Patents by Inventor Bjorn Jakobsson

Bjorn Jakobsson has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20170329966
    Abstract: Methods, apparatus, and computer program products for providing security for an electronic device are described. An example of a method includes monitoring, by the electronic device, a status of the electronic device for one or more threats to a security of the electronic device, detecting, by the electronic device, the one or more threats to the security of the electronic device based on the status of the electronic device and on one or more security policies associated with the electronic device, and self-enforcing, by the electronic device, the one or more security policies by implementing one or more targeted security actions, as indicated by the one or more security policies, to selectively alter the status of the electronic device, based on the detected one or more threats to the security of the electronic device.
    Type: Application
    Filed: May 13, 2016
    Publication date: November 16, 2017
    Inventors: Sudheer KOGANTI, Mark BAPST, Bjorn JAKOBSSON, George MILIKICH
  • Patent number: 9621342
    Abstract: A cryptographic key is generated using biometric data and a hierarchy of biometric descriptors. The hierarchy of biometric descriptors includes multiple levels, wherein a biometric descriptor at a first level is associated with a subset of the biometric descriptors at the next lower level. To generate a cryptographic key, biometric data is collected and compared to the biometric descriptors at the first level of the hierarchy. One of the biometric descriptors is selected at the first level, and a first key component is generated based on the first selected biometric descriptor. The biometric data is then compared to the subset of biometric descriptors at the second level of the hierarchy associated with the first selected biometric descriptor. This process of selecting a biometric descriptor and generating a key component continues for each level of the hierarchy. The key components are then used to generate a cryptographic key.
    Type: Grant
    Filed: April 6, 2015
    Date of Patent: April 11, 2017
    Assignee: QUALCOMM Incorporated
    Inventors: Bjorn Jakobsson, Seyedhossein Siadati
  • Publication number: 20170091431
    Abstract: System, methods, and apparatus are described that facilitate secure identification information entry on a small touchscreen display. In an example, the apparatus receives an account identifier of a user, determines a first starting configuration associated with the account identifier, the first starting configuration being independent of a second starting configuration associated with a different account identifier, and displays one or more data input components for entry of at least a portion of secure identification information on a touchscreen display according to the determined first starting configuration.
    Type: Application
    Filed: September 26, 2015
    Publication date: March 30, 2017
    Inventors: Bjorn Jakobsson, Wilson Kwan
  • Patent number: 9585155
    Abstract: Aspects of the invention are related to a method for allocating spare resources in a device. The exemplary method comprises: determining spare resources available in a plurality of consecutive time quanta; determining a plurality of candidate operations, wherein each candidate operation is associated with a cost profile with respect to time and a benefit value; and allocating the spare resources for performance of one or more of the candidate operations.
    Type: Grant
    Filed: March 20, 2015
    Date of Patent: February 28, 2017
    Assignee: QUALCOMM Incorporated
    Inventors: Eitan Yacobi, Bjorn Jakobsson
  • Publication number: 20160294555
    Abstract: A cryptographic key is generated using biometric data and a hierarchy of biometric descriptors. The hierarchy of biometric descriptors includes multiple levels, wherein a biometric descriptor at a first level is associated with a subset of the biometric descriptors at the next lower level. To generate a cryptographic key, biometric data is collected and compared to the biometric descriptors at the first level of the hierarchy. One of the biometric descriptors is selected at the first level, and a first key component is generated based on the first selected biometric descriptor. The biometric data is then compared to the subset of biometric descriptors at the second level of the hierarchy associated with the first selected biometric descriptor. This process of selecting a biometric descriptor and generating a key component continues for each level of the hierarchy. The key components are then used to generate a cryptographic key.
    Type: Application
    Filed: April 6, 2015
    Publication date: October 6, 2016
    Inventors: Bjorn Jakobsson, Seyedhossein Siadati
  • Publication number: 20160278099
    Abstract: Aspects of the invention are related to a method for allocating spare resources in a device. The exemplary method comprises: determining spare resources available in a plurality of consecutive time quanta; determining a plurality of candidate operations, wherein each candidate operation is associated with a cost profile with respect to time and a benefit value; and allocating the spare resources for performance of one or more of the candidate operations.
    Type: Application
    Filed: March 20, 2015
    Publication date: September 22, 2016
    Inventors: Eitan Yacobi, Bjorn Jakobsson
  • Publication number: 20160241556
    Abstract: A method for mutual authentication between a client device and authentication server is provided whereby an account identifier is sent from the client device to the authentication server, and the authentication server provides the client device a plurality of starting symbols associated with the account identifier. The plurality of starting symbols are distinct for different account identifiers. Additionally, a sensory feedback profile associated with the account identifier may be sent by the authentication server to the client device. The same starting symbols and/or sensory feedback profile is used every time the account identifier and/or device identifier are used. The plurality of starting symbols and sensory feedback profile is not stored at the client device but instead provided each time by the authentication server upon entry of the account identifier. This prevents an attacker from being able to provide the correct starting symbols and/or sensory feedback profile.
    Type: Application
    Filed: February 17, 2015
    Publication date: August 18, 2016
    Inventor: Bjorn Jakobsson
  • Publication number: 20080037791
    Abstract: Disclosed is a method and apparatus for evaluating actions performed on a client device. For each of the performed actions, a current key is generated from a previous key and an associated action attestation value is generated from the previous key and information about each action (stored in a log file). The previous key is then deleted. A final attestation value is also generated using a publicly non-invertible function and is based at least on the current key. The client device transmits information about the performed actions (stored in a log file), the plurality of action attestation values, and the final attestation value to the server so that the server can authenticate the action attestation values and the final attestation value. If the server cannot authenticate these attestation values, then the server can determine that the log file has been tampered with.
    Type: Application
    Filed: August 6, 2007
    Publication date: February 14, 2008
    Inventor: Bjorn Jakobsson
  • Publication number: 20070106748
    Abstract: Disclosed is a method and apparatus for performing steps to cause encoded information to be stored at a client device during a first network session between a server and the client device. To cause encoded information to be stored at a client device, the server first determines a set of network resource requests that encode the information. These network resource requests may include requests for one or more specific URLs and/or requests for one or more files. The server then causes the client device to initiate the network resource requests. The server may cause this initiation by, for example, redirecting the client device to the network resources. The client device initiating the network resource requests causes data representative of the network resource requests to be stored at the client device.
    Type: Application
    Filed: October 31, 2006
    Publication date: May 10, 2007
    Inventors: Bjorn Jakobsson, Ari Juels
  • Publication number: 20050165696
    Abstract: In a communication system having a number of base stations and user devices, a sending user device comprising a processor and a memory is configured to generate a packet or other communication for forwarding to a receiving user device via one or more intermediary user devices of the system. The forwarding path of the communication may involve one or more of the base stations. A payment token is associated with the communication, such that at least one of the intermediary user devices can generate a payment claim based on the payment token. The payment token is independent of the particular identities of the one or more intermediary user devices of the system.
    Type: Application
    Filed: November 24, 2004
    Publication date: July 28, 2005
    Inventors: Bjorn Jakobsson, Jean-Pierre Hubaux, Levente Buttyan
  • Publication number: 20050036615
    Abstract: Techniques are disclosed for partitioning of cryptographic functionality, such as authentication code verification or generation ability, so as to permit delegation of at least one of a number of distinct portions of the cryptographic functionality from a delegating device to at least one recipient device. The cryptographic functionality is characterizable as a graph comprising a plurality of nodes, and a given set of the nodes is associated with a corresponding one of the distinct portions of the cryptographic functionality. Information representative of one or more of the nodes is transmitted from the delegating device to the recipient device such that the recipient device is thereby configurable for authorized execution of a corresponding one of the distinct portions of the cryptographic functionality. Advantageously, the invention provides a particularly efficient mechanism for the provision of cryptographic functionality in accordance with a subscription model.
    Type: Application
    Filed: July 31, 2003
    Publication date: February 17, 2005
    Inventors: Bjorn Jakobsson, Burton Kaliski
  • Patent number: 6687822
    Abstract: A method for providing publicly verifiable translation certificates comprising the steps of receiving an input encryption having a first secret key; outputting an output re-encryption of the input encryption, the output re-encryption having a second secret key; and generating a translation certificate that proves the input encryption and the output re-encryption are encryptions of an identical message, wherein the first secret key and the second secret key do not need to be, but are allowed to be, equal. This method and system for generating translation certificates in quorum controlled asymmetric proxy encryptions has uses, including but not limited to, Internet applications and specifically to E-mail systems.
    Type: Grant
    Filed: June 11, 1999
    Date of Patent: February 3, 2004
    Inventor: Markus Bjorn Jakobsson
  • Patent number: 6587946
    Abstract: A method of forwarding an encrypted message sent to a primary recipient having a secret key to at least one secondary recipient comprising the steps of sharing portions of the secret key among a predetermined threshold number of proxy servers greater than one, upon receipt of an encrypted message by the predetermined threshold number of proxy servers, each of the predetermined threshold number of proxy servers modifying the message by applying the key portion to the encrypted message, the result of the modification comprising a message secret to the predetermined threshold number of proxy servers but decryptable by at least one secondary recipient, and forwarding the resultant message to at least one secondary recipient. This method and system for quorum controlled asymmetric proxy encryption has uses ranging from efficient key distribution for pay-tv, to methods for distributively maintaining databases.
    Type: Grant
    Filed: December 29, 1998
    Date of Patent: July 1, 2003
    Assignee: Lucent Technologies Inc.
    Inventor: Markus Bjorn Jakobsson