3589 results about "Key management" patented technology

The invention combines cryptographic key management technology with various authentication options and the use of a companion PKI system in a web-centric cryptographic key management security method and apparatus called PXa3(TM) (Precise eXtensible Authentication, Authorization and Administration). The PXa3 model uses a security profile unique to a network user and the member domain(s) he/she belongs to. A PXa3 server holds all private keys and certificates, the user's security profile, including credentials and the optional authentication enrollment data. The server maintains a security profile for each user, and administrators simply transmitted credential updates and other periodic maintenance updates to users via their PXa3 server-based member accounts. Domain and workgroup administrators also perform administrative chores via a connection to the PXa3 web site, rather than on a local workstation. A member's security profile, containing algorithm access permissions, credentials, domain and maintenance values, a file header encrypting key, optional biometric templates, and domain-specific policies is contained in one of two places: either on a removable cryptographic token (e.g., a smart card), or on a central server-based profile maintained for each member and available as a downloadable "soft token" over any Internet connection.

Methods, systems and computer program products are provided which provide for controlling access to digital data in a file by encrypting the data with a first key, encrypting the first key with a second personal key generated from a password/passphrase associated with the file and further encrypting the encrypted first key with a control key which is managed by the system. In certain embodiments, user authentication may also be provided by issuing a ticket which is utilized to create, access and administer the files in the system.

Systems and methods for performing financial transactions are provided. In one embodiment, the invention provides for method for bank card transactions, including: reading the token information at the point of swipe for traditional and non-traditional POS platforms; performing a low-security task on the token information using a first microprocessor, wherein the non-security task includes one or more tasks from the group of encryption determination, encryption-decryption request, key management, token information delivery, or transactional data delivery; and performing a security-related task on the token information using a second microprocessor based on a request from the first microprocessor, wherein the security-related task includes one or more tasks from the group of token information authentication, token information decryption, or token information encryption. Formatting the encrypted information such that it is compatible with the format of the current POS system.

In one embodiment, a device includes a first interface, a second interface, a memory, and a processor coupled to the first and second interfaces and to the memory. The processor is configured to receive key-management information via the second interface, and to store the key-management information in a protected portion of the memory as stored key-management information. The processor is also configured to perform a challenge-response authentication interaction via the first interface. The challenge-response authentication interaction is based at least in part on the stored key-management information. The device is configured to prevent data in the protected portion of the memory from being modified in response to information received via the first interface.

According to some embodiments, systems and methods for binding dynamic host configuration and network access authentication are provided related to, inter alia, interactions between a PAA (PANA Authentication Agent) and a DHCP (Dynamic Host Configuration Protocol) server, such as, e.g., for synchronization between the PANA SA state and the DHCP SA state, such as, e.g., maintaining synchronization when a connection is lost. In some embodiments, systems and methods for binding network bridge and network access authentication are also provided related to, inter alia, interactions between a PAA and a layer-2 switch, such as, e.g., for avoiding service thefts and the like (such as, e.g., MAC address and/or IP address spoofing) in the context of, e.g., the above. In some other embodiments, systems and methods for bootstrapping multicast security from network access authentication protocol are also provided related to, inter alia, key management for protected IP multicast streams, such as, e.g., to avoid IP multicast streams unnecessarily received and/or processed by unauthorized receivers connected to the same layer 2 segment as authorized receivers in the context of, e.g., the above.

An integrated circuit for data encryption/decryption and secure key management is disclosed. The integrated circuit may be used in conjunction with other integrated circuits, processors, and software to construct a wide variety of secure data processing, storage, and communication systems. A preferred embodiment of the integrated circuit includes a symmetric block cipher that may be scaled to strike a favorable balance among processing throughput and power consumption. The modular architecture also supports multiple encryption modes and key management functions such as one-way cryptographic hash and random number generator functions that leverage the scalable symmetric block cipher. The integrated circuit may also include a key management processor that can be programmed to support a wide variety of asymmetric key cryptography functions for secure key exchange with remote key storage devices and enterprise key management servers. Internal data and key buffers enable the device to re-key encrypted data without exposing data. The key management functions allow the device to function as a cryptographic domain bridge in a federated security architecture.

The present invention provides a method and system for secured remote provisioning of a universal integrated circuit card of a user equipment. A system includes a user equipment for initiating a request for remote provisioning of an universal integrated circuit card (UICC) in the user equipment, where the request for remote provisioning includes a machine identifier (MID) associated with the user equipment and a public land mobile network (PLMN) identifier (ID) associated with an network operator. The system also includes at least one shared key management server for dynamically generating security keys and an operator shared key using the security keys, the MID. Moreover, the system includes an operator network for generating a subscription key using the operator shared key and an international mobile subscriber identity (IMSI), and provisioning the IMSI in a secured manner to the UICC of the user equipment using the security keys.

The present invention discloses a construction for key management module functionality which provides for secure encoding and decoding of messages which are up to two blocks long. A method for generating an encoded value having a first encoded value part and a second encoded value part from an unencoded value having a first unencoded value part and a second unencoded value part, comprising the steps of: obtaining an initialization vector; and generating the first and second encoded value parts. The first encoded value part is generated by: generating a first result by encrypting the first unencoded value part; generating a second result by performing an exclusive or operation on the first result and the second unencoded value part; generating a third result by performing an exclusive or operation on the second result and the initialization vector; generating a fourth result by encrypting the third result; generating a fifth result by performing an exclusive or operation on the fourth result and the first unencoded value part; and encrypting the fifth result. The second encoded value part is generated by encrypting the second result.

Methods and systems to support XML-based security and key management services in a pre-boot execution environment. During pre-boot, XML console in and console out interfaces are loaded, and corresponding API's are published to enable use of the interfaces by various firmware and software components. A network stack is set up to enable XML content received at the network interface to be forwarded to the XML console in interface and XML content provided at the XML content out interface to be sent out via the network interface. Security operations may then be performed to authenticate a client system hosting the XML interfaces, to authenticate remote servers to which the client system may communicate with, and to validate boot images provided to the computer system. Key management services are also supported.

To provide a secure service to an application virtual machine running in a first domain of a virtualized computing platform, a second domain is arranged to run a corresponding service driver exclusively for the application virtual machine. As part of the secure service, the service driver effects a key-based cryptographic operation; to do so, the service driver has to obtain the appropriate key from a key manager. The key manager is arranged to store the key and to release it to the service driver only upon receiving evidence of its identity and being satisfied of compliance with release policies associated with the key. These policies include receipt of valid integrity metrics, signed by trusted-device functionality of the virtualized computing platform, for the service driver and the code on which it depends.

A key management of cryptographic keys has a data package including one or more cryptographic keys that are transferred to a personal device 100 from a secure processing point 150 of a device assembly line in order to store device specific cryptographic keys in the personal device 100. In response to the transferred data package, a backup data package is received by the secure processing point 150 from the personal device 100, which backup data package is the data package encrypted with a unique secret chip key stored in a tamper-resistant secret storage 125 of a chip 110 included in the personal device 100. The secure processing point 150 is arranged to store the backup data package, together with an associated unique chip identifier read from the personal device 100, in a permanent, public database 170.

A method and a system are presented in which computing environments of different enterprises interact within a federated computing environment. Federated operations can be initiated at the computing environments of federation partners on behalf of a user at a different federated computing environment. A point-of-contact service relies upon a trust service to manage trust relationships between a computing environment and computing environments of federation partners. The trust service employs a key management service, an identity/attribute service, and a security token service. A federated user lifecycle management service implements federated user lifecycle functions and interacts with the point-of-contact service and the trust service.

A system for automated cryptographic key management comprises a key control system, a key management agent system, and a key system application program interface. A method for automated cryptographic key management is also disclosed. The method comprises the automatic generation of cryptographic keys by the key control system and distribution of such keys by the key control system to the key management agent system.

The invention relates to a method for implementing a safe storage system in a cloud storage environment and belongs to the technical field of storage safety. The method is characterized in that a trust domain is established in a server according to the requirements of a user; in the trust domain, identity authentication is performed by using an public key infrastructure (PKI); the independence between the storage system and a bottom layer system is realized by utilizing a filesystem in user space (FUSE); a hash value of a file is calculated by utilizing a secure hash algorithm (SHA1) and taking a block as a unit, a file block is encrypted by utilizing a key and an advanced encryption standard (AES) algorithm of a symmetric encipherment algorithm and taking a block as a unit, and a file cipher text is uploaded to a file server in a cloud storage area so as to guarantee the confidentiality and integrity of the file; a filer owner postpones encrypting the file again when permission is revoked by designating a user with the permission of accessing the file and the permissions thereof in an access control list; and only when the user modifies the content of the file, the user encrypts the file block in which the modified content is positioned again and the system implements three layers of key management, namely a file block key, a safe metadata file key and a trust domain server key so that not only the safety of the file is guaranteed when the permission is revoked, but also the management load of the system is not increased.

A method is provided for performing application-transparent key management in a storage library associated with an encrypting removable storage device. Encryption and decryption is performed by a key manager and the removable storage device, and is transparent to the application. Data is encrypted using keys that are managed by the storage key manager. An administrative interface allows an administrator to specify and manage encryption keys. A key identifier is associated with each key, and the key identifier is written to the tape along with the encrypted data. When reading encrypted data, the removable storage device reads the key identifier from the tape and requests the corresponding encryption key from the key manager. The removable storage device then provides the decrypted data to the application. The encryption key may be exported from the key manager or library in an encrypted XML format. Encrypted tapes can therefore be decrypted in different libraries by exporting the keys from one library to another.

A security system for managing security key assignment in a mobile communications terminal, the security system comprising a key generating mechanism for generating a unique security key for a mobile device, in response to a request received by the security system from the mobile device; a transmission mechanism for transmitting the unique security key to the mobile device; and a data storage mechanism for storing the unique security key for the mobile device in association with an identifier identifying the mobile device, wherein the unique security key is transmitted to a service provider, in response to a request submitted by the service provider to the security system.

A method, system, computer program product, and devices for enterprise network access control and management for Government and Corporate entities, including interagency identity management; connectors and controls; an interagency directory services transformation service; a user/duty position resolving service; role-based encryption key management; role-based business process modeling; and proximity-based access control enabled by user-role-track association.

A trust system and method is disclosed for use in computing devices, particularly portable devices, in which a central Authority shares secrets and sensitive data with users of the respective devices. The central Authority maintains control over how and when shared secrets and data are used. In one embodiment, the secrets and data are protected by hardware-rooted encryption and cryptographic hashing, and can be stored securely in untrusted storage. The problem of transient trust and revocation of data is reduced to that of secure key management and keeping a runtime check of the integrity of the secure storage areas containing these keys (and other secrets). These hardware-protected keys and other secrets can further protect the confidentiality and/or integrity of any amount of other information of arbitrary size (e.g., files, programs, data) by the use of strong encryption and/or keyed-hashing, respectively. In addition to secrets the Authority owns, the system provides access to third party secrets from the computing devices. In one embodiment, the hardware-rooted encryption and hashing each use a single hardware register fabricated as part of the computing device's processor or System-on-Chip (SoC) and protected from external probing. The secret data is protected while in the device even during operating system malfunctions and becomes non-accessible from storage according to various rules, one of the rules being the passage of a certain time period. The use of the keys (or other secrets) can be bound to security policies that cannot be separated from the keys (or other secrets). The Authority is also able to establish remote trust and secure communications to the devices after deployment in the field using a special tamper-resistant hardware register in the device, to enable, disable or update the keys or secrets stored securely by the device.

This invention uses a cloud-based key management system to store, retrieve, generate, and perform other key operations. The cloud-based system ensures security of the keys while preventing their loss or destruction. Using this invention, a company can now manage, audit, and maintain control and security around their keys. Security event auditing permits evaluation of the operations to ensure that each step is completely securely.

An apparatus and a receiver, which is in a broadband communication system, includes the logic necessary for protecting keys used for encrypting content that is received by the receiver. The apparatus validates the keys and denies the receiver the use of the keys if they become invalid.