Patents Examined by Fikremariam A Yalew
  • Patent number: 8689324
    Abstract: Techniques to explain authorization origins for protected objects in an object domain are disclosed. In one embodiment, for example, an apparatus may comprise a processor circuit, a request processor component operative on the processor circuit to receive and process a request for an authorization origin of a resource object, the authorization origin comprising an access control with a permission arranged to control access to the resource object based on an identity, and a resource origin component operative on the processor circuit to identify the authorization origin of the resource object from a set of interrelated resource objects and associated access controls, retrieve authorization origin information for the authorization origin, and present the authorization origin information in a user interface view. Other embodiments are described and claimed.
    Type: Grant
    Filed: April 4, 2012
    Date of Patent: April 1, 2014
    Assignee: SAS Institute, Inc.
    Inventors: Brian Bowman, Elizabeth A. Lyne, Catherine Hitti, Jianping Yang, J. Forest Boozer
  • Patent number: 8687803
    Abstract: In the field of computer enabled cryptography, such as a keyed block cipher having a plurality of sequenced rounds, the cipher is hardened against attack by a protection process. The protection process uses block lengths that are larger or smaller than and not an integer multiple of those of an associated standard cipher, and without using message padding. This is operative in conjunction with standard block ciphers such as the AES, DES or triple DES ciphers, and also with various block cipher cryptographic modes such as CBC or EBC.
    Type: Grant
    Filed: September 14, 2011
    Date of Patent: April 1, 2014
    Assignee: Apple Inc.
    Inventors: Augustin J. Farrugia, Benoit Chevallier-Mames, Melanie Riendeau, Mathieu Ciet, Thomas Icart
  • Patent number: 8689340
    Abstract: A method for protecting content on a medium including a token which implements at least a portion of a keyed function, providing a first encryption method and a first encryption key, inputting each one of a plurality of token inputs to the token and converting an output of the token to a function output, and storing a plurality of ordered pairs each including a function input and the corresponding function output, encrypting the plurality of ordered pairs using the first encryption method and the first encryption key, and storing the encrypted plurality of ordered pairs on the medium. Related apparatus and methods are also described.
    Type: Grant
    Filed: June 5, 2006
    Date of Patent: April 1, 2014
    Assignee: Cisco Technology Inc.
    Inventors: Itsik Mantin, Aviad Kipnis
  • Patent number: 8677469
    Abstract: In a firewall device protecting a specific network against an attack from an external network, a filtering object identifying portion identifies whether or not received data includes filtering object data, a filtering execution/inexecution selector transmits to a source device of the received data, when the received data includes the filtering object data, a selection request of a desire for a filtering execution or inexecution of the received data, does not select the filtering execution of the received data from the source device on a condition that a selection response indicates a desire for the filtering inexecution and the source device is authenticated, but selects the filtering execution under other conditions, and a filtering processor filters the selected received data.
    Type: Grant
    Filed: March 30, 2006
    Date of Patent: March 18, 2014
    Assignee: Fujitsu Limited
    Inventor: Kazumine Matoba
  • Patent number: 8677125
    Abstract: The present invention provides a method and an apparatus for automating authentication of a user. In one embodiment, a method calls for detecting an authentication event at a wireless communication device to gain access to a first wireless network through an access point associated with the first wireless network, automatically obtaining a credential from a second wireless network in response to the authentication event, and authenticating the user based on the credential to establish a connection between the wireless communication device and the first wireless network. A client-server based communication system includes a client module at a wireless communication device for user authentication of a Wi-Fi device to a Wi-Fi network through an access point associated therewith. For the purposes of authentication, the client-server based communication system further includes a server module with which the client module may automatically exchange short message service messages over a wide area network.
    Type: Grant
    Filed: March 31, 2005
    Date of Patent: March 18, 2014
    Assignee: Alcatel Lucent
    Inventors: Jacco Brok, Jeroen Van Bemmel
  • Patent number: 8677445
    Abstract: An information processing apparatus, includes: a registration unit that refers to a use limit information memory which stores use limit information indicating a policy of a use limit of a document corresponding to a set of a mark image indicating that use of the document is limited and user associated information relating to a user associated to the document, extracts the mark image and person in charge information from document image information obtained by reading a paper document including the mark image and the person in charge information indicating a person in charge with respect to contents of the paper document, acquires the use limit information corresponding to a set of the extracted mark image and the user associated information corresponding to the extracted person in charge information from the use limit information memory, and registers the acquired use limit information associated with a document including the document image information in a document memory.
    Type: Grant
    Filed: December 4, 2009
    Date of Patent: March 18, 2014
    Assignee: Fuji Xerox Co., Ltd.
    Inventors: Toshikatsu Suzuki, Rumiko Kakehi
  • Patent number: 8667302
    Abstract: A signature generating device includes a receiving unit that receives a sequence of data; a summary data generating unit that generates summary data of the data upon reception of each of the data by the receiving unit; an obtaining unit that obtains, when the number of data included in a sequence of the generated summary data reaches a given number, the sequence of the summary data as a block; a setting unit that sets, as a signature subject, a current block constituted by the sequence of the summary data, and the summary data selected from at least one block contiguous to the current block; a digital signature generating unit that generates a digital signature concerning data summarized for the current block; and a sending unit that sends the generated digital signature, the signature subject associated with the digital signature, and the data summarized for the current block.
    Type: Grant
    Filed: September 23, 2010
    Date of Patent: March 4, 2014
    Assignees: Fujitsu Limited, Fujitsu Advanced Engineering Limited
    Inventors: Takashi Yoshioka, Masahiko Takenaka, Fumitsugu Matsuo, Fumiaki Chiba
  • Patent number: 8656191
    Abstract: A secure system-on-chip for processing data, the system-on-chip comprising at least a central processing unit (CPU), an input and an output channel, an encryption/decryption engine and a memory, wherein, said input channel comprises an input encryption module to encrypt all incoming data, said output channel comprising an output decryption module to decrypt all outgoing data, said CPU receiving the encrypted data from the input encryption module and storing them in the memory, and while processing the stored data, said CPU reading the stored data from the memory, requesting decryption of same in the encryption/decryption engine, processing the data and requesting encryption of the result by the encryption/decryption engine and storing the encrypted result, outputting the result to the output decryption module for decryption purpose and exiting the decrypted result via the output channel.
    Type: Grant
    Filed: December 13, 2012
    Date of Patent: February 18, 2014
    Assignee: Nagravision S.A.
    Inventor: Andre Kudelski
  • Patent number: 8656485
    Abstract: A projection display device that operates, in case that the second authentication information which is input does not match the first authentication information which is stored, operates in the second operation mode in which the projection display device projects in a state that an operation to change the environmental setting information is disabled to be received.
    Type: Grant
    Filed: December 27, 2011
    Date of Patent: February 18, 2014
    Assignee: Seiko Epson Corporation
    Inventor: Yuji Mochizuki
  • Patent number: 8656474
    Abstract: A biometric authentication device includes: a biometric information obtain portion obtaining biometric information of a user; a biometric condition determine portion determining good and bad of biometric condition of the user according to the biometric information of the user; a biometric matching portion performing a matching of registered biometric information registered in advance based on the biometric information; an alternate authentication portion performing an authentication based on information that is different from the biometric information; and an alternate authentication control portion switching validation and invalidation of the authentication by the alternate authentication portion according to a determination result of the biometric condition determine portion.
    Type: Grant
    Filed: September 22, 2011
    Date of Patent: February 18, 2014
    Assignee: Fujitsu Limited
    Inventor: Koichiro Niinuma
  • Patent number: 8650625
    Abstract: A method and system for securely logging onto a banking system authentication server so that a user credential never appears in the clear during interaction with the system in which a user's credential is DES encrypted, and the DES key is PKI encrypted with the public key of an application server by an encryption applet before being transmitted to the application server. Within the HSM of the application server, the HSM decrypts and re-encrypts the credential under a new DES key known to the authentication server, the re-encrypted credential is forwarded to the authentication server, decrypted with the new DES key known to the authentication server, and verified by the authentication server.
    Type: Grant
    Filed: September 21, 2012
    Date of Patent: February 11, 2014
    Assignee: Citibank Development Center, Inc.
    Inventors: Michael Grandcolas, Marc Guzman, Thomas Yee, Dilip Parekh, Yongqiang Chen
  • Patent number: 8650619
    Abstract: An automated method is provided for mutual discovery between a network entity and a client entity that cooperate for providing a service in a machine-to-machine environment. In an embodiment, the network entity receives an identifier in a communication from a server on behalf of the client entity. At some point in time, the network entity receives a communication containing the identifier from the client entity. Before or after receiving the client entity communication, the network entity discovers itself to the client entity. Some time after receiving the client entity communication, the network entity authenticates the client entity, establishes a permanent security association with the client entity, and initiates the service.
    Type: Grant
    Filed: August 19, 2010
    Date of Patent: February 11, 2014
    Assignee: Alcatel Lucent
    Inventors: Ganapathy Sundaram, Semyon B. Mizikovsky, Ioannis Broustis
  • Patent number: 8646087
    Abstract: A method includes analyzing execution of a software program, the software program having sources returning values, sinks that perform security-sensitive operations on those returned values or modified versions of the returned values, and flows of the returned values to the sinks, the analyzing determining a first set of methods having access to a value returned from a selected one of the sources. A static analysis is performed on the software program, the static analysis using the first set of methods to determine a second set of methods having calling relationships with the selected source, the static analysis determining whether the returned value from the selected source can flow through a flow to a sink that performs a security-sensitive operation without the flow to the sink being endorsed, and in response, indicating a security violation. Apparatus and computer program products are also disclosed.
    Type: Grant
    Filed: December 1, 2010
    Date of Patent: February 4, 2014
    Assignee: International Business Machines Corporation
    Inventors: Marco Pistola, Omer Tripp, Peter K. Malkin
  • Patent number: 8635464
    Abstract: The current application is directed to computationally efficient attribute-based access control that can be used to secure access to stored information in a variety of different types of computational systems. Many of the currently disclosed computationally efficient implementations of attribute-based access control employ hybrid encryption methodologies in which both an attribute-based encryption or a similar, newly-disclosed policy-encryption method as well as a hierarchical-key-derivation method are used to encrypt payload keys that are employed, in turn, to encrypt data that is stored into, and retrieved from, various different types of computational data-storage systems.
    Type: Grant
    Filed: October 26, 2011
    Date of Patent: January 21, 2014
    Inventor: Yacov Yacobi
  • Patent number: 8631483
    Abstract: A packet filter (2500) for incoming communications packets includes extractor circuitry (2510) operable to extract data from a packet, and packet processor circuitry (2520) operable to concurrently mask (3010) the packet data from the extractor circuitry (2510), perform an arithmetic/logic operation (3020) on the packet to supply a packet drop signal (DROP), and perform a conditional limit operation and a conditional jump operation (3030).
    Type: Grant
    Filed: May 31, 2006
    Date of Patent: January 14, 2014
    Assignee: Texas Instruments Incorporated
    Inventors: Maneesh Soni, Amritpal S. Mundra, Thomas H. McKinney, Jagdish Doma
  • Patent number: 8627460
    Abstract: An apparatus and method for restricting the functions of a device are provided. A restriction monitoring system includes a communication system that provides a location-limited communication channel that detects whether a device entering a perimeter is in an area for device inspection, a server that provides a credential and a security policy to the device and receives a report on whether the device violates the security policy through the location-limited communication channel, and an alarm system which triggers a security alarm when the device violates the security policy.
    Type: Grant
    Filed: August 31, 2006
    Date of Patent: January 7, 2014
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Kyung-hee Lee, Tymur Korkishko
  • Patent number: 8627416
    Abstract: A method includes receiving, at a client device, an authentication seed from a first network. The method also includes receiving a shared secret. The method further includes, in response to receiving the authentication seed, determining a network address of the client device. The method further includes computing a result of a one-way hash function of a combination of the network address, the authentication seed, and the shared secret. The method further includes transmitting the network address and the result of the one-way hash function to a server that provides access control of a second network coupled to the first network. The method further includes receiving permission from the server to access the second network.
    Type: Grant
    Filed: June 18, 2012
    Date of Patent: January 7, 2014
    Assignee: Wayport, Inc.
    Inventors: James D. Keeler, John R. Melendez
  • Patent number: 8615661
    Abstract: A method of handling cryptographic information in a communication comprising body elements and attachment elements to a mobile device includes the steps of determining if the communication includes an attachment element comprising cryptographic information and converting the attachment element into a body element upon determining that the communication includes an attachment element comprising cryptographic information.
    Type: Grant
    Filed: March 20, 2003
    Date of Patent: December 24, 2013
    Assignee: BlackBerry Limited
    Inventors: Herbert A. Little, Albert Hecht-Enns, David F. Tapuska, Michael S. Brown, Michael G. Kirkup
  • Patent number: 8612756
    Abstract: Certain embodiments of this disclosure include methods and devices for adjusting the precision of location information. According to one embodiment, a method is provided. The method may include: obtaining a request for location information from an application; determining that the location information needs to be adjusted; obtaining the location information; adjusting the location information, wherein the adjusting includes: (i) adding noise to the location information to obtain noisy location information, (ii) discretizing the noisy location information to obtain discretized location information, and (iii) hysteresizing the discretized location information to obtain adjusted location information. The adjusted location information may then be provided to the requesting application.
    Type: Grant
    Filed: April 11, 2013
    Date of Patent: December 17, 2013
    Assignee: Google Inc.
    Inventors: Reto Meier, Jeff Brown, Nicholas Julian Pelly, Angana Ghosh, Stephen David Zelinka, Mohammed Waleed Kadous
  • Patent number: 8612775
    Abstract: There is provided a computer system, having a host and at least one storage system. The at least one storage system provides storage area includes at least one of an encrypted storage area and a plaintext storage area. The at least one storage system is configured to: receive an instruction about what type of storage area is available to the host computer; present the encrypted storage area to the host as an available storage area separate from unavailable storage areas in the case of the type of storage area being available according to the instruction indicating “encrypted”; and present, in the case of the type of storage area being available according to the instruction indicating other than “encrypted”, one of both the encrypted storage area and the plaintext storage area to the host computer as available storage areas, and only the plaintext storage area as an available storage area.
    Type: Grant
    Filed: June 3, 2008
    Date of Patent: December 17, 2013
    Assignee: Hitachi, Ltd.
    Inventors: Daisuke Kito, Kyoko Mikami, Nobuyuki Osaki