Abstract: In order to further develop a circuit arrangement for as well as a method of performing an inversion operation in a cryptographic calculation, wherein only inversion modulo an odd number is allowed, it is proposed that the inversion operation is performed modulo at least one even number.

Abstract: Prior to the execution of a program contained in a second chip card inserted in a terminal such as a mobile radio telephone terminal, in addition to a first chip card containing data and connected to a telecommunication network to which the terminal is linked, one of the cards is authenticated by the other, or the two cards are authenticated mutually. This double authentication ensures the authenticity of the program for its overall execution in the terminal and the origin of the second card, distributed through conventional channels, for the network operator.

Abstract: A method and system for securely enrolling personal identity credentials into personal identification devices. The system of the invention comprises the manufacturer of the device and an enrollment authority. The manufacturer is responsible for recording serial numbers or another unique identifier for each device that it produces, along with a self-generated public key for each device. The enrollment authority is recognized by the manufacturer or another suitable institution as capable of validating an individual before enrolling him into the device. The enrollment authority maintains and operates the appropriate equipment for enrollment, and provides its approval of the enrollment. The methods described herein discuss post-manufacturing, enrollment, backup, and recovery processes for the device.

Abstract: Delegating resource management to customers in a technology outsourcing environment includes providing the customer with a secured user interface (e.g., HTML pages) for selecting one or more parameters (e.g., User Ids, application name and version, etc.) associated with a resource management task (e.g., password management). The parameters are used to automatically perform the task using a centralized identity management system and repository for storing and updating data, such as data associated with customers, User Ids, environments, applications and application versions. Such a system and method enables the delegation of resource management tasks across multiple environments hosting disparate hardware and software platforms, including multiple versions of applications.

Abstract: A system for automatic security authentication in a wireless network includes a server and a terminal. The terminal includes a processor, a first communications unit, and a second communications unit. The server includes a database, a control unit, and a third communications unit. The processor receives an identification code of an access point through the first communications unit, and sends a message to the control unit through the second communications unit. The message includes the identification code of the access point, a user account and a user password. The control unit sends an authentication code corresponding to the identification code according to data stored in the database to the processor through the third communications unit. After receipt of the authentication code, the processor automatically logs in to the access point through the first communications unit to activate a wireless network access function.

Abstract: An image forming apparatus of the invention includes a key generating unit to change an encryption key and to generate an encryption key different from the previous encryption key at each time of change, an encryption unit to encrypt image data using the encryption key generated by the key generating unit, a first storage unit to store the encrypted image data, a second storage unit to store the encryption key and a table to correlate the image data encrypted by the encryption key with the encryption key, and a decryption unit to decrypt the data stored in the first storage unit by using the encryption key correlated in the table. According to the image forming apparatus of the invention, the read data can be stored with high security into a storage apparatus such as an HDD, while an operation burden is not imposed on a user.

Abstract: Methods and apparatuses for determining scrambling codes for minimizing co-channel interference in a communication system. A method in accordance with the present invention comprises defining at least one initial default sequence, generating a scrambling code, scrambling a signal using the generated scrambling code, comparing the scrambled signal with all other scrambled signals meeting a specified criterion, and saving the scrambling code word if the comparison determines that the signal scrambled with the scrambling code also meets the specified criterion. The scrambling codes can be compared with each other for cross-correlation purposes to determine whether they meet the specified criterion based on laboratory testing.

Abstract: The present invention relates generally to access control. One claim recites a method of determining whether to allow access to a location, including: receiving optical data from an optical sensor, the optical data being associated with an object presented to the optical sensor, wherein the object comprises optically-detectable, machine-readable indicia encoded in a predetermined symbology thereon, the indicia including at least an orientation component; determining an orientation of the orientation component; obtaining from a data store a predetermined orientation; and comparing the predetermined orientation with the determined orientation to decide whether to allow access to the location. Of course, other claims are provided as well.

Abstract: The present invention discloses a system and method of leveraging mobile telephone provider assets and distribution network to securely deliver security tokens, such as PKI certificates. The invention is not limited to using a mobile telephony infrastructure and other pre-existing distributions can also be used. In the invention, a user requested security token can be delivered to a storefront associated with a mobile telephone provider. The storefront can be one proximate to a requesting user. An optional activation key can also be conveyed to the requesting user. The requesting user can be required to physically travel to the storefront to receive the security token. At the storefront, an identity of the requesting user can be verified, such as through photo identification. The security token can be provided when the requesting user has been successfully verified. Use of the security token can still require activation involving the activation key.

Abstract: A portable storage device including a microprocessor and a secure user data area, the microprocessor operable to perform on-the-fly encryption/decryption of secure data stored on the storage device under a user password, the microprocessor also operable to exclude access to the secure user data area unless the user password is provided.

Abstract: A method, computer readable media, and system for providing a first network resource with secure but limited access to a second network resource. A method embodiment of the invention includes associating a check with data identifying an expected source of a future request to access the second resource. Later, the first resource requests access to the second resource. Included in the request is a check signed with data identifying the first resource. The request is received and the check is authenticated. The request is granted only if the check is authentic and the data used to sign the check matches the expected source associated with the check.

Abstract: The invention provides a network communication security processor and its data processing method, the security processor comprising: a data communication interface for transferring a communication data packet between the network communication security processor and an external network; a secure connection database for storing the security policy and secure connection parameters relevant to the data packet; a secure connection database operating engine for operating and maintaining the secure connection database; a multi-channel security processing engine for performing security processing on the data packet by invoking an encryption operation module; and the encryption operation module for performing encryption/decryption operations on the data packet.

Abstract: Systems and methods for processing data and communicating encrypted data are provided. A method of processing data and communicating encrypted data may include receiving input traffic data at a first interface of a channel service unit/data service unit (CSU/DSU). The method may also include encrypting management data associated with the input traffic data at the CSU/DSU to produce encrypted management data. The method may further include sending the encrypted management data via a second interface of the CSU/DSU to a remote terminal of a local area network via a data router coupled to the CSU/DSU.

Abstract: Authenticating an identity of a user claiming to be a genuine-user includes receiving from the user biometric data pertaining to a plurality of biometric parameters. The received biometric data are compared with corresponding authentic biometric data which have previously been obtained from the genuine-user. The user's identity is authenticated if the received biometric data meet qualification criteria when compared with the corresponding authentic biometric data.

Abstract: An authentication protocol can be used to establish a secure method of communication between two devices on a network. Once established, the secure communication can be used to authenticate a client through various authentication methods, providing security in environments where intermediate devices cannot be trusted, such as wireless networks, or foreign network access points. Additionally, the caching of session keys and other relevant information can enable the two securely communicating endpoints to quickly resume their communication despite interruptions, such as when one endpoint changes the access point through which it is connected to the network. Also, the secure communication between the two devices can enable users to roam off of their home network, providing a mechanism by which access through foreign networks can be granted, while allowing the foreign network to monitor and control the use of its bandwidth.

Abstract: Provided are methods, apparatus and computer programs for applying access controls to control operations on hierarchically organized data processing system resources. A number of different scopes of applicability can be set in association with an access control, such as an ACL, and this will determine the inheritability, non-inheritability or limited inheritability of the access control for resources in the hierarchy. When a request is received to perform an operation, the access controls for the relevant branch of the hierarchy are processed to determine an applicable access control—taking account of inheritance attributes which have been set for individual access controls. The invention is useful for controlling the application of ACLs to topics in a topic tree within a publish/subscribe message broker.

Abstract: An imaging system is provided with an authentication data storage that stores a plurality of pieces of authentication data in relationship to user IDs respectively representing owners of the plurality of communication devices. Further included is a reading system that reads out one of the plurality of pieces of the authentication data corresponding to a user ID if the user ID is transmitted from the external device in relationship to the image data, and a searching system searches for a communication device with which a connection authentication is established using the authentication data read out by the reading system within a predetermined communication area with respect to the imaging system. An imaging system forms an image represented by the image data transmitted in relationship to the user ID from the external device when the communication device is detected by the searching system.

Abstract: Key confirmed (KC) authenticated key exchange (AKE) with derived ephemeral keys protocol using a mathematical group is described. In one aspect, a first party, using the mathematical group, determines whether a second party has received information to compute an agreed session key value for exchanging information securely with the first party. At least a subset of the received information is computed using derived ephemeral keys of the first and second parties. The first party generates the agreed session key value only when the second party has demonstrated receipt of the information.

Abstract: In a storage area network (SAN), a SAN management application provides a security audit log of security sensitive user actions performed across the storage area network. In a SAN, multiple services operate to perform requested user actions. Configurations herein substantially overcome the shortcomings of conventional SAN security event logging by providing a comprehensive security audit mechanism operable to identify and record user actions. An event normalizer disposed in each of the services identifies requested user actions, creates a uniform user action object, and sends the user action object to a coalescer operable to receive user action objects from the plurality of services in the SAN. The user action object provides a generic template responsive to each of the event normalizers in the services. The event normalizers normalize event properties and attributes concerning a user action into the generic user action object, and employs preexisting conduits for gathering and recording events.

Abstract: A key production system to determine a cryptographic key for a selected cryptoperiod being later than or equal to a cryptoperiod-A, and earlier than or equal to a different cryptoperiod-B, the system including a first receiver to receive a first key-component, associated with cryptoperiod-A, forming part of a first hash-chain progressing via a first one-way function, progressive key-components corresponding to later cryptoperiods, a second receiver to receive a second key-component, associated with cryptoperiod-B, forming part of a second hash-chain progressing via a second one-way function, progressive key-components corresponding to earlier cryptoperiods, first and second key-component determination modules to determine key-components in the first hash-chain and the second hash-chain, respectively, for the selected cryptoperiod, and a key determination module to determine the cryptographic key based on the key-components in the first and second hash chain for the selected cryptoperiod.