Patents by Inventor Josh Benaloh

Josh Benaloh has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9185109
    Abstract: The claimed subject matter provides systems and/or methods that effectuate a simple protocol for tangible security on mobile devices. The system can include devices that generate sets of keys and associated secret identifiers, employ the one or more keys to encrypt a secret, and utilize the identifiers and encryptions of the secret to populate a table associated with a security token device that is used in conjunction with a mobile device to release sensitive information persisted on the mobile device for user-selected purposes.
    Type: Grant
    Filed: October 13, 2008
    Date of Patent: November 10, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Yuqun Chen, Michael J. Sinclair, Josh Benaloh
  • Patent number: 8837718
    Abstract: The claimed subject matter relates to architectures that can construct a hierarchical set of decryption keys for facilitating user-controlled encrypted data storage with diverse accessibility and hosting of that encrypted data. In particular, a root key can be employed to derive a hierarchical set of decryption keys and a corresponding hierarchical set of encryption keys. Each key derived can conform to a hierarchy associated with encrypted data of the user, and the decryption capabilities of the decryption keys can be configured based upon a location or assignment of the decryption key within the hierarchy. The cryptographic methods can be joined with a policy language that specifies sets of keys for capturing preferences about patterns of sharing. These policies about sharing can themselves require keys for access, and the policies can provide additional keys for other aspects of policy and/or base-level accesses.
    Type: Grant
    Filed: March 27, 2009
    Date of Patent: September 16, 2014
    Assignee: Microsoft Corporation
    Inventors: Kristin Estella Lauter, Mihir Bellare, Josh Benaloh, Melissa E. Chase, Erik J. Horvitz, Chris Demetrios Karkanias
  • Patent number: 8381279
    Abstract: This document describes tools that constrain a login to a subset of access rights. In one embodiment, the tools generate a constrained password by executing a cryptographic algorithm on a user ID, general password, and one or more desired constraints. The constrained password is used in place of the general password to gain access rights that are a subset of the access rights that would be granted if the general password were used instead.
    Type: Grant
    Filed: February 13, 2009
    Date of Patent: February 19, 2013
    Assignee: Microsoft Corporation
    Inventors: John R. Michener, Niels T Ferguson, Carl M. Ellison, Josh Benaloh, Brian A LaMacchia
  • Patent number: 8325924
    Abstract: In an example, one or more cryptographic keys may be associated with a group. Any member of the group may use the key to encrypt and decrypt information, thereby allowing members of the group to share encrypted information. Domain controllers (DCs) maintain copies of the group's keys. The DCs may synchronize with each other, so that each DC may have a copy of the group's keys. Keys may have expiration dates, and any client connected to a DC may generate a new key when a key is nearing expiration. The various clients may create new keys at differing amounts of time before expiration on various DCs. DCs that store keys early thus may have time to propagate the newly-created keys through synchronization before other DCs are requested to store keys created by other clients. In this way, the creation of an excessive number of new keys may be avoided.
    Type: Grant
    Filed: February 19, 2009
    Date of Patent: December 4, 2012
    Assignee: Microsoft Corporation
    Inventors: Tolga Acar, Josh Benaloh, Niels Thomas Ferguson, Carl M. Ellison, Mira Belenkiy, Duy Lan Nguyen
  • Patent number: 8230231
    Abstract: Single-use character combinations are a secure mechanism for user authentication. Such “one-time passwords” (OTPs) can be generated by a mobile device to which the user otherwise maintains easy access. A key exchange, such as in accordance with the Diffie-Hellman algorithm, can provide both the mobile device and a server with a shared secret from which the OTPs can be generated. The shared secret can be derived from parameters posted on the server and updated periodically, and the mobile device can obtain such parameters from the server before generating an OTP. Such parameters can also specify the type of OTP mechanism to be utilized. A second site can, independently, establish an OTP mechanism with the mobile device. For efficiency, the first server can provide an identity token which provides the mobile device's public key in a trusted manner, enabling more efficient generation of the shared secret with the second server.
    Type: Grant
    Filed: April 14, 2009
    Date of Patent: July 24, 2012
    Assignee: Microsoft Corporation
    Inventors: Trevor William Freeman, Josh Benaloh, K John Biccum, Atul Kumar Shah
  • Patent number: 8140855
    Abstract: A security-enhanced login technique that provides a convenient and easy-to-use two-factor technique to enhance the security of passwords without requiring any changes on the server side of a client-server network. The technique employs a convenient and easy-to-use two-factor technique to generate strong passwords for Web and other applications. In this technique, a convenient or personal device such as a mouse is used as the other factor besides a user password. A secret stored in the mouse or other personal device is hashed together with the password entered by a user and the server ID, to generate a strong, server-specific password which is used to authenticate the user to the server. This password enhancement operation is carried out inside the personal device.
    Type: Grant
    Filed: April 11, 2008
    Date of Patent: March 20, 2012
    Assignee: Microsoft Corp.
    Inventors: Bin Benjamin Zhu, Min Feng, Aimin Pan, Yuan Kong, Nathan C. Sherman, Hui Fan, Rui Guo, Josh Benaloh
  • Patent number: 8090954
    Abstract: A forwarding signature comprises a modified digital signature, modified using a predetermined parameter between a sender and an intended recipient. An intended recipient of the forwarding signature can verify that the forwarding signature corresponds to the message, but can neither derive the original digital signature nor generate a new forwarding signature for a different parameter. Generation and verification of the forwarding signature is accomplished with access to the public key of a public/private cryptographic key pair, the original signed message, and the predetermined parameter. Access to the private key is not needed.
    Type: Grant
    Filed: March 16, 2007
    Date of Patent: January 3, 2012
    Assignee: Microsoft Corporation
    Inventors: Cem Paya, Josh Benaloh
  • Patent number: 7937586
    Abstract: In various embodiments, a server may be provided. The server may respond to a request for a service, from a processing device, with a challenge. The challenge may include a partial key for a memory-intensive operation, a number of iterations of the memory-intensive operation to perform, and a result of performing the number of iterations of the memory-intensive operation. Upon receiving the challenge, the processing device may choose a complete key consistent with the partial key and may produce a proposed result by performing the memory-intensive operation for the number of iterations. When the proposed result matches the result included in the challenge, the processing device may send a challenge answer, including the chosen complete key, to the server. Upon receiving a correct challenge answer from the processing device, the server may access the requested service and may return a result of the access to the processing device.
    Type: Grant
    Filed: June 29, 2007
    Date of Patent: May 3, 2011
    Assignee: Microsoft Corporation
    Inventors: Douglas Robert de la Torre, Aidan Thomas Joseph Hughes, Josh Benaloh
  • Patent number: 7904517
    Abstract: Disclosed are systems and methods that facilitate securing communication channels used in a challenge-response system to mitigate spammer intrusion or deception. The systems and methods make use of unique IDs that can be added to outbound messages originating from a sender, a recipient, and a third-party server. The IDs can be correlated according to the relevant parties. Thus, for example, a sender can add a signed ID to an outgoing message. A challenge sent back to the sender for that particular message can echo the same ID or a new ID derived from the original ID to allow a sender to verify that the challenge corresponds to an actual message. The IDs can include cookies as well to facilitate correlation of messages and to facilitate the retrieval of messages once a sender is determined to be legitimate.
    Type: Grant
    Filed: August 9, 2004
    Date of Patent: March 8, 2011
    Assignee: Microsoft Corporation
    Inventors: Nina W Kang, Joshua T Goodman, Robert L Rounthwaite, Josh Benaloh, Elissa E Murphy, Manav Mishra, Gopalakrishnan Seshadrinathan, Derek M Hazeur, Ryan C Colvin
  • Publication number: 20100262834
    Abstract: Single-use character combinations are a secure mechanism for user authentication. Such “one-time passwords” (OTPs) can be generated by a mobile device to which the user otherwise maintains easy access. A key exchange, such as in accordance with the Diffie-Hellman algorithm, can provide both the mobile device and a server with a shared secret from which the OTPs can be generated. The shared secret can be derived from parameters posted on the server and updated periodically, and the mobile device can obtain such parameters from the server before generating an OTP. Such parameters can also specify the type of OTP mechanism to be utilized. A second site can, independently, establish an OTP mechanism with the mobile device. For efficiency, the first server can provide an identity token which provides the mobile device's public key in a trusted manner, enabling more efficient generation of the shared secret with the second server.
    Type: Application
    Filed: April 14, 2009
    Publication date: October 14, 2010
    Applicant: Microsoft Corporation
    Inventors: Trevor William Freeman, Josh Benaloh, K John Biccum, Atul Kumar Shah
  • Publication number: 20100246827
    Abstract: The claimed subject matter relates to architectures that can construct a hierarchical set of decryption keys for facilitating user-controlled encrypted data storage with diverse accessibility and hosting of that encrypted data. In particular, a root key can be employed to derive a hierarchical set of decryption keys and a corresponding hierarchical set of encryption keys. Each key derived can conform to a hierarchy associated with encrypted data of the user, and the decryption capabilities of the decryption keys can be configured based upon a location or assignment of the decryption key within the hierarchy. The cryptographic methods can be joined with a policy language that specifies sets of keys for capturing preferences about patterns of sharing. These policies about sharing can themselves require keys for access, and the policies can provide additional keys for other aspects of policy and/or base-level accesses.
    Type: Application
    Filed: March 27, 2009
    Publication date: September 30, 2010
    Applicant: Microsoft Corporation
    Inventors: Kristin Estella Lauter, Mihir Bellare, Josh Benaloh, Melissa E. Chase, Erik J. Horvitz, Chris Demetrios Karkanias
  • Publication number: 20100212002
    Abstract: This document describes tools that constrain a login to a subset of access rights. In one embodiment, the tools generate a constrained password by executing a cryptographic algorithm on a user ID, general password, and one or more desired constraints. The constrained password is used in place of the general password to gain access rights that are a subset of the access rights that would be granted if the general password were used instead.
    Type: Application
    Filed: February 13, 2009
    Publication date: August 19, 2010
    Applicant: MICROSOFT CORPORATION
    Inventors: John R. Michener, Niels T Ferguson, Carl M. Ellison, Josh Benaloh, Brian A LaMacchia
  • Publication number: 20100208898
    Abstract: In an example, one or more cryptographic keys may be associated with a group. Any member of the group may use the key to encrypt and decrypt information, thereby allowing members of the group to share encrypted information. Domain controllers (DCs) maintain copies of the group's keys. The DCs may synchronize with each other, so that each DC may have a copy of the group's keys. Keys may have expiration dates, and any client connected to a DC may generate a new key when a key is nearing expiration. The various clients may create new keys at differing amounts of time before expiration on various DCs. DCs that store keys early thus may have time to propagate the newly-created keys through synchronization before other DCs are requested to store keys created by other clients. In this way, the creation of an excessive number of new keys may be avoided.
    Type: Application
    Filed: February 19, 2009
    Publication date: August 19, 2010
    Applicant: MICROSOFT CORPORATION
    Inventors: Tolga Acar, Josh Benaloh, Niels Thomas Ferguson, Carl M. Ellison, Mira Belenkiy, Duy Lan Nguyen
  • Publication number: 20100091995
    Abstract: The claimed subject matter provides systems and/or methods that effectuate a simple protocol for tangible security on mobile devices. The system can include devices that generate sets of keys and associated secret identifiers, employ the one or more keys to encrypt a secret, and utilize the identifiers and encryptions of the secret to populate a table associated with a security token device that is used in conjunction with a mobile device to release sensitive information persisted on the mobile device for user-selected purposes.
    Type: Application
    Filed: October 13, 2008
    Publication date: April 15, 2010
    Applicant: MICROSOFT CORPORATION
    Inventors: Yuqun Chen, Michael J. Sinclair, Josh Benaloh
  • Patent number: 7624277
    Abstract: Methods for preventing unauthorized scripting. The invention generates a human interactive proof to distinguish a human from a machine by generating a random set of characters and altering each of the characters individually to inhibit computerized character recognition. The invention also includes concatenating the altered characters into a character string to be rendered to a user as a test. The character string may be altered to further inhibit computerized character recognition. Other aspects of the invention are directed to computer-readable media for use with the methods.
    Type: Grant
    Filed: February 25, 2003
    Date of Patent: November 24, 2009
    Assignee: Microsoft Corporation
    Inventors: Patrice Y. Simard, Richard Stephen Szeliski, Josh Benaloh, Iulian D. Calinov, Julien D. Couvreur
  • Patent number: 7606915
    Abstract: Methods and system of preventing unauthorized scripting. The invention includes providing one or more tests to a user for distinguishing the user from a machine when the user requests access to the server. By storing information on a correct solution to the test in a block of data and sending the block of data together with the test, the invention provides stateless operation. Moreover, maintaining a database of previously used correct responses prevents replay attacks. The invention also includes providing combinations of alternative tests, such as visually altered textual character strings, audible character strings, and computational puzzles. Other aspects of the invention are directed to computer-readable media for use with the methods and system.
    Type: Grant
    Filed: February 25, 2003
    Date of Patent: October 20, 2009
    Assignee: Microsoft Corporation
    Inventors: Iulian D. Calinov, Danpo Zhang, Jonathan Wilkins, Julien Couvreur, Josh Benaloh
  • Publication number: 20090260077
    Abstract: A security-enhanced login technique that provides a convenient and easy-to-use two-factor technique to enhance the security of passwords without requiring any changes on the server side of a client-server network. The technique employs a convenient and easy-to-use two-factor technique to generate strong passwords for Web and other applications. In this technique, a convenient or personal device such as a mouse is used as the other factor besides a user password. A secret stored in the mouse or other personal device is hashed together with the password entered by a user and the server ID, to generate a strong, server-specific password which is used to authenticate the user to the server. This password enhancement operation is carried out inside the personal device.
    Type: Application
    Filed: April 11, 2008
    Publication date: October 15, 2009
    Applicant: Microsoft Corporation
    Inventors: Bin Benjamin Zhu, Min Feng, Aimin Pan, Yuan Kong, Nathan C. Sherman, Hui Fan, Rui Guo, Josh Benaloh
  • Patent number: 7552341
    Abstract: Software is licensed for use on a particular computing device, such as a gaming console or a multimedia console. An unlocking code is provided from a distribution service to the computing device (either directly or via a user), which in turn, unlocks the appropriate software or portion of software for use with the associated computing device. The software may reside on a computer-readable medium, such as a CD-ROM or DVD disk, that is being used in conjunction with the computing device. The unlocking code may be provided directly to the user in private (e.g., via email or a mobile phone) or in public (e.g., published on a website). Portions of the software that may be unlocked include a particular level of a game or other features (such as additional characters or weapons), or a working or more advanced version of an application that was otherwise provided as a demo or older version.
    Type: Grant
    Filed: September 1, 2004
    Date of Patent: June 23, 2009
    Assignee: Microsoft Corporation
    Inventors: Ling Tony Chen, Josh Benaloh
  • Patent number: 7478110
    Abstract: The subject invention provides a unique system and method that facilitates an interactive game-powered search engine that serves the purposes of both users who may be looking for information and game participants who may desire to earn some reward or level of enjoyment by playing the game. More specifically, the system and method provide feedback to a user based on the user's input string or a string derived therefrom. The feedback can be a response or answer to the user's input in the form of text, an image, audio or sound, video, and/or a URL that is provided by one or more game participants when there is some degree of consistency or agreement between the responses or when individual players have demonstrated good reliability in their responses.
    Type: Grant
    Filed: January 24, 2005
    Date of Patent: January 13, 2009
    Assignee: Microsoft Corporation
    Inventors: Luis A. von Ahn Arellano, Eric D. Brill, John C. Platt, Josh Benaloh
  • Publication number: 20090007265
    Abstract: In various embodiments, a server may be provided. The server may respond to a request for a service, from a processing device, with a challenge. The challenge may include a partial key for a memory-intensive operation, a number of iterations of the memory-intensive operation to perform, and a result of performing the number of iterations of the memory-intensive operation. Upon receiving the challenge, the processing device may choose a complete key consistent with the partial key and may produce a proposed result by performing the memory-intensive operation for the number of iterations. When the proposed result matches the result included in the challenge, the processing device may send a challenge answer, including the chosen complete key, to the server. Upon receiving a correct challenge answer from the processing device, the server may access the requested service and may return a result of the access to the processing device.
    Type: Application
    Filed: June 29, 2007
    Publication date: January 1, 2009
    Applicant: MICROSOFT CORPORATION
    Inventors: Douglas Robert de la Torre, Aidan Thomas Joseph Hughes, Josh Benaloh