Patents Examined by Fikremariam A Yalew
  • Patent number: 8612757
    Abstract: An apparatus and method for securely providing identification information generates one or more obscured identifiers for a recipient, such as one or more identifiers that are generated based on data unique to a recipient or other information as may be appropriate. In one embodiment, the method and apparatus generates a translucent identification member, such as a plastic card, sheet, film or other suitable member that has a translucent area that includes one or more obscured identifiers. When the translucent identification member is overlayed on a screen displaying a visual filtering pattern, one of one or more obscured identifiers is visually revealed for use during the particular transaction. The revealed identifier is entered into a recipient device and sent to an authenticator to be verified as an appropriate identifier for the transaction.
    Type: Grant
    Filed: December 30, 2003
    Date of Patent: December 17, 2013
    Assignee: Entrust, Inc.
    Inventors: Michael Chiviendacz, Edward Pillman
  • Patent number: 8613055
    Abstract: In some embodiments, an apparatus includes an authorization module implemented in at least one of a memory or a processing device. The authorization module can receive from an application a request for an access token associated with the application that includes a scope identifier associated with a level of access to a resource module. The authorization module can select based on the scope identifier at least one authentication mode from a set of predefined authentication modes. The authorization module can also receive at least one credential assigned to at least one authentication mode. Additionally, the authorization module can send the access token to the application in response to authenticating a user of the application based on the at least one credential.
    Type: Grant
    Filed: February 22, 2013
    Date of Patent: December 17, 2013
    Assignee: Ping Identity Corporation
    Inventors: Scott Tomilson, Brian Campbell
  • Patent number: 8611543
    Abstract: A method for providing an IP key, for encoding messages between a user terminal MS or a PMIP client and a home agent HA, wherein an authentication server only provides the mobile IP key when the authentication server recognizes, by a correspondingly encoded parameter, that the user terminal MS itself is not using mobile IP (PMIP).
    Type: Grant
    Filed: May 24, 2007
    Date of Patent: December 17, 2013
    Assignee: Siemens Aktiengesellschaft
    Inventors: Rainer Falk, Dirk Kröselberg
  • Patent number: 8612772
    Abstract: Implementing a key and a protection circuit in a configurable device. A soft key associated with a protection circuit is combined with a user's electronic design in generating configuration data for download onto the configurable device. The placement and routing of the soft key is pseudo-randomly arranged with respect to the user's electronic design such that its placement and routing on the configurable device is substantially different for binary configuration data that is generated. Hiding the soft key and its connections to the protection circuit and assisting in protecting user electronic designs is achieved.
    Type: Grant
    Filed: July 20, 2006
    Date of Patent: December 17, 2013
    Assignee: Altera Corporation
    Inventors: Martin Langhammer, James G. Schleicher, II
  • Patent number: 8607051
    Abstract: Techniques for binding multiple authentications for a peer are described. In one design, multiple authentications for the peer may be bound based on a unique identifier for the peer. The unique identifier may be a pseudo-random number and may be exchanged securely between the peer, an authentication server, and an authenticator in order to prevent a man-in-the-middle attack. Data for all authentications bound by the unique identifier may be exchanged securely based on one or more cryptographic keys generated by all or a subset of these authentications. In another design, multiple levels of security may be used for multiple authentications for a peer. The peer may perform a first authentication with a first authentication server and obtain a first cryptographic key and may also perform a second authentication with the first authentication server or a second authentication server and obtain a second cryptographic key. The peer may thereafter securely exchange data using the two keys using nested security.
    Type: Grant
    Filed: April 10, 2007
    Date of Patent: December 10, 2013
    Assignee: QUALCOMM Incorporated
    Inventors: Vidya Narayanan, Lakshminath Reddy Dondeti
  • Patent number: 8607328
    Abstract: Systems, methods, and machine readable media for repairing data processing systems. In one exemplary embodiment, a computer software utility has the ability to repair a personal computer (PC) using a bootable storage medium (e.g. CD). This utility can connect to the Internet and create an encrypted virtual private network (VPN) tunnel to an automated support server network and to other PCs running a similar version of the utility. This utility, in conjunction with the automated support server network, checks the system files (e.g. DLL and system configuration files, etc.) on a PC being repaired and obtains information to perform the checking from the automated support server network and may obtain replacement system files from the automated support server network or the other PCs.
    Type: Grant
    Filed: March 4, 2005
    Date of Patent: December 10, 2013
    Inventor: David Hodges
  • Patent number: 8601558
    Abstract: Rather than managing a certificate chain related to a newly issued identity certificate at a terminal to which a wireless device occasionally connects, a certificate server can act to determine the identity certificates in a certificate chain related to the newly issued identity certificate. The certificate server can also act to obtain the identity certificates and transmit the identity certificates towards the device that requested the newly issued identity certificate. A mail server may receive the newly issued identity certificate and the identity certificates in the certificate chain and manage the timing of the transmittal of the identity certificates. By transmitting the identity certificates in the certificate chain before transmitting the newly issued identity certificate, the mail server allows the user device to verify the authenticity of the newly issued identity certificate.
    Type: Grant
    Filed: November 15, 2012
    Date of Patent: December 3, 2013
    Assignee: Blackberry Limited
    Inventors: Cheryl Wing-Yee Mok, Van Quy Tu
  • Patent number: 8601277
    Abstract: An information processing system, an information processing method for use with the system, an information providing system, and information providing method for use with the system, an information processing apparatus, an information processing method for use with the apparatus, a doll, an object, a program storage medium, and a program for authenticating users reliably are provided. A user acquires beforehand a doll called Pochara the Good Friend incorporating an IC chip that stores a user ID for authenticating the user. When the user mounts the doll on a platform 23 connected to a personal computer 22, the user ID is read from the IC chip by a reader housed in the platform 23 and transmitted over the Internet 1 to a Pochara service server 9. The server 9 has a Pochara database 10 holding personal information about users of the service. The transmitted user ID is checked against the personal information in the database for authentication.
    Type: Grant
    Filed: May 29, 2003
    Date of Patent: December 3, 2013
    Assignee: Sony Corporation
    Inventors: Akiko Asami, Takashi Suzuki, Takashi Takeda
  • Patent number: 8601591
    Abstract: A method and an apparatus for providing privacy in a network are disclosed. For example, the method receives a request, e.g., an HTTP request, from a user for information, wherein the information includes at least a Uniform Resource Locator (URL) of at least an aggregator. The method identifies all personally identifiable information of the user. The method then masks the personally identifiable information from the browser in the endpoint device of the user, while responding to the request.
    Type: Grant
    Filed: September 29, 2009
    Date of Patent: December 3, 2013
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Balachander Krishnamurthy, Craig Wills
  • Patent number: 8601272
    Abstract: A signature log storing apparatus includes a signature log list and a certificate list, and registers, in the signature log list, a part of signature information in generated hysteresis signature as a signature record and a part of a user certificate in the certificate list. The signature log storing apparatus further includes a trust point list and validates signature records registered in the signature log list and registers identification information for identifying a latest signature record out of the validated signature records, evidence information for validating validity of the user certificate for a validated signature record, and a hash value of information derived by connecting the evidence information and the hash value as needed or before the user certificate expires.
    Type: Grant
    Filed: March 31, 2006
    Date of Patent: December 3, 2013
    Assignee: Hitachi, Ltd.
    Inventors: Shinji Itoh, Yoshinori Honda, Hiroyasu Nunokami, Keiji Sakamoto
  • Patent number: 8595799
    Abstract: Methods, systems, and computer-readable media with executable instructions stored thereon for managing access authorization to hardware and data resources. A method includes defining a property of a hardware and/or data resource. This example method further includes defining a role such that each defined role can be applied to different users without modification, defining a security domain for the property of the resource in the context of a user-role assignment and assigning a role to a user in a context of the defined security domain.
    Type: Grant
    Filed: April 18, 2012
    Date of Patent: November 26, 2013
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Ifat Afek, Nadav Sharir, Arik Sityon
  • Patent number: 8594323
    Abstract: Entropy obtained from a series of key generation exchanges may be combined with entropy from a strong entropy source to allow the strong entropy to be stretched to generate a larger number of keys for use on a communication network, without requiring additional information from the group members and without requiring the entropy source to be increased in size or in number. In one embodiment, nonces exchanged during an initial key exchange are used to generate additional key material that is then fed, together with a fresh random secret, to another pseudo-random function to generate an additional key stream. The fresh random secret may be generated at the GCKS from a physical entropy source or other entropy source, and may be changed at will by the GCKS to further increase the strength of the keys. The methods are particularly useful for group key management where a large number of keys are required to be generated in a short time frame.
    Type: Grant
    Filed: September 21, 2004
    Date of Patent: November 26, 2013
    Assignee: Rockstar Consortium US LP
    Inventor: Lakshminath Dondeti
  • Patent number: 8590011
    Abstract: The variable domain data access control system and method described herein use the same variable domain to describe a data security model and a variable domain data model, such as a product configuration model. A variable domain is a set of resource data that can be described using a logical relationship data structure. The variable domain utilizes logical relationship expressions, such as a Boolean logic language, to define resource data in terms of parts, rules and/or attributes, and any other property that can be accessed for viewing, manipulation, or other purposes. The data security model represents an access control list (ACL) that includes security attributes as resource data and uses the same data structure and logical relationship expressions as an associated variable domain data model. An application, such as a configuration engine, can be used to create controlled access to the variable domain data model using the data security model.
    Type: Grant
    Filed: February 24, 2005
    Date of Patent: November 19, 2013
    Assignee: Versata Development Group, Inc.
    Inventors: Jacy M. Legault, Jon Loyens
  • Patent number: 8582774
    Abstract: An aim of this invention is to eliminate the risks of aggression “DPA of the n order” attacks, for all n values, of cryptography electronic assemblies or systems with a secret or private key. The process according to this invention concerns a securing process for an electronic system using a cryptographic calculation procedure using a secret key. The process consists of masking intermediate results in input or output of at least one critical function for the said procedure.
    Type: Grant
    Filed: March 4, 2003
    Date of Patent: November 12, 2013
    Assignee: Gemalto SA
    Inventors: Louis Goubin, Mehdi-Laurent Akkar
  • Patent number: 8566607
    Abstract: In a first aspect, a first cryptography method is provided. The first method includes the steps of (1) in response to receiving a request to perform a first operation on data in a first memory cacheline, accessing data associated with the first memory cacheline; (2) performing cryptography on data of the first memory cacheline when necessary; and (3) speculatively accessing data associated with a second memory cacheline based on the first memory cacheline before receiving a request to perform an operation on data in the second memory cacheline. Numerous other aspects are provided.
    Type: Grant
    Filed: August 26, 2005
    Date of Patent: October 22, 2013
    Assignee: International Business Machines Corporation
    Inventors: William T. Flynn, David A. Shedivy
  • Patent number: 8566956
    Abstract: A computer-implemented system and method of monitoring data access activity of a user of a system is presented here. The method maintains a respective score for each of a plurality of monitored data access events, resulting in a set of scores for the user. The method continues by monitoring behavior of the user to detect occurrences of the monitored data access events, and updating the set of scores in response to detected occurrences of the monitored data access events. The method initiates an appropriate course of action when the updated set of scores is indicative of unauthorized, suspicious, or illegitimate data access activity.
    Type: Grant
    Filed: December 6, 2010
    Date of Patent: October 22, 2013
    Assignee: salesforce.com, inc.
    Inventor: Steve Slater
  • Patent number: 8566616
    Abstract: Use of an electronic design in a configurable device is controlled by a secure device. The configurable device includes an authorization code generator having a sequence generator and an encryption core implementing an encryption algorithm. The secure device uses the same sequence generator and encryption core in its own authorization code generator. The sequence generators in the configurable device and secure device generate identical streams of values that are encrypted using the encryption algorithm. The encrypted values are compared in the configurable device by a comparator. When the streams of encrypted values are not identical, the electronic design is prevented from operating. Where the period of the sequence generated by the sequence generators is long, such as 2^64, the output of the encryption cores will contain that many different encrypted values, a substantial amount of highly randomized output used as authorization code for the protection of the electronic design.
    Type: Grant
    Filed: September 10, 2004
    Date of Patent: October 22, 2013
    Assignee: Altera Corporation
    Inventor: Martin Langhammer
  • Patent number: 8555403
    Abstract: Privileged access to managed content is disclosed. In some embodiments, a privileged portion of application code manages user access to managed content at a level of access greater than the user would otherwise be afforded. The privileged code moves a content management session up or down in levels of access as required to allow a user to perform through the application one or more specific actions it is desired to permit the user to do in a particular context (e.g., at a particular time in the lifecycle of an item of content and/or a particular point in a business process or work flow), including to permit the user to perform an action it is not desired to let the user perform in other contexts, such as write a particular value to a content item it is not desired to allow the user to write to otherwise.
    Type: Grant
    Filed: March 30, 2006
    Date of Patent: October 8, 2013
    Assignee: EMC Corporation
    Inventor: Roger W. Kilday
  • Patent number: 8539562
    Abstract: One disclosed aspect of the present invention includes authentication and user account automation within a compute cluster for each cluster node that requires password or other credential administration. For example, a storage appliance computing system may rely on a plurality of subsystems (such as databases, storage management software, and application servers) that each have internal user accounts with associated passwords and credential keys that need to be changed at frequent intervals. Rather than requiring an administrator to manually manage all of these accounts, the presently described invention includes techniques and an authentication manager component to automatically manage, update, and refresh authentication information as required. Further, the authentication manager component may be used to perform and propagate automatic credential changes such as new sets of SSH keys or updated passwords as required within a computing system, and respond to new nodes or out-of-sync credentialing scenarios.
    Type: Grant
    Filed: December 9, 2010
    Date of Patent: September 17, 2013
    Assignee: International Business Machines Corporation
    Inventors: Christian Bolik, Neeta Garimella, Zhiguo Huang, Erick C. Kissel, Jayashree Ramanathan
  • Patent number: 8533800
    Abstract: Embodiments of the invention relate to providing a health care provider access to an electronic record of a patient. A determination is made as to whether the health care provider is logged onto a computer system in a physical area assigned to the patient. Whether the health care provider is logged onto the computer system during working hours of the provider is also ascertained. The health care provider is provided with access to the electronic record of the patient via the computer system if the determining resolves to true and the ascertaining resolves to true.
    Type: Grant
    Filed: August 13, 2010
    Date of Patent: September 10, 2013
    Assignee: International Business Machines Corporation
    Inventors: Hongxia Jin, Qihua Wang