Inventors list

Assignees list

Classification tree browser

Top 100 Inventors

Top 100 Assignees


By certificate

Subclass of:

713 - Electrical computers and digital processing systems: support

713150000 - MULTIPLE COMPUTER COMMUNICATION USING CRYPTOGRAPHY

713155000 - Central trusted authority provides computer authentication

Patent class list (only not empty are listed)

Deeper subclasses:

Class / Patent application numberDescriptionNumber of patent applications / Date published
713158000 Revocation or expiration 113
713157000 Chain or hierarchical certificates 24
Entries
DocumentTitleDate
20110179269SIGNATURE SYSTEMS - A signature system includes a public key certificate obtainment device 07-21-2011
20110185171CERTIFICATE AUTHENTICATING METHOD, CERTIFICATE ISSUING DEVICE, AND AUTHENTICATION DEVICE - A terminal device 07-28-2011
20130031362METHOD OF HANDLING A CERTIFICATION REQUEST - In a certification request, a user device includes an object identifier. When a certification authority generates an identity certificate responsive to receiving the certification request, the certification authority includes the object identifier, thereby allowing improved management of the identity certificate at the user device and elsewhere.01-31-2013
20130031361URL-BASED CERTIFICATE IN A PKI - A method of requesting and issuing a certificate from certification authority for use by an initiating correspondent with a registration authority is provided. The initiating correspondent makes a request for a certificate to the registration authority, and the registration authority sends the request to a certificate authority, which issues the certificate to the registration authority. The certificate is stored at a location in a directory and this location is associated with a pointer such as uniform resource locator (URL) that is derived from information contained in the certificate request. The initiating correspondent computes the location using the same information and forwards it to other corespondents. The other correspondents can then locate the certificate to authenticate the public key of the initiating correspondent.01-31-2013
20080301438Peer-to-peer smime mechanism - A method and apparatus for sending a self-asserted certificate is described. In one embodiment, a mail client of a sender is configured to generate a public and private key pair, to create a self-signed certificate, and to form an introduction message addressed to a recipient to enable use of the self-signed certificate prior to corresponding with the recipient. A mail client of a recipient is configured to display an indicator of a receipt of the introduction message from the sender. The indicator comprises a user interface query to the recipient to verify and accept the sender-signed certificate in response to receiving the introduction message from the sender.12-04-2008
20100023758DOCUMENT AUTHENTICATION USING ELECTRONIC SIGNATURE - Embodiments of authenticating an electronic document are disclosed. A document authentication system is operatively connected with a professional system, a license management system and a certification authority system, for authenticating an electronic document of a client response to a request from a client system. An authentication unit included in the document authentication system receives the electronic document from the client system for review and seal thereof, transmits the electronic document to receive the electronic document with the electronic signature implemented and transmits the electronic signature to the license management system to verify license validity of the professional based on the electronic signature. Further, the authentication unit transmits the electronic document to the client system with the electronic signature including a seal imprint image of the professional if the license of the professional is valid.01-28-2010
20090193250AUTHENTICATION SYSTEM, SIGNATURE CREATING DEVICE, AND SIGNATURE VERIFYING DEVICE - A signature generating device for generating digital signature data that certifies authenticity of information of a person, and making the information obfuscated. The signature generating device comprises: a storage unit that stores attribute information concerning the person and a private key corresponding to the attribute information; an obfuscated information generating unit that selects one or more pieces of dummy information in relation to the attribute information, and generates the obfuscated information that includes the attribute information and the dummy information; a public key obtaining unit that obtains a public key corresponding to the attribute information and public keys respectively corresponding to the dummy information; and a signature generating unit that generates digital signature data by performing a ring signature generation process to the obfuscated information, using the private key and the public key corresponding to the attribute information and using the public keys corresponding to dummy information.07-30-2009
20110202759CERTIFICATE REMOTING AND RECOVERY - Certificate remoting and recovery may be provided. A computer may identify required security certificates and determine whether at least one required security certificate is not available. If the certificate is not available, the computer may identify a peer server and request the missing certificate from the peer server. The computer may also be operative to receive certificate management instructions from other computers.08-18-2011
20120246468System, Method, and Apparatus for Performing Reliable Network, Capability, and Service Discovery - A system, method, and apparatus are provided for performing reliable network, capability, and service discovery. A method may include providing for transmission of a request for signed access point information. The request may be provided for transmission prior to authenticating with an access point when authentication is performed or prior to associating with an access point when authentication is not performed. The method may further include receiving a response including signed access point information. The method may additionally include verifying the signed access point information using a digital certificate. The method may also include selecting the access point for communication based in least in part on the verified signed access point information. A corresponding system and apparatus is also provided.09-27-2012
20120246467Verifying Cryptographic Identity During Media Session Initialization - An authentication agent may cryptographically identify a remote endpoint that sent a media initialization message even though intermediate devices may modify certain fields in the message after a signature is inserted. The originating endpoint's agent may create the signature over some fields of the message using an enterprise network's private key. The agent may insert the signature into the message and send the message to a recipient endpoint's authentication agent. The recipient agent may verify the signature, receive a certificate including a second public key, and challenge the identity of the originating endpoint in order to confirm that identity. This challenge may request a confirmation that the originating endpoint knows the private key corresponding to the second public key and may occur while running encrypted media at the endpoints. After the originating endpoint is authenticated, the endpoints may exchange encrypted and/or unencrypted media.09-27-2012
20120246466Flexible System And Method To Manage Digital Certificates In A Wireless Network - An infrastructure is provided for managing the distribution of digital certificates for network security in wireless backhaul networks. In embodiments, a root certificate management system (root CMS) processes requests for digital certificates, issues root certificates, automatically authenticates surrogate certificate management systems (sur-CMSs), and automatically processes certificate requests and issues certificate bundles to sur-CMSs that are successfully authenticated. The infrastructure includes sur-CMSs to which are assigned base stations within respective regions. Each sur-CMS automatically authenticates its own base stations and automatically processes certificate requests and issues certificate bundles to base stations that are successfully authenticated. A certificate bundle issued to a base station includes a digital certificate, signed by the issuing sur-CMS, of a public key of such base station, and at least one further digital certificate, including a self-signed certificate of the root CMS.09-27-2012
20120246465INCORPORATING DATA INTO CRYPTOGRAPHIC COMPONENTS OF AN ECQV CERTIFICATE - During generation of an implicit certificate for a requestor, a certificate authority incorporates information in the public-key reconstruction data, where the public-key reconstruction data is to be used to compute the public key of the requestor. The information may be related to one or more of the requestor, the certificate authority, and the implicit certificate. The certificate authority reversibly encodes the public-key reconstruction data in the implicit certificate and sends it to the requestor. After receiving the implicit certificate from the certificate authority, the requestor can extract the incorporated information from the public-key reconstruction data. The implicit certificate can be made available to a recipient, and the recipient can also extract the incorporated information.09-27-2012
20100077207COMMUNICATIONS APPARATUS, COMMUNICATIONS SYSTEM, AND METHOD OF SETTING CERTIFICATE - An apparatus in a system which includes at least a high-level apparatus and a plurality of low-level apparatuses, said apparatus being one of the low-level apparatuses. The apparatus includes a storage unit configured to store an individual certificate set and a common certificate set and a communication unit configured to transmit own authentication information to the high level apparatus to allow the high level apparatus to perform decryption to authenticate the validity of the apparatus.03-25-2010
20130086378PROXY SYSTEM FOR SECURITY PROCESSING WITHOUT ENTRUSTING CERTIFIED SECRET INFORMATION TO A PROXY - First communication units use a public key thereof certified by a certification authority on a PKI (Public Key Infrastructure), which is held by the first communication units in advance, and a secret key of the first communication units or delegation information generated by using secret information, as public key certificate, of the first communication units to thereby allow a proxy server to perform security processing, i.e. key exchange processing, authentication processing or processing for providing compatibility of encryption schemes, between the first communication units and a second communication unit on behalf of the first communication units.04-04-2013
20130086377PROCESSING A CERTIFICATE SIGNING REQUEST IN A DISPERSED STORAGE NETWORK - A method begins by a requesting device transmitting a certificate signing request to a managing unit, wherein the certificate signing request includes fixed certificate information and suggested certificate information. The method continues with the managing unit forwarding the certificate signing request to a certificate authority and receiving a signed certificate from the certificate authority, wherein the signed certificate includes a certificate and a certification signature and wherein the certificate includes the fixed certificate information and determined certificate information based on the suggested certificate information. The method continues with the managing unit interpreting the fixed certificate information of the signed certificate to identify the requesting device and forwarding the signed certificate to the identified requesting device.04-04-2013
20130031360PROCESS CONTROL SYSTEM - A process control system is disclosed which can include a plurality of spatially distributed, internetworked network subscribers with secure communication between the network subscribers via a communication network. Communication integrity can be based on an interchange of certificates. In order to protect the communication integrity, the process control system can include a central certification point which is an integral part of the process control system and allocates and distributes certificates.01-31-2013
20130080770System and Apparatus for Facilitating Transactions Between Two or More Parties - The present invention provides a system and apparatus for facilitating a transaction between two or more parties. A server computer is used to determine whether a contact information and an identity validation information of a second party are accurate. Whenever the contact information and the identity validation information of the second party are accurate, one or more documents are modified by attaching and identity validation from a first party and the identity validation from the second party to the one or more documents.03-28-2013
20090119506Method and Apparatus for Secure Assertion of Resource Identifier Aliases - A method and apparatus for secure assertion of a user identifier alias. The method comprises receiving at an application server from a first device a first user identifier, a first device identifier and a first authentication key associated with the first device; receiving at the application server from the first device a second user identifier, the first device identifier and a second authentication key associated with the first device; comparing the first authentication key to the second authentication key; and storing the second user identifier at the application server as an alias of the first user identifier if the first authentication key matches the second authentication key.05-07-2009
20090119505Transaction method and verification method - In a method for performing an electronic transaction a first transaction part generates a digital signature and an encrypted digital signature. The second transaction party receives both signatures. The second party is enabled to verify the digital signature, but cannot verify or (re)generate the encrypted digital signature. A trusted third party is enabled to verify the encrypted digital signature if the digital signature is also provided, since the trusted third party cannot (re)generate the digital signature. Thus, no other party than the first transaction party can (re)generate both the digital signature and the encrypted digital signature. Therefore, no other party presenting himself as the first transaction party can be verified as being the first transaction party.05-07-2009
20130036302SECURE INSTANT MESSAGING SYSTEM - A secure instant messaging (IM) system integrates secure instant messaging into existing instant messaging systems. A certificate authority (CA) issues security certificates to users binding the user's IM screen name to a public key, used by sending users to encrypt messages and files for the user. The CA uses a subscriber database to keep track of valid users and associated information, e.g. user screen names, user subscription expiration dates, and enrollment agent information. A user sends his certificate to an instant messaging server which publishes the user's certificate to other users. Users encrypt instant messages and files using an encryption algorithm and the recipient's certificate. A sending user can sign instant messages using his private signing key. The security status of received messages is displayed to recipients.02-07-2013
20130042102INFORMATION PROCESSING DEVICE AND INFORMATION PROCESSING METHOD, AND PROGRAM - An information processing system including a medium where a content to be played is stored; and a playing apparatus for playing contents stored in the medium; with the playing apparatus being configured to discriminate the content type of a content selected as an object to be played, to selectively obtain a device certificate correlated with the discriminated content type from a storage unit, and to transmit the selectively obtained device certificate to the medium; with the device certificate being a device certificate for content types in which content type information where the device certificate is available is recorded; and with the medium determining whether or not an encryption key with reading being requested from the playing apparatus is an encryption key for decrypting an encrypted content matching an available content type recorded in the device certificate, and permitting readout of the encryption key only in the case of matching.02-14-2013
20130042101SYSTEM AND METHOD FOR USING DIGITAL SIGNATURES TO ASSIGN PERMISSIONS - According to one embodiment of the invention, a method for setting permission levels is described. First, an application and digital signature is received by logic performing the permission assessment. Then, a determination is made as to what permission level for accessing resources is available to the application based on the particulars of the digital signature. Herein, the digital signature being signed with a private key corresponding to a first public key identifies that the application is assigned a first level of permissions, while the digital signature being signed with a private key corresponding to a second public key identifies the application is assigned a second level of permissions having greater access to the resources of an electronic device than provided by the first level of permissions.02-14-2013
20130042103Digital Data Content Authentication System, Data Authentication Device, User Terminal, Computer Program and Method - A file is created in which digital data and a certificate are integrated and content authentication for the digital data and the certificate are performed simultaneously. A data authentication device (02-14-2013
20100042830Method for Controlling a Consumption Limit Date of Digital Contents Device for Consuming Such Contents, Means of Controlling Consumption and Server Distributing Such Contents - This invention relates to a method for controlling the consumption limit date of a digital content which is transferred from distribution means (02-18-2010
20090158034AUTHENTICATION GATEWAY APPARATUS FOR ACCESSING UBIQUITOUS SERVICE AND METHOD THEREOF - An authentication gateway apparatus for accessing a ubiquitous service includes: an authentication server of a service provider that receives an authentication data request message from a portable apparatus, and provides an authentication token; a first authentication device of the portable apparatus that transmits the authentication data request message to the authentication server, receives and stores an authentication token from the authentication server, and is used as a representative authentication device; and second authentication devices of ubiquitous apparatuses that are connected to the first authentication device of the portable apparatus by a wireless communication system, and have individual unique values.06-18-2009
20090158033METHOD AND APPARATUS FOR PERFORMING SECURE COMMUNICATION USING ONE TIME PASSWORD - The invention relates to a communication method and system using a one time password (OTP). The communication system includes: a user computer that has an OTP generator for generating the OTP provided therein; a service server that performs user authentication using user information and an OTP value input from the user computer, and communicates with the user computer using the encoded data that is associated with the OTP value, when the user authentication succeeds; and an OTP integrated authentication server that verifies the OTP value between the user computer and the service server.06-18-2009
20090158032Method and System for Automated and Secure Provisioning of Service Access Credentials for On-Line Services to Users of Mobile Communication Terminals - In a communications network including at least one authentication entity adapted to authenticating a network access requestor in order to conditionally grant thereto access to the communications network, wherein the authenticating is based on public key cryptography, a method for automatically provisioning the network access requestor with service access credentials for accessing an on-line service offered by an on-line service provider accessible through the communications network. The method includes: during the authenticating the network access requestor, having an authentication entity request to the on-line service provider the generation of the service access credentials; at the on-line service provider, generating the service access credentials, encrypting the service access credentials by exploiting a public encryption key of the network access requestor and providing the encrypted service access credentials to the authentication entity; and having the authentication entity cause the network access requestor to be provided with the encrypted service access credentials.06-18-2009
20090158031Secure Certificate Installation on IP Clients - According to one embodiment of the invention, a method is deployed for loading a user CA certificate into the trusted certificate storage of a network device The method comprises a number of operations. A first operation involves a downloading of addressing information. Thereafter, a communication session is established using the addressing information for retrieval of a bootstrapping digital certificate that can be digitally verified by the network device using its factory settings. Keying information is extracted from the bootstrapping digital certificate and the keying information can be used to verify that the communication session is between the network device and a certificate server being different than a source for the addressing information. Upon verification that the network device is in communication with the certificate server, the user CA certificate is downloaded from the certificate server using a secure channel that is established based on the bootstrapping digital certificate.06-18-2009
20090158030Doing business without SSN, EIN, and charge card numbers - This invention introduces encrypted identifiers to be used when the owner of an identifier wants to hide the original identifier away from public exposure but still be able to be uniquely identified through the encrypted form of the identifier. The logical requirement for such an encrypted identity is that it needs to be different for each user in order for it not to become public knowledge. The inventor refers to such changeable, proxy identifiers as “Pxy” identifiers. Pxy identifiers are generated using a Rule Number that references a user-specific algorithm and encryption key that is different for every user. To further privatize and facilitate tracing the ownership of a Pxy identifier to its owner, one or more identity-owner-specific passwords are also utilized. Pxy identity-identifiers examples include: PxySsn, PxyId, PxyEIN; and non-identity-identifier examples are: user-specific-encrypted-door-opener-codes, coded charge numbers, Pxy Software Keys, and so on.06-18-2009
20100332824SYSTEM AND METHOD OF MOBILE LIGHTWEIGHT CRYPTOGRAPHIC DIRECTORY ACCESS - A system for handling an LDAP service request to an LDAP server for an LDAP service comprises a client program executable on a client system and a handler program executable on a handler system. The client program is operable to generate LDAP service request data corresponding to the LDAP service and provide the LDAP service request data for transmission from the client system, and further operable to receive LDAP service reply data in response to the LDAP service request data. The handler program is operable to receive the LDAP service request data transmitted from the client system and execute the LDAP service request to the LDAP server, receive LDAP service reply data from the LDAP server during one or more passes, and upon completion of the LDAP service, provide the LDAP service reply data for transmission to the client system in a single pass.12-30-2010
20100106966Method and System for Registering and Verifying the Identity of Wireless Networks and Devices - The present invention discloses a method for registering a wireless network's identity using a central server. The central server receives a request for registration of an identifier of a wireless network. If the identifier has not been previously registered, the central server creates an association between the identifier and the wireless network, which is stored in a database maintained by the central server. The present invention also discloses a method for verifying a wireless network's identity by a wireless device. A central server comprising a database is provided, which registers an identifier of the wireless network. The central server receives from a wireless device an authentication request of the identifier. The authentication request arrives through a gateway of the wireless network. The central server then authenticates the identifier.04-29-2010
20100106965DELIVERY OF MULTIPLE THIRD-PARTY SERVICES TO NETWORKED DEVICES - Systems and methods for authenticating a media device or other information handling system so as to be able to receive content from one or more media content providers. Authenticating the device includes determining what authentication information the media content providers require for access and then to generating and providing to the media device an authentication token that includes the required information. In some embodiments this may be accomplished by a service center, which removes the need for additional authentication steps to be performed by the media device or the media content providers. In addition, the service center may also determine when changes are made to the authentication information and may then ensure that the authentication token is changed or updated to reflect these changes. This ensures that the media device is at least partially immune to changes to authentication.04-29-2010
20130042104Certificate-based cookie security - A cookie attribute for use during secure HTTP transport sessions. This attribute points to a server-supplied certificate and, in particular, a digital certificate. The cookie attribute includes a value, and that value is designed to correspond to one or more content fields in the digital certificate. During a first https session, a first web application executing on a first server provides a web browser with the cookie having the server certificate identifier attribute set to a value corresponding to a content field in a server certificate. Later, when the browser is accessing a second server during a second https session, the browser verifies that the value in the cookie matches a corresponding value in the server certificate received from the second server before sending the cookie to the second server. This approach ensures that the cookie is presented only over specified https connections and to trusted organizations.02-14-2013
20130046972Using A Single Certificate Request to Generate Credentials with Multiple ECQV Certificates - A method and apparatus are disclosed for using a single credential request (e.g., registered public key or ECQV certificate) to obtain a plurality of credentials in a secure digital communication system having a plurality of trusted certificate authority CA entities and one or more subscriber entities A. In this way, entity A can be provisioned onto multiple PKI networks by leveraging a single registered public key or implicit certificate as a credential request to one or more CA entities to obtain additional credentials, where each additional credential can be used to derive additional public key-private key pairs for the entity A.02-21-2013
20130046973FACILITATING ACCESS OF A DISPERSED STORAGE NETWORK - A method begins by a dispersed storage (DS) processing module generating a temporary public-private key pair, a restricted use certificate, and a temporary password for a device. The method continues with the DS processing encoding a temporary private key to produce a set of encoded private key shares and encoding the restricted use certificate to produce a set of encoded certificate shares. The method continues with the DS processing module outputting the set of encoded private key shares and the set of encoded certificate shares to a set of authentication units. The method continues with the DS processing module outputting the temporary password to the device such that, when the device retrieves the set of encoded private key shares and the set of encoded certificate shares, the device is able to recapture the temporary private key and the restricted use certificate for accessing a dispersed storage network (DSN).02-21-2013
20090044008DRM SYSTEM AND METHOD OF MANAGING DRM CONTENT - The present invention relate to a DRM system and a method of managing DRM content, which allow the user of content protected by DRM to use DRM content even through an unconnected device, which is not connected to a network. The DRM system includes a DRM server for issuing a Public Key Infrastructure (PKI)-based certificate and a key pair to an unconnected device via a network client connected to the unconnected device so as to allow the unconnected device to share a right to DRM content with the network client and to authenticate the unconnected device and permit the unconnected device to join a domain on a basis of the certificate and the key pair via the network client.02-12-2009
20090319780ESTABLISHING SECURE DATA TRANSMISSION USING UNSECURED E-MAIL - In one embodiment, a host entity may create a trusted connection with a guest entity. The host entity may encrypt a trusted connection invitation for an external guest entity using a proof of possession of a trusted token for the external guest entity. The host entity may transmit the encrypted trusted connection invitation to the external guest entity. A guest entity may decrypt the trusted token, and then use the proof of possession to decrypt the trusted connection invitation.12-24-2009
20090307487APPARATUS AND METHOD FOR PERFORMING TRUSTED COMPUTING INTEGRITY MEASUREMENT REPORTING - The present application discloses a method and apparatus for using trusted platform modules (TPM) for integrity measurements of multiple subsystems. The state of the platform configuration registers (PCR) after boot up are stored as the base state of the system. Base state in this context is defined as the state of the system when the startup of the system is complete and can only be changed when new software is loaded at the kernel level. This state itself can be reported to challengers who are interested in verifying the integrity of the operating system. Also disclosed is a method where the application that is to be verified, requests that its state be extended from the base state of the system. When such a request is received, the state of the system is extended directly from the base state PCR contents and not from the system state.12-10-2009
20090307486SYSTEM AND METHOD FOR SECURED NETWORK ACCESS UTILIZING A CLIENT .NET SOFTWARE COMPONENT - A method for self-service authentication of a client and a server. The method includes the server receiving an initialization command from the client. The initialization command may be transmitted to the server via a client web browser over an unsecured data transfer link. The method continues with requesting authentication information from the client. In response to receiving the authentication information from the client, the server transmits a client software component to the client. The client software component utilizes a client-side library installed on the operating system of the client to generate the various client credentials described above. Thereafter, the certificate signing request may be transmitted to a certificate server for signing the certificate signing request. The signed certificate signing request is then received by the client via the client web browser. The client utilizes the information associated with the signed certificate signing request with the client-side library installed on the client to generate a client certificate.12-10-2009
20130073845ANONYMOUS CREDENTIAL SYSTEM, USER DEVICE, VERIFICATION DEVICE, ANONYMOUS CREDENTIAL METHOD, AND ANONYMOUS CREDENTIAL PROGRAM - A signature unit, in which a user device generates/transmits digital signature data to an authentication device, includes: a first function, which receives as input a plurality of subsets in which a plurality of characteristics of the users are classified; a second function, which generates a first encrypted text acquired by encrypting a user device public key with an identification device public key; a third function, which generates a second encrypted text, acquired by encrypting characteristic values belonging to a specific subset among the subsets with a characteristic value disclosure device public key; and a fourth function, which employs portions of a group public key and a member certificate to generates a signature of knowledge that denotes that data, of multiplication of a portion of the user device public key and all of the numerical values of a characteristic value certificate corresponding to each of the characteristics, satisfies the specific conditions.03-21-2013
20130073844QUARANTINE METHOD AND SYSTEM - A quarantine method and system for allowing a client terminal to connect to a user network. An authentication apparatus recognizes that a communication means of the client terminal has been activated. The authentication apparatus confirms a common certificate for the client terminal. An Internet Protocol (IP) address is provided to the client terminal to enable the client terminal to log in to the quarantine network. A first authentication server security checks the client terminal to determine whether each check item of at least two check items has a violation. The client terminal is allowed to connect to the user network, via a second authentication server confirming a user certificate for the client terminal followed by the second authentication server storing the user certificate in the client terminal. The security measure server, the first authentication server, and the second authentication server are physically distinct hardware servers.03-21-2013
20130061042Apparatus and Method for Monitoring Certificate Acquisition - A system that incorporates teachings of the present disclosure may include, for example, a set-top-box having a controller to transmit a request to a remote management server for status information associated with a x.509 certificate intended for the STB, and receive the status information associated with the x.509 certificate from the remote management server, where events associated with the status information are received by the remote management server from at least one of the STB, a certificates proxy, an external certificate web service, and a certificate authority, and where the status information comprises at least a portion of the received events. Other embodiments are disclosed.03-07-2013
20130061041IMAGE FORMING APPARATUS, PRINTING METHOD, AND STORAGE MEDIUM - An image forming apparatus, for use in a printing system including a print client, a printer server, and an authentication server, enables a secure print setting according to received policy information specifying that printing is to be performed using a secure print protocol employing a certificate.03-07-2013
20090282240Secure Decentralized Storage System - A secure decentralized storage system provides scalable security by addressing the performance bottleneck of the security manager and the complexity issue of security administration in large-scale storage systems. The storage system includes: an application client for accessing a file system using a plurality of storage devices and transmitting a command to a storage device; a storage device for storing data and access control entries associated to the data, analyzing the command from the client and performing corresponding operations of the command; a metadata server for storing and managing metadata, such as location and length information of data and system configuration; and a security manager for storing and managing global access control entries and policies of the system and performing the access policy and privilege control according to the global access control entries and policies, such as changing the priority and inheritance rule of access control entries, adding and deleting the access control entries.11-12-2009
20130067220COMMUNICATION SYSTEM, VEHICLE-MOUNTED TERMINAL, ROADSIDE DEVICE - There is a need to reduce the certificate verification time in a communication system.03-14-2013
20130067219CONFIGURING A VALID DURATION PERIOD FOR A DIGITAL CERTIFICATE - A valid duration period for a digital certificate is established by a process that includes assigning numeric values to certificate term. The numeric value assigned to each certificate term is representative of the valid duration period. The method continues by identifying one certificate term, which may include requesting a user to select a certificate term. The method may include transmitting the requested certificate term to a server. The certificate term requested is sent via a certificate request. The server is configured to convert the numeric value associated with the requested certificate term into a duration counter value. The method may also include a certificate server receiving from the server, the certificate request including the duration counter value. The method may conclude with transmitting the signed certificate request to a client device capable of generating the digital certificate with the requested certificate term03-14-2013
20130067218INCORPORATING DATA INTO CRYPTOGRAPHIC COMPONENTS OF AN ECQV CERTIFICATE - During generation of an implicit certificate for a requestor, a certificate authority incorporates information in the public-key reconstruction data, where the public-key reconstruction data is to be used to compute the public key of the requestor. The information may be related to one or more of the requestor, the certificate authority, and the implicit certificate. The certificate authority reversibly encodes the public-key reconstruction data in the implicit certificate and sends it to the requestor. After receiving the implicit certificate from the certificate authority, the requestor can extract the incorporated information from the public-key reconstruction data. The implicit certificate can be made available to a recipient, and the recipient can also extract the incorporated information.03-14-2013
20120117381System and Method for Component Authentication of a Secure Client Hosted Virtualization in an Information Handling System - A client hosted virtualization system (CHVS) includes a processor to execute code, a security processor, a component that includes a certificate, and a non-volatile memory. The non-volatile memory includes BIOS code for the CHVS and virtualization manager code to initialize the CHVS, launch a virtual machine on the CHVS, and authenticate the component with the security processor by determining that the certificate is valid. The CHVS is configurable to execute the first code and not the second code, or to execute the second code and not the first code.05-10-2012
20110022838Method and system for secure remote login of a mobile device - A system to securely login a mobile device may include a storage means for storing an encrypted file, a certification system to receive the encrypted file from the storage means, and a customer transaction system in communication with the certification system. The system may also include the mobile device to transmit the encrypted file from the storage means to the certification system to allow the mobile device to securely log into the customer transaction system.01-27-2011
20120198229INFORMATION PROCESSING APPARATUS, INFORMATION RECORDING MEDIUM MANUFACTURING APPARATUS, INFORMATION RECORDING MEDIUM, INFORMATION PROCESSING METHOD, INFORMATION RECORDING MEDIUM MANUFACTURING METHOD, AND COMPUTER PROGRAM - An information processing apparatus includes: a data processing unit that acquires content codes including a data processing program recorded in an information recording medium and executes data processing according to the content codes; and a memory that stores an apparatus certificate including an apparatus identifier of the information processing apparatus. The data processing unit is configured to execute an apparatus checking process applying the apparatus certificate stored in the memory on the basis of a code for apparatus checking process included in the content codes, acquire the apparatus identifier recorded in the apparatus certificate after the apparatus checking process, and execute data processing applying content codes corresponding to the acquired apparatus identifier.08-02-2012
20090235069Arrangement of and method for secure data transmission - A method of and system for secure data transmission between a client and a third party computer arrangement. The method includes authenticating a user of the client by a security server via a communication session; making available a key pair by the security server, the key pair including a public key and a private key; and performing the secure data transmission between the client and the third party computer arrangement while using the key pair. The key pair having a limited life time defined by: a predetermined duration in time, a predetermined number of communication sessions, or a predetermined number of actions.09-17-2009
20090235068Method and Apparatus for Identity Verification - A method for identity verification includes receiving a request for proof of identity from a service provider and receiving biometric information associated with a user of a communication device. The method also includes determining that the received biometric information matches a biometric profile that contains biometric information associated with a registered user of the communication device. The method also includes unlocking a private key associated with the registered user in response to determining that the received biometric information matches a biometric profile and sending a request for a digital certificate that is signed with the private key associated with the registered user. The method further includes receiving the digital certificate that includes a public key associated with the registered user and satisfies the request for proof of identity. The method also includes with forwarding the digital certificate to the service provider.09-17-2009
20090006845Management of Secure Access to a Secure Digital Content in a Portable Communicating Object - The invention concerns a terminal (T) comprising an agent (AS) for processing a secure content encrypted with a key (KCN) and transmitted by a first server (SCN). In order to manage a secure access to the secure content, an application (AG) of a portable communicating object, such as a chip card, associated with a terminal stores one type of related digital right (TDN) and a certificate and transmitted by the agent and stores an access right (DA) and the key (KCN) related to the secure content transmitted from a second server (SAD). The application adapts the access right and the key and modifies the secure content, based on the type of right, and produces a secure access file based on the adapted access right and the key and on the certificate, the produced file being accessible by the terminal so that the agent may process the modified content.01-01-2009
20130166907Trusted Certificate Authority to Create Certificates Based on Capabilities of Processes - A device certificate binds an identity of a first device to a public key of the first device. The first device comprises a certificate authority service that creates for a process on the first device a process certificate certifying one or more capabilities of the process on the first device. The process certificate is presented to the second device. Upon validating the process certificate using the device certificate, the second device permits the process on the first device to have on the second device one or more of the verified certified capabilities.06-27-2013
20110066847Just In Time Trust Establishment and Propagation - Trust relationships in an online service system are established at a domain level, and propagated to components of domains as they attempt cross domain communication. In attempting to communicate across domains, a first component in a first domain attempts to validate a certificate of a second component in a second domain. Where the attempt to validate the certificate indicates that a trust relationship does not exist between the first component and the second domain, the first component determines whether a domain level trust relationship exists between the two domains. The first component propagates the trust status between the first and second domains to itself. If there is an existing trust relationship between the first and second domains, the first component validates the certificate of the second component in response. The second component executes the same process to complete the connection.03-17-2011
20110283103ONE TIME PASSWORDS WITH IPSEC AND IKE VERSION 1 AUTHENTICATION - A system adapted to condition access to a network over an IPsec session to clients providing a proper one-time-password, even though the network access control uses IKEv1, which does not support one-time-passwords. An authentication service receives from a client an access request including the one-time-password, and provides the one-time-password to a service that checks the password. The one-time-password service returns a cookie when the password is successfully validated and the client is properly authenticated. The cookie is passed on to the client computer, which uses the cookie as part of a request for a certificate. A certificate authority generates a certificate if a request for a certificate is received from an authenticated client, which in turn may be used to form the IPsec session for access to the network.11-17-2011
20120290836ACCELERATED SIGNATURE VERIFICATION ON AN ELLIPTIC CURVE - A public key encryption system exchanges information between a pair of correspondents. The recipient performs computations on the received data to recover the transmitted data or verify the identity of the sender. The data transferred includes supplementary information that relates to intermediate steps in the computations performed by the recipient.11-15-2012
20120290835SYSTEM AND METHOD FOR VALIDATING CERTIFICATE ISSUANCE NOTIFICATION MESSAGES - To validate a received certificate issuance notification message, a device may verify that the certificate issuance notification message conforms to expected norms or authenticate a signature associate with the certificate issuance notification message. Upon validating, the device may then transmit a uniform resource locator, extracted from the certificate issuance notification message, to a network entity configured for processing certificate issuance.11-15-2012
20110289315Generic Bootstrapping Architecture Usage With WEB Applications And WEB Pages - A method includes receiving at a network application function a request related to a generic bootstrapping architecture key originated from a user equipment. The received request includes a network application function identifier that includes a uniform resource locator, where the network application function has a fully qualified domain name. The method further includes causing a generic bootstrapping architecture key to be generated for the user equipment based at least in part on the uniform resource locator that is part of the network application function identifier. Apparatus and computer programs for performing the method are also disclosed.11-24-2011
20110296171KEY RECOVERY MECHANISM - A method and system for server-side key generation for non-token clients is described.12-01-2011
20110296172SERVER-SIDE KEY GENERATION FOR NON-TOKEN CLIENTS - A method and system for server-side key generation for non-token clients is described.12-01-2011
20090077374Method and System for Secure Remote Transfer of Master Key for Automated Teller Banking Machine - A method for securely transferring a master key from a host to a terminal, such as an automated teller machine, is disclosed. Each of the host and terminal is initialized with a certificate, signed by a certificate authority, and containing a public key used in used in connection with public key infrastructure communication schemes. An identifier of an authorized host is stored in the terminal. Upon receiving a communication from a host including a host certificate, the terminal validates whether it is already bound to a host, if not, whether the host identifier of the remote host matches the preloaded authorized host identifier, before further communicating with the remote host, including the exchange of certificates. In this way, the terminal is protected against attacks or intruders. Following the exchange of certificates, the host may securely transfer the master key to the terminal in a message encrypted under the terminal's public key. The terminal may decrypt the message, including the master key, using its corresponding secret key.03-19-2009
20090037727METHOD AND APPARATUS FOR SECURELY EXCHANGING CRYPTOGRAPHIC IDENTITIES THROUGH A MUTUALLY TRUSTED INTERMEDIARY - A method of securely exchanging cryptographic identities through a mutually trusted intermediary is disclosed. Data, which specifies a petitioner's cryptographic identity and a petitioner's resource identifier, is received. Input, which specifies an authority's resource identifier, is received. The petitioner's cryptographic identity and the petitioner's resource identifier are sent to a destination that is associated with the authority's resource identifier. Data, which specifies the authority's cryptographic identity, is received. The authority's cryptographic identity is sent to a destination that is associated with the petitioner's resource identifier.02-05-2009
20100153711DOWNLOADABLE CONDITIONAL ACCESS SYSTEM EFFICIENTLY DETECTING DUPLICATED DCAS HOST - A technology that may efficiently detect a duplicated Downloadable Conditional Access System (DCAS) host in a DCAS is provided.06-17-2010
20100153710METHOD OF PREVENTING UNAUTHENTICATED VIEWING USING UNIQUE INFORMATION OF SECURE MICRO - A method of verifying a validity of a Secure Micro (SM) is provided. The method of verifying a validity of an SM, the method including: storing and maintaining a validity verification message used to verify the validity of the SM, the validity verification message being generated by a Trusted Authority (TA) based on unique information of the SM, and the SM and the TA sharing the unique information of the SM; and verifying the validity of the SM using the validity verification message and the unique information shared by the SM, when an SM client is executed.06-17-2010
20090282241METHOD AND APPARATUS TO PROVIDE A USER PROFILE FOR USE WITH A SECURE CONTENT SERVICE - A secure content service available through a network comprising a user profile stored in a user profile store and a profile access controller to enforce access rights to the user profile, wherein the user profile is used to provide access rights to other content.11-12-2009
20110167256ROLE-BASED ACCESS CONTROL UTILIZING TOKEN PROFILES - A method and system for managing role-based access control of token data using token profiles is described.07-07-2011
20110191580METHOD AND SYSTEM FOR EXECUTION MONITOR-BASED TRUSTED COMPUTING - A system and method to ensure trustworthiness of a remote service provided by a service provider. The method includes monitoring runtime dependencies invoked during execution of a service transaction associated with the remote service, the service transaction being requested by a service requester. The method further includes determining whether a deviation exists between the runtime dependencies and a trusted list of dependencies associated with the remote service. The method also includes blocking execution of the service transaction based on determining that the deviation between the runtime dependencies and the trusted list of dependencies exists.08-04-2011
20110191579 TRUSTED NETWORK CONNECT METHOD FOR ENHANCING SECURITY - A trusted network connect method for enhancing security, it pre-prepares platform integrity information, sets an integrity verify demand. A network access requestor initiates an access request, a network access authority starts a process for bi-directional user authentication, begins to perform the triplex element peer authentication protocol with a user authentication service unit. After the success of the bi-directional user authentication, a TNC server and a TNC client perform bi-directional platform integrity evaluation. The network access requestor and the network access authority control ports according to their respective recommendations, implement the mutual access control of the access requestor and the access authority. The present invention solves the technical problems in the background technologies: the security is lower relatively, the access requestor may be unable to verify the validity of the AIK credential and the platform integrity evaluation is not parity. The present invention may simplify the management of the key and the mechanism of integrity verification, expand the application scope of the trusted network connect.08-04-2011
20100169641Trust Authority Supporting Digital Communication - A trust authority includes a network connected server executing trust service software stored in a machine-readable medium, one or more network ports for communicating on the network, and a data repository coupled to the server, the repository storing indications of trustworthiness for one or both of enterprises and agents of enterprises. Queries from remote entities, the queries pertaining to one or both of enterprises and agents, are received at the server, and the trust service software, in response to the queries, provides to the remote entities providing the queries indications of trustworthiness for the one or both of enterprises and agents.07-01-2010
20100115268Network Device and Computer Readable Medium Therefor - A network device, connectable with a service providing server and an authentication sever via a network, includes an acquisition information storage storing acquisition information for acquiring a certificate corresponding to each of services the service providing server provides, a certificate storage storing certificates acquired from the authentication server, a determining unit that, in response to acceptance of a request for utilizing a service, determines whether a certificate necessary for utilizing the requested service is stored in the certificate storage, and a controller that, when the necessary certificate is not stored, reads out acquisition information for the necessary certificate from the acquisition information storage, makes a certificate acquiring unit acquire the necessary certificate from the authentication server using the acquisition information, and stores the necessary certificate into the certificate storage. When the necessary certificate is stored, the controller makes the certificate acquiring unit acquire the necessary certificate from the certificate storage.05-06-2010
20090063853INFORMATION PROCESSING APPARATUS, SERVER APPARATUS, MEDIUM RECORDING INFORMATION PROCESSING PROGRAM AND INFORMATION PROCESSING METHOD - A client PC 03-05-2009
20100268943Method and System for Source Authentication in Group Communications - A method and system for authentication is provided. A central node for issuing certificates to a plurality of nodes associated with the central node in a network is also provided. The central node receives a first key from at least one node from among the plurality of nodes and generates a second key based on the received first key and generates a certificate for the at least one node. The generated certificate is transmitted to the at least one node.10-21-2010
20090144541METHOD AND APPARATUS OF MUTUAL AUTHENTICATION AND KEY DISTRIBUTION FOR DOWNLOADABLE CONDITIONAL ACCESS SYSTEM IN DIGITAL CABLE BROADCASTING NETWORK - A method and apparatus of X.509 certificate-based mutual authentication and key distribution for a Downloadable Conditional Access System (DCAS) in a digital cable broadcasting network is provided for composing a software-based secure DCAS in various Conditional Access Systems (CASs) based on an embodiment form of Conditional Access (CA) application for CA of digital cable broadcasting.06-04-2009
20120239927SYSTEM AND METHOD FOR SEARCHING AND RETRIEVING CERTIFICATES - A system and method for searching and retrieving certificates, which may be used in the processing of encoded messages. In one broad aspect, a method is provided in which a certificate search request is received, a search of one or more certificate servers for certificates satisfying the request is performed, located certificates are retrieved and processed at a first computing device to determine data that uniquely identifies each located certificate, and search result data comprising the determined data is communicated to a second device (e.g. a mobile device) for use in determining whether each located certificate is already stored on the second device.09-20-2012
20090193249PRIVACY-PRESERVING INFORMATION DISTRIBUTION SYSTEM - A system, device and method for keeping the identity of a user secret, while managing requests for information, in an information distribution system. The identity of the user is kept secret by the use of a persistent pseudonym and a temporary pseudonym, which are associated with a user identity device. The process of information distribution is enhanced by the use of licenses and certificates, which the user obtains by representing himself with the permanent pseudonym. When accessing the requested information, the user is represented by the temporary pseudonym.07-30-2009
20080209208Method and apparatus for managing digital certificates - Method and apparatus for managing digital certificates are described herein. In one embodiment, an encryption certificate is extracted from an email received from an owner of the encryption certificate, where the encryption certificate being issued from a trusted party other than the owner. Then the encryption certificate is associated with an entry of a directory based on an identity (ID) of the owner, where the directory provides directory services to one or more email servers. Other methods and apparatuses are also described.08-28-2008
20080209207AUTOMATED CERTIFICATE PROVISIONING FOR NON-DOMAIN-JOINED ENTITIES - A method of certificate provisioning is provided for entities that are not associated with a domain. In some implementations, certificate provisioning methods allow non-domain-joined entities to request and receive certificates through an automated process with a certificate provisioning portal. Through the automated process, the identity of the client may be verified using security identity information. The security identity information may include a pre-shared secret or a previously issued certificate from a trusted Certificate Authority.08-28-2008
20120131333SERVICE KEY DELIVERY IN A CONDITIONAL ACCESS SYSTEM - A method is provided by which a client device obtains authorized access to content delivered over a content delivery network. The method includes receiving an entitlement management message (EMM). The EMM includes at least one cryptographic key and a device registration server certificate ID (DRSCID) identifying a currently valid device registration server (DRS) public key certificate. The DRSCID obtained from the EMM is compared to a stored DRSCID value. An entitlement control message (ECM), which includes an encrypted traffic key for decrypting content, is received. If the DRSCID obtained from the EMM is determined to match the stored DRSCID, the traffic key is decrypted with the cryptographic key or a key derived from the cryptographic key to thereby access the content.05-24-2012
20100088507SYSTEM AND METHOD FOR ISSUING DIGITAL CERTIFICATE USING ENCRYPTED IMAGE - The present invention relates to a system and method for issuing a digital certificate using an encrypted image, in which a digital certificate is sealed in a digital envelope image so as to protect a digital certificate user from damages caused by hacking, phishing attacks and the like in the course of issuance, update and re-issuance of the digital certificate, and the method for issuing a digital certificate comprises the steps of: storing a user select image for issuing the digital certificate, by a proxy server or a certificate server; and requesting the certificate server to issue the digital certificate and, if the digital certificate is issued, creating a sealed digital envelope image by combining the digital certificate with the user select image and transmitting the digital envelope image to a user terminal.04-08-2010
20090210702SECURE APPLICATION SIGNING - A system and method for facilitating approval of an application and for making the application available for download by mobile computing devices has a first module configured to receive a user input received from a software development environment, a second module configured to initiate an application approval process based on the user input, and a third module configured to make the application available for download by mobile computing devices based on the approval process.08-20-2009
20100082974PARALLEL DOCUMENT PROCESSING - Documents distributed in parallel are processed. One or more digital document packages are received, where each digital document package includes a content portion and an identity-verification code (IVC) verifying an identity of a source from which the digital document package is received. Each IVC may be a private-key encryption of a content-verification code hashed from the content portion of each digital document package. A master digital document package is created, which includes a master content portion equivalent to the content portion in each unmodified digital document package, and one or more different IVCs, each IVC obtained from a digital document package received from a different source.04-01-2010
20090083539Method for Securely Creating an Endorsement Certificate in an Insecure Environment - A method and system for ensuring security-compliant creation and signing of endorsement keys of manufactured TPMs. The endorsement keys are generated for the TPM. The TPM vendor selects an N-byte secret and stores the N-byte secret in the TPM along with the endorsement keys. The secret number cannot be read outside of the TPM. The secret number is also provided to the OEM's credential server. During the endorsement key (EK) credential process, the TPM generates an endorsement key, which comprises both the public key and a hash of the secret and the public key. The credential server matches the hash within the endorsement key with a second hash of the received public key (from the endorsement key) and the vendor provided secret. The EK certificate is generated and inserted into the TPM only when a match is confirmed.03-26-2009
20100100730SYSTEM AND METHOD FOR SEARCHING AND RETRIEVING CERTIFICATES - A system and method for searching and retrieving certificates, which may be used in the processing of encoded messages. In one broad aspect, a method is provided in which a certificate search request is received, a search of one or more certificate servers for certificates satisfying the request is performed, located certificates are retrieved and processed at a first computing device to determine data that uniquely identifies each located certificate, and search result data comprising the determined data is communicated to a second device (e.g. a mobile device) for use in determining whether each located certificate is already stored on the second device.04-22-2010
20100100729Distribution medium for professional photography - The display of very high definition still images on a high definition television is achieved through the decryption of received images within a DRM capable decryption device embedded within a high definition TV. The decryption device stores a pre-set decryption key, decrypts the incoming high definition still image content, and applies pre-set licensing parameters against the decrypted content. If the license for the encrypted content is determined to be valid the very high definition still images are displayed on the TV, otherwise the TV will display a lack of authorization message if the licensing is determined to be not valid. The embedded DRM decryption device is capable of determining and enforcing a number of licensure conditions for any and all received encrypted imagery. This abstract is not to be considered limiting, since other embodiments may deviate from the features described in this abstract.04-22-2010
20090187760Security Mechanism within a Local Area Network - A local area network server may issue security certificates to client devices on the network for two-way authentication across the network. The certificates may be issued through a transaction performed over the network and, in some cases, may be automated. The server may have a self signed or a trusted security certificate which may serve as a basis for issuing certificates to various clients. After a certificate is issued, future communications on the network may be authenticated by both the server and client, and the communications may be encrypted using the certificates.07-23-2009
20110197061CONFIGURABLE ONLINE PUBLIC KEY INFRASTRUCTURE (PKI) MANAGEMENT FRAMEWORK - A method and apparatus is provided for establishing a process for provisioning a digital certificate service delivered by a PKI system. The method includes receiving a request for a digital certificate service and receiving data specifying a project that includes at least one product to be provisioned with a digital certificate. Data specifying an identification of an owner organization of the project and at least one participant organization participating in the project is also received. Attributes with which PKI data to be included in the digital certificates is to comply is received from the owner organization. Based on the received data and attributes, an account is established for each of the organizations associated with the project through which users associated with each of the organizations can respectively request digital certificates for the at least one product in accordance with the attributes received from the owner organization.08-11-2011
20090287923Reverse Mapping Method and Apparatus for Form Filling - In the presently preferred embodiment of the invention, every time a user submits a form the client software tries to match the submitted information with the stored profile of that user. If a match is discovered, the program tags the field of the recognized data with a corresponding type. The resulting profile can be used after that to help all subsequent users to fill the same form.11-19-2009
20100281253ISSUING A PUBLISHER USE LICENSE OFF-LINE IN A DIGITAL RIGHTS MANAGEMENT (DRM) SYSTEM - A publishing user publishes digital content and issues to itself a corresponding digital publisher license to allow itself to render the published digital content. The publishing user is supplied with a publishing certificate from a digital rights management (DRM) server, where the publishing certificate allows the publishing user to so publish the digital content and to so issue the publisher license.11-04-2010
20110271101Method, system and terminal device for realizing locking network by terminal device - A method, system and terminal device implement locking a terminal device onto a network. This method comprises a procedure of locking onto the network during accessing the network, namely performing locking-onto-network configuration verification in a network accessing authentication process, and if the locking-onto-network configuration verification is successful, allowing for verification for an authentication certificate, or else refusing the terminal device of access to the network. The method, system and terminal device in the present invention perform locking-onto-network configuration verification when performing authentication, and the terminal device and server uniformly configure a locking-onto-network character string, and thus it has a great security. Besides, the present invention also can implement unlocking and locking again after accessing the network via an air interface management in the OTA way, and thus it has high flexibility and applicability, and can satisfy the requirements of 4G networks such as the WiMAX network and LTE network.11-03-2011
20110208961SECURE MESSAGING SYSTEM - A method for secure data transactions over a computer network is described. In one embodiment, the act of generating at the first party a document, which authorizes the data transaction to proceed is performed. In one embodiment, the document content is signed using a computer network with audit-level encryption digital certificates. In one embodiment, a signed digital message (and/or document) is sent from the first party to the network transfer system electronically, and can be authenticated via the ICN certificate authorities to demonstrate the authorities of the signer of the signed document in assent to the transaction. In one embodiment, a copy of the signed digital document can be stored in a database associated with the transfer network system. In one embodiment, the system uses rules (patterns) of exchange agreed upon within and between organizations. These rules enable the exchange to progress smoothly and drive systematically the attention of participants to demands and problems etc. as a given transaction goes along.08-25-2011
20090037728Authentication System, CE Device, Mobile Terminal, Key Certificate Issuing Station, And Key Certificate Acquisition Method - Provided is an authentication system for improving user-friendliness. An IC card (02-05-2009
20080250241TRUSTED AND SECURE TECHNIQUES, SYSTEMS AND METHODS FOR ITEM DELIVERY AND EXECUTION - Documents and other items can be delivered electronically from sender to recipient with a level of trustedness approaching or exceeding that provided by a personal document courier. A trusted electronic go-between can validate, witness and/or archive transactions while, in some cases, actively participating in or directing the transaction. Printed or imaged documents can be marked using handwritten signature images, seal images, electronic fingerprinting, watermarking, and/or steganography. Electronic commercial transactions and transmissions take place in a reliable, “trusted” virtual distribution environment that provides significant efficiency and cost savings benefits to users in addition to providing an extremely high degree of confidence and trustedness. The systems and techniques have many uses including but not limited to secure document delivery, execution of legal documents, and electronic data interchange (EDI).10-09-2008
20090265546INFORMATION PROCESSING DEVICE, ELECTRONIC CERTIFICATE ISSUING METHOD, AND COMPUTER-READABLE STORAGE MEDIUM - An information processing device acquires first identification information of a computer to which the device is coupled, and records correspondence information indicating a correspondence between a product key of a predetermined program and the first identification information, and second identification information with respect to the correspondence information, in the device, if a license authentication with respect to the product key based on the first identification information is successful. The device generates an individual certificate package including a unique secret key and public key for each second identification information, and records the individual certificate package in the device in correspondence with each second identification information.10-22-2009
20090265545ELECTRONIC CERTIFICATE ISSUE SYSTEM AND METHOD - A registration part receives a product key of a program for performing a communication using a private key and a public key, and discrimination information of a computer using the program. The registration part registers in a management part, when an authentication of a license corresponding to the product key is completed in success, correspondence information between the product key and the discrimination information and other discrimination information regarding the correspondence information. A discrimination information sending part returns the other discrimination information to an electronic certificate issue apparatus. A checking part receives the other discrimination information and check whether the other discrimination information is registered in the management part. A certificate producing part produces, when the other discrimination information is registered in the management part, an individual certificate package containing the private key and the public key for each piece of the other discrimination information.10-22-2009
20090265544Method and system for using personal devices for authentication and service access at service outlets - Various embodiments of the present invention provide a method and an interaction system. A first set of information related to a user is received from a personal communication device with or without an embedded secure element, or from an independent secure element at a service outlet. The personal communication device and the secure element are associated with the user. Further, a trust is established between the service outlet and the secure element by a process of mutual authentication. If a personal communication device is used, a communication channel is established between the personal communication device and the service outlet. Thereafter, the user is provided access to multiple services offered by the service provider over the communication channel through the personal communication device. If a personal communication device is not used, the services are provided through the access point of the service outlet.10-22-2009
20080282085Method to Search for Affinities Between Subjects and Relative Apparatus - A method to search for affinities between subjects comprises the passages of effecting a step of registering a user with a certification authority (11-13-2008
20080313456Apparatus and method for irrepudiable token exchange - A server apparatus is operable in communication with mobile client apparatuses for securely recording the occurrence of a transactional exchange meeting between holders of the mobile client apparatuses. A token component sets up a meeting arrangement mediated by the server and to communicate a first issued token to a first mobile client apparatus and a second issued token to a second mobile client apparatus. A token validator component receives at least a portion of each of the tokens from the mobile client apparatuses. The token validator component validates that the at least a portion of the token received from the first mobile client apparatus matches at least a portion of the second issued token, and vice-versa. A transaction recorder component creates and maintains a secure record of at least the request, the response, the validation of the tokens, and a completion signal from each of the mobile client apparatuses.12-18-2008
20080276084Anonymity Revocation - Methods and systems for anonymity revocation, enabling a trusted entity to identify a user computer within an anonymous system. A system comprises an attester computer providing attestation value cert from a security module public key and an identifying value. The user computer having a module providing the module public key and a security module attestation value, the user computer providing a user public key, a user attestation-signature value derived from the attestation value cert, and an encryption computable under use of a trusted-entity public key and a module-generated-identifier value, the module-generated-identifier value relating to the identifying value; a verification computer verifying validity of received user attestation-signature value and the encryption; and a trusted entity having a trusted entity secret key, wherein the trusted entity is able to derive the module-generated-identifier value from the encryption, the module-generated-identifier value being usable to identify the user computer with the security module.11-06-2008
20110010540Method for Providing Information Security for Wireless Transmissions - A wireless communication system includes a pager or similar device that communicates to a home terminal. The home terminal confirms the identity of the pager and attaches a certificate to the message for ongoing transmission. Where the recipient is also a pager, an associated home terminal verifies the transmission and forwards it in a trusted manner without the certificate to the recipient.01-13-2011
20080307221Event-Ordering Certification Method - An event-ordering certification system 12-11-2008
20080270789METHOD AND SYSTEM FOR MESSAGING SECURITY - An e-mail firewall applies policies to e-mail messages transmitted between a first site and a plurality of second sites. The e-mail firewall includes a plurality of mail transfer relay modules for transferring e-mail messages between the first site and one of the second sites. Policy managers are used to enforce and administer selectable policies. The policies are used to determine security procedures for the transmission and reception of e-mail messages. The e-mail firewall employs signature verification processes to verify signatures in received encrypted e-mail messages. The e-mail firewall is further adapted to employ external servers for verifying signatures. External servers are also used to retrieve data that is employed to encrypt and decrypt e-mail messages received and transmitted by the e-mail firewall, respectively.10-30-2008
20080270787BIOMETRIC IDENTIFICATION NETWORK SECURITY - Systems and methods for regulating user access in the context of a biometric security system are disclosed. One method disclosed includes receiving a remotely transmitted data packet containing an encryption key, utilizing a decryption component to decrypt the data packet, and utilizing the encryption component to encrypt biometric data. Another method disclosed includes utilizing a processor, within a client computing device, to perform an encryption function within a biometric security system, wherein the encryption function is incorporated into an authentication process that involves a transfer of biometric information between the client computing device and a remotely implemented server.10-30-2008
20100005291APPLICATION REPUTATION SERVICE - The claimed subject matter is directed to the use of an application reputation service to assist users with minimizing their computerized machines' exposure to and infection from malware. Specifically, the claimed subject matter provides a method and system of an application reputation service that contains the reputations for elements that are known to be non-malicious as well as those known to be malicious.01-07-2010
20100146264METHOD AND SYSTEM FOR AUTHENTICATING A USER - The invention relates to a system and a method for authenticating a user. A removable storage medium (06-10-2010
20120272057Method and Apparatus for Secured Embedded Device Communication - In a computing device that includes a host operating system and a management engine separate from the host operating system, if the primary operating system is not operating, a management engine may obtain from a credential server via a first network connection logon information for a secured network and the management engine connects to the secure network through a secured connection using the logon information. If the operating system is operating the operating system provides the logon information to the management engine. Certificate verification may be performed by a remote server on behalf of the management engine. Other embodiments are disclosed and claimed.10-25-2012
20120272056KEY MANAGEMENT USING QUASI OUT OF BAND AUTHENTICATION ARCHITECTURE - To provide key management layered on a quasi-out-of-band authentication system, a security server receives a request for activation of a user interface window for a particular user from a network device via a communication channel. It then transmits an activation PIN to an out of band authentication system for forwarding to the user's telephone via a voice or text message. It next receives the previously transmitted PIN from the network device via the communication channel, and authenticates the user based on the received PIN. After authenticating the user, it establishes a secure, independent, encrypted communication channel between the user interface window and the security server on top of the original communication channel. It then generates and transmits to the user interface window and/or receives from the user interface window via the secure communication channel, key material and certificate material for public key and/or symmetric key cryptography based operations.10-25-2012
20110208962STREAMLINED PROCESS FOR ENROLLMENT OF MULTIPLE DIGITAL CERTIFICATES - The enrollment process for purchasing multiple digital certificates configured using different cryptographic algorithms or hashing algorithms is streamlined. A certificate purchaser wishing to purchase two or more certificates is prompted to provide answers to common enrollment questions, such as the purchaser's contact information, payment details, web sever software, and the like, using a simplified and streamlined enrollment process. Each certificate is optionally configured using a different hashing algorithm.08-25-2011
20090187761Methods and systems for proofing identities using a certificate authority - A digital certificate is provided to a customer having an electronic account linked to the customer's physical address. Using the digital certificate, the customer performs electronic transactions with a third party. A proofing workstation receives a request from a third party to validate the digital certificate. The proofing workstation communicates with a proofing server that maintains a list of valid certificates and a list of revoked certificates. The proofing server sends a response to the proofing workstation, where it is received by the third party.07-23-2009
20090259841Method for allocating multiple authentication certificates to vehicles in a vehicle-to-vehicle communication network - In a vehicle-to-vehicle communication network utilizing PKI security methods to protect communications and in which the PKI encryption utilizes a Certificate Authority having both a private key and a publicly distributed key, a method for allocating multiple certificates for each vehicle which are assigned to each vehicle in the communication network. The method includes the step of assigning a unique secret key k to each vehicle in the communication network. The Certificate Authority then creates a plurality of public key and private key encryption pairs for each vehicle and each encryption pair is associated with an index i. A plurality of certificates are then created with one certificate for each value of the index. A revocation list comprising the secret keys is maintained by the Certificate Authority so that all encryption pairs assigned to a particular vehicle may be revoked by the secret key k corresponding to that vehicle.10-15-2009
20090144540CERTIFICATE MANAGEMENT WITH CONSEQUENCE INDICATION - A certificate management operation request is managed on a device, access to which is governed by an authentication certificate. Upon receiving a request to perform a certificate management operation on a certificate, a consequence of performing the certificate management operation is determined and the consequence is indicated via a user interface of the device. For example, anytime a user attempts to use a certificate management application to delete, distrust or revoke a certificate, it is determined whether the certificate meets certain criteria, such as the certificate being the authentication certificate or being in the certificate chain of the authentication certificate. If the certificate meets the criteria, the user may be notified of a lack of permission to perform the requested operation and the operation may be prevented from completing. Alternatively, the user may be permitted to confirm the instruction to perform the requested operation, and the operation may be completed.06-04-2009
20090006844VERIFYING CRYPTOGRAPHIC IDENTITY DURING MEDIA SESSION INITIALIZATION - An authentication agent may cryptographically identify a remote endpoint that sent a media initialization message even though intermediate devices may modify certain fields in the message after a signature is inserted. The originating endpoint's agent may create the signature over some fields of the message using an enterprise network's private key. The agent may insert the signature into the message and send the message to a recipient endpoint's authentication agent. The recipient agent may verify the signature, receive a certificate including a second public key, and challenge the identity of the originating endpoint in order to confirm that identity. This challenge may request a confirmation that the originating endpoint knows the private key corresponding to the second public key and may occur while running encrypted media at the endpoints. After the originating endpoint is authenticated, the endpoints may exchange encrypted and/or unencrypted media.01-01-2009
20090024845METHOD AND SYSTEM FOR ENCRYPTION OF MESSAGES IN LAND MOBILE RADIO SYSTEMS - A method and system for authentication of a plurality of sites in a land mobile radio (LMR) system and for encryption of messages exchanged by the sites. The plurality of sites are connected by a data network (e.g., IP network). The method includes transmitting by a first site its certificate. The certificate is created by a trusted authority by applying a selected function to the public key, the ID and other relevant information of the first site with the trusted authority's private key to generate a reduced representation and then encrypting the reduced representation with the trusted authority's private key. The method further includes receiving, by the other sites in the LMR system, the certificate transmitted by the first site. The method further includes decrypting, by the other sites, the certificate transmitted by the first site and authenticating the first site, wherein the certificate is decrypted using the trusted authority's public key. The method further includes generating a session key, encrypting the session key with the public key of the first site, and transmitting the encrypted session key to the first site. The method further includes decrypting, by the first site, the encrypted session key with the first site's private key, and transmitting, by the first site, a message encrypted with the shared session key. The method further includes multicasting the encrypted message over the data network. The method further includes receiving, by the other sites in the LMR system, the encrypted message transmitted by the first site, and decrypting the message with the session key.01-22-2009
20090210701Multi-Media Access Device Registration System and Method - A method for enabling an access device to securely access content from at least a content provider and prevent a cloned access device from accessing such content. During registration of the access device with the content provider, the access device requests from a designated certificate authority a certificate having a public key of the content provider therein. Upon authentication of the certificate, the access device generates a key and uses the public key to exchange the key with the content provider. The key is then used for subsequent secure communications between the access device and the content provider. In this manner, a cloned device does not have access to the key and is unable to download content from the content provider.08-20-2009
20090083540Host device interfacing with a point of deployment (POD) and a method of processing Certificate status information - A host device interfacing with a point of deployment (POD) and a method of processing certificate status information are disclosed. A communication unit transmits/receives data via a network. A controller collects information associated with a certificate of the host device and information associated with a certificate of the POD, updates certificate status information on the basis of the collected information, and transmits the updated certificate status information via the communication unit when a request for the certificate status information is received via the communication unit.03-26-2009
20110145568HANDLING OF THE USAGE OF SOFTWARE IN A DISCONNECTED COMPUTING ENVIRONMENT - A method, computer program product and system of handling usage of software in a disconnected computing environment. A digital certificate including time frame constraints is generated, signed by a certificate authority and associated to the software. To be executed, the digital certificate previously signed must be validated by the certificate authority by checking public keys and the time frame constraints must be simultaneously satisfied in the disconnected computing environment. The use of software is controlled in disconnected computing environments and/or read-only computing environments, i.e. environments which are not modifiable or in which brought modifications are not persistent. The data collected by the software may be further encrypted and thus be controlled.06-16-2011
20110145567METHOD AND SYSTEM TO COMBINE MULTIPLE DIGITAL CERTIFICATES USING THE SUBJECT ALTERNATIVE NAME EXTENSION - A method for forming a digital certificate includes receiving contact information associated with the digital certificate. The contact information includes at least a name, a mailing address, and an email address. The method also includes receiving billing information associated with the digital certificate and receiving a Certificate Signing Request (CSR) for the digital certificate. The method further includes receiving a first name for use in forming the digital certificate and receiving a second name for use in forming the digital certificate. Moreover, the method includes receiving an indication of a vendor of web server software, receiving an indication of a service period for the digital certificate, and forming the digital certificate. The first name is stored in a Subject field of the digital certificate and the second name is stored in the SubjectAltName extension of the digital certificate.06-16-2011
20120079269SYNCHRONIZING CERTIFICATES BETWEEN A DEVICE AND SERVER - Systems and methods for processing messages within a wireless communications system are disclosed. A server within the wireless communications system maintains a list of certificates contained in devices that use the server. The server synchronizes or updates the list of certificates based on information contained in message to and from the device. By providing a server with certificates associated with devices that use the server, and providing a system and method for synchronizing the certificates between the device and server, the server can implement powerful features that will improve the efficiency, speed and user satisfaction of the devices. The exemplary embodiments also enable advantageous bandwidth savings by preventing transmission of certificates unnecessarily03-29-2012
20120079268SEPARATING AUTHORIZATION IDENTITY FROM POLICY ENFORCEMENT IDENTITY - The present invention extends to methods, systems, and computer program products for separating authorization identity from policy enforcement identity. Embodiments of the invention extend the consumption phase for protected information. Two identities, an authorization identity and a policy enforcement identity, are used for acquiring, issuing and enforcing usage license instead of one identity certificate. The authorization identity is used to evaluate against usage policy. The authorization identity is similar to identification information in an identity certificate. The policy enforcement identity is used to ensure the confidentiality of granted permissions and content key. The policy enforcement identity enforces a usage license on an authorization principal's (e.g., recipient's) machine. The policy enforcement identity's enforcement of a usage license is similar use of a cryptographic key in an identity certificate.03-29-2012
20120079267Securing Locally Stored Web-based Database Data - The present invention extends to methods, systems, and computer program products for locally storing Web-based database data in a secure manner. Embodiments of the present invention permit Web-based database data to be locally stored at a computer system to increase the efficiency of rendering the Web-based database data within a Web browser at the computer system. Web-based database data can be sandboxed per domain to mitigate (and possibly eliminate) the exposure of the Web-based database data to malicious computer systems. A web server may be required to authenticate itself before it may present database data to be locally stored at a computer system. A web server may be required to authenticate itself before being allowed to access database data stored locally at a computer system.03-29-2012
20090204809INFORMATION PROCESSING DEVICE, INFORMATION PROCESSING METHOD, AND COMPUTER-READABLE RECORDING MEDIUM - An information processing device is arranged to acquire a first public key certificate and a first secret key from a server device by acquiring an individual identification information which is uniquely discriminable for the information processing device from the information processing device and transmitting the individual identification information to the server device. The information processing device is arranged to determine whether the information processing device is permitted to transmit device information to the server device through an encryption communication using the first public key certificate and the first secret key, by acquiring the individual identification information from the information processing device and comparing the acquired individual identification information with the individual identification information associated with at least one of the first public key certificate and the first secret key.08-13-2009
20090100263METHODS AND SYSTEMS FOR ENCOURAGING SECURE COMMUNICATIONS - Embodiments of the present invention enable a user to engage in secure communications using digital certificates and other cryptographic technologies in an easy way with a minimum of distracting interaction. In some embodiments of the present invention, webmail is enabled to allow users to obtain and use S/MIME certificates to secure his or her e-mails. Embodiments of the present invention can also be implemented to other forms of messaging, such as text messages, instant messages, etc.04-16-2009
20090063852AUTHENTICATION FOR AD HOC NETWORK SETUP03-05-2009
20090204810Architecture and Design for Central Authentication and Authorization in an On-Demand Utility Environment - A Centralized Authentication & Authorization (CAA) system that facilitates secure communication between service clients and service providers. CAA comprises a Service Request Filter (SRF), a Service Client Authentication Program (SCAP), a Service Authorization Program (SAP), and an Authorization Database (ADB). The SRF intercepts service requests, extracts the service client's identifier from a digital certificate attached to the request, and stores the identifier in memory accessible to service providers. In the preferred embodiment, the SRF forwards the service request to a web service manager. The web service manager invokes SCAP. SCAP matches the identifier with a record stored in ADB. SAP queries ADB to determine if the service request is valid for the service client. If the service request is valid, SAP authorizes the service request and the appropriate service provider processes the service request.08-13-2009
20090106549METHOD AND SYSTEM FOR EXTENDING ENCRYPTING FILE SYSTEM - Users can share encrypted files without having access to other users' public key certificates, by specifying only the other users' identity information. A client agent interacts with a trusted service account to transparently add user encryption certificates to encrypted files after it was created. A header of each encrypted file includes signed encrypted data blocks, file system metadata, and a digital signature. When a user attempting to open an encrypted file is denied access, the client agent transmits the header data and the encryption certificate of the user to the trusted service account, with a request that the user encryption certificate be added to modify the encrypting file system metadata. After the trusted service account determines tampering has not occurred enroute and the user is authorized to access the file, the modified header data are returned to the client agent to enable the user to open the file.04-23-2009
20090222658ROAMING UTILIZING AN ASYMMETRIC KEY PAIR - Techniques for generating a portion of a split private key are provided. A first symmetric key and a second symmetric key different than the first symmetric key are generated at a first location. The generated second symmetric key and a first one of multiple factors for generating the private key portion encrypted with the generated first symmetric key are transmitted. Then, at a second network location, the symmetric keys are again generated. The encrypted first factor is received at the second network location subsequent to a user authentication based upon the second symmetric key generated at the second network location. The received encrypted first factor is then decrypted with the first symmetric key generated at the second network location, the decrypted first factor usable to generate the portion of the split private key of the asymmetric key pair.09-03-2009
20090222659COMMUNICATION DEVICE AND COMMUNICATION METHOD - A communication device for performing communication by employing first and second communication units, includes: a reception unit for receiving a communication packet including a random number generated for every connection with another communication device, a certificate calculated with the random number, and authentication method information indicating whether or not an authentication method at the second communication unit is compatible with the public key system, through the first communication unit; and a method determining unit for determining whether or not an originator of the communication packet accepts public key encryption based on the authentication method information included in the communication packet; wherein in a case of the method determining unit determining that the originator of the communication packet does not accept the public key system, the random number included in the communication packet is replied to the originator as the identification information of the device itself.09-03-2009
20090249061CERTIFYING A VIRTUAL ENTITY IN A VIRTUAL UNIVERSE - An invention for certifying a virtual entity in a virtual universe is disclosed. A virtual business may opt to register with a security certificate administration center to obtain a security certificate. A user of another virtual entity is provided with an ability to initiate a verifying process to check whether a security certificate symbol or a graphic resembling a security certificate symbol represents a valid security certificate. Virtual universe client and server software may be modified to enable a secured connection between the user and the security certificate administration center for the verification.10-01-2009
20090249060DATA SECURITY MANAGEMENT SYSTEM AND METHODS - A system is provided for managing security rights of protected data having a plurality of security groups. The system comprises a client configured to generate the protected data, wherein a user of the client is a member of a subset of the plurality of security groups. The client comprising a key generator configured to generate a plurality of security group keys, wherein each membership key is associated with a security group selected by the user of the client and a combination key generator configured to generate a combination key based on the plurality of security group keys, wherein the client is configured to encrypt the protected data with the combination key.10-01-2009
20100275012SERVER CERTIFICATE ISSUING SYSTEM AND PERSON AUTHENTICATION METHOD - A server certificate issuing system in which existence of a Web server for which a certificate is to be issued can be confirmed and security is further improved is realized, wherein the user authentication is carried out using a test certificate having the SSL certificate format. Servers transmit server certificate request to the registration server which transmits the test certificate request to the test certificate issuing authority. The test certificate issuing server transmits the generated test certificate to the registration server which transmits the test certificate to the corresponding server and requests to install the test certificate. Then, the registration server accesses with SSL protocol to the server and verifies whether or not the session of the SSL protocol has been established. The registration server transmits the CSR to the certificate issuing server only when the SSL protocol has been established.10-28-2010
20100153712SIGNATURE SCHEMES USING BILINEAR MAPPINGS - Methods and systems are provided for generating and verifying signatures of digital messages communicated between signers and verifiers. Using bilinear mappings, such as Weil or Tate pairings, these methods and systems enable generation and verification of efficient multisignatures, identity-based ring signatures, hierarchical proxy signatures, and hierarchical online/offline signatures.06-17-2010
20100161970USER TERMINAL AND METHOD OF MANAGING USER INFORMATION - A user terminal and a method of managing user information are provided. The method includes issuing a request for issuance of a certificate for a user to a certification authority; generating a document including at least part of user information using a certificate issued by the certification authority; and issuing a subscription request to a desired web service provider by providing the document including the at least part of the user information to the desired web service provider. Therefore, it is possible to strengthen the user's right to self-determination and control over the exposure and use of his or her personal information. In addition, it is possible to improve the reliability of user information provided to each website by the user.06-24-2010
20100161968Delivering content in digital postal envelope - Methods and apparatus, including computer program products, for generating and processing a digital document. The digital document includes private content that is accessible only upon a request for the private content, and presentation data that is accessible without the request for the private content. The presentation data defines a graphical representation of an addressed postal envelope that has a stamp side on which one or more intended recipients of the private content are represented as addressees.06-24-2010
20100161971AUTOMATED PROCESS FOR A WEB SITE TO RECEIVE A SECURE SOCKET LAYER CERTIFICATE - The present invention provides systems and methods for enabling encrypted communication capabilities for a Subscriber's Web Site, thereby allowing Customers to access the Subscriber's Web Site in a secure manner. A Hosting Provider, that hosts the Subscriber's Web Site, and a Certificate Authority (CA), that verifies the identity of the Subscriber, provide the Subscriber's Web Site with Secure Sockets Layer (SSL) encrypted communications capability. The Hosting Provider and CA communicate directly with each other as needed, typically via the Internet, without using the Subscriber as an intermediary in their communications.06-24-2010
20100161969NETWORK DEVICE AUTHENTICATION - The present invention relates to using digital certificates to allow network devices to authenticate themselves upon being accepted into and forming part of a communication network.06-24-2010
20100228968SPLIT TERMINATION OF SECURE COMMUNICATION SESSIONS WITH MUTUAL CERTIFICATE-BASED AUTHENTICATION - A method and apparatus are provided for split-terminating a secure client-server communication connection when the client and server perform mutual authentication by exchanging certificates, such as within a Lotus Notes environment. When the client submits a certificate to the server, an intermediary device intercepts the certificate and submits to the server a substitute client certificate generated by that intermediary. A certificate authority's private key is previously installed on the intermediary to enable it to generate public keys, private keys and digital certificates. With the private key corresponding to the substitute certificate, the intermediary extracts a temporary key from a subsequent server message. The intermediary uses the temporary key to read a session key issued later by the server. Thereafter, the intermediary shares the session key with another intermediary, and together they use the session keys to access and optimize (e.g., accelerate) messages sent by the client and the server.09-09-2010
20100241851SYSTEM AND METHOD FOR VALIDATING CERTIFICATE ISSUANCE NOTIFICATION MESSAGES - To validate a received certificate issuance notification message, a device may verify that the certificate issuance notification message conforms to expected norms or authenticate a signature associate with the certificate issuance notification message. Upon validating, the device may then transmit a uniform resource locator, extracted from the certificate issuance notification message, to a network entity configured for processing certificate issuance.09-23-2010
20100228969CUSTOMIZABLE PUBLIC KEY INFRASTRUCTURE AND DEVELOPMENT TOOL FOR SAME - A public key infrastructure comprises a client side to request and utilize certificates in communication across a network and a server side to administer issuance and maintenance of said certificates. The server side has a portal to receive requests for a certificate from a client. A first policy engine to processes such requests in accordance with a set of predefined protocols. A certification authority is also provided to generate certificates upon receipt of a request from the portal. The CA has a second policy engine to implement a set of predefined policies in the generation of a certificate. Each of the policy engines includes at least one policy configured as a software component e.g. a Java bean, to perform the discreet functions associated with the policy and generate notification in response to a change in state upon completion of the policy.09-09-2010
20100235626APPARATUS AND METHOD FOR MUTUAL AUTHENTICATION IN DOWNLOADABLE CONDITIONAL ACCESS SYSTEM - A mutual authentication apparatus in a Downloadable Conditional Access System (DCAS) includes an announce protocol processor to authenticate SecurityAnnounce information using an Authentication Proxy (AP) and to transmit the authenticated SecurityAnnounce information to a Secure Micro (SM), a keying protocol processor to relay KeyRequest information and KeyResponse information between a Trusted Authority (TA) and the SM in response to the SecurityAnnounce information, a decryption unit to decrypt the KeyResponse information using the SM, an authentication protocol processor to determine whether a first encryption key of the KeyResponse information is identical to a second encryption key generated by the AP, and a download protocol processor to control DownloadInfo to be transmitted from the AP to the SM, the DownloadInfo permitting the SM to download SM Client Image information.09-16-2010
20100241852Methods for Producing Products with Certificates and Keys - The embodiments described herein provide methods for producing products with certificates and keys. In one embodiment, a requesting entity transmits a request for a plurality of certificates and corresponding keys to a certifying entity that generates the certificates and corresponding keys. The request preferably includes information for use by the certifying entity to verify an identity of the requesting entity rather than information to verify unique product identifiers of the respective products. The requesting entity then receives the plurality of certificates and corresponding keys from the certifying entity, preferably in a plurality of organized sets instead of in a single series of certificates. The requesting entity then stores the certificates and corresponding keys in respective products. Each stored certificate is thereafter useable for both identification and authentication of the respective product in which it is stored.09-23-2010
20100235625TECHNIQUES AND ARCHITECTURES FOR PREVENTING SYBIL ATTACKS - Techniques and architectures for preventing Sybil attacks are provided. A node authenticates to a local certificate authority associated with a social networking group. The local certificate authority issues an encrypted certificate with a secret to the node. The node then makes a request to participate in another external group via a remote certificate authority. The remote certificate authority verifies the secret and grants permission to the node to participate in the external group. Also, a dynamic architecture permits local nodes in a social networking group self organize with some nodes becoming local certificate authorities and others becoming regular participants.09-16-2010
20100211773Validating the Origin of Web Content - Described herein is a technique of protecting users against certain types of Internet attacks. The technique involves obtaining certificates from visited web sites and qualifying communications with those web sites based on the content of the certificates.08-19-2010
20100211772Collaborative Reconciliation of Application Trustworthiness - A mobile terminal receives trustworthiness information for a software application by receiving a voucher that indicates the trustworthiness of that application as represented by a third party. To ensure the integrity of this information, the mobile terminal authenticates the voucher and verifies that the software application is the one having its trustworthiness indicated by the voucher. Given such indications of trustworthiness, a user of the mobile terminal may decide whether install and run it. If decided in the affirmative, the user may form his or her own basis for the trustworthiness of the software application. Accordingly, the mobile terminal may also create a new voucher that indicates the trustworthiness of the software application as represented by the user. With third parties representing the trustworthiness of software applications in this manner, their development is not hindered by the imposition of security requirements on application developers.08-19-2010
20120144190DEVICES AND METHODS FOR ESTABLISHING AND VALIDATING A DIGITAL CERTIFICATE - A digital certificate is configured to confirm the association of a public key assigned to a device as the owner of the public key to the device. The digital certificate further has an additional digital certificate, the additional digital certificate being a certificate of an additional device configured to digitally sign the digital certificate of the device. The certification process can be improved, wherein particularly the verification of digital certificates is improved. The various embodiments are particularly useful for applications where a secure communication of information or data is desired and/or should be made possible.06-07-2012
20100049970METHODS AND SYSTEMS FOR SECURE COMMUNICATIONS USING A LOCAL CERTIFICATION AUTHORITY - A local network traffic processor and an application are resident on a common computer system. The application is configured to trust a server certificate issued by a local network traffic processor, the local network traffic processor operatively being paired with a remote network traffic processor. A proxy server certificate, generated using identification information of a server associated with the remote network traffic processor and signed by the local certification authority, is used to establish a secure session between a local network traffic processor and the application.02-25-2010
20100049969System and method for providing security in mobile WiMAX network system - A system for providing security in a mobile Microwave Access (WiMAX) network system is constructed with a licensed certification authority providing a certificate and a first encryption module storing the certificate provided by the licensed certification authority, encrypting a traffic encryption key and a message generated by the first encryption module with the stored certificate, and transmitting the encrypted traffic encryption key and message to a destination. When receiving a message encrypted with a traffic encryption key, the first encryption module decrypts the received message with the traffic encryption key generated by the first encryption module and processes the message. The system is further constructed with a second encryption module. When receiving the message encrypted with the certificate from the first encryption module, the second encryption module decrypts the received message with the certificate provided by the licensed certification authority to detect the traffic encryption key, and encrypts a message with the detected traffic encryption key to transmit the encrypted message.02-25-2010
20110113238CERTIFICATE ENROLLMENT WITH PURCHASE TO LIMIT SYBIL ATTACKS IN PEER-TO-PEER NETWORK - A system may protect against Sybil attacks on a peer-to-peer (P2P) network based on each one the nodes in the P2P network being identified by a corresponding certificate. In particular, a node may receive a license key, where the license key is evidence of a purchased product license. The node may transmit a message included in the license key to a certificate authority. The node may receive a certificate from the certificate authority in response to authentication of the message. The node may be identified in the P2P network with a node identifier included in the certificate.05-12-2011
20090259842METHOD, PRODUCT AND APPARATUS FOR ACCELERATING PUBLIC-KEY CERTIFICATE VALIDATION - A validation authority for certificates searches for and verifies paths and certificate revocation lists periodically, and classifies the paths into valid paths and invalid paths in accordance with the results of the validations, so as to register the paths in databases beforehand. Besides, in a case where a request for authenticating the validity of a certificate has been received from an end entity, the validation authority judges the validity of the public key certificate by checking in which of the valid-path database and the invalid-path database a path corresponding to the request is registered. On the other hand, in a case where the path corresponding to the validity authentication request is not registered in either of the databases, the validity of the public key certificate is authenticated by performing path search and validation anew.10-15-2009
20090327706ACCOUNT MANAGEMENT SYSTEM, ROOT-ACCOUNT MANAGEMENT APPARATUS, DERIVED-ACCOUNT MANAGEMENT APPARATUS, AND PROGRAM - A root-account management apparatus generates an electronic signature based on a survival condition and a secret key when an authentication result of a user of a client apparatus is proper, and transmits derived-account credence element information including the survival condition, the electronic signature and a public key certificate to a derived-account management apparatus. The derived-account management apparatus creates derived-account information which becomes valid when the survival condition is satisfied so that the derived-account information includes both the derived-account credence element information which becomes invalid when a validity term of the public key certificate expires and a biometric information template of the user which is valid regardless of this validity term. Accordingly, even if an authentication element as a root (public key certificate) becomes invalid, a derived authentication element (biometric information template) can be prevented from becoming invalid.12-31-2009
20110113240CERTIFICATE RENEWAL USING ENROLLMENT PROFILE FRAMEWORK - A method and system for renewing digital certificates using an enrollment profile framework is described.05-12-2011
20110113239RENEWAL OF EXPIRED CERTIFICATES - A method and system for renewal of expired certificates is described. In one embodiment, a method, implemented by a computing system programmed to perform operations, includes receiving, at a certificate manager of a computing system from a requester, a certificate renewal request for an original digital certificate that has already expired, and renewing the expired certificate as a renewed certificate by the certificate manager when the certificate renewal request is approved. The renewed certificate comprises the same key pair as the original certificate, but includes a new expiration date, and wherein the renewed certificate is functionally identical to the original certificate.05-12-2011
20100191960TOKEN BASED TWO FACTOR AUTHENTICATION AND VIRTUAL PRIVATE NETWORKING SYSTEM FOR NETWORK MANAGEMENT AND SECURITY AND ONLINE THIRD PARTY MULTIPLE NETWORK MANAGEMENT METHOD - A two-factor network authentication system uses “something you know” in the form of a password/Pin and “something you have” in the form of a key token. The password is encrypted in a secure area of the USB device and is protected from brute force attacks. The key token includes authentication credentials. Users cannot authenticate without the key token. Four distinct authentication elements that the must be present. The first element is a global unique identifier that is unique to each key. The second is a private credential generated from the online service provider that is stored in a secure area of the USB device. The third element is a connection profile that is generated from the online service provider. The fourth element is a credential that is securely stored with the online service provider. The first two elements create a unique user identity. The second two elements create mutual authentication.07-29-2010
20090222657Methods And Apparatus For Use In Obtaining A Digital Certificate For A Mobile Communication Device - In one illustrative scenario, a mobile device receives configuration information which includes information for use in constructing a request message for obtaining a digital certificate from a certificate authority (CA). After receipt of the configuration information, the mobile device constructs the request message for the digital certificate and causes it to be sent to a host server of a communication network. In response, the host server requests and obtains the digital certificate from the CA on behalf of the mobile device, and thereafter “pushes” the received digital certificate to the mobile device. The mobile device receives the digital certificate and stores it for use in subsequent communications. The host server may be part of a local area network (LAN) which includes a wireless LAN (WLAN) adapted to authenticate the mobile device based on the digital certificate, so that the mobile device may obtain access to the WLAN.09-03-2009
20110066849METHOD AND SYSTEM FOR VERIFYING THE IDENTITY OF A COMMUNICATION PARTNER - A method for verifying the identity of a communication partner, in particular in real-time communications, wherein a caller (A) sends a message towards a callee (B), and wherein the caller (A) attaches a self-signed certificate to the message, characterized in that the caller (A) and the callee (B) are part of a web-of-trust, wherein certificates of users within the web-of-trust are stored by one or more key-servers (03-17-2011
20110066848REMOTE CERTIFICATE MANAGEMENT - A system for managing security certificates on a plurality of remote computers comprises a certificate manager that can determine in accordance with at least one preestablished criterion whether a security certificate on a remote computer is to be managed. The system also includes an installer module that can access an account of the remote computer to manage the security certificate. Methods of using the system are also provided.03-17-2011
20100268942Systems and Methods for Using Cryptographic Keys - Systems and methods for using cryptographic keys read an existing digital certificate from a hardware cryptographic device and extract a public key from the existing digital certificate. A certificate request message is generated that identifies a new usage and/or certificate field associated with the public key. The certificate request message is signed and communicated to a certification authority. A new digital certificate is received from the certification authority that includes the new usage/field. The new digital certificate is then applied to cryptographic operations, such as signing procedures, encryption procedures and so forth using the existing key pair.10-21-2010
20090319782Interconnectable personal computer architectures that provide secure, portable, and persistent computing environments - Disclosed are interconnectable personal computer architectures comprising secure, portable and persistent computing environments that provide secure computing sessions with persistence. The computing environments are implemented using a secure non-computing client device, such as a USB device, that interfaces with a host computer and, optionally, a trusted server. The secure non-computing client device is used to instantiate a secure BIOS and a secure cold or warm boot of the host computer, from the client device, in a host protected area of the host computer, or from the trusted server. The client device comprises a security device, such a trusted platform module, that encrypts and decrypts data transferred between the client apparatus and the host computer to provide a sealed computing environment on the host computer. The client device may implement keyboard logger attack prevention. The client device may also implement a high assurance guard to protect applications. The client device may also comprise security wrapper software that encapsulates malware processed by the host computer. Computing methods and software are also disclosed.12-24-2009
20090319779METHOD AND DEVICE FOR ENSURING INFORMATION INTEGRITY AND NON-REPUDIATION OVER TIME - The present invention relates to a method and a device for ensuring information integrity and non-repudiation over time. A basic idea of the present invention is to provide a mechanism for secure distribution of information, which information relates to an instance in time when usage of cryptographic key pairs associated with a certain brand identity commenced, as well as when the key pairs ceased to be used, i.e. when the key pairs were revoked. The mechanism further allows a company or an organization to tie administration of cryptographic key pairs and a procedure for verifying information integrity and non-repudiation to their own brand. This can be seen as a complement or an alternative to using a certificate authority (CA) as a trusted third party, which CA guarantees an alleged relation between a public key and the identity of the company or organization using the cryptographic key pair to which that public key belongs.12-24-2009
20090319783Method of Aggregating Multiple Certificate Authority Services - The disclosure relates to the management of PKI digital certificates, including certificate discovery, installation, verification and replacement for endpoints over an insecure network. A database of certificates may be maintained through discovery, replacement and other activities. Certificate discovery identifies certificates and associated information including network locations, methods of access, applications of use and non-use, and may produce logs and reports. Automated requests to certificate authorities for new certificates, renewals or certificate signing requests may precede the installation of issued certificates to servers using installation scripts directed to a particular application or product, which may provide notification or require approval or intervention. An administrator may be notified of expiring certificates, using a database or scanning or server agents. Detailed information on various example embodiments of the inventions are provided in the Detailed Description below, and the inventions are defined by the appended claims.12-24-2009
20090319781SECURE MESSAGE DELIVERY USING A TRUST BROKER - An email security system is described that allows users within different organizations to securely send email to one another. The email security system provides a federation server on the Internet or other unsecured network accessible by each of the organizations. Each organization provides identity information to the federation server. When a sender in one organization sends a message to a recipient in another organization, the federation server provides the sender's email server with a secure token for encrypting the message to provide secure delivery over the unsecured network.12-24-2009
20090106548METHOD FOR CONTROLLING SECURED TRANSACTIONS USING A SINGLE PHYSICAL DEVICE, CORRESPONDING PHYSICAL DEVICE, SYSTEM AND COMPUTER PROGRAM - A method is provided for controlling secure transactions using a physical device held by a user and bearing at least one pair of asymmetric keys, including a device public key and a corresponding device private key. The method includes, prior to implementing the physical device, certifying the device public key with a first certification key of a particular certifying authority, delivering a device certificate after verifying that the device private key is housed in a tamper-proof zone of the physical device; verifying the device certificate by a second certification key corresponding to the first certification key; and in case of a positive verification, registering the user with a provider delivering a provider certificate corresponding to the signature by the provider of the device public key and an identifier of the user.04-23-2009
20090106547AUTHENTICATION SYSTEM, AUTHENTICATION DEVICE, TERMINAL, AND VERIFYING DEVICE - An authentication system, including a service use device 04-23-2009
20080229098ON-LINE TRANSACTION AUTHENTICATION SYSTEM AND METHOD - A system and method for authenticating an on-line user by authenticating the computing device being used by the user. The method may comprise reading device information from a computing device, creating a device credential from the device information; and, communicating the device credential to an authenticating body for authentication. The method may additionally comprise receiving personal information from a user; creating a user credential from the personal information and, communicating the user credential along with the device credential to the authenticating body for authentication.09-18-2008
20090106550EXTENDING ENCRYPTING WEB SERVICE - A data encryption service is provided over the Internet. Users specifying only authorized users' identity information can share encrypted information without sharing passwords or accessing public key certificates. A user sends data to be encrypted to a trusted EWS, along with authorization information. An encrypted data envelope including signed encrypted data blocks, authorization information, and a digital signature is returned to the user. When a second user attempts to access the data inside the encrypted data envelope, it is transmitted to the EWS. If the EWS authenticates the second user, determines that tampering has not occurred, and verifies the second user's identity against the authorization information in the data envelope, then the data are returned. The encrypted data envelope can be expressed as a raw byte stream or encoded within an HTML file to enable browser-based data envelope submission and retrieval.04-23-2009
20100306533SYSTEM, METHOD, AND APPARATA FOR SECURE COMMUNICATIONS USING AN ELECTRICAL GRID NETWORK - A secure communications and location authorization system using a power line or a potion thereof as a side-channel that mitigates man-in-the-middle attacks on communications networks and devices connected to those networks. The system includes a power grid server associated with a substation, or curb-side distribution structure such as a transformer, an electric meter associated with a structure having electric service and able to communicate with the power grid server, a human authorization detector input device connected to the electric meter and the power grid server. The human authorization detector is able to receive an input from a user physically located at the structure and capable of communicating with the power grid server via the electric meter. The user's physical input into the device causing a request to be sent to the power grid server that then generates a location certificate for the user. Without the location certificate, access to the communications network and devices connected to those networks can be denied.12-02-2010
20100306532AUTHENTICATION VERIFYING METHOD, AUTHENTICATION VERIFYING MEMBER AND AUTHENTICATION VERIFYING MEMBER PRODUCING METHOD - Authentication verifying for an object to be certified is carried out. An authentication verifying chip in which authentication verifying information is stored is mounted non-removably on a certificate. A confirmation chip in which the authentication verifying information is encrypted by a crypt key of a certificate issuer and is stored is mounted non-removably on the object to be certified. When verifying the authenticity of the object to be certified, the encrypted authentication verifying information in the confirmation chip is decrypted by the crypt key of the certificate issuer, and it is compared to the authentication verifying information in the authentication verifying chip.12-02-2010
20110113241IC CARD, IC CARD SYSTEM, AND METHOD THEREOF - An IC card includes: a common key set upon issuance of a card by an IC card issuer; a public key certificate of a parent IC card issued by an authentication station; a signed public key which has been signed by using the parent IC card secret key; a key storage unit which stores the secret key; a data transmission/reception unit which receives at least the public key certificate and the signed public key from the parent IC card; an encryption calculation unit which decodes encrypted user biometric information received from the parent IC card; and a biometric information storage unit which stores first biometric information which has been decoded. The use of the IC card is limited depending on whether biometric information is correct.05-12-2011
20130132717Mobile Handset Identification and Communication Authentication - Disclosed is a system and method for authenticating a communications channel between a mobile handset associated with a user and an application server, for uniquely identifying the mobile handset and for encrypting communications between the mobile handset and the application server over the communication channel is provided. The system includes a certificate authority configured to issue digital certificates to the handset and the application server, as well as software applications operating on both the handset and application server. The digital certificates may be used by the handset and application server to uniquely identify one another as well as to exchange encryption keys by means of which further communication between them may be encrypted.05-23-2013
20100318788METHOD OF MANAGING SECURE COMMUNICATIONS - An exemplary method of managing secure communications between nodes includes receiving a public key of a node associated with a certification authority. A root node certificate is provided to the node responsive to the received public key. The root node certificate indicates that the received public key belongs to the node. A root self-signed certificate corresponding to a public key of the certification authority is also provided to the node.12-16-2010
20100306531Hardware-Based Zero-Knowledge Strong Authentication (H0KSA) - Systems and methods are provided for a device to engage in a zero-knowledge proof with an entity requiring authentication either of secret material or of the device itself. The device may provide protection of the secret material or its private key for device authentication using a hardware security module (HSM) of the device, which may include, for example, a read-only memory (ROM) accessible or programmable only by the device manufacturer. In the case of authenticating the device itself a zero-knowledge proof of knowledge may be used. The zero-knowledge proof or zero-knowledge proof of knowledge may be conducted via a communication channel on which an end-to-end (e.g., the device at one end and entity requiring authentication at the other end) unbroken chain of trust is established, unbroken chain of trust referring to a communication channel for which endpoints of each link in the communication channel mutually authenticate each other prior to conducting the zero-knowledge proof of knowledge and for which each link of the communication channel is protected by at least one of hardware protection and encryption.12-02-2010
20130138953COMBINING MULTIPLE DIGITAL CERTIFICATES - A method for forming a digital certificate includes receiving contact information associated with the digital certificate. The contact information includes at least a name, a mailing address, and an email address. The method also includes receiving billing information associated with the digital certificate and receiving a Certificate Signing Request (CSR) for the digital certificate. The method further includes receiving a first name for use in forming the digital certificate and receiving a second name for use in forming the digital certificate. Moreover, the method includes receiving an indication of a vendor of web server software, receiving an indication of a service period for the digital certificate, and forming the digital certificate. The first name is stored in a Subject field of the digital certificate and the second name is stored in the SubjectAltName extension of the digital certificate.05-30-2013
20100325427METHOD AND APPARATUS FOR AUTHENTICATING A MOBILE DEVICE - An approach is provided for authenticating a mobile device. A mobile device initiates transmission of a request to an authentication platform for generating a public-key certificate to access a service from the mobile device. The mobile device receives an identity challenge and responds by initiating transmission of a tag specific to the mobile device to the authentication platform. The authentication platform uses the tag to generate a public-key certificate.12-23-2010
20100325426PROTECTED SOFTWARE IDENTIFIERS FOR IMPROVING SECURITY IN A COMPUTING DEVICE - A computing device is operated in a manner such that, where application software includes a unique software identifier, this can be taken from an unprotected range (which can be allocated to any application software) or from a protected range (which can only be used by digitally signed software). On installation, the unique software identifiers are checked to ensure they do not clash with any belonging to software already on the device, and that, if they are from the protected range, the software being installed was digitally signed. Checks for ownership of the unique identifiers can also made at the time an application is signed.12-23-2010
20130145151Derived Certificate based on Changing Identity - A first device with a changing identity establishes a secure connection with a second device in a network by acting as its own certificate authority. The first device issues itself a self-signed root certificate that binds an identity of the first device to a long-term public key of the first device. The root certificate is digitally signed using a long-term private key, where the long-term public key and the long-term private key form a public/private key pair. The first device provides its root certificate to the second device in any trusted manner. The first device can then create a certificate for one or more short-term identities acquired by the first device and sign the newly-created certificate using the long-term private key. The first device can authenticate itself to the second device by sending the newly-created certificate to the second device.06-06-2013
20130145152SECURE PREFIX AUTHORIZATION WITH UNTRUSTED MAPPING SERVICES - In one embodiment, a first router associated with a first network node sends a first map lookup that includes a particular device identifier associated with a second network node to a mapping service that maintains a plurality of mappings that associate device identifiers with device locations. The first router receives, from a second router associated with the second network node, a map response that includes a particular device location that corresponds to the particular device identifier for the second network node. The first router establishes a secure session with the second router, and determines, based on the secure session, whether the second router is authorized to reply for the particular device identifier associated with the second network node.06-06-2013
20130145153METHOD AND DEVICE FOR SECURE NOTIFICATION OF IDENTITY - A system, methods and devices for the secure notification of an identity in a communications network. The methods include sending or receiving a communication including a hash of a certificate of a device to notify or detect the presence of the device in a network. Each certificate is associated with an identity which is excluded from the communication of the hash of the certificate. The received hash is compared to hashes of certificates stored in an electronic device to determine an identity. The identity may represent an electronic device or a user of the electronic device.06-06-2013
20130145154GAMING MACHINE CERTIFICATE CREATION AND MANAGEMENT - Methods and systems for creating and managing certificates for gaming machines in a gaming network using a portable memory device. A gaming machine creates a certificate signing request which is stored on a portable memory device at the machine. Then, the memory device is coupled with an appropriate CA server. A certificate batch utility program on the server downloads and processes the CSRs. A certificate services program on the server issues gaming machine certificates according to the CSRs. In one embodiment, the certificates are uploaded onto the memory device, along with copies of certificate authority server certificates, including a root CA certificate. Then, the memory device is coupled with the gaming machine and software on the machine identifies and downloads its certificate based on the certificate file name.06-06-2013
20130145155PROVISIONING MULTIPLE DIGITAL CERTIFICATES - A method of provisioning a first digital certificate and a second digital certificate based on an existing digital certificate includes receiving information related to the existing digital certificate. The existing digital certificate includes a first name listed in a Subject field and a second name listed in a SubjectAltName extension. The method also includes receiving an indication from a user to split the existing digital certificate and extracting the first name from the Subject field and the second name from the SubjectAltName extension of the existing digital certificate. The method further includes extracting the public key from the existing digital certificate, provisioning the first digital certificate with the first name listed in a Subject field of the first digital certificate and the public key, and provisioning the second digital certificate with the second name listed in a Subject field of the second digital certificate and the public key.06-06-2013
20130145156SYSTEMS AND METHODS FOR CREDENTIALING - A method includes issuing non-unique credentials to an operations management agent (“the agent”). The method further includes establishing a first encrypted communication channel between an operations management server (“the server”) and the agent based on the non-unique credentials. The method further includes issuing, automatically based on the establishing, unique credentials to the agent. The method further includes replacing, automatically based on the issuing of the unique credentials, the first encrypted communication channel with a second encrypted communication channel that is based on the unique credentials.06-06-2013
20100325428System and Method for Authentication of a Hardware Token - A method for authentication. A computer obtains a random number R generated by a hardware token. The computer forms and returns to the hardware token a signature Ck′(R) formed using the random number R with a computer secret key Ck′. The computer receiving from the hardware token authentication of the signature Ck′(R) that is performed by the hardware token using a computer public key Ck stored in the hardware token.12-23-2010
20090144542SYSTEM FOR DISTRIBUTING DIGITAL MEDIA TO EXHIBITORS - A system for packaging digital media and distributing digital media to exhibitors is described, which system enables distribution by utilizing media content booking, media content packaging, encryption, and delivery components.06-04-2009
20100185850METHOD AND DEVICE FOR AUTHENTICATING LEGAL NEIGHBOR IN GROUP KEY MANAGEMENT - Method and device for authenticating a legal neighbor in group key management (GKM) are disclosed. The method includes: members on a local network that needs the automatic GKM service store a group shared key and a group authentication algorithm; an authenticating member receives a first authentication value and authentication information of an authenticated member sent from the authenticated member, where the first authentication value is calculated by the authenticated member by using the group shared key and the authentication information of the authenticated member according to the group authentication algorithm; the authenticating member calculates a second authentication value by using the authentication information of the authenticated member and the group shared key according to the group authentication algorithm; the authenticating member authenticates the authenticated member as a legal neighbor when confirming that the first authentication value is the same as the second authentication value.07-22-2010
20100185849METHOD AND ARRANGEMENT FOR CERTIFICATE HANDLING - The present invention relates to a method and an arrangement for authentication and authorization in an access network. In an initial phase of the method according to the invention the user equipment and the security gateway exchange information on available certificate(s). If the user equipment and the security gateway lack matching certificates, the attempted authentication of the security gateway can not take place according to existing protocols and arrangements. According to the invention, if a certificate mismatch is identified, a certificate server is engaged. The certificate server, which is a separate entity from the security gateway, assists in at least part of the authentication procedure. Once the authentication is confirmed a secure tunnel can be established between the user equipment and the security gateway and payload traffic can be transferred.07-22-2010
20110119485METHOD AND APPARATUS FOR PROVIDING RADIO COMMUNICATION WITH AN OBJECT IN A LOCAL ENVIRONMENT - A method and apparatus for providing radio communication with an electronic object in a local environment are disclosed. For example the method receives via a mobile endpoint device of a user at least one first digital certificate associated with the local environment from a trusted source, and a second digital certificate from the electronic device deployed in the local environment via a wireless connection. The method then authenticates the electronic device using the at least one first digital certificate and the second digital certificate.05-19-2011
20110040965ENTERPRISE SECURITY SYSTEM - A platform of Trust Management software which is a single, customizable, complete distributed computing security solution designed to be integrated into an enterprise computing environment. Digital Network Authentication (DNA) is the centerpiece of the system of the present invention. It is a unique means to authenticate the identity of a communicating party and authorize its activity. The whole mechanism can be thought of as a trusted third party providing assurances to both clients and servers that each communicating entity is a discrete, authenticated entity with clearly defined privileges and supporting data. Furthermore, the level of trust to be placed in the authorization of every entity communicating within the system is communicated to every entity within a distributed computing environment.02-17-2011
20110047373USER AUTHENTICATION SYSTEM AND METHOD FOR THE SAME - At the user authentication apparatus 02-24-2011
20110119486METHOD AND APPARATUS FOR MANAGING ACCESS RIGHTS TO INFORMATION SPACES - An approach is provided for managing access rights of users to information spaces using signatures stored in a memory tag. A signature manager caused reading of a memory tag to initiate a request, from a device, for an initial access to an information space. The request includes an authorization signature associated with the device. The signature manager determines a level of access to the information space by comparing the authorization signature against a lattice of signature primitives associated with the information space. The signature manager then modifies the authorization signature based on the determination and stores the modified authorization signature for validation of subsequent access to the information space by the device.05-19-2011
20100031028SYSTEMS AND METHODS FOR SELECTING A CERTIFICATE FOR USE WITH SECURE MESSAGES - Systems and methods for selecting a certificate for use in securing a message to be transmitted from a computing device is described herein. A set of certificates is determined and the certificates are ranked based on one or more predetermined ranking criteria. At least the highest ranking certificate is displayed, and a certificate is selected for securing the message.02-04-2010
20100031031SYSTEMS, METHODS AND COMPUTER-ACCESSIBLE MEDIA FOR ACQUIRING AND AUTHENTICATING PUBLIC KEY CERTIFICATE STATUS - Exemplary embodiments of systems, methods and computer-accessible medium can be provided for obtaining and verifying a public key certificate status. In particular, it is possible to construct and send a certificate query request, construct and send a combined certificate query request, construct and send a combined certificate status response, deliver a certificate status response, perform a verification by the general access point, and/or perform a verification by the user equipment. The exemplary embodiments address some of the deficiencies of conventional methods which have a complicated implementation as well as likely inability of such conventional methods to be applied to the network architecture of user equipment, a general access point and a server. The exemplary embodiments of the systems, methods and computer-accessible medium can obtain a user certificate status to provide certificate statuses of the user or the user equipment and the general access point when the user equipment accesses the network via the general access point. Message exchanges can be reduced, bandwidth and calculation resources can be saved, and higher efficiency can be achieved. According to another exemplary embodiment, by way of adding random numbers into the certificate query request and the combined certificate query request, as well as the message m, freshness of the certificate status response can be facilitated and even ensured, and security protection can be enhanced.02-04-2010
20100031027METHOD AND DEVICE FOR DISTRIBUTING PUBLIC KEY INFRASTRUCTURE (PKI) CERTIFICATE PATH DATA - A method and device for distributing public key infrastructure (PKI) certificate path data enables relying nodes to efficiently authenticate other nodes in an autonomous ad-hoc network. The method includes compiling, at a certificate path management unit (CPMU), the PKI certificate path data (step 02-04-2010
20110087882APPARATUS AND METHODS FOR PROTECTING NETWORK RESOURCES - Apparatus and methods are provided for protecting network resources, particularly in association with automatic provisioning of new client devices. A global PKI (Public Key Infrastructure) scheme is rooted at a globally available server. Roots of PKIs for individual organizations also reside at this server or another globally available resource. To enable access to an organization's network, one or more authenticators are deployed, which may be co-located with access points or other network components. After a client device enabler (CDE) and an authenticator perform mutual authentication with certificates issued within the global PKI, the CDE is used to provision a new client device for the organization. After the client is provisioned, it and an authenticator use certificates issued within the per-organization PKI to allow the client access to the network.04-14-2011
20110087883SELF-SIGNED IMPLICIT CERTIFICATES - There are disclosed systems and methods for creating a self-signed implicit certificate. In one embodiment, the self-signed implicit certificate is generated and operated upon using transformations of a nature similar to the transformations used in the ECQV protocol. In such a system, a root CA or other computing device avoids having to generate an explicit self-signed certificate by instead generating a self-signed implicit certificate.04-14-2011
20110087881APPARATUS AND METHOD FOR MONITORING CERTIFICATE ACQUISITION - A system that incorporates teachings of the present disclosure may include, for example, a set-top-box (STB) having a controller to transmit a request to a remote management server for status information associated with a x.509 certificate intended for the STB, wherein at least one of the STB and the remote management server operate in an interactive television (iTV) network, and receive the status information associated with the x.509 certificate from the remote management server, wherein events associated with the status information are received by the remote management server from at least one of the STB, a certificates proxy, an external certificate web service, and a certificate authority, and wherein the status information comprises at least a portion of the received events. Other embodiments are disclosed.04-14-2011
20090031126Trust Management Systems and Methods - The present invention provides systems and methods for making efficient trust management decisions. A trust management engine is provided that processes requests for system resources, authorizations or certificates, and the identity of one or more root authorities that are ultimately responsible for granting or denying the requests. To determine whether a request should be granted, the trust management engine identifies a set principals from whom authorization may flow, and interprets each of the certificates as a function of the state of one or more of the principals. The processing logic iteratively evaluates the functions represented by the certificates, updates the states of the principals, and repeats this process until a reliable determination can be made as to whether the request should be granted or denied. The certificates may be evaluated until the state of the root authority indicates that the request should be granted, or until further evaluation of the certificates is ineffective in changing the state of the principals.01-29-2009
20090327705ATTESTED CONTENT PROTECTION - The present invention extends to methods, systems, and computer program products for protecting content. Embodiments of the invention permit a local machine increased participation in authorizing access to protected content. An operating system attests to a computing environment at a corresponding computer system. If the computing environment is one permitted to access protected content, the operating system is permitted to regulate further (e.g., application) access to protected content in accordance with a procreation policy. As such, authorization decisions are partially distributed, easing the resource burden on a content protection server. Accordingly, embodiments of the invention can facilitate more robust and efficient authorization decisions when access to protected content is requested.12-31-2009
20090327703METHOD FOR PAYLOAD ENCRYPTION OF DIGITAL VOICE OR DATA COMMUNICATIONS - A security platform or network for transmitting end-to-end encrypted voice or data communications between at least a first digital device and a second device is disclosed. The network includes a network portal for registering the first digital device and the second device. The portal provides the first digital device and second device with at least first and second keys and receives requests from each device to communicate with each other. The portal searches for and receives authorization from the called device to set up a secure session with the calling device. The portal receives encrypted messages from the devices, decrypts the encrypted messages with the keys provided to the devices, and re-encrypts the received messages. The portal sends the re-encrypted messages to the other device. Accordingly, the devices are capable of securely communicating with each other by encrypting and decrypting the messages sent to and received from the portal. The intent is to provide a commercially feasible approach to protect sensitive information that is not government classified, with potential users including (a) Individuals—for protecting private information and conversations; (b) Companies—for protecting proprietary/sensitive information; and (c) Government—for protecting SBU conversations and information.12-31-2009
20090313468CERTIFICATE RENEWAL USING SECURE HANDSHAKE - A method, system, and computer usable program product for certificate renewal using a secure handshake are provided in the illustrative embodiments. A determination is made, forming an expiration determination, whether a validity period associated with a certificate ends within a predetermined period from a time of receiving the certificate. If the expiration determination is true, a holder of the certificate is notified about the expiration. The holder may be an application executing in a data processing system or the data processing system itself. A new certificate is requested on behalf of the holder. The requested new certificate is received. The new certificate is sent to the holder of the certificate over a network.12-17-2009
20090217034Multi-step digital signature method and system - A multi-step signing system and method uses multiple signing devices to affix a single signature which can be verified using a single public verification key. Each signing device possesses a share of the signature key and affixes a partial signature in response to authorization from a plurality of authorizing agents. In a serial embodiment, after a first partial signature has been affixed, a second signing device exponentiates the first partial signature. In a parallel embodiment, each signing device affixes a partial signature, and the plurality of partial signatures are multiplied together to form the final signature. Security of the system is enhanced by distributing capability to affix signatures among a plurality of signing devices and by distributing authority us affix a partial signature among a plurality of authorizing agents.08-27-2009
20100070760TICKET-BASED SPECTRUM AUTHORIZATION AND ACCESS CONTROL - Aspects describe spectrum authorization, access control, and configuration parameters validation. Devices in an ad-hoc or peer-to-peer configuration can utilize a licensed spectrum if the devices are authorized to use the spectrum, which can be determined automatically. Aspects relate to distribution of authorization tickets by an authorization server as a result of validating a device's credentials and services to which the device is entitled. An exchange and verification of authorization tickets can be performed by devices as a condition for enabling a validated wireless link using the spectrum.03-18-2010
20100070761RELIABLE AUTHENTICATION OF MESSAGE SENDER'S IDENTITY - A method is provided in a telecommunications network for authenticating a sender (03-18-2010
20110154025COMPUTER IMPLEMENTED METHOD FOR AUTHENTICATING A USER - The invention relates to a computer implemented method for performing a user authentication, wherein an asymmetric cryptographic key pair is associated with the user, said key pair comprising a public key and a private key, wherein the method comprises selecting the user to be authenticated using a pseudonym of said user, wherein said pseudonym comprises the public key of the user, the method further comprising performing a cryptographic authentication of the user using the asymmetric cryptographic key pair.06-23-2011
20100064135Secure Negotiation of Authentication Capabilities - A network (03-11-2010
20110154024METHOD AND APPARATUS FOR SELECTING A CERTIFICATE AUTHORITY - A certificate authority selection unit implements a method for selecting one of a plurality of certificate authorities servicing a plurality of administrative domains in a communication system. The method includes: receiving, from an end-entity via an interface, a certificate service request associated with an identifier; selecting, based on the identifier, one of the plurality of administrative domains in the communication system, wherein the plurality of administrative domains are serviced by a plurality of certificate authorities; retrieving a security profile for the end-entity; and selecting, based on the security profile for the end-entity, one of the plurality of certificate authorities to process the certificate service request.06-23-2011
20110078439APPARATUS AND METHOD FOR USER IDENTITY AUTHENTICATION IN PEER-TO-PEER OVERLAY NETWORKS - Disclosed is a method for user identity authentication for a peer device joining a peer-to-peer overlay network. In the method, a credential server of the overlay network receives a registered user identity from a joining peer device. The credential server verifies the registered user identity with an identity provider. Upon receiving, at the credential server, successful verification of the registered user identity from the identity provider, the credential server issues to the joining peer device a signed certificate for use by an authenticated peer device in the overlay network to authenticate the registered user identity of the joining peer device, wherein the signed certificate is signed by a private key of the credential server.03-31-2011
20120303950Implicit Certificate Scheme - A method of generating a public key in a secure digital communication system, having at least one trusted entity CA and subscriber entities A. The trusted entity selects a unique identity distinguishing each entity A. The trusted entity then generates a public key reconstruction public data of the entity A by mathematically combining public values obtained from respective private values of the trusted entity and the entity A. The unique identity and public key reconstruction public data of the entity A serve as A's implicit certificate. The trusted entity combines the implicit certificate information with a mathematical function to derive an entity information ƒ and generates a value k11-29-2012
20110213961DYNAMIC USER INTERFACE GENERATION BASED ON CONSTRAINTS OF A CERTIFICATE PROFILE - A method and system for dynamic user interface generation based on constraints of a certificate profile is described.09-01-2011
20120278613ELECTRONIC APPARATUS AND INTRODUCING METHOD THEREBY - An electronic apparatus capable of introducing an apparatus certificate of the electronic apparatus and an intermediate certificate of an intermediate certificate authority which signs the apparatus certificate is disclosed. The electronic apparatus includes a communication unit; a separation unit configured to separate the intermediate certificate and the apparatus certificate acquired by the communication unit from the intermediate certificate authority; an apparatus certificate verifying unit configured to verify a validity of the apparatus certificate separated by the separating unit; an intermediate certificate verifying unit configured to verify a validity of the intermediate certificate separated by the separating unit; and an introducing unit configured to introduce the apparatus certificate and the intermediate certificate only when both the apparatus certificate and the intermediate certificate are verified.11-01-2012
20110029771Enrollment Agent for Automated Certificate Enrollment - Automated generation of certificates from a Certificate Authority through the use of an Enrollment Agent. Devices needing certificates generate the necessary keys and package public key information with other identifying information about the device and send this information to an Enrollment Agent. The Enrollment Agent takes this information and submits it on behalf of the device to a Certificate Authority, managing the interaction with the Certificate Authority on behalf of the device. The Certificate Authority signs the request, returning a certificate to the Enrollment Agent. The Enrollment Agent packages the certificate along with the other certificates needed to establish a chain of trust and returns these to the device. Certificates may be stored in the device in flash memory. The process is secure as long as the communications path between the devices and the Enrollment Agent is secure; a secure VPN or HTTPS: connection allows the devices and the Enrollment Agent to be in separate locations.02-03-2011
20110016312SYSTEM AND METHOD FOR ACCESSING HOST COMPUTER VIA REMOTE COMPUTER - In a peer-to-peer fashion, various host computers communicate with various remote computers using the Internet so that user inputs from the remote computers are transferred to the host computers as if the user inputs occurred locally, and information generated by the host computers is displayed on the remote computers. Thus, a remote computer is able to access all of the information and application programs on the host computer.01-20-2011
20100115267METHOD AND DEVICE FOR ENABLING A TRUST RELATIONSHIP USING AN EXPIRED PUBLIC KEY INFRASTRUCTURE (PKI) CERTIFICATE - A method and device are useful for enabling a trust relationship using an expired public key infrastructure (PKI) certificate. The method includes determining at a relying party a maximum permissible grace period during which the PKI certificate can be conditionally granted a valid status (step 05-06-2010
20100115266METHOD AND DEVICE FOR ENABLING A TRUST RELATIONSHIP USING AN UNEXPIRED PUBLIC KEY INFRASTRUCTURE (PKI) CERTIFICATE - A method and device are useful for enabling a trust relationship using an unexpired public key infrastructure (PKI) certificate, where a current status of the PKI certificate is unavailable. The method includes determining at a relying party that a certificate status update for the PKI certificate is unavailable (step 05-06-2010
20080320299ACCESS CONTROL POLICY IN A WEAKLY-COHERENT DISTRIBUTED COLLECTION - A system is disclosed for creating and implementing an access control policy framework in a weakly coherent distributed collection. A collection manager may sign certificates forming equivalence classes of replicas that share a specific authority. The collection manager and/or certain privileged replicas may issue certificates that delegate authority for control of item policy and replica policy. Further certificates may be signed that create one or more items, set policy for these one or more items, and define a set of operations authorized on the one or more items. The certificates issued according to the present system for creating and implementing a control policy framework cannot be modified or simply overridden. Once a policy certificate is issued, it may only be revoked by the collection manager or by a replica having revocation authority.12-25-2008
20080307222Verifying authenticity of webpages - A certificate registry system is configured to issue authentication certificates issued to each one of a plurality of information providers and to maintain a root certificate corresponding to all of the authentication certificates. Each one of the authentication certificates links respective authentication information thereof to identification information of a corresponding one of the information providers. Each one of the authentication certificates is devoid of linkage between the corresponding one of the information providers and domain name information thereof. The authentication certificates of the certificate registry are associated in a manner at least partially dependent upon at least one of a particular type of information that the information providers provide, a particular organization that the information providers are associated with, a particular type profession in which the information providers are engaged and a particular geographical region in which the information providers are located.12-11-2008
20080270788EXTENSION OF X.509 CERTIFICATES TO SIMULTANEOUSLY SUPPORT MULTIPLE CRYPTOGRAPHIC ALGORITHMS - A technique permitting an X.509 certificate to simultaneously support more than one cryptographic algorithm. An alterative public key and alternative signature are provided as extensions in the body of the certificate. These extensions define a second (or more) cryptographic algorithm which may be utilized to verify the certificate. These are not authenticated by the primary signature and signature algorithm in the primary cryptographic algorithm. These newly defined extensions are reviewed by a receiving entity if the entity does not support the cryptographic algorithm of the primary signature.10-30-2008
20110161662SYSTEM AND METHOD FOR UPDATING DIGITAL CERTIFICATE AUTOMATICALLY - A system and method for automatically updating a digital certificate prompts a user of a client computer to update a current digital certificate if a period of validity of the current digital certificate elapses or is about to elapse, and creates a new digital certificate if the current digital certificate needs to be updated. The system and method further deletes the current digital certificate, and loads the new digital certificate into a storage system of the client computer.06-30-2011
20110161661ENHANCED AUTHORIZATION PROCESS USING DIGITAL SIGNATURES - A method is provided for enhancing security of a communication session between first and second endpoints which employs a key management protocol. The method includes sending a first message to a first end point over a communications network requesting a secure communication session therewith. The message includes an identity of a second end point requesting the authenticated communication session. A digital certificate is received from the first endpoint over the communications network. The digital certificate is issued by a certifying source verifying information contained in the digital certificate. The digital certificate includes a plurality of fields, one or more of which are transformed in accordance with a transformation algorithm. A reverse transform is applied to the one or more transformed fields to obtain the one or more fields. The digital certificate is validated and a second message is sent to the first endpoint indicating that validation is complete.06-30-2011
20110161660TEMPORARY REGISTRATION OF DEVICES - In a method of temporarily registering a second device with a first device, in which the first device includes a temporary registration mode, the temporary registration mode in the first device is activated, a temporary registration operation in the first device is initiated from the second device, a determination as to whether the second device is authorized to register with the first device is made, and the second device is temporarily registered with the first device in response to a determination that the second device is authorized to register with the first device, in which the temporary registration requires that at least one of the second device and the first device delete information required for the temporary registration following at least one of a determination of a network connection between the first device and the second device and a powering off of at least one of the first device and the second device.06-30-2011
20110161659METHOD TO ENABLE SECURE SELF-PROVISIONING OF SUBSCRIBER UNITS IN A COMMUNICATION SYSTEM - A method to enable remote, secure, self-provisioning of a subscriber unit includes, a security provisioning server: receiving, from a subscriber unit, a certificate signing request having subscriber unit configuration trigger data; generating provisioning data for the subscriber unit using the subscriber unit configuration trigger data; and in response to the certificate signing request, providing to the subscriber unit the provisioning data and a subscriber unit certificate having authorization attributes associated with the provisioning data, to enable the self-provisioning of the subscriber unit.06-30-2011
20110047374METHOD AND APPARATUS FOR A CONFIGURABLE ONLINE PUBLIC KEY INFRASTRUCTURE (PKI) MANAGEMENT SYSTEM - A method and apparatus are provided for generating identity data to be provisioned in product devices that are a part of a project. The method includes establishing a template associated with each CA in a hierarchical chain of CAs having a root CA at a highest level in the chain and a signing CA at a lowest level in the chain. The template associated with the signing CA inherits mandatory attribute fields specified in the root CA and any intermediate CA in the hierarchical chain. The mandatory attribute fields are user-specifiable fields to be populated with PKI data. A configuration file is generated upon receipt of an order for digital certificates using PKI data provided by a user to populate the mandatory attribute fields of the template associated with the signing CA. The digital certificates requested in the order are generated using the PKI data in the configuration file.02-24-2011
20110055557COMMUNICATION APPARATUS MEDIATING COMMUNICATION BETWEEN INSTRUMENTS - A communication apparatus makes a request to issue an electronic certificate of a first instrument to a certificate authority and acquires the electronic certificate from the certificate authority. The communication apparatus communicates with a second instrument using the electronic certificate of the first instrument in response to reception of a request for communication with the second instrument from the first instrument. Therefore, the communication apparatus mediates information communication between the second instrument and the first instrument.03-03-2011
20110055556METHOD FOR PROVIDING ANONYMOUS PUBLIC KEY INFRASTRUCTURE AND METHOD FOR PROVIDING SERVICE USING THE SAME - Provided is a method for providing an anonymous public key infrastructure (PKI) in a user terminal. The method includes receiving a real-name certificate from a real-name PKI service domain, requesting an anonymous certificate to an anonymous PKI service domain, and receiving the anonymous certificate from the anonymous PKI service domain. Accordingly, the method can ensure anonymity when a user uses a service by providing the anonymous certificate in association with the PKI-based real-name certificate.03-03-2011
20110055555LICENSING AND CERTIFICATE DISTRIBUTION VIA SECONDARY OR DIVIDED SIGNALING COMMUNICATION PATHWAY - In one embodiment, the present invention is directed to the use of separate communication pathways over different types of networks to handle bearer and control signaling in connection with a license transaction.03-03-2011
20090240936SYSTEM AND METHOD FOR STORING CLIENT-SIDE CERTIFICATE CREDENTIALS - A method and system is provided for storing a plurality of client certificate credentials via a client web browser into one or more keystore file(s). The client web browser is used to establish the secure data transfer link between the client and the server. The client web browser includes a plug-in software component. The plug-in software component is configured to generate the keystore file and a key pair. The method may continue with generating a certificate request on the client. The certificate request generated is then transmitted to a certificate server. The certificate server is configured to digitally sign the certificate request generated. The method continues with the client receiving a signed certificate request. The signed certificate request is received by the client via the client web browser. The method may conclude by storing the plurality of client certificate credentials associated with the signed certificate request in one or more keystore file(s).09-24-2009
20080201575Systems and methods for automating certification authority practices - Systems and methods for efficiently verifying identities and for generating and signing digital certificates associated with those identities are disclosed. Generation of a digital certificate of an entity may begin by receiving a certificate signing request from the entity at a certification authority, the certificate signing request including verification information. The certificate signing request may be transmitted to a registration authority and the information of the certificate signing request may be processed. Whether to approve the certificate signing request may be determined, based on a result of the processing, and an approval may be granted when the certificate signing request is approved. A certificate associated with the entity may be generated when the approval is received, and the certificate may be transmitted to the entity.08-21-2008
20110167258Efficient Secure Cloud-Based Processing of Certificate Status Information - A cloud-based system having a secure database of certificate information and associated methods are provided. The system and methods may be used to supplement or replace traditional OCSP processing systems. Responses to OCSP requests are digitally signed and cached in a cloud database server remote from the requester. Other servers in the cloud may access the cached OCSP responses from the database server, rather than the originating certificate authority. Thus, the work traditionally done by the certificate authority is moved to the cloud, which eliminates a single point of failure and improves the resources available to perform transactional processing.07-07-2011
20110179268PROTECTING APPLICATIONS WITH KEY AND USAGE POLICY - One or more files of an application are obtained and configured as a virtual storage volume. An application package is generated by encrypting, using a key, the one or more files configured as a virtual storage volume. A license generation module generates a license including both a usage policy for the application and the key. A computing device, to run the application, obtains and attempts to authenticate the application package. If the application package is authenticated, then a license associated with the application package is obtained and at least part of the application package is decrypted using the key in the license. A virtual storage volume that includes the application is mounted, and the application is executed in accordance with the usage policy in the license. However, if the application is not authenticated, then the application is not executed.07-21-2011
20110072260METHOD AND SYSTEM OF DOWNLOADABLE CONDITIONAL ACCESS USING DISTRIBUTED TRUSTED AUTHORITY - Disclosed is a downloadable conditional access system (DCAS) and an operational method thereof that distributes a part of a function of a Trusted Authority to each multiple system operator (MSO) to enable the MSO server to process authentication with respect to a secure micro (SM) chip and a transport processor (TP) chip, and thus, a normal DCAS service is possible even when there is a problem with a security, and a DCAS host terminal for rental use is effectively operated.03-24-2011
20100293371GENERATING PKI EMAIL ACCOUNTS ON A WEB-BASED EMAIL SYSTEM - The present invention provides systems and methods for allowing an Email User to create a Public Key Infrastructure (PKI) Email Account and thereafter to digitally sign, send, verify and receive PKI encrypted emails over a computer network, such as the Internet. The systems and methods preferably include a Web-based Email System and a Certificate Authority that coordinate their actions to make the process of creating, maintaining and using the PKI Account as easy as possible for the Email User. In a preferred embodiment, a Keystore System may also be used to enhance the management and use of digital keypairs.11-18-2010
20120151207Method and System for Guiding Smart Antenna - A method and system for guiding smart antenna is provided. The method includes: a terminal accessing a WLAN Authentication and Privacy Infrastructure (WAPI) access point, acquiring a position information from the WAPI access point; the terminal directly sending the position information to a base station, and the base station obtaining a terminal position information according to the position information; or after the terminal obtains a terminal position information according to the position information, sending the terminal position information to the base station; the base station guiding the smart antenna by using the terminal position information. The method and system adopts a WAPI function to position the terminal, the implementation is simple and the startup time is very short.06-14-2012
20110126004DEVICE MANAGEMENT SYSTEM, SITE MONITORING APPARATUS AND METHOD - A server certificate and root certificate for performing secure communication with monitoring target devices are issued in a site monitoring apparatus. Using a secret key that is paired with a public key, a digital signature is issued based on communication destination information in which the site monitoring apparatus is the communication destination and the issued root certificate, and the communication destination information, root certificate, and digital signature are transmitted to the monitoring target devices. The monitoring target devices receive the communication destination information, root certificate, and digital signature from the site monitoring apparatus. Authentication is performed on the received digital signature using the public key, and in accordance with successful authentication, the communication destination for device monitoring information is changed from a management server to the site monitoring apparatus and secure communication is performed with the site monitoring apparatus, using the received communication information and root certificate.05-26-2011
20110126003SSL CLIENT AUTHENTICATION - A client authentication system receives an authentication request from a server for a session between a client and the server. The authentication system determines whether a storage device contains a configuration that corresponds to the authentication request. The authentication system configures client authentication based on whether the storage device contains the corresponding configuration and displays in a graphical user interface (GUI) a status indicator to show the client authentication configuration for the session. The GUI allows a user to change the client authentication configuration for the session.05-26-2011
20120311322Secure Access to Data in a Device - The invention concerns secure access to data in an electronic device (12-06-2012
20100122079COPYRIGHT PROTECTION SYSTEM, REPRODUCTION APPARATUS AND METHOD - The object of the present invention is to provide a reproduction apparatus that is capable of preventing personal information of users from being transmitted to an external apparatus that is under management of a malicious person.05-13-2010
20100228970Public key certificate issuing system, public key certificate issuing method, digital certification apparatus, and program storage medium - A public key certificate issuing system is disclosed which comprises a certificate authority for issuing a public key certificate used by an entity, and a registration authority which, on receiving a public key certificate issuance request from anyone of entities under jurisdiction thereof, transmits the received request to the certificate authority. The certificate authority, having a plurality of signature modules each executing a different signature algorithm, selects at least one of the plurality of signature modules in accordance with the public key certificate issuance request from the registration authority, and causes the selected signature module to attach a digital signature to message data constituting a public key certificate.09-09-2010
20110126001AUTOMATIC CERTIFICATE RENEWAL - A method and system for automatic certificate renewal is described.05-26-2011
20100235627SECURING COMMUNICATIONS SENT BY A FIRST USER TO A SECOND USER - A computer-implemented method of securing communications sent by a first user to a second user may include receiving, by a first user from a trusted third party, at least one public cryptographic value corresponding to the first user and at least one private cryptographic value corresponding to the first user, providing, by the first user to a second user, a plurality of values corresponding to an identification device identified by an identifier, deriving, by the first user, a shared key, using the at least one private cryptographic value of the first user, and at least one of the plurality of values corresponding to the identification device identified by the identifier and protecting communications sent by the first user to the second user with the shared key.09-16-2010
20100122080PSEUDONYM CERTIFICATE PROCESS SYSTEM BY SPLITTING AUTHORITY - The present invention can't independently know real name information of a user unless a server of an authority treating real name certificate and a server of an authority treating pseudonym certificate collaborate mutually, so that privacy of a user isn't infringed. The present invention can acquire real name information of a user with collaboration of real name certification sever and pseudonym certification sever only if you need real name information for a user.05-13-2010
20090300349VALIDATION SERVER, VALIDATION METHOD, AND PROGRAM - A validation server using HSM, which reduces required process time from receiving a validation request to responding with a validation result, and comprises a first software cryptographic module 12-03-2009
20090300348PREVENTING ABUSE OF SERVICES IN TRUSTED COMPUTING ENVIRONMENTS - Methods and systems for regulating services provided by a first computing entity, such as a server, to a second computing entity, such as a client are described. A first entity receives a request for a service from a second entity over a network. The first entity determines whether the second entity has a trusted agent by examining an attestation report from the second entity. The first entity transmits a message to the second entity. The trusted agent on the second entity may receive the message. A response is created at the second computing entity and received at the first entity. The first entity then provides the service to the second entity. The first entity may transmit an attestation challenge to the second entity and in response receives an attestation report from the second entity.12-03-2009
20090292916Certificate Management and Transfer System and Method - A method and system for Certificate management and transfer between messaging clients are disclosed. When communications are established between a first messaging client and a second messaging client, one or more Certificates stored on the first messaging client may be selected and transferred to the second messaging client. Messaging clients may thereby share Certificates. Certificate management functions such as Certificate deletions, Certificate updates and Certificate status checks may also be provided.11-26-2009
20100031030METHOD AND SYSTEM FOR MANAGING NETWORK IDENTITY - A method and a system for managing network identity are provided. The method and the system realize a management mechanism of temporary identification (ID) and real ID, which simultaneously achieves functionalities such as anonymity, accounting, and authorization. A short-term certificate and a corresponding public/private key pair are used to protect a temporary ID usable for accounting. This protection prevents the temporary ID from theft. The user generates a digital signature in the reply to a charge schedule statement from the visited network. This procedure is incorporated into an existing authentication framework based on Transport Layer Security (TLS) in order to provide an undeniable payment mechanism. The payment mechanism is applicable in an environment of multiple network operators and reduces the difficulty of integrating network operators. The method and the system do not have to consult a certificate revocation list (CRL) for authentication and thus are able to shorten authentication time.02-04-2010
20100031029TECHNIQUES TO PROVIDE ACCESS POINT AUTHENTICATION FOR WIRELESS NETWORK - According to an example embodiment, an apparatus may include a client device including a processor and memory. The client device may be configured to obtain, via a secure communication, a certificate identifying a publically accessible wireless access point (AP) and a public key for the AP, the AP being publically accessible. The client (or client device) may be configured to generate a challenge, send the challenge to the AP, wherein the AP has a private key securely stored in a hardware security module of the AP. The private key may correspond to the public key for the AP. The client may be configured to receive a response from the AP, the response being generated by the AP based on the challenge and the private key for the AP, and authenticate the AP based on the response.02-04-2010
20100031026METHOD AND SYSTEM FOR TRANSFERRING INFORMATION TO A DEVICE - A system and method for transferring information to a device include sending a first challenge from an information provider to programming equipment, and responding to the first challenge by the programming equipment. A second challenge is sent from the programming equipment to the information provider, which responds to the second challenge. Information is encrypted by the information provider and sent from the information provider to the programming equipment.02-04-2010
20100031025Method and system to authorize and assign digital certificates without loss of privacy, and/or to enhance privacy key selection - A method and system for public key infrastructure key and certificate management provides anonymity to certificate holders and protects the privacy of certificate holders from the compromise of a certificate authority. Functional separation is provided in the authorization of a certificate request and the assignment of certificates and key pairs. The authorizing certificate authority approves or denies each certificate request from a requestor whose identity is not made available to the assigning certificate authority. The assigning certificate authority, upon approval from the authorizing certificate authority, issues one or more certificates and optionally generates and provides the associated key pairs to the requester without disclosing these certificates and key pairs to the authorizing certificate authority. In another aspect, a distributed method is disclosed that allows individual nodes and/or units in a network to select certificates for broadcasting messages to a community of interest with a non-unique key.02-04-2010
20100031024METHOD FOR REAL-TIME DATA AUTHENTICATION - A digital signature is applied to digital data in real-time. The digital signature serves as a mark of authenticity assuring a recipient that the digital data did in fact originate from an indicated source. The digital signature may be applied to any digital data, including video signals, audio signals, electronic commerce information, data pertaining to land vehicles, marine vessels, aircraft, or any other data that can be transmitted and received in digital form.02-04-2010
20100023756SPLITTING AN SSL CONNECTION BETWEEN GATEWAYS - A system for secure communication, including a first security computer communicatively coupled with a client computer via an SSL connection, including a certificate creator, for receiving certificate attributes of a server computer certificate and for creating a signed certificate therefrom, and an SSL connector, for performing an SSL handshake with the client computer using the signed certificate created by said certificate creator, and a second security computer communicatively coupled with a server computer via an SSL connection, and communicatively coupled with the first security computer via a non-SSL connection, including an SSL connector, for performing an SSL handshake with the server computer using a signed certificate provided by the server computer, and a protocol appender, for appending attributes of the signed certificate provided by the server computer within a message communicated to the first security computer. A method is also described and claimed.01-28-2010
20100023757METHODS AND SYSTEMS FOR SENDING SECURE ELECTRONIC DATA - A method and system for providing encryption are provided, involving a) transmitting a request from a sender to a database for a public key for a selected recipient, the database being configured to store for each member in a plurality of members a member public key for encrypting electronic data; b) determining if the selected recipient is in the plurality of members, and; c) if the selected recipient is in the plurality of members, then executing a member procedure, the member procedure comprising transmitting from the database to the sender the member public key stored in the database for the selected recipient; d) if the selected recipient is not in the plurality of members, then executing a non-member procedure, the non-member procedure comprising determining if at least one predetermined criterion is met, and, if the at least one predetermined criterion is met, generating a non-member public key for encrypting electronic data and a non-member private key for decrypting the electronic data encrypted using the non-member public key; otherwise, if the at least one predetermined criterion is not met the non-member public key and the non-member private key are not generated.01-28-2010
20100023755METHOD AND APPARATUS FOR SECURE INFORMATION TRANSFER TO SUPPORT MIGRATION - A system and method are disclosed for providing and maintaining a high level of security during migration of data from one platform to another. The disclosed system combines user and equipment authentication with equipment environment authorization guaranteed by a security module such as supported by a trusted platform module (TPM) in parallel, for secure information transfer to support migration between platforms.01-28-2010
20100017598Secure E-Mail Messaging System - According to one embodiment, a secure e-mail messaging system includes an e-mail relay server coupled to a secure client configured on a secure domain and an external client configured on an external domain. The e-mail relay server has a memory for storage of an actual address of the secure client, a first certificate associated with the actual address, an alias address associated with the actual address, and a second certificate associated with the alias address. The e-mail relay server receives an e-mail message that includes the alias address from the external client and decrypts the e-mail message according to the second certificate. The e-mail messaging server then replaces the alias address with the actual address to form a modified e-mail message, encrypts the modified e-mail message according to the first certificate, and transmits the modified e-mail message to the secure client.01-21-2010
20100017597SECURE NETWORK ADDRESS PROVISIONING - A network in which a client receives a network credential, such as a valid network address, following an exchange of messages with a credential server that includes security information. The security information may validate the credential, avoiding rogue devices inadvertently or maliciously distributing credential information that can interfere with clients attempting to connect to the network or with the network itself. If obtaining a network credential requires an exchange of information about the configuration of the client that could reveal security vulnerabilities, the security information may be used to ensure the confidentiality of that configuration information. The security information may be incorporated into messages according to a known protocol, such as by incorporating it into options fields of DHCP messages.01-21-2010
20120042161SYSTEM AND METHOD FOR SENDING SECURE MESSAGES - Electronic messages are sent from a sending system to an identified recipient and are encrypted using information contained in a certificate for that recipient. An electronic device and method are provided for detecting receipt of a command to initiate transmission of a composed message to a recipient, and after said detection but prior to transmitting the message, determining that no valid digital certificate for said recipient is available at the communication device; retrieving a valid digital certificate for said recipient from a source over a network; and encrypting said composed message using the valid digital certificate; then initiating transmission of the encrypted, composed message to the recipient. Retrieval of the valid digital certificate can include repeated retrieval and validation of certificates until a valid certificate is obtained.02-16-2012
20090089575Service Providing System, Outsourcer Apparatus, Service Providing Method, and Program - When an entrustor entrusts an outsourcer with the supply of a service for members, member information managed by the entrustor is kept secret from the outsourcer, and users can receive the service without communicating with the entrustor. For using the service, user apparatus 04-02-2009
20090172392METHOD AND SYSTEM FOR TRANSFERRING INFORMATION TO A DEVICE - A system and method for transferring information include generating a public/private key pair for programming equipment and sending the programming equipment public key to a certificate authority. A programming equipment certificate is generated using the programming equipment public key and a private key of the certificate authority. The programming equipment certificate and a certificate authority certificate are sent to the programming equipment. Information is transferred to or from the programming equipment in response to an authentication using the programming equipment certificate and the certificate authority certificate.07-02-2009
20090172391COMMUNICATION HANDOVER METHOD, COMMUNICATION MESSAGE PROCESSING METHOD, AND COMMUNICATION CONTROL METHOD - There is disclosed a technique whereby, in a case wherein a mobile node (MN) performs a handover, between access points (APs) present on the links of different access routers (ARs), security is quickly established between the MN and the AP so as to reduce the possibility of a communication delay or disconnection due to the handover. According to this technique, before performing a handover, the MN 07-02-2009
20120210123ONE-TIME PASSWORD CERTIFICATE RENEWAL - Embodiments are directed to providing a certificate extension to an authentication certificate, to validating an authentication certificate request and to implementing authentication certificates that include certificate extensions. In an embodiment, a computer system accesses an authentication certificate request that is to be sent to a validation server for validation and to a certificate authority for issuance of an authentication certificate. The computer system appends an extension to the authentication certificate request. The extension includes origination information about the authentication certificate. The computer system then sends the authentication certificate request with the appended extension to the validation server for validation.08-16-2012
20120047363Implicit Certificate Verification - A method of computing a cryptographic key to be shared between a pair of correspondents communicating with one another through a cryptographic system is provided, where one of the correspondents receives a certificate of the other correspondents public key information to be combined with private key information of the one correspondent to generate the key. The method comprises the steps of computing the key by combining the public key information and the private key information and including in the computation a component corresponding to verification of the certificate, such that failure of the certificate to verify results in a key at the one correspondent that is different to the key computed at the other correspondent.02-23-2012
20110167257Method for issuing, verifying, and distributing certificates for use in public key infrastructure - The invention relates to a method for issuing, verifying, and distributing digital certificates for use in Public Key Infrastructure, in which a requester 07-07-2011
20120017082Virtual Private Supply Chain - A generic Internet based system for viewing supply chain data is provided. The system includes an Internet based data viewing engine and a data store that holds both viewable data and metadata associated with the viewable data. The metadata can be employed by the Internet based data viewing engine to control the presentation of the viewable data. The generic Internet based supply chain data viewing engine may be employed in a virtual private supply chain (VPSC). A VPSC includes a data acceptor that can receive supply chain data items from supply chain members, a supply chain data store that can store transformed, validated supply chain data items received from the supply chain members and a data accessor operable to selectively present supply chain data items stored in the supply chain data store to viewing supply chain members. One example of the data accessor is the generic Internet based viewing engine.01-19-2012
20120017081METHOD FOR AUTHENTICATING DEVICE CAPABILITIES TO A VERIFIED THIRD PARTY - A system, devices and methods for verifying an administrator computing device to a guest computing device, verifying the guest device to the administrator device and outputting a list of the guest device capabilities for the administrator device such that the guest device is capable of verifying the administrator device, for example to ensure it does not divulge its capabilities to imposters, and the administrator device is capable of identifying whether the list of device capabilities is authentic. Verification can be achieved through cryptographic hashes of private certificates, digital signatures or expected output from verified modules. The list of device capabilities may be restricted based on the authorization granted to the administrator computer and may be altered or watermarked for verification. A failure to verify the administrator device may restrict execution of instructions on the guest device to prevent unauthorized access to the guest device's capabilities.01-19-2012
20120023328Trust Information Delivery Scheme for Certificate Validation - A unique TIO based trust information delivery scheme is disclosed that allows clients to verify received certificates and to control Java and Javascript access efficiently. This scheme fits into the certificate verification process in SSL to provide a secure connection between a client and a Web server. In particular, the scheme is well suited for incorporation into consumer devices that have a limited footprint, such as set-top boxes, cell phones, and handheld computers. Furthermore, the TIO update scheme disclosed herein allows clients to update certificates securely and dynamically.01-26-2012
20120023326AUTOMATED PROVISIONING OF A NETWORK APPLIANCE - Network communication and provisioning systems and methods are provided to enable automatic provisioning of an appliance to provide encryption services for email messages and other types of electronic messages addressed to or from an email domain.01-26-2012
20120023327INFORMATION PROCESSING APPARATUS - An information processing apparatus includes: an acquiring unit that acquires specific information; a preparation unit that makes out a certificate signing request based on the specific information, wherein the preparation unit makes out a first type certificate signing request including extensions and makes out a second type certificate signing request not including extensions; a display control unit that displays a selection screen on a display unit; and an output unit that is configured to output one of the first type certificate signing request and the second type certificate signing request to an outside according to selecting by a user in the selection screen.01-26-2012
20120060027CERTIFYING THE IDENTITY OF A NETWORK DEVICE - According to one aspect, a method for certifying the identity of a network device. The method includes an initial step of coupling the network device to a provisioning device via a physically secure communications link. The provisioning device then certifies the identity of the network device including generating a cryptographic private key for the network device and sending the generated private key to the network device over the physically secure communications link.03-08-2012
20120060026CERTIFICATE MANAGEMENT AND TRANSFER SYSTEM AND METHOD - A method and system for Certificate management and transfer between messaging clients are disclosed. When communications are established between a first messaging client and a second messaging client, one or more Certificates stored on the first messaging client may be selected and transferred to the second messaging client. Messaging clients may thereby share Certificates. Certificate management functions such as Certificate deletions, Certificate updates and Certificate status checks may also be provided.03-08-2012
20120060028SIGNATURE DEVICE, SIGNATURE VERIFICATION DEVICE, ANONYMOUS AUTHETICATION SYSTEM, SIGNING METHOD, SIGNATURE AUTHENTICATION METHOD, AND PROGRAMS THEREFOR03-08-2012
20120159156TAMPER PROOF LOCATION SERVICES - A secure location system is described herein that leverages location-based services and hardware to make access decisions. Many mobile computers have location devices, such as GPS. They also have a trusted platform module (TPM) or other security device. Currently GPS location data is made directly accessible to untrusted application code using a simple protocol. The secure location system provides a secure mechanism whereby the GPS location of a computer at a specific time can be certified by the operating system kernel and TPM. The secure location system logs user activity with a label indicating the geographic location of the computing device at the time of the activity. The secure location system can provide a difficult to forge, time-stamped location through a combination of kernel-mode GPS access and TPM security hardware. Thus, the secure location system incorporates secure location information into authorization and other operating system decisions.06-21-2012
20120159157REMOTE CONFIGURATION OF COMPUTING PLATFORMS - An embodiment of the invention relates to a computing platform (06-21-2012
20120159158VALIDATION SERVER, VALIDATION METHOD, AND PROGRAM - A validation server using HSM, which reduces required process time from receiving a validation request to responding with a validation result, and comprises a first software cryptographic module 06-21-2012
20120072717Dynamic identity authentication system - An authenticating device (03-22-2012
20120072716MULTITENANT-AWARE PROTECTION SERVICE - Implementing a data protection service. One method includes receiving a request to provision a first tenant among a plurality of tenants managed by a single data protection service. A tenant is defined as an entity among a plurality of entities. A single data protection service provides data protection services to all tenants in the plurality of tenants. A first encryption key used to decrypt the first tenant's data at the data store is stored. The first encryption key is specific to the first tenant and thus cannot be used to decrypt other tenants' data at the data store from among the plurality of tenants. Rather each tenant in the plurality of tenants is associated with an encryption key, not usable by other tenants, used at the data store to decrypt data on a tenant and corresponding key basis.03-22-2012
20110072261PROVIDING SECURITY BETWEEN NETWORK ELEMENTS IN A NETWORK - A first network element receives a message from a second network element. The message is modified by the first network element by inserting a certificate into the message, wherein the certificate includes an identity of the first network element and a digital signature produced by the first network element. The modified message is sent to a third network element.03-24-2011
20110107089METHODS AND SYSTEMS FOR IMPLEMENTING POLICY BASED TRUST MANAGEMENT - This disclosure describes, generally, methods and systems for implementing policy based trust management. The method includes receiving, at an host server, a trust request from a partner, and identifying, at the host server via a trust policy enforcer, parameters and attributes associated with the partner. The method further includes identifying, at the host server via the trust policy enforcer, parameters and attributes associated with the requested resource, and accessing, by the trust policy enforcer, a policy database. Furthermore, the method includes retrieving, by the trust policy enforcer, one or more trust policies associated with the requested resource, and based on the attributes and parameters of the partner, applying, by the trust policy enforcer, the one or more associated trust policies to the request. Further, the method includes based on conformity with the one or more trust policies, providing the partner with access to the requested resource.05-05-2011
20110099369FILE ENCRYPTION SYSTEM AND METHOD - An electronic document comparison system and method converts a test file into a compressed file having a specific format. A public key of the CA certificate of a user is obtained and a random key is generated using a random function. Furthermore, the compressed file is symmetrically encrypted using the random key, and the random key is asymmetrically encrypted using the public key to generate an asymmetric encryption key. A header of the compressed file is attached with the asymmetric encryption key and data length of the asymmetric encryption key.04-28-2011
20110099368CABLE MODEM AND CERTIFICATE TESTING METHOD THEREOF - A cable modem stores certificates including a root certificate authority (CA) certificate, a root CA public key, a manufacturer CA certificate, and a cable modem certificate. The cable modem reads the root CA public key, determines whether the root CA public key complies with a key industry standard, determines whether the manufacturer CA certificate is generated according to the root CA certificate, and determines whether the cable modem certificate is generated according to the manufacturer CA certificate.04-28-2011
20110099367KEY CERTIFICATION IN ONE ROUND TRIP - Certification of a key, which a Trusted Platform Module (TPM) has attested as being non-migratable, can be performed in a single round trip between the certificate authority (CA) and the client that requests the certificate. The client creates a certificate request, and then has the TPM create an attestation identity key (AIK) that is bound to the certificate request. The client then asks the TPM to sign the new key as an attestation of non-migratability. The client then sends the certificate request, along with the attestation of non-migratability to the CA. The CA examines the certificate request and attestation of non-migratability. However, since the CA does not know whether the attestation has been made by a trusted TPM, it certifies the key but includes, in the certificate, an encrypted signature that can only be decrypted using the endorsement key of the trusted TPM.04-28-2011
20120124369SECURE PUBLISHING OF PUBLIC-KEY CERTIFICATES - The current application is directed to methods and systems for secure distribution of public-key certificates using the domain name system with security extensions (“DNSSEC”), a publisher component, and additional client-side functionality. These methods and systems, when combined with public/private-key-based cryptography used for encrypting digitally encoded information, provides a computationally efficient and well-understood method and system for secure communications and digitally-encoded-information verification without current difficulties and inefficiencies attendant with distributing and managing the public keys used for encrypting digitally encoded information.05-17-2012
20090132812METHOD AND APPARATUS FOR VERIFYING REVOCATION STATUS OF A DIGITAL CERTIFICATE - Verifying revocation status of a digital certificate is provided in part by a receiver verifying a security certificate for a sender. In an embodiment, an approach comprises receiving a first security certificate associated with the sender and storing the security certificate in a location accessible to the receiver; updating the first security certificate in the location accessible to the receiver if the first security certificate is changed or revoked; receiving a second security certificate from the sender when identity of the sender needs to be verified; comparing the second security certificate to the first security certificate; and confirming the sender's identity only if the second security certificate matches the first security certificate for the sender.05-21-2009
20090132811ACCESS TO AUTHORIZED DOMAINS - In a domain comprising a plurality of devices, the devices in the domain sharing a common domain key, a method of enabling a entity that is not a member of the domain to create an object that can be authenticated and/or decrypted using the common domain key, the method comprising providing to the entity that is not a member of the domain a diversified key that is derived using a one-way function from at least the common domain key for creating authentication data related to said object and/or for encrypting said object, the devices in the domain being configured to authenticate and/or decrypt said object using the diversified key.05-21-2009
20120221852SANCTIONED CACHING SERVER AND METHODS FOR USE THEREWITH - A caching server includes a network interface receives first sanction data from the sanction server and transmits first cryptographic data to a client device, receives second cryptographic data from the device and that transmits scrambled media content to the client device. A random number generator generates a random number. A caching processing module, in response to the first sanction data, generates the first cryptographic data based on the random number and the first sanction data, generates a scrambling control word based on the first sanction data and the second cryptographic data and that generates the scrambled media content based on the scrambling control word.08-30-2012
20120221851SOURCE CENTRIC SANCTION SERVER AND METHODS FOR USE THEREWITH - A sanction server includes a network interface that receives proxy data from a content source that includes cryptographic parameters that are based on a scrambling control word used to scramble the media content, receives a request for the media content from a client device, transmits the proxy data to the client device and transmits notification data to a caching server. The content source generates cryptographic data and sends the cryptographic data and the scrambled media content to the caching server. The caching server forwards the cryptographic data and the scrambled media content to the client device. The client device generates the scrambling control word for descrambling the scrambled media content based on the proxy data and the cryptographic data.08-30-2012
20120221850System and Method for Reducing Computations in an Implicit Certificate Scheme - There are disclosed systems and methods for reducing the number of computations performed by a computing device constructing a public key from an implicit certificate associated with a certificate authority in an implicit certificate scheme. In one embodiment, the device first operates on the implicit certificate to derive an integer e. The device then derives a pair of integers (e08-30-2012
20120317412IMPLICITLY CERTIFIED DIGITAL SIGNATURES - Methods, systems, and computer programs for using an implicit certificate are disclosed. In some aspects, a message and an implicit certificate are accessed. The implicit certificate is associated with an entity. A modified message is generated by combining the message with a value based on the implicit certificate. A digital signature can be generated based on the modified message and transmitted to a recipient. In some aspects, a digital signature from an entity and a message to be verified based on the digital signature are accessed. An implicit certificate associated with the entity is accessed. A modified message is generated by combining the message with a value based on the implicit certificate. The message is verified based on the digital signature and the modified message.12-13-2012
20120131334Method for Attesting a Plurality of Data Processing Systems - A technique for attesting a plurality of data processing systems. The method includes: configuring a chain of data processing systems wherein a first data processing system is responsible for retrieving attestation data associated with a second data processing system; sending a request for attestation of the first data processing system; in response to receiving the request, retrieving a list of associated one or more children, wherein the one or more children comprise the second data processing system; retrieving and storing attestation data associated with each child; retrieving and storing attestation data associated with the first data processing system; and sending to the requester a concatenated response containing the attestation data associated with the first and second data processing systems, such that the attestation data associated with the first and second data processing systems can be used to attest the first and second data processing systems, respectively.05-24-2012
20100205430Network Reputation System And Its Controlling Method Thereof - A network reputation system and its controlling method are provided. A credentials and exchange component permits a user to generate credentials and exchange matching keys with those persons having a social relationship with the user. A reputation evaluation component enables other users to make evaluations about an estimatee via the sharing of social network information. A query and response component receives a query from a person having a social relationship with the user for requesting an evaluation about the estimatee, and responds an associated evaluation result to the person having a social relationship with the user, via the sharing of social network information and the evaluations made by the other users about the estimatee.08-12-2010
20100205429SYSTEM AND METHOD FOR VERIFYING THAT A REMOTE DEVICE IS A TRUSTED ENTITY - Methods and systems are provided for verifying that a remote device is a trusted entity. The method comprises receiving a first digital certificate from a first certificate authority, wherein the first certificate authority is a trusted entity, receiving a second digital certificate from the remote device during a first handshake procedure for establishing a secure connection, the second digital certificate corresponding to a second certificate authority, determining if the second digital certificate was issued by the first certificate authority based on at least a portion of the contents of the first digital certificate, and storing the second digital certificate to enable subsequent authentication of additional digital certificates received from the remote device, if the second digital certificate was issued by the first certificate authority.08-12-2010
20120137128System and Method for Securing a Credential via User and Server Verification - Systems and methods for securing a credential generated by or stored in an authentication token during an attempt to access a service, application, or resource are provided. A secure processor receives a credential from an authentication token and securely stores the credential. The secure processor then verifies the identity of the individual attempting to use the authentication token and cryptographically verifies the identity of the server being accessed. The credential is only released for transmission to the server if both the identity of the individual and the identity of the server are successfully verified. Alternatively, a secure connection is established between the secure processor and the server being accessed and a secure connection is established between the secure processor and a computing device. The establishment of the secure connections verifies the identity of the server. After the secure connections are established, the identity of the user is verified.05-31-2012
20120137126SMART METER AND METER READING SYSTEM - The present invention provides a smart meter for use in automatic meter reading of power, gas, and the like, preventing falsification of a program and data and assuring security in a communication path. A smart meter has: a data processor receiving a measurement signal according to a use amount, computing meter read data, and performing communication control by a communication unit coupled to a network; and a secure processor having tamper resistance for internally held information and performing secure authenticating process for a remote access. The data processor encrypts computed meter read data with a public key unique to the smart meter and supplies the encrypted data to the secure processor. The secure processor decrypts the encrypted meter read data with the secret key unique to the smart meter and stores the decrypted or encrypted meter read data into a nonvolatile storage region.05-31-2012
20120137129METHOD FOR ISSUING A DIGITAL CERTIFICATE BY A CERTIFICATION AUTHORITY, ARRANGEMENT FOR PERFORMING THE METHOD, AND COMPUTER SYSTEM OF A CERTIFICATION AUTHORITY - In a method for issuing a digital certificate by a certification authority (B), a device (A) sends a request message to the certification authority (B) for issuing the certificate, the certification authority (B) receives the request message and sends a request for authenticating the device (A) to the device (A), the device (A) sends a response to the certification authority (B) in response to the received request, and the certification authority (B) checks the received response and generates the certificate and sends the certificate to the device (A), if the response was identified as correct.05-31-2012
20120137127DEVICE CERTIFICATE INDIVIDUALIZATION - A method of generating a device certificate. A method of generating a device certificate comprising, constructing a device certificate challenge at a device, sending information to a device certificate individualization server in response to the device certificate challenge, validating the device certificate challenge by the device certificate individualization server, and validating the device certificate response by the device.05-31-2012
20110185172GENERATING PKI EMAIL ACCOUNTS ON A WEB-BASED EMAIL SYSTEM - The present invention provides systems and methods for allowing an Email User to create a Public Key Infrastructure (PKI) Email Account and thereafter to digitally sign, send, verify and receive PKI encrypted emails over a computer network, such as the Internet. The systems and methods preferably include a Web-based Email System and a Certificate Authority that coordinate their actions to make the process of creating, maintaining and using the PKI Account as easy as possible for the Email User. In a preferred embodiment, a Keystore System may also be used to enhance the management and use of digital keypairs.07-28-2011
20120173873SMART GRID DEVICE AUTHENTICITY VERIFICATION - Methods and articles of manufacture are provided. Some embodiments are directed to smart grid device authenticity verification. In an exemplary embodiment a method is provided that generates a firmware package image for a device. The method goes on to manufacture a microcontroller using the image. A ship file is then generated with unique data associated to the device. A board is then manufactured and a board ship file generated. The device is then authenticated on a network using the two ship files and the firmware image. This Abstract is provided for the sole purpose of complying with the Abstract requirement rules. This Abstract is submitted with the explicit understanding that it will not be used to interpret or to limit the scope or the meaning of the claims.07-05-2012
20100299520COMMUNICATION SYSTEM AND METHOD IN PUBLIC KEY INFRASTRUCTURE - In a communication system wherein a device and a client communicate data with each other through a network, the device holds a root certificate including a public key in a pair of the public key and a private key and signed with the public key. When data is sent, a certificate creator creates a second certificate including the root certificate designated as a certificate authority at a higher level and signed with the root certificate, and the second certificate is sent to the client. In the client, the root certificate has been stored beforehand, and a verifier verifies the signature of the second certificate with the root certificate.11-25-2010
20120179907METHODS AND SYSTEMS FOR PROVIDING A SIGNED DIGITAL CERTIFICATE IN REAL TIME - A method and system for signing a digital certificate in real time for accessing a service application hosted within a service provider (SP) computer system through an open application programming interface (API) platform is provided. The API platform is in communication with a memory device. The method includes receiving registration data from a developer computer device wherein the developer computer device is associated with a developer and configured to store a developer application, receiving a certificate signing request (CSR) from the developer computer device wherein the CSR includes a public key associated with the developer, verifying the registration data as being associated with the developer, signing the CSR to produce a signed certificate after verifying the registration data wherein the verifying and signing steps are performed by the SP computer system in real time, and transmitting the signed certificate and a client ID to the developer computer device.07-12-2012
20100275013Method for Communicating Certificates to Computers - A method includes receiving at a first computer a new certificate which is to replace an old certificate associated with the first computer and associating by the first computer the new certificate with the first computer. In response to the first computer associating the new certificate with the first computer, the first computer accesses an email address book of the first computer having information identifying a second computer as having received the old certificate to determine from the information that the second computer is to associate the new certificate in place of the old certificate with the first computer. In turn, the first computer transmits the new certificate to the second computer for the second computer to associate the new certificate with the first computer.10-28-2010
20120233457ISSUING IMPLICIT CERTIFICATES - Methods, systems, and computer programs for issuing an implicit certificate are disclosed. In some implementations, a certificate authority of an elliptic curve cryptography (ECC) system performs one or more operations for issuing the implicit certificate. A certificate request associated with a requester is received, and the certificate request includes a first element R09-13-2012
20100023759METHOD AND SYSTEM FOR AUTHORIZING CLIENT DEVICES TO RECEIVE SECURED DATA STREAMS - A method and system for authorizing client devices to receive secured data streams through the use of digital certificates embedded in the client devices. A freely distributed cryptographically signed group file with an embedded expiration date is associated with each individual digital certificate. A single group file can be associated with more than one digital certificate but each digital certificate is associated with a single group file. The group file contains cryptographic keys that can be used to decrypt a section of the digital certificate revealing a set of client keys. The client keys are then used to encrypt a program key which are then sent back to the client device. When the client device requests a specific data stream or digital content, an issuance timestamp associated with the content is compared to the expiration date in the group file. If the issuance timestamp is after the expiration date, the client device is declined. If the issuance timestamp is before the expiration date, the requested content, encrypted utilizing the program key, is sent to the client device.01-28-2010
20100017599SECURE DIGITAL CONTENT MANAGEMENT USING MUTATING IDENTIFIERS - Methods and system for managing manipulation of digital content stored in a content server. One method includes receiving a first mutating identifier at a content manipulation device. The first mutating identifier includes a first secret key. The method also includes generating a content request for digital content stored in the content server at the content manipulation device, the content request encrypted with the first secret key and including an identifier of the digital content; transmitting the content request to an authenticator over at least one communication link; transmitting access rights from the authenticator to the content manipulation device over at least one communication link; transmitting the digital content from the content server to the content manipulation device; manipulating the digital content at the content manipulation device based on the access rights; and marking the first mutating identifier as used at the authenticator.01-21-2010
20100011208CRYPTOGRAPHIC CONTROL AND MAINTENANCE OF ORGANIZATIONAL STRUCTURE AND FUNCTIONS - Methods, systems and devices for cryptographic control and maintenance of organizational structure and functions are provided. A method for control and maintenance of an operational organizational structure, the method includes associating entities with cryptographic capabilities; organizing entities within the organizational structure as roles; and maintaining roles within the organizational structure. The system may involve at least a Public Key Infrastructure operation. Elements in said organizational structure may be assigned to roles and/or groups within said organizational structure.01-14-2010
20090327704STRONG AUTHENTICATION TO A NETWORK - Embodiments for providing strong authentication to a network from a networked device are disclosed. In accordance with one embodiment, a method for authentication to a server includes sharing a session key between the networked device and the server. The method further includes sending an encrypted secret key that is encoded based on the session key to a memory of the networked device. The also method includes sending original data to the networked device for encryption into encrypted data using the secret key. The method additionally includes decrypting the encrypted data received from the networked device using the secret key to obtain decrypted data for comparison with the original data for determining access to networked resources.12-31-2009
20120084557TAMPERING MONITORING SYSTEM, CONTROL DEVICE, AND TAMPERING CONTROL METHOD - Provided is a tampering monitoring system that can identify a monitoring module that has been tampered with among a plurality of monitoring modules. A management apparatus is provided with an acquisition unit that acquires a new monitoring module that has not been tampered with, a generation unit that generates a decoy monitoring module by modifying the acquired monitoring module, a transmission unit that transmits the decoy monitoring module to the information security device and causes the information security device to install the decoy monitoring module therein, a reception unit that receives from the information security device, after the decoy monitoring module has been installed, monitoring results generated by the monitoring modules monitoring other monitoring modules, and a determination unit that identifies, by referring to the received monitoring results, a monitoring module that determines the decoy monitoring module to be valid and determines the identified monitoring module to be invalid.04-05-2012
20120084556SYSTEM AND METHOD FOR RETRIEVING RELATED CERTIFICATES - A system and method for searching and retrieving certificates, which may be used in the processing of encoded messages. In one embodiment, all certificates related to an identified certificate are retrieved from the certificate servers automatically by the certificate synchronization application, where the related certificates comprise at least one of one or more CA certificates and one or more cross-certificates. Embodiments described herein facilitate at least partial automation of the downloading and establishment of certificate chains, thereby minimizing the need for users to manually search for individual certificates.04-05-2012
20110126002TOKEN RENEWAL - A method and system for renewing certificates stored on tokens is described.05-26-2011
20080301439Validation Server, Program and Verification Method - A technique of managing public keys updated by a certificate authority and a plurality of hash algorithms is provided.12-04-2008
20110004753CERTIFICATE GENERATING/DISTRIBUTING SYSTEM,CERTIFICATE GENERATING/DISTRIBUTING METHOD AND CERTIFICATE GENERATING/DISTRIBUTING PROGRAM - In a certificate generating/distributing system, an authentication apparatus includes token transmitting means transmitting, to a service mediating apparatus, a certificate generation request token, which is information corresponding to a first certificate valid in the service mediating apparatus, together with the first certificate. The service mediating apparatus includes mediating apparatus token forwarding means forwarding the certificate generation request token to a service providing apparatus. The service providing apparatus includes certificate requesting means transmitting the certificate generation request token to the authentication apparatus when requesting a second certificate valid in the service providing apparatus. The authentication apparatus includes certificate transmitting means transmitting, to the service providing apparatus , the second certificate generated based on the first certificate in response to the request of the second certificate by the certificate requesting means.01-06-2011
20120265984NETWORK WITH PROTOCOL, PRIVACY PRESERVING SOURCE ATTRIBUTION AND ADMISSION CONTROL AND METHOD - A device implemented, carrier independent packet delivery universal addressing networking protocol for communication over a network between network nodes utilizing a packet. The protocol has an IP stack having layers. At least some of the layers have privacy preserving source node attribution and network admission control. The packet is admitted to the network only if a source node of the network nodes admits the packet.10-18-2012
20100100728METHOD OF HANDLING A CERTIFICATION REQUEST - In a certification request, a user device includes an object identifier. When a certification authority generates an identity certificate responsive to receiving the certification request, the certification authority includes the object identifier, thereby allowing improved management of the identity certificate at the user device and elsewhere.04-22-2010
20120272058TRANSPARENT PROXY OF ENCRYPTED SESSIONS - In one embodiment, a proxy device located between a first device and a second device intercepts a security session request for a security session between the first device and the second device. The proxy device obtains security information from the first device that includes at least a subject name of the first device. The proxy device creates a dynamic certificate using the subject name of the first device and a trusted proxy certificate of the proxy device. The proxy device establishes a security session between the proxy device and the second device using the dynamic certificate. Further, the proxy device establishes a security session between the first device and the proxy device using the trusted proxy certificate of the proxy device. The two security sessions collectively operate as a security session between the first device and the second device.10-25-2012
20110238982Trust-Management Systems and Methods - The present invention provides systems and methods for making efficient trust management decisions. A trust management engine is provided that processes requests for system resources, authorizations or certificates, and the identity of one or more root authorities that are ultimately responsible for granting or denying the requests. To determine whether a request should be granted, the trust management engine identifies a set principals from whom authorization may flow, and interprets each of the certificates as a function of the state of one or more of the principals. The processing logic iteratively evaluates the functions represented by the certificates, updates the states of the principals, and repeats this process until a reliable determination can be made as to whether the request should be granted or denied. The certificates may be evaluated until the state of the root authority indicates that the request should be granted, or until further evaluation of the certificates is ineffective in changing the state of the principals.09-29-2011
20120089832METHODS OF ISSUING A CREDIT FOR A CERTIFICATE FOR A DOMAIN NAME - The invention provides methods for efficiently registering a domain name and issuing a certificate without a Subscriber submitting a separate request for the certificate. A notice may be provided to the Subscriber after requesting to register the domain name that a credit for a certificate may be issued for the domain name. In other embodiments a credit may be given to the Subscriber for the certificate without receiving a separate request for the credit or certificate. The credit may be saved in a Subscriber's account to enable the Subscriber to use a certificate at a later time. In yet other embodiments, a single vetting process may be used to facilitate one or more of: creating a Subscriber's account; registering a domain name; and issuing a certificate.04-12-2012
20110276798SECURITY MANAGEMENT METHOD AND SYSTEM FOR WAPI TERMINAL ACCESSING IMS NETWORK - The present invention discloses a security management method and a security management system for a WAPI terminal accessing an IMS network. The method comprises: an authentication service unit (ASU) sending, under the circumstance that an access point and the WAPI terminal pass the verification of the ASU, a security information request message to a home subscriber server (HSS) (S11-10-2011
20120331289METHOD AND SYSTEM FOR ENCRYPTION OF MESSAGES IN LAND MOBILE RADIO SYSTEMS - A method and system for authentication of sites in a land mobile radio (LMR) system and encryption of messages exchanged by the sites. In some embodiments, the method includes transmitting a certificate created by a trusted authority by applying a function to a first site public key using the trusted authority's private key to generate a reduced representation, which is encrypted with the trusted authority's private key. Other sites may receive the certificate, decrypt it using the trusted authority's public key, and authenticate the first site. The method may further include generating a session key, encrypting it with the public key of the first site, and transmitting the encrypted session key to the first site. The first site decrypts the encrypted session key with the first site's private key, and transmits a message encrypted with the shared session key to other sites for decryption using the session key.12-27-2012
20120331288CUSTOMIZABLE PUBLIC KEY INFRASTRUCTURE AND DEVELOPMENT TOOL FOR SAME - A public key infrastructure comprises a client side to request and utilize certificates in communication across a network and a server side to administer issuance and maintenance of said certificates. The server side has a portal to receive requests for a certificate from a client. A first policy engine to processes such requests in accordance with a set of predefined protocols. A certification authority is also provided to generate certificates upon receipt of a request from the portal. The CA has a second policy engine to implement a set of predefined policies in the generation of a certificate. Each of the policy engines includes at least one policy configured as a software component e.g. a Java bean, to perform the discreet functions associated with the policy and generate notification in response to a change in state upon completion of the policy.12-27-2012
20120331287Provisioning a Shared Secret to a Portable Electronic Device and to a Service Entity - Systems and methods are provided for computing a secret shared with a portable electronic device and service entity. The service entity has a public key G and a private key g. A message comprising the public key G is broadcast to the portable electronic device. A public key B of the portable electronic device is obtained from a manufacturing server and used together with the private key g to compute the shared secret. The portable electronic device receives the broadcast message and computes the shared secret as a function of the public key G and the portable electronic device's private key b. The shared secret can be used to establish a trusted relationship between the portable electronic device and the service entity, to activate a service on the portable electronic device, and to generate certificates.12-27-2012
20120331286APPARATUS AND METHOD FOR PROVIDING SERVICE TO HETEROGENEOUS SERVICE TERMINALS - An apparatus and method for providing a service to heterogeneous service terminals without modifying a security framework are provided, in which a gateway that controls a first service terminal transmits a right delegation request to a server in order to provide the service to a second service terminal as well, and upon receipt of a service right verification request from the second service terminal after receiving a right delegation certificate from the server, the gateway transmits a service right verification response including the right delegation certificate to the second service terminal.12-27-2012
20120102319System and Method for Reliably Authenticating an Appliance - A system and an apparatus (04-26-2012
20120102318Method for the Application of Implicit Signature Schemes - A method of certifying a correspondent in data communication system by a certifying authority. The certifying authority includes a cryptographic unit. The method includes generating a random number and implicit certificate components based on the random number using the cryptographic unit. The implicit certificate components have a first component and a second component. The method also includes providing the implicit certificate components for use in the data communication system and providing a public key of the certifying authority for use in derivation of a public key of the correspondent from the first component. The certifying authority recertifies the correspondent by providing implicit certificate components using a changed value for the random number.04-26-2012
20120102317SECURE CONTENT DISTRIBUTION - In an example, a method of securing content is described. The method may include instantiating a content server on a client device. The method may also include operating the content server to retrieve content identified by a Uniform Resource Identifier (URI). The method may also include serving the content from the content server to a content renderer on the client device. The content renderer may be configured to render the content at the client device and to prohibit saving the content in the clear on the client device.04-26-2012
20120290834KEY DISTRIBUTION DEVICE, TERMINAL DEVICE, AND CONTENT DISTRIBUTION SYSTEM - A terminal device used in a content distribution system including a key distribution device, the terminal device, and a recording medium device, the key distribution device distributing a title key for protecting a content to the recording medium device, the terminal device for controlling writing of the title key on the recording medium device, and the recording medium device recording the content, wherein the key distribution device and the recording medium device comprise a communication unit configured to transfer the title key safely between the key distribution device and the recording medium device without direct involvement by the terminal device, and the terminal device confirms a supported function of the key distribution device and determines whether to permit operations pertaining to the key distribution device in accordance with the supported function.11-15-2012
20100199087SYSTEM AND METHOD FOR GENERATING A DIGITAL CERTIFICATE - A system and method for generating a digital certificate is provided wherein a new digital record is received and is assigned a sequence value. A first composite digital value is generated by applying a first deterministic function to the digital records stored in a repository. The sequence value and first composite digital value are included in a first certificate. After the digital record is added to the repository, a second composite digital value is generated by applying a second deterministic function to the digital records in the repository. This second composite digital value, and a composite sequence value, are published. An interval digital value which is based upon the first and second composite digital values, and the sequence value, are included in a second certificate which thus verifies the authenticity and sequence value of the digital record.08-05-2010
20130013919UPDATING CERTIFICATE STATUS IN A SYSTEM AND METHOD FOR PROCESSING CERTIFICATES LOCATED IN A CERTIFICATE SEARCH - A system and method for processing certificates located in a certificate search. Certificates located in a certificate search are processed at a data server (e.g. a mobile data server) coupled to a computing device (e.g. a mobile device) to determine status data that can be used to indicate the status of those certificates to a user of the computing device. Selected certificates may be downloaded to the computing device for storage, and the downloaded certificates are tracked by the data server. This facilitates the automatic updating of the status of one or more certificates stored on the computing device by the data server, in which updated status data is pushed from the data server to the computing device.01-10-2013
20130013918SYSTEM AND METHOD FOR RETRIEVING CERTIFICATES ASSOCIATED WITH SENDERS OF DIGITALLY SIGNED MESSAGES - A system and method for retrieving certificates and/or verifying the revocation status of certificates. In one embodiment, when a user opens a digitally signed message, a certificate that is required to verify the digital signature on the message may be automatically retrieved if it is not stored on the user's computing device (e.g. a mobile device), eliminating the need for users to initiate the task manually. Verification of the digital signature may also be automatically performed by the application after the certificate is retrieved. Verification of the revocation status of a certificate may also be automatically performed if it is determined that the time that has elapsed since the status was last updated exceeds a pre-specified limit.01-10-2013
20130013917SYSTEM AND METHOD FOR ENABLING BULK RETRIEVAL OF CERTIFICATES - A system and method for searching and retrieving certificates, which may be used in the processing of encoded messages. In one embodiment, a certificate synchronization application is programmed to perform certificate searches by querying one or more certificate servers for all of the certificates on those certificate servers. If all of the certificates on a certificate server cannot be successfully retrieved using a single search query, due to a search quota on the certificate server being exceeded for example, the search is re-performed through multiple queries, each corresponding to a narrower subsearch. Embodiments described herein enable large amounts of certificates to be automatically searched for and retrieved from certificate servers, thereby minimizing the need for users to manually search for individual certificates.01-10-2013
20130173913SECURE MECHANISMS TO ENABLE MOBILE DEVICE COMMUNICATION WITH A SECURITY PANEL - A method of arming or disarming a building security system includes transferring an electronic security credential file from an authorizing environment to a mobile computing device. The electronic security credential file is read by the mobile computing device to extract authentication data. The authentication data is transmitted from the mobile computing device and received at the building security system. Within the building security system, the authentication data is used to verify that a user of the mobile computing device is authorized to communicate with the building security system. The mobile computing device is enabled to communicate with the building security system only if the electronic security credential file has been used to verify that a user of the mobile computing device is authorized to communicate with the building security system.07-04-2013
20130173914Method for Certificate-Based Authentication - A method is disclosed for certificate-based authentication, in which a first subscriber authenticates himself to a second subscriber using a digital certificate associated to the first subscriber. The certificate specifies requirement(s) and the fulfillment of a requirement is ensured by a third subscriber. Within the framework of the authentication by the second subscriber, a validity condition is checked, and the certificate is classified as valid if the validity condition is fulfilled, based on the issue and/or absence of issue of the requirement(s) specified in the certificate by the third subscriber. Requirements may be used to restrict the validity of the certificate. The validity of a certificate can thereby be controlled in a simple and flexible manner without explicitly defining the validity in the certificate. The method can be used for authentication in any technical field, e.g., to authentication subscribers in the form of components of an automation system.07-04-2013
20130173912DIGITAL RIGHT MANAGEMENT METHOD, APPARATUS, AND SYSTEM - A digital right management method, including: generating, by a first user equipment having access right to shared digital contents, a common public key based on one or more public keys of one or more second user equipments intended to share the digital contents, respectively; encrypting, by the first user equipment, a key of the digital contents with the common public key to generate a ciphertext of the key of the digital contents; generating, by the first user equipment, from the ciphertext a new authorization certificate corresponding to the digital contents; and transmitting, by the first user equipment, the new authorization certificate and the digital contents to the second user equipments to instruct the second user equipments to share the digital contents in accordance with the new authorization certificate.07-04-2013
20090132810Distributed digital certificate validation method and system - A distributed digital certificate validation method of a client connectable in communication with a host is provided. The method comprises making a first connection with the host to establish data communication with the host, sending to the host a request for a certificate validation result, importing from the host a file containing at least the requested certificate validation result, and storing the imported file locally for later retrieval of at least the requested certificate validation result.05-21-2009
20080256358System and method for managing digital certificates on a remote device - A system and method for managing a digital certificate associated with a remote device is provided. The method includes providing a Web Service Application Programming Interface (API) and communicating digitally between the Web Service API and a remote device, including one of requesting the remote device to perform a task associated with managing digital certificates, and responding to a request from the remote device for performing a task associated with managing digital certificates.10-16-2008
20080235509METHOD FOR EXCHANGING MESSAGES AND VERIFYING THE AUTHENTICITY OF THE MESSAGES IN AN AD HOC NETWORK - A method for exchanging messages containing reliable information between nodes in an ad hoc network, such as a vehicle ad hoc network. The method includes the steps of providing a public key for a PKI encrypted certificate authority signature to all nodes known to transmit reliable information. Each node transmits a signal containing node identification information and the PKI encrypted certificate authority signature associated with that node. Each node also receives like signals from other nodes and then decrypts the certificate authority signatures from the received signals by using the certificate authority public key to ascertain the authenticity of the received certificate authority signatures and the reliability of the received message. Thereafter, the nodes receive and accept messages with a TESLA encrypted signature only with nodes identified to have authentic certificate authority signatures until the occurrence of a subsequent predefined event, such as a new node in the network or the elapse of a predetermined time period.09-25-2008
20080222413METHOD AND APPARATUS FOR INTEGRATED PROVISIONING OF A NETWORK DEVICE WITH CONFIGURATION INFORMATION AND IDENTITY CERTIFICATION - According to one aspect, a provisioning server comprises a configuration module that configures a network device and an identification certification module that certifies the identity of the network device. With use of the provisioning server, the network device does not require configuration with network connectivity in order to obtain its certified identity. In one embodiment, configuration module configures the device for operation at the device's point of deployment in a network. In one embodiment, the identity certification module is configured to generate a digital certificate for the network device and the configuration module is configured to automatically configure the network device based on its digital certificate. The provisioning server is coupled to the network device with a secure communication link. As a result, a more trusted network device is ultimately deployed into its network of operation.09-11-2008
20080222412Network data security system and protecting method thereof - The invention presents a network data security system and a protecting method applied in network data transmission. Meanwhile the network data security system includes a client, an authentication dispatching server and a number of distributed servers. The authentication dispatching server includes a first determination device and a user certificate generator; and each distributed server includes a second determination device, a second user certificate generator and a processor. The method for protecting data of the present invention introduces the authentication dispatching server providing the client with a user certificate in a valid period of time and further introduces an updated certificate mechanism for preventing the user certificate from being stolen and further preventing network data from being let out.09-11-2008
20110271100UNATTENDED CODE UPDATE OF STORAGE FACILITY - Various embodiments for providing an update to at least one storage facility in a computing storage environment are provided. In one embodiment, a security verification is performed on the update via a certificate authentication mechanism to confirm a validity of the update. Subsequent to confirming the validity of the update, a safety verification on the update is performed to confirm a suitability of the update to the at least one storage facility. If the security and safety verifications are validated, the update is provided and installed in the at least one storage facility.11-03-2011
20130091353APPARATUS AND METHOD FOR SECURE COMMUNICATION - A method and apparatus are for transferring a client device certificate and an associated encrypted client private key to a client device from a secure device. The secure device receives over a secure connection, a secure device certificate, a secure device private key and a plurality of client device certificates. Each client certificate is associated with a bootstrap public key but is not assigned to any particular client device. A plurality of encrypted client private keys is also received. Each of the encrypted client private keys comprises a client private key associated with one of the client device certificates encrypted with the bootstrap public key. The plurality of client device certificates is stored. The encrypted client private keys are stored in double encrypted protected form. A client device certificate and an associated encrypted client private key are transferred to a client device that has successfully registered with the secure device.04-11-2013
20130091352Techniques to Classify Virtual Private Network Traffic Based on Identity - Techniques are provided for obtaining first and second digital certificates from a certificate authority database for establishing a secure exchange between network devices. The first digital certificate contains identity information of a first network device, and the second digital certificate contains classification information of the first network device. In one embodiment, a secure key exchange is initiated with the second network device, and the first and second digital certificates are transmitted as a part of the secure key exchange to the second network device. In another embodiment, the first and second digital certificates are received by an intermediate network device. The first digital certificate is encrypted and is not evaluated by the intermediate network device. The second digital certificate is evaluated for classification information of the first network device. Source information associated with the first network device is stored, and encrypted traffic is processed between the network devices.04-11-2013
20130097420Verifying Implicit Certificates and Digital Signatures - Methods, systems, and computer programs for verifying a digital signature are disclosed. The verifier accesses an implicit certificate and a digital signature provided by the signer. The implicit certificate includes a first elliptic curve point representing a public key reconstruction value of the signer. The verifier accesses a second elliptic curve point representing a pre-computed multiple of the certificate authority's public key. The verifier uses the first elliptic curve point and the second elliptic curve point to verify the digital signature. The verifier may also use a third elliptic curve point representing a pre-computed multiple of a generator point. Verifying the digital signature may provide verification that the implicit certificate is valid.04-18-2013
20130124857COMMUNICATION APPARATUS AND CONTROL METHOD THEREFOR - It is determined whether a user who has logged in in communication using a selfsigned certificate stored by default is an administrator or a general user. If it is determined that the user is an administrator, an install page for a CA-signed certificate which is more reliable than the selfsigned certificate is returned to the user. Alternatively, if it is determined that the user is a general user, an error page is returned to the user.05-16-2013
20110213962DOMAIN MANAGEMENT FOR DIGITAL MEDIA - In accordance with the domain management for digital media, a device obtains multiple pieces of protected content from multiple content providers, where two or more of the content providers employ different digital rights management systems. The device also accesses a license server to obtain, for each piece of protected content, a content license that is bound to a domain. The content license permits the device to play back a piece of protected content.09-01-2011
20100287369ID SYSTEM AND PROGRAM, AND ID METHOD - [PROBLEMS] To appropriately authenticate a user, a biometric device, and an authentication timing of a client side and prevent leak or tampering of the biometric information.11-11-2010
20130151847Authentication Certificates as Source of Contextual Information in Business Intelligence Processes - A certificate of a user is presented by a client to a server. The certificate is used to authenticate communications between the client and the server. Thereafter, data from the certificate is cached at the server. The server then initiates one or more business intelligence processes of a business intelligence application at the client using the cached data to provide context to the one or more business intelligence processes. Related apparatus, systems, techniques and articles are also described.06-13-2013
20130138952SYSTEM AND METHOD TO PASS A PRIVATE ENCRYPTION KEY - A method and system may include receiving, by a certificate authority computing device, a request to provision and provide a private key. A connection may be established between a requester device and a network for identification. The identity of the requester device may be verified via a network path utilized by the connection. A secure session with the requester device may be initiated using an intermediate agent on the network. A private key may be provided from the certificate authority to the requester device using the secure session. The private key may be provisioned. The intermediate agent may be connected to the network at a location that provides the requester device with a connection to the network. The intermediate agent may further authenticate the requester device using the location of the connection to the network of the requesting device.05-30-2013
20130151846Cryptographic Certification of Secure Hosted Execution Environments - Implementations for providing a secure execution environment with a hosted computer are described. A security-enabled processor establishes a hardware-protected memory area with an activation state that executes only software identified by a client system. The hardware-protected memory area is inaccessible by code that executes outside the hardware-protected memory area. A certification is transmitted to the client system to indicate that the secure execution environment is established, in its activation state, with only the software identified by the request.06-13-2013
20100318789METHOD AND SYSTEM FOR LICENSE MANAGEMENT - System and method are disclosed for securing and managing individual end-user platforms as part of an enterprise network. The method/system of the invention has three main components: a security module, a manager appliance, and a console appliance. The security module enforces the enterprise licenses and security policies for the end-user platforms while the manager appliance provides secure, centralized communication with, and oversight of, the security module. The console appliance allows an administrator to access the manager appliance for purposes of monitoring and changing the licenses. Security is established and maintained through an innovative use of data encryption and authentication procedures. The use of these procedures allows the appliances to be uniquely identified to one another, which in turn provides a way to dynamically create unique identifiers for the security modules. These various components together form an infrastructure over the enterprise network to securely manage the end-user platforms.12-16-2010
20100318787Method for Certifying a Public Key by an Uncertified Provider - The invention concerns a method for guaranteeing certification of a user's public key by reducing requests to key-certifying appropriate authorities. More particularly, the invention concerns a method for managing a public key of a user capable of being implemented in an asymmetric cryptosystem. According to the invention, a certification, or validation of the correspondence between a public key and a user, is performed by a validating entity, a provider separate from the certifying authority via a validation step. The password is verifiable by the validating entity, but without the latter being aware of it.12-16-2010
20120284509COMMUNICATION SYSTEM AND METHOD FOR SECURELY COMMUNICATING A MESSAGE BETWEEN CORRESPONDENTS THROUGH AN INTERMEDIARY TERMINAL - A wireless communication system includes a pager or similar device that communicates to a home terminal. The home terminal confirms the identity of the pager and attaches a certificate to the message for ongoing transmission. Where the recipient is also a pager, an associated home terminal verifies the transmission and forwards it in a trusted manner without the certificate to the recipient.11-08-2012
20120284508VALIDATING A BATCH OF IMPLICIT CERTIFICATES - Methods, systems, and computer programs for validating a batch of implicit certificates are described. Data for a batch of implicit certificates are received and validated. In some aspect, the data include key-pair-validation values that can be used to validate the public and private keys for each implicit certificate. For example, the key-pair-validation values can include a private key, a public key reconstruction value, a public key of the certificate authority, and a hash of the implicit certificate. The key-pair-validation values are either valid or invalid according to a key-pair-validation function. In some cases, modification values are obtained independent of the key-pair-validation values, and the modification values are combined with the key-pair-validation values in a batch-validation function. The batch-validation function is evaluated for the batch of implicit certificates. Evaluating the batch-validation function identifies whether the key-pair-validation data include key-pair-validation values that are invalid according to the key-pair-validation function.11-08-2012
20130159706SECRET COMMUNICATION METHOD AND SYSTEM BETWEEN NEIGHBORING USER TERMINALS, TERMINAL, SWITCHING EQUIPMENT - The present invention provides a secret communication method, apparatus and system. The method comprises: 1) determining a neighboring encryption switching equipment shared by a first user terminal and a second user terminal, wherein the first user terminal and the second user terminal are neighboring user terminals (06-20-2013
20130159705SECURITY SYSTEM FOR HANDHELD WIRELESS DEVICES USING TIME-VARIABLE ENCRYPTION KEYS - In one embodiment, the invention provides a portable wireless personal communication system for cooperating with a remote certification authority to employ time variable secure key information pursuant to a predetermined encryption algorithm to facilitate convenient, secure encrypted communication. The disclosed system includes a wireless handset, such as PDA, smartphone, cellular telephone or the like, characterized by a relatively robust data processing capability and a body mounted key generating component which is adapted to be mounted on an individual's body, in a permanent or semi-permanent manner, for wirelessly broadcasting, within the immediate proximity of the individual, a secret or private key identifying signal corresponding to a time variable secure key information under the control of the certification authority. The key identifying signal is generated in a format that facilitates secure wireless communication with the individual in accordance with a predetermined encryption algorithm including a PKI encryption algorithm. The disclosed system may be used with a console for coordinating access to a variety of different communication system and networks.06-20-2013
20130159704SYSTEM AND METHOD OF ENFORCING A COMPUTER POLICY - A method and system of enforcing a computer policy uses a central server to manage user profiles, policies and encryption keys. The server securely supplies the keys to client devices only after checking that the policy has been complied with. The checks include both the identity of the user and the machine identity of the client device. The keys are held in a secure environment of the client device, for example in a Trusted Platform Module (TPM), and remain inaccessible at all times to the end user. Theft or loss of a portable client device does not result in any encrypted data being compromised since the keys needed to decrypt that data are not extractable from the secure environment.06-20-2013
20130159703UTILIZING A STAPLING TECHNIQUE WITH A SERVER-BASED CERTIFICATE VALIDATION PROTOCOL TO REDUCE OVERHEAD FOR MOBILE COMMUNICATION DEVICES - A certificate issuer (06-20-2013
20130159702COMBINED DIGITAL CERTIFICATE - A system can comprise a memory to store computer readable instructions and a processing unit to access the memory and to execute the computer readable instructions. The computer readable instructions can comprise a certificate manager configured to request generation of N number of random values, where N is an integer greater than or equal to one. The certificate manager can also be configured to request a digital certificate from at least one certificate authority of at least two different certificate authorities. The request can include a given one of the N number of random values. The certificate manager can also be configured to generate a private key of a public-private key pair, wherein the private key is generated based on a private key of each of the least two certificate authorities.06-20-2013
20130185552Device Verification for Dynamic Re-Certificating - A method for authenticating a device is provided. The method comprises receiving, by a network component, from the device, an access request and an encryption key; sending, by the network component, to the device, a request for at least one of current information associated with the device and an identification number associated with the device; receiving, by the network component, a response from the device; comparing, by the network component, the response with a known version of the at least one of current information associated with the device and identification number associated with the device; and determining, by the network component, that the device has passed an authenticity test when at least one of: current information included in the response matches the known version of the current information, and the identification number included in the response matches the known version of the identification number.07-18-2013
20130124856System And Method For A Single Request And Single Response Authentication Protocol - Various embodiments of a system and method for a single request and single response authentication protocol are described. A client may send to an authentication server a request to authenticate the identity of a user attempting to access an electronic document protected by a rights management policy. The single request may be generated according to rights management configuration information included within the document. Such rights management information may include one or more parameters for requesting authentication from an authentication server. In response to the request, an authentication server may send a single response to the client. The single response may include information indicating that the identity is authenticated (e.g., a license to access the document, or an encryption key to decrypt the document). The client system may be configured to, in response to the single response, provide access to the document according to the rights management policy.05-16-2013
20120290833Certificate Blobs for Single Sign On - A system, method and a computer-readable medium for generating an authentication password for authenticating a client to a server. A digital certificate that includes private key, and a public key is provided. A hash of a content of a digital certificate is generated. The hash is also encrypted with a private key. The encrypted hash and the content of the digital certificate are encoded into a certificate blob, which is utilized as an authorization password.11-15-2012
20120030460Authority-Neutral Certification for Multiple-Authority PKI Environments - A method for facilitating electronic certification, and systems for use therewith, are presented in the context of public key encryption infrastructures. Some aspects of the invention provide methods for facilitating electronic certification using authority-neutral service requests sent by an application, which are then formatted by a server comprising a middleware that can convert the authority-neutral request into certification authority specific objects. The server and middleware then return a response from a selected certification authority back to the service requesting application. Thus, the server and/or middleware act as intermediaries that facilitate user transactions in an environment having multiple certification authorities without undue burden on the applications or the expense and reliability problems associated therewith.02-02-2012
20130198511IMPLICIT SSL CERTIFICATE MANAGEMENT WITHOUT SERVER NAME INDICATION (SNI) - Embodiments disclose a reverse lookup using an IP:Port-to-hostname table to identify a hostname when only an IP address and port is present in an SSL hello connection, which may occur, for example, when a non-SNI-capable client initiates the SSL hello. Once the hostname is successfully looked up, a naming convention is used to simplify the management and identification of SSL certificates. Different types of SSL certificates are supported. Multiple hostname matches may be associated with a given IP address and port in the IP:Port-to-hostname table. In such case, the first-matching hostname is always used with the naming convention to identify related SSL certificates. The naming convention is applied in such a way that it will first look for the most matching file name to the least matching file name.08-01-2013
20120297187Trusted Mobile Device Based Security - A method for performing user security operations using a mobile communications device includes, storing at least one security credential for a user in the mobile communications device, receiving a request from a client computer to perform an action requiring the stored at least one security credential, wherein the request includes information regarding a service application for which the action is requested, determining a response to the request based upon at least one user configured personal security preference at the mobile communications device, and transmitting the determined response to the client computer. Corresponding system and computer program products are also described.11-22-2012
20120066492METHOD FOR MAKING SECURITY MECHANISMS AVAILABLE IN WIRELESS MESH NETWORKS - The invention relates to a method for making safety mechanisms available in wireless mesh networks which have a plurality of nodes that are interconnected by multi-hop communication in a wireless network meshed by mesh routing in the MAC layer, every node being active as a router to forward the data traffic of the other nodes. At least two differentiated levels of confidence are defined by a type of protection (ToP) the value of which represents a specific level of confidence for the nodes and data packets, the data packets being labeled with a ToP value in the mesh header, and at least one ToP value being allocated to the participating nodes, the nodes forwarding the data packet in the mesh network using the ToP values of the node and of the data packet if this ToP value combination is admissible in the node.03-15-2012
20130205134METHODS AND APPARATUSES FOR ACCESS CREDENTIAL PROVISIONING - Methods and apparatuses are provided for access credential provisioning. A method may include causing a trusted device identity for a mobile apparatus to be provided to an intermediary apparatus. The intermediary apparatus may serve as an intermediary between the mobile apparatus and a provisioning apparatus for a network. The method may further include receiving, from the intermediary apparatus, network access credential information for the network. The network access credential information may be provisioned to the mobile apparatus by the provisioning apparatus based at least in part on the trusted device identity. Corresponding apparatuses are also provided.08-08-2013
20120072719Method Enabling Real-Time Data Service, Realization, Real-Time Data Service System and Mobile Terminal - The present invention discloses a method for implementing a real-time data service, a real-time data service system and a mobile terminal. Said method for implementing a real-time data service includes the following steps: before encapsulating a Media Access Control Protocol Data Unit (MPDU), a Wireless Local Area Network Privacy Infrastructure (WPI) module in an Access Point (AP) needs to determine the type of the data to be encapsulated in the MPDU; if the data is a control signalling message of a real-time data service, the WPI module encrypts said data, then encapsulates the encrypted data in a data (e.g. PDU) field of the MPDU, and transmits the encapsulated data to the mobile terminal; if the data is an audio/video data message of a real-time data service, the data is not to be encrypted, but is encapsulated directly into the data (e.g. PDU) field of the MPDU in plaintext, and then transmitted to the mobile terminal. The present invention can reduce the processing load and the software and hardware costs of the AP and the mobile terminal.03-22-2012
20120072718System And Methods For Online Authentication - A method of establishing a communication channel between a network client and a computer server over a network is described. The network client may be configured to communicate with the computer server over the network and to communicate with a token manager. The token manager may be configured with a parent digital certificate that is associated with the token manager. The token manager or network client generates a credential from the parent digital certificate, and transmits the credential to the computer server. The credential may be associated with the computer server. The network client may establish the communications channel with the computer server in accordance with an outcome of a determination of validity of the credential by the computer server.03-22-2012
20130212379DYNAMIC GENERATION AND PROCESSING OF CERTIFICATE PUBLIC INFORMATION DIRECTORIES - Digital certificate public information is extracted using a processor from at least one digital certificate stored within at least one digital certificate storage repository. The extracted digital certificate public information is stored to at least one dynamically-created certificate public information directory. At least a portion of the digital certificate public information stored within the at least one dynamically-created certificate public information directory is provided in response to a digital certificate public information request.08-15-2013
20130212380SECURELY UPGRADING OR DOWNGRADING PLATFORM COMPONENTS - A method for securely altering a platform component is provided, comprising: assigning certificates for public encryption and signature verification keys for the device; assigning certificates for public encryption and signature verification keys for an upgrade server; mutually authenticating a device containing the platform component and the upgrade server; causing the device and the upgrade server to exchange a session key; and providing an alteration to be made to the platform component from the upgrade server to the device using the session key.08-15-2013
20130212381SYSTEM AND METHOD FOR CONTROLLING AUTHORIZED ACCESS TO A STRUCTURED TESTING PROCEDURE ON A MEDICAL DEVICE - Methods and systems for authorizing access to a medical device are disclosed. The methods and systems use authorization certificates to allow and prevent access to one or more operations of the medical device. The methods and systems also allow the tracking of changes made to the medical device by an authorized user.08-15-2013
20130212382DEVICE-BOUND CERTIFICATE AUTHENTICATION - A device-bound certificate authority binds a certificate to one or more devices by including digital fingerprints of the devices in the certificate. A device only uses a device-bound certificate if the digital fingerprint of the device is included in the certificate and is verified. Thus, a certificate is only usable by one or more devices to which the certificate is explicitly bound. Such device-bound certificates can be used for various purposes served by certificates generally such as device driver authentication and authorization of access to secure content, for example.08-15-2013

Patent applications in class By certificate

Patent applications in all subclasses By certificate