Abstract: Gait training apparatus and method for use thereof for providing leg swing assistance to a patient. The apparatus comprises a support structure and one or more leg orthoses attached to the support structure, each leg orthosis comprising a thigh member attached to the support structure at a hip joint, and a shank member attached to the thigh member at a knee joint. Both members have respective connectors for securing them to the corresponding body parts of the patient. The hip joint and knee joint are each biased by biasing members. The support structure may comprise a frame defining a patient activity region, including a base, a back support, a pair of support handles, and a weight support member mounted above the activity region. A method of using the device comprises selecting parameters for the biasing members using information about the patient.

Abstract: Video media subscribers attempt to circumvent embedded ads in downloads by modifying the media files to render only the content feature. A media program is defined as an integrated set of media files including the requested content feature and the accompanying promotional materials. Media files associated with a particular content feature are stored as an integrated whole, and security tokens computed on selected random portions of the collection of media files that define the media program (content feature and interspersed ads). A hash engine computes a security token on selected blocks of the media files. The security tokens and corresponding metadata are stored in a secure repository. Before rendering the content feature, the hash values are recomputed on the downloaded media program; and compared to the corresponding locations from the stored hash values and metadata.

Abstract: A computerized device can implement a content player to access a content stream using a network interface, the content stream comprising encrypted content and an embedded license comprising a content key encrypted according to a global key accessible by the content player. The content player determines whether a token meeting an authorization condition is present and uses the global key to decrypt the content key only if such a token is present. The authorization condition may be evaluated at least in part based on data included in the content stream. The authorization condition can include presence of a token having a content ID matching a corresponding ID in the license; presence of a token with a correct device ID; presence of a token signed according to a digital signature identified in the licenses; and/or presence of a token that is unexpired, with expiration evaluated based on a time-to-live indicator in the token.

Abstract: Various embodiments of a system and method for secure password-based authentication are described. The system and method for secure password-based authentication may include an authentication component configured to request and receive authentication from an authenticating system according to a secure password-based authentication protocol. The authentication component may be configured to participate in an attack-resistant password-based authentication protocol such that an attacker who has compromised the authorizing system and/or a communication channel between the authentication component and the authenticating system may not determine a user's password and/or impersonate the user. In one embodiment, the authentication component may be configured to provide its attack-resistant password-based authentication functionality to an application (e.g., through a stand-alone application, plugin, or application extension).

Abstract: Method and apparatus are described wherein, in one example embodiment, a first entity shares a digital file such as a digital image with a second entity, and the first entity and the second entity each use the digital file as a seed to generate identical public/private key pairs using the same key generation procedure, such that both entities hold identical key pairs. The first and second entities may use the key pairs to encrypt, decrypt, or sign and authenticate communications between the entities.

Abstract: A security component may be associated with a network-enabled application. The security component may initiate the display of an embedded region of a window drawn according to display information received from a relying party. The security component may define at least a portion of the appearance of the embedded region; the relying party may not define this portion. The embedded region may include customization information configured by a user, and “Card” information received from an assertion provider, indicating how to authenticate user credentials in order to gain access to relying party restricted content. The security component may request authentication of user credentials from the assertion provider, which may be trusted by the relying party. The security component may receive an assertion token from the assertion provider indicating the credentials are authentic. The security component may forward the assertion token to the relying party to gain access to the restricted content.

Abstract: A server includes a central processing unit and electronic memory communicatively coupled to the central processing unit. The memory stores a dynamically tunable operating system kernel that includes at least one tunable implemented as a plurality of states. Each application managed by the operating system is assigned to one of these states according to a permission level association with the application. Each state defines a range of automated tuning of the tunable that is authorized to applications assigned to the state.

Abstract: Method and apparatus are described wherein, in one example embodiment, a first entity shares a digital file such as a digital image with a second entity, and the first entity and the second entity each use the digital file as a seed to generate identical public/private key pairs using the same key generation procedure, such that both entities hold identical key pairs. The first and second entities may use the key pairs to encrypt, decrypt, or sign and authenticate communications between the entities.

Abstract: In some embodiments, a method includes establishing a secured connection between a client device and a subordinate web service of a single sign-on service for a user, using a shared cryptographic key in a cookie stored on the client device that was transmitted over a different secured connection by a master web service of the single sign-on service, as part of authentication of the user for the single sign-on service.

Abstract: Methods and apparatus, including computer program products, implementing and using techniques for document authentication. An electronic document is presented to a user. The electronic document has data representing a signed state and a current state. A disallowed difference between the signed state and the current state is detected, based on one or more rules that are associated with the electronic document. A digital signature associated with the electronic document is invalidated in response to the detecting.

Abstract: Methods, computer-implemented systems, and apparatus provide for a DRM Migrator that extracts embedded first license information that enables licensed access to content according to a first licensing system. The DRM Migrator sends the first license information to a server compatible with a second licensing system. After sending the first license information to the server, the DRM Migrator receives second license information that enables an end user to create a request for a license that provides access to the content according to the second licensing system. Another embodiment of the DRM Migrator also receives the first license information from a source and generates the second license information. After generating the second license information, the DRM Migrator sends the second license information to the source to enable creation of a request for a license that provides access to the content according to the second licensing system.

Abstract: Various embodiments of a system and method for in-band transaction verification are described. The system and method for in-band transaction verification may include a transaction verification component. The transaction verification component may be configured to provide a transaction confirmation request that includes one or more machine readable resistant security media objects to indicate one or more transaction details for a transaction as well as a confirmation code for confirming the transaction. The transaction verification component may also be configured to receive a response to the confirmation request, such as a response from the user that submitted the transaction request. If the response includes a response code that is the same as the confirmation code, the transaction verification component may complete the transaction. If the response includes a response code that is different than the confirmation code, the transaction verification component may abort the transaction.

Abstract: Methods and apparatus provide for an event tracker assigns a unique application identifier to represent a relationship between a media publisher and a client application that receives media content from the media publisher. The media publisher organizes the media content according to a media orchestration descriptor. The media orchestration descriptor identifies each segment of the media content and indicating relationships among the segments to define a presentation of the segments of the media content. The event tracker further associates an audit policy with the media orchestration descriptor where the audit policy is defined by the media publisher and received by the client application. The audit policy is applied to the client application in order to locally track events that occur with respect to the presentation of the media publisher's media content via the client application.

Abstract: Classification of security sensitive information and application of customizable security policies are described, including classifying information as security sensitive information at an application level, the security sensitive information being associated with a security sensitive category, determining a security policy for the security sensitive information, the security policy being configured to secure the security sensitive information, and applying the security policy to the security sensitive information at the application level, the policy being based on the security sensitive category.

Abstract: A security component may be associated with a network-enabled application. The network-enabled application may request access to restricted content from a relying party (e.g., web site). The security component associated with the network-enabled application may receive authentication policy information from the relying party and send a user's authentication credentials to an assertion provider to authenticate the credentials. The relying party may trust the assertion provider to authenticate user credentials. Upon successful authentication, the assertion provider may return an assertion token to the security component and the security component may sign the assertion token as specified in the authentication policy information. Subsequently, the security token may forward the signed assertion token to the relying party and the relying party may grant access to the restricted content.

Abstract: Methods and apparatus, including computer program products, implementing and using techniques for document authentication. An electronic document is presented to a user. The electronic document has data representing a signed state and a current state. A disallowed difference between the signed state and the current state is detected, based on one or more rules that are associated with the electronic document. A digital signature associated with the electronic document is invalidated in response to the detecting.

Abstract: A system can comprise a processor and a memory embodying an application. The application can comprise code that causes the processor to identify a client key embedded or hard-coded in the application (i.e., included as part of the code comprising the application). Additional code causes the processor to identify data to be accessed according to an encrypted license accessible through use of a machine key. The application can maintain the machine key in an encrypted state using the client key. The application can include code that causes the processor to determine if an encrypted version of the machine key accessible by the processor can actually be decrypted using the client key. If so, the client key can be used to access the machine key. If not, the processor can request a differently-encrypted version of the machine key from a migration service.

Abstract: A security component may be associated with a network-enabled application. The network-enabled application may request access to restricted content from a relying party (e.g., web site). The security component associated with the network-enabled application may receive authentication policy information from the relying party and send a user's authentication credentials to an assertion provider to authenticate the credentials. The relying party may trust the assertion provider to authenticate user credentials. Upon successful authentication, the assertion provider may return an assertion token to the security component and the security component may sign the assertion token as specified in the authentication policy information. Subsequently, the security token may forward the signed assertion token to the relying party and the relying party may grant access to the restricted content.

Abstract: A security component may be associated with a network-enabled application. The security component may initiate the display of an embedded region of a window drawn according to display information received from a relying party. The security component may define at least a portion of the appearance of the embedded region; the relying party may not define this portion. The embedded region may include customization information configured by a user, and “Card” information received from an assertion provider, indicating how to authenticate user credentials in order to gain access to relying party restricted content. The security component may request authentication of user credentials from the assertion provider, which may be trusted by the relying party. The security component may receive an assertion token from the assertion provider indicating the credentials are authentic. The security component may forward the assertion token to the relying party to gain access to the restricted content.

Abstract: Various embodiments of a system and method for in-band transaction verification are described. The system and method for in-band transaction verification may include a transaction verification component. The transaction verification component may be configured to provide a transaction confirmation request that includes one or more machine readable resistant security media objects to indicate one or more transaction details for a transaction as well as a confirmation code for confirming the transaction. The transaction verification component may also be configured to receive a response to the confirmation request, such as a response from the user that submitted the transaction request. If the response includes a response code that is the same as the confirmation code, the transaction verification component may complete the transaction. If the response includes a response code that is different than the confirmation code, the transaction verification component may abort the transaction.