOD AND APPARATUS FOR AUTOMATING SELECTION OF CERTIFICATE MANAGEMENT POLICIES DURING ISSUANCE OF A CERTIFICATE - A Public Key Infrastructure (PM) device receives a certificate signing request (CSR) from an end entity. The PKI device obtains at least one of: a controlling attribute of at least one PKI device associated with processing of the certificate signing request and a controlling attribute associated with the CSR. The PKI device obtains an end entity policy object (EEPO) to be associated with the end entity based on at least one obtained controlling attribute. Based on the obtained EEPO, the PKI device determines at least one attribute and at least one value associated with the attribute this is to be included in a certificate and issues, to the end entity, the certificate including the at least one attribute. | 05-19-2016 |
20160147981 | Anti-piracy Protection for Software - A certificate for a target device includes encrypted system attributes that are verified against attributes of the target device prior to software usage. A certificate server securely obtains system attributes from the target system and generates a certificate with encrypted components including some system attributes. The certificate is stored on the target device and software installation/execution is made dependent on validation of the certificate. An encrypted system fingerprint in the certificate is decrypted by the software at the target device and compared with locally obtained system attributes to verify authorization for software usage on the target device. The certificate represents an easy to use paradigm for anti-piracy protection of software. | 05-26-2016 |
20160149711 | DISTRIBUTED IDENTIFICATION SYSTEM FOR PEER TO PEER MESSAGE TRANSMISSION - The present disclosure describes computer systems and methods for peer to peer information exchange. The methods entail receiving, by a first computer system, a first Internet Protocol (IP) address from a second computer system, generating a first key pair comprising a first public key and a first private key, generating, by the first computer system, a first public key certificate comprising the first public key and the first IP address, and generating a first address-book entry comprising the first public key certificate. The first address-book entry, along with a likewise generated second address-book entry on a third computer system, enable direct communication between the a user on the first computer system and a second user on third computer system, without relying on a domain name server (DNS) or a mnemonic address assignment. | 05-26-2016 |
20160149900 | AUTONOMOUS SYSTEM FOR SECURE ELECTRIC SYSTEM ACCESS - Secure electronic access may be provided by receiving at least one electronic certificate from an electronic device seeking to access a secure resource at a device under protection including at least one security processor, the at least one certificate providing device information related to the security of the electronic device, and comparing with at least one autonomous processor of an autonomous system the device information to the security requirement information. The at least one autonomous processor may instruct the at least one security processor to provide the secure resource to the device when the device information meets the security requirement information. The device under protection may provide the secure resource to the electronic device in response to the instruction. | 05-26-2016 |
20160149901 | METHOD AND APPARATUS FOR ENABLING SERVICE-CONFIGURABLE WIRELESS CONNECTIONS - The disclosed embodiments provide a system that enables service-configurable wireless connections. During operation, a local service endpoint of a service runs on a wireless device. The local service endpoint sends a request to establish a datapath with another service endpoint on another device. Meanwhile, the wireless device's service discovery module discovers a remote endpoint for the service on a remote device. In response to the request, the wireless device's service-configurable security entity configures a Wi-Fi connection's security configuration, thereby enabling the local endpoint to establish a datapath between the local endpoint and the remote endpoint over the Wi-Fi connection. | 05-26-2016 |
20160149903 | METHOD FOR SUPPORTING SUBSCRIBER'S SERVICE PROVIDER CHANGE RESTRICTION POLICY IN MOBILE COMMUNICATIONS AND APPARATUS THEREFOR - The present invention relates to a method and an apparatus for employing an embedded subscriber identity module (hereinafter referred to as eSIM) to apply a policy such as a subsidy policy to, activate, deactivate, add to, update, and delete a user profile in a mobile communications network. The present invention enables a mobile device to determine whether to host the policy of a new service provider when it changes the present service provider or to perform a lock for prohibiting the policy change, and to change the profile related to the determination. The present invention also enables a mobile device to replace the policy related to the service provider by applying the policy, or to employ eSIM so as to activate, deactivate, revise, add, or delete the rules of the policy related to the service provider. The present invention provides various examples of hosting and applying the policy and various examples of activating, deactivating, revising, adding, deleting the policy rules so as to make eSIM identify the subscriber as the existing subscriber identity module. The invention also enables the device or eSIM to be reused when changing the service provider throughout the life cycle thereof without limiting the use of eSIM to a single service provider. The invention also provides a method for locking the policy applied per service provider, and the use of eSIM when changing to another service provider by the policy per service provider. The present invention also provides a method for checking the criteria of decision and verifying the power of decision when administering the policy rules and eSIM through deleting, adding, revising, activating, and deactivating the profile management plan and policy rules by applying the service provider's policy. Thus the present invention enables the device to host a new service provider's policy for communicating therewith when changing from the existing service provider to the new service provider, or when the government changes the service provider for an M2M device related to the electricity, infrastructure, etc. under an environment such as EUTRAN (Evolved Universal Terrestrial Radio Access Network) or UTRAN (Universal Terrestrial Radio Access Network)/GERAN(GSM/EDGE Radio Access Network). The present invention also is advantageous in that if the change of a service provider is not allowed according the policy of the existing service provider, the information related to communication and the security information are set revised safely by locking, thus enhancing the communication efficiency and security. The present invention also enables the device to verify the power of the user or to revise safely the information of eSIM for adding, revising, deleting, activating, and deactivating the policy rules for managing the operation profile for administration of the policy of the service provider under an environment such as EUTRAN(Evolved Universal Terrestrial Radio Access Network) or UTRAN(Universal Terrestrial Radio Access Network)/GERAN(GSM/EDGE Radio Access Network), thus enhancing the communication efficiency and security. | 05-26-2016 |
20160156477 | MANAGING TIME-DEPENDENT ELECTRONIC FILES | 06-02-2016 |
20160173286 | CREATING A DIGITAL CERTIFICATE FOR A SERVICE USING A LOCAL CERTIFICATE AUTHORITY HAVING TEMPORARY SIGNING AUTHORITY | 06-16-2016 |
20160173287 | SHORT-DURATION DIGITAL CERTIFICATE ISSUANCE BASED ON LONG-DURATION DIGITAL CERTIFICATE VALIDATION | 06-16-2016 |
20160173487 | CONTROLLING A DISCOVERY COMPONENT, WITHIN A VIRTUAL ENVIRONMENT, THAT SENDS AUTHENTICATED DATA TO A DISCOVERY ENGINE OUTSIDE THE VIRTUAL ENVIRONMENT | 06-16-2016 |
20160173488 | MANAGEMENT OF CERTIFICATE AUTHORITY (CA) CERTIFICATES | 06-16-2016 |
20160182350 | Systems and Methods Implementing an Autonomous Network Architecture and Protocol | 06-23-2016 |
20160182492 | DETERMINING THE REPUTATION OF A DIGITAL CERTIFICATE | 06-23-2016 |
20160182495 | AUTHENTICATOR DEVICE FACILITATING FILE SECURITY | 06-23-2016 |
20160182497 | TRUSTED EPHEMERAL IDENTIFIER TO CREATE A GROUP FOR A SERIVCE AND/OR TO PROVIDE THE SERVICE | 06-23-2016 |
20160182499 | TRUST ESTABLISHMENT BETWEEN A TRUSTED EXECUTION ENVIRONMENT AND PERIPHERAL DEVICES | 06-23-2016 |
20160182500 | SYSTEMS AND METHODS FOR ANONYMOUS AUTHENTICATION USING MULTIPLE DEVICES | 06-23-2016 |
20160197950 | DETECTION SYSTEM AND METHOD FOR STATICALLY DETECTING APPLICATIONS | 07-07-2016 |
20160254918 | TRUST-ZONE-BASED END-TO-END SECURITY | 09-01-2016 |
20160379209 | METHODS, APPARATUS AND COMPUTER PROGRAM PRODUCTS FOR SECURELY ACCESSING ACCOUNT DATA - Customer data is securely downloaded to a browser toolbar by performing a check to determine whether a request for customer data includes a request for personal identifiable information requiring encryption by a public encryption key generated by the browser toolbar. The customer is authenticated based on a set of a user credential and an account specific access credential. The account specific access credential is associated with the account of the customer. Requested personal identifiable information is encrypted using the public encryption key generated by the browser toolbar. Encrypted personal identifiable information is transmitted to the browser toolbar. | 12-29-2016 |
20160381003 | UNIVERSAL ENROLLMENT USING BIOMETRIC PKI - A system may obtain identification information for a user for obtaining a form of access using universal enrollment. The system may obtain a digital certificate associated with the identification information, the digital certificate including a public key of a public key, private key pair and the public key and the private key of the public key, private key pair being generated using first biometric information of the user obtained during the universal enrollment. The system may obtain second biometric information. The system may generate a second private key using the second biometric information. The system may determine whether the second private key matches the public key included in the digital certificate. The system may provide the form of access based on the second private key matching the public key included in the digital certificate. | 12-29-2016 |
20160381004 | CERTIFICATION MANAGEMENT SYSTEM - A certification management system helps an organization develop and maintain a repository of current certification status of employees. The system may integrate multiple learning management systems and other enterprise level systems across the organization. The system facilitates identifying and enrolling targeted employees for any number and type of certification programs. The system may also implement and support reconfiguring certification programs, for example, during training, and enforcing recertification requirements according to maturing business needs. The system provides automated workflows that facilitate a formal, structured approach to the development and recognition of specific specialized skills at scale by infusing more consistency, rigor, and objectivity. | 12-29-2016 |
20160381006 | DISTRIBUTING AN AUTHENTICATION KEY TO AN APPLICATION INSTALLATION - Disclosed are various examples for facilitating distribution of an authentication code to installation of managed applications. An identity certificate is sent to a device by installing a configuration profile on the client device. The configuration profile includes the identity certificate. A management service can also initiate installation of a managed application. The identity certificate can be used to authenticate the client device so that an authentication key can be provided to the managed application. | 12-29-2016 |
20170237561 | Systems and Methods for "Machine-to-Machine" (M2M) Communications Between Modules, Servers, and an Application using Public Key Infrastructure (PKI) | 08-17-2017 |
20170237571 | SECURE SESSION CAPABILITY USING PUBLIC-KEY CRYPTOGRAPHY WITHOUT ACCESS TO THE PRIVATE KEY | 08-17-2017 |
20170237572 | METHOD AND APPARATUS FOR BULK AUTHENTICATION AND LOAD BALANCING OF NETWORKED DEVICES | 08-17-2017 |
20170237754 | EVALUATING INSTALLERS AND INSTALLER PAYLOADS | 08-17-2017 |
20180026797 | BINDING DIGITALLY SIGNED REQUESTS TO SESSIONS | 01-25-2018 |
20180026799 | A METHOD OF ESTABLISHING TRUST BETWEEN A DEVICE AND AN APPARATUS | 01-25-2018 |
20180026800 | TECHNIQUES TO VERIFY AND AUTHENTICATE RESOURCES IN A DATA CENTER COMPUTER ENVIRONMENT | 01-25-2018 |
20180026949 | SYSTEM AND METHOD FOR PROVIDING VEHICLE INFORMATION BASED ON PERSONAL AUTHENTICATION AND VEHICLE AUTHENTICATION | 01-25-2018 |
20190149316 | PROVISIONING SYSTEMS AND METHODS | 05-16-2019 |
20190149340 | CRYPTOGRAPHIC VERIFICATION OF A COMPRESSED ARCHIVE | 05-16-2019 |
20190149341 | TAMPER-PROOF SECURE STORAGE WITH RECOVERY | 05-16-2019 |
20190149342 | SYSTEMS, METHODS, AND DEVICES FOR MULTI-STAGE PROVISIONING AND MULTI-TENANT OPERATION FOR A SECURITY CREDENTIAL MANAGEMENT SYSTEM | 05-16-2019 |
20220141025 | METHOD AND SYSTEM FOR BLOCKCHAIN-BASED INFORMATION MANAGEMENT AMONG NETWORK DEVICES - A method, a device, and a non-transitory storage medium are described in which an blockchain-based network information management service is provided. The service provides blockchain mechanisms that allows for the management and disbursement of network information among network devices of a RAN, a core network, and an application layer network. The service may define a structure for the network information that may be used by RAN devices, core devices, and application layer devices of different vendors and third parties. | 05-05-2022 |