Abstract: Biometric authentication and touch differentiation embodiments are described which use a handheld mobile computing device having a signal injection site that injects a signal into a user's hand for a prescribed period of time, and at least one signal sensing site each of which captures a signal emanating from a finger of either of the user's hands that is touching the signal sensing site during at least the period of time the signal is injected. The captured signal or signals are analyzed to determine whether they match, to a prescribed degree, a pre-established signal model that is indicative of a signal or signals expected to be captured. The signal matching determination can be employed to authenticate a user, or identify which finger of a user's hand is touching the computing device.

Abstract: An approach provides detection of unauthorized use of data services. A determination is made as to whether connections supporting remote access to a data network are completed. The number of completed connections associated with a selected attribute is tracked over a time period. It is then determined whether the number of completed connections satisfies a connection frequency threshold. A fraud alert is generated if the connection frequency threshold is satisfied.

Abstract: A data processing apparatus for processing and protecting data stored in a removable storage medium, including a medium monitoring unit configured to monitor the state of the removable storage medium, an information storage unit configured to store information, and a controller configured to move the data from the removable storage medium to the information storage unit in accordance with the monitoring result of the medium monitoring unit.

Abstract: Presently disclosed herein are a method, system, and computer-readable medium for managing a user-defined genre-based password. In one embodiment, the method includes steps for creating a genre-based tree that can be used to prompt a user in remembering a user-created password.

Abstract: A system and method for automatically altering device functionality based on the occurrence of certain predetermined conditions. A link may be established between a device and a trusted server to provide an association between various conditions that may be detected at the device and actions that are to be taken on the device. In particular, software traps can be set up and linked to device functionality such that execution of the trap may automatically disable or enable certain device capabilities. Some aspects of the invention are directed to a system and method for remotely setting software traps for detecting software viruses and, upon execution of the traps, several methods for establishing a quarantine on infected devices.

Abstract: A communications scheme enables a central communications station to assist two communications systems located behind firewalls that prevent communication initiated from an external data network to establish direct communication with each other. In one embodiment, the systems separately establish communications with the central communications station and obtain from it the connection information (e.g., IP address, port, etc.) of the other. The systems then directly communicate with each other using the obtained connection information while pretending to be the central communications station. In another embodiment in which the firewalls include NAT devices that implement network address translation, the systems exchange connection information for establishing a new connection through the central communications station and then complete a three-way handshake with the assistance of the central communications station, thereby allowing the central communications station to remove itself from the communication.

Abstract: Aspects of the present invention may be seen in a method and system for the ingestion of update package containers (or other types of containers, in general) into a distribution network. In an embodiment of the present invention, update package containers (UPC) from several different sources may be transferred into a distribution network such as a carrier network via a standardized SOAP interface. A logical repository may be assumed to exist in the distribution network. A standardized interface to such a logical repository may facilitate the integration of ingestion methods from several software originators into such a distribution network.

Abstract: When an SIP interface unit of a server apparatus receives an SIP message for call connection from a client apparatus and an SIP message analyzing unit can confirm that the SIP message is normal, a call controller recognizes that an RTP communication is carried out between the client apparatus and another client apparatus and instructs an encrypting capability management unit to determine RTP encrypting information which is used between the client apparatuses. The encrypting capability management unit determines the RTP encrypting information between these client apparatuses based on the instruction. With this arrangement, there can be provided a client-server distributed system that can realize an encrypting security function without requiring a certificate authentification function at a low cost in order to deliver an encrypting key as well as without necessity of holding or managing a certificate and preparing an authenticating server in a system.

Abstract: A computer-implemented method of assisting in establishing a secure communication is disclosed. The method includes obtaining an encryption key that is shared with a credentialing device, receiving from a client device an encrypted session identifier that encodes a password, decrypting the session identifier with the key to extract the password, and authenticating a communication session for the device using a challenge-response protocol.

Abstract: An authentication system includes: a first information processor; a second information processor; an authentication-service-providing device; and an authentication device, wherein the authentication-service-providing device has: an unit that receives second authentication information for authenticating a user from the second information processor and executes a second authentication based on the second authentication information; and an unit that issues third authentication information to the second information processor when the second authentication is successful; and the authentication device has: an unit that receives first authentication information for authenticating the user from the first information processor and executes a first authentication based on the first authentication information; and an unit that receives, from the first information processor, third authentication information obtained by the second information processor and input to the first information processor and cooperates with the a

Abstract: Secure password entry is facilitated by displaying a password prompt comprising a changing stream of random characters, where a particular character within the stream of random characters is displayed at a visibly detectable higher frequency. A user selects a password character by entering input to increment or decrement the particular high frequency character to reach the password character, such that any unauthorized keystroke logging to detect said password is ineffective. Once the user reaches the password character, the user provides another input indicating a selection of the current high frequency character as the password character. Once the user has selected all the characters of the password, the user enters an input indicating the password is complete and the password entry controller then passes the password to the calling layer.

Abstract: Techniques are described to enable two or more layer two (L2) firewall devices to be configured as a high availability (HA) cluster in an active-active configuration. A first layer two (L2) firewall and a second L2 firewall are positioned within the same L2 network. The first L2 firewall and the second L2 firewall are concurrently configured with active virtual security devices (VSDs) within the L2 network, and concurrently apply L2 firewall services to packets within the L2 network. A VSD of one of the L2 firewalls automatically switches to an active VSD status for a VSD group in place of a VSD of another L2 firewall when the other L2 firewall fails.

Abstract: At startup, divided data blocks are received from other authentication devices and are assembled together with the local divided data block to reconstitute first authentication data. After a prescribed time interval, divided data blocks are again received from other authentication devices and are assembled together with the local divided data block to reconstitute second authentication data.

Abstract: One embodiment of the present invention provides a system for managing keys. During operation, the system authenticates a client at a key manager. Next, the system receives a token from the client at the key manager, wherein the token is associated with a customer key, and includes a token authenticator. This token authenticator comprises one-half of an authenticator pair which is used to determine if the client is the owner of the customer key. Next, the system decrypts the token using a master key. The system then verifies a client authenticator, which comprises the other half of the authenticator pair which is used to determine if the client is the owner of the customer key. If the client is the owner of the customer key, the system sends the customer key to the client, which enables the client to encrypt/decrypt data. Finally, the client deletes the customer key.

Abstract: Disclosed is a method and system to discourage a MITM attacker in a data communications system that includes client and a server. The method includes, in a Digest Authentication and Key Agreement (AKA) challenge sent to the client from the server, setting an “algorithm” field to ‘algorithm=“AKAv1-HMAC-MD5”’ for directing the client to use the HMAC-MD5 keyed hash function when producing Digest credentials; and using at least one of an AKA Integrity Key (IK) or an AKA Cipher Key (CK) in the keyed hash function.

Abstract: A technique is disclosed that allows different computers in a network to create an identifier that uniquely identifies the network. The technique allows the unique identifier to be consistently created over time, regardless of the particular make up of the computing devices in the network at any particular point time. In some implementation, a computer within the network hosts the identification creation tool. In order to create a unique identifier for the network, the tool identifies each network adapter used by the host computer. Using this information, the tool identifies a gateway device used by the network adapter or adapters, and then determines the physical network address of that gateway device. For example, if the network is an Ethernet network, the tool will determine the medial access control (MAC) address for the gateway device. The tool then creates a unique identifier for the network based upon the physical address.

Abstract: A system, a method and computer-readable media for supporting multiple security tiers in a network. A system is provided that includes an access terminal. The access terminal includes multiple virtual machines, which are each associated with a different security profile. The system further includes an access network that validates the virtual machines. The access network also assigns security procedures for use with the various virtual machines by referencing their associated security profiles. The system further includes a core network. The core network also enforces the various security profiles, and references the profiles in the selection of services used in the handling of communications from the virtual machines.

Abstract: A computer implemented method, computer program product, and system for managing objects. Responsive to receiving a find-rule method, and a path-rule table, wherein the path-rule table contains a set of paths, wherein each path references an object, wherein a file system locates the object using the path, and wherein the object has at least one attribute not known to the file system, a path-rule table identifier is created. The path-rule table is associated with the path-rule table identifier to form an associated path-rule table. The find-rule method is associated with the path-rule table identifier to form an associated find-rule method. The path-rule table identifier, the associated path-rule table, and the associated find-rule method are stored. The path-rule table identifier is returned.

Abstract: A unified broadcast encryption system divides a media key tree into S subtrees, divides digital content into segments, and converts some of the segments into variations; the number of segments and variations is q. The system subdivides each of the subtrees into q/|S| subdivided subtrees, assigns a key media variant to each of the subdivided subtrees, and generates a unified media key block (MKBu). The system decrypts digital content by obtaining required key media variants from the MKBu, using the key media variant to find an entry in a variant key table, decrypt a title key, and locate a variant number from the variant key table. The system uses the variant number to identify which of the variations may be decrypted by the title key and uses the title key to decrypt segments and variations.

Abstract: A network configuration device or entity has control of defined management and security functions in the network, or in many embodiments, in a Fiber Channel fabric. The network configuration device may control many functions. Foremost, it may control the recognition, operation and succession procedure for network configuration entities. It may also control user configurable options for the network, rules for interaction between other entities in the network, rules governing management-level access to the network, and rules governing management-level access to individual devices in the network. In addition, the network configuration entity may exploit policy sets to implement its control.