Credential Management Patents (Class 726/18)
  • Patent number: 8898802
    Abstract: The present invention provides a data management program for performing monitoring so that user data provided to the client cannot be copied and utilized for a purpose other than the intended purpose. When a storage device (8) storing user data (3) is connected to a client computer (12), a management program (4) prohibits writing to all of the external storage devices. The management program (8) makes settings prohibiting usage of a network (7). The management program (4) performs control by acquiring the file name, folder name, and attribute data of the execution file as well as the process name and process ID of the process being executed. The management program (4) has built-in driverware (50) which runs in the kernel mode (15) of an operating system (21) and serves to provide a common interface for the communication of device drivers (35, 36, 42 to 44) and an application program (20).
    Type: Grant
    Filed: October 24, 2006
    Date of Patent: November 25, 2014
    Assignee: Science Park Corporation
    Inventors: Koichiro Shoji, Takashi Nozaki
  • Patent number: 8898755
    Abstract: A token or other storage device uses Internet identities to set file access attribute rights. Subsequently, requests to access a file can be controlled by confirming the Internet identity of the requestor by either validating the request with a known public key or retrieving the public key from an Internet identity provider. Files may be stored encrypted and may be re-encrypted with the public key associated with Internet identity making the request.
    Type: Grant
    Filed: November 20, 2012
    Date of Patent: November 25, 2014
    Assignee: Microsoft Corporation
    Inventors: Todd L. Carpenter, David Steeves, David Abzarian
  • Patent number: 8898756
    Abstract: A method and system for password recovery in computer applications is disclosed. Passwords in the same computer application may be recovered according to different criteria. Criteria for password recovery vary according to the sensitivity of the password-protected material. Criteria for recovery of a password protecting sensitive information have more stringent criteria than criteria for recovery of passwords protecting less sensitive information. In certain embodiments, passwords may be recovered through the use of third party agents. Recovered passwords are associated with unique identifiers, such as email addresses and phone numbers that facilitate communication with a user. Recovered passwords may be transmitted to users via email, phone, and text message or by any other means associated with the unique identifier.
    Type: Grant
    Filed: November 21, 2012
    Date of Patent: November 25, 2014
    Assignee: Applied Research Works, Inc.
    Inventors: Shaibal Roy, Subhendu Aich, Pankaj Agrawal, Rashmi Saha, Amrita Pal
  • Patent number: 8898453
    Abstract: An authentication server and method are provided for generating tokens for use by a mobile electronic device for accessing a service. Communications between the device and the authentication server are through a relay. A memory stores a secret shared with a service server from which the service is provided. A processor is configured to generate the token using the shared secret and based on a reliance on the relay to ensure that the device has authorization to access the service. One or more computer readable medium having computer readable instructions stored thereon that cause the device to obtain proof of authorization to access the service is also provided. The instructions implement a method comprising: outputting via a wireless connection to a relay a request addressed to an authentication server for a token and receiving the token from the authentication server via the relay.
    Type: Grant
    Filed: April 29, 2010
    Date of Patent: November 25, 2014
    Assignee: BlackBerry Limited
    Inventors: Bruno Richard Preiss, Andreea Manolesco
  • Patent number: 8898759
    Abstract: A system that includes a memory to store registration information for a particular application hosted by a particular user device, where the registration information includes context information regarding the particular user device and an integrity code based on credentials associated with the particular application.
    Type: Grant
    Filed: August 24, 2010
    Date of Patent: November 25, 2014
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Paul T. Schultz, Mark J. Hahn, Robert A. Sartini
  • Patent number: 8892897
    Abstract: A method for creating a password on an electronic computing device is disclosed. On the electronic computing device, a first password is obtained. The first password comprises a string of one or more characters. A first character is appended to the first password to form a second password. A hash function is applied to the second password to generate a first hashed password. The first hashed password comprises a first bit string. A determination is made as to whether the first hashed password includes a predefined sequence of bits. When it is determined that the first hashed password includes the predefined sequence of bits, the second password is designated as an auditable password.
    Type: Grant
    Filed: August 24, 2011
    Date of Patent: November 18, 2014
    Assignee: Microsoft Corporation
    Inventors: Matthew Michael Swann, David Charles LeBlanc
  • Patent number: 8892900
    Abstract: Systems, apparatus and methods for privacy-protecting integrity attestation of a computing platform. An example method for privacy-protecting integrity attestation of a computing platform (P) has a trusted platform module (TPM), and comprises the following steps. First, the computing platform (P) receives configuration values (PCR1 ... PCRn). Then, by means of the trusted platform module (TPM), a configuration value (PCRp) is determined which depends on the configuration of the computing platform (P). In a further step the configuration value (PCRp) is signed by means of the trusted platform module. Finally, in the event that the configuration value (PCRp) is one of the received configuration values (PCR1 ... PCRn), the computing platform (P) proves to a verifier (V) that it knows the signature (sign(PCRp)) on one of the received configuration values (PCR1 ... PCRn).
    Type: Grant
    Filed: September 2, 2012
    Date of Patent: November 18, 2014
    Assignee: International Business Machines Corporation
    Inventors: Endre-Feliz F. Bangerter, Matthias Schunter, Michael P. Waidner, Jan L. Camenisch
  • Publication number: 20140337968
    Abstract: An end device may include a camera configured to capture an image of an object, a touch screen configured to receive a touch input and a processor configured to determine to unlock the end device based, at least in part, on a relation between the image of the object and the touch input.
    Type: Application
    Filed: July 29, 2014
    Publication date: November 13, 2014
    Inventor: Jin Suk KIM
  • Patent number: 8887212
    Abstract: A POD module system includes a housing, a coaxial cable connector formed on the housing and connectable to a first device to receive a cable signal, a port formed on the housing to receive a wire or wireless signal from a second device, a module unit to process at least one of the cable signal and the at least one of the wireless signal to generate at least one of a copy protection signal and one of video and audio signals, respectively, and a connector formed on the housing and connectable to a third device to transmit the at least one of the copy protection signal and the one of video and audio signals to the third device such that the third device generates at least one of an image and a sound to correspond to the at least one of the copy protection signal and the one of video and audio signals.
    Type: Grant
    Filed: March 21, 2007
    Date of Patent: November 11, 2014
    Inventor: Robin Dua
  • Patent number: 8887253
    Abstract: Discussed is a method of operating a CPNS (converged personal network service) gateway apparatus. The method includes transmitting a registration request message including user information to a server; transmitting an installation request message including the user information to a terminal; generating first authentication data on the basis of authentication information received by a user input; transmitting a trigger message including the first authentication data to the terminal; receiving a key assignment request message including second authentication data from the terminal in response to the trigger message; transmitting the received key assignment request message to the server; receiving a key assignment response message including a user key for the terminal in response to the key assignment request message; and transmitting the received key assignment response message to the terminal.
    Type: Grant
    Filed: September 28, 2011
    Date of Patent: November 11, 2014
    Assignee: LG Electronics Inc.
    Inventors: Younsung Chu, Jihye Lee
  • Patent number: 8887268
    Abstract: There is provided an electronic device capable of safely obtaining password information even when a password of an external storage device of any type is forgotten. An electronic device 100 includes an external memory card connection unit 108 connecting a memory card 200 capable of being locked by a card password, a password retention unit 101 retaining the password information including the card password, a device password retention unit 112 retaining a device password of the electronic device 100, an input unit 102 for inputting data, a device setting cancellation unit 111 determining whether or not the device password inputted by the input unit 102 and the device password retained in the device password retention unit 112 match with each other, and a control unit 109 outputting the password information or changing the card password of the external storage device set in the external storage device when the device passwords match with each other as a result of the determination.
    Type: Grant
    Filed: September 5, 2007
    Date of Patent: November 11, 2014
    Assignee: Panasonic Intellectual Property Corporation of America
    Inventors: Osamu Uchida, Kazuya Fujimura, Yutaka Kobayashi
  • Patent number: 8881266
    Abstract: One embodiment of the present invention provides a system for automatically authenticating a user. During operation, the system receives a user's request for authentication. The system then extracts information associated with the user from user-specific information stored in an enterprise computer. The extracted user information does not explicitly relate to a password. The system further generates one or more challenges based on the extracted user information, and receives the user's response to the challenges. Subsequently, the system compares the user's response to the extracted user information, and authenticates the user.
    Type: Grant
    Filed: November 13, 2008
    Date of Patent: November 4, 2014
    Assignee: Palo Alto Research Center Incorporated
    Inventors: Richard Chow, Philippe J. P. Golle, Bjorn Markus Jakobsson, Jessica N. Staddon
  • Patent number: 8881226
    Abstract: An attribute-based access control policy (e.g., XACML policy) for a set of elements depends on attributes carried by elements in one of several predefined categories. In order to evaluate such policy for a set of elements, the invention provides a method including the steps of (I) selecting a primary category; (II) partitioning the elements in the primary category into equivalence classes with respect to their influence on the policy; and (III) using the equivalence classes to replace at least one policy evaluation by a deduction. The result of the evaluation may be represented as an access matrix in backward-compatible format. The efficiency of the policy evaluation may be further improved by applying partial policy evaluation at intermediate stages, by forming combined equivalence classes containing n-tuples of elements and/or by analyzing the influence of each element by extracting functional expressions of maximal length from the policy.
    Type: Grant
    Filed: September 17, 2012
    Date of Patent: November 4, 2014
    Assignee: Axiomatics AB
    Inventor: Pablo Giambiagi
  • Publication number: 20140325640
    Abstract: Embodiments described herein provide a technique for securely responding to an enumeration request of a data container stored at a location referenced by a junction or mount point within a share served by a storage system. To that end, the technique applies access permissions of the data container at the referenced location instead of permissions that may reside at the junction or mount point. Upon determining that the permissions are insufficient to allow access to the data container, the technique ensures that a descriptor of the junction or mount point is not included in a response to the enumeration request.
    Type: Application
    Filed: April 30, 2013
    Publication date: October 30, 2014
    Applicant: NetApp, Inc.
    Inventors: Amit Aggarwal, Shekhar Amlekar
  • Patent number: 8875258
    Abstract: This document describes tools that constrain a login to a subset of access rights. In one embodiment, the tools generate a constrained password by executing a cryptographic algorithm on a user ID, general password, and one or more desired constraints. The constrained password is used in place of the general password to gain access rights that are a subset of the access rights that would be granted if the general password were used instead.
    Type: Grant
    Filed: February 18, 2013
    Date of Patent: October 28, 2014
    Assignee: Microsoft Corporation
    Inventors: John R. Michener, Niels T. Ferguson, Carl M. Ellison, Josh D. Benaloh, Brian A. LaMacchia
  • Patent number: 8875128
    Abstract: A host controller associates each virtual machine with at least one label from a hierarchy of labels, where each label represents a distinct virtual machine parameter. The host controller also associates a user with one or more roles and with one or more labels from the hierarchy of labels, where each role defines at least one action permitted to be performed with respect to virtual machines. The host controller further facilitates control over user actions pertaining to virtual machines based on the roles and the labels associated with the user.
    Type: Grant
    Filed: November 30, 2009
    Date of Patent: October 28, 2014
    Assignee: Red Hat Israel, Ltd.
    Inventors: Vitaly Elyashev, Shahar Havivi
  • Patent number: 8875281
    Abstract: Methods, systems and articles of manufacture consistent with features of the present invention allow the generation and use of derived user accounts, or DUA, in a computer system comprising user accounts. In particular, derivation rules define how a DUA is linked to or created based on an existing original user account, or OUA. Derivation transformations may also update the state of a DUA based on its corresponding OUA or give feedback from the state of a DUA to the state of its corresponding OUA.
    Type: Grant
    Filed: February 3, 2014
    Date of Patent: October 28, 2014
    Assignee: Google Inc
    Inventor: Ulfar Erlingsson
  • Patent number: 8868742
    Abstract: The invention relates to a method for the communication of a terminal (10) with a server (14), the terminal including an application and computer software capable of communicating with the server (14). The method comprises: the step of sending (42) a request (RLoc) by the application (26) to the software (34), and the step of obtaining (44) by the software (34) and from the application (26) data (DAutor) necessary for the software (34) to communicate with the server (14) so that the request can be executed. This method enables access to GPS assistance servers to be limited only to users who have paid the localization service to the owner operator of the localization assistance server.
    Type: Grant
    Filed: June 27, 2008
    Date of Patent: October 21, 2014
    Assignee: Orange
    Inventors: Nicolas Bellardie, Julien Grange, Idy Watt
  • Patent number: 8869265
    Abstract: A method in one example implementation includes intercepting a request associated with an execution of an object (e.g., a kernel module or a binary) in a computer configured to operate in a virtual machine environment. The request is associated with a privileged domain of the computer that operates logically below one or more operating systems. The method also includes verifying an authorization of the object by computing a checksum for the object and comparing the checksum to a plurality of stored checksums in a memory element. The execution of the object is denied if it is not authorized. In other embodiments, the method can include evaluating a plurality of entries within the memory element of the computer, wherein the entries include authorized binaries and kernel modules. In other embodiments, the method can include intercepting an attempt from a remote computer to execute code from a previously authorized binary.
    Type: Grant
    Filed: December 21, 2012
    Date of Patent: October 21, 2014
    Assignee: McAfee, Inc.
    Inventors: Amit Dang, Preet Mohinder
  • Patent number: 8869255
    Abstract: A security system and method for authenticating a user's access to a system is disclosed. The security system receives an authentication request from the user and responds by generating a security matrix based on a previously stored user keyword and user preference data, the security matrix being different for each authentication request. The security system sends the security matrix to the user and awaits a one-time code in response to the security matrix. The user forms the one-time code based on the user keyword, the user preferences, and the security matrix. The security system validates the one-time code against the security matrix, the keyword, and the user preferences, and responds by sending an authentication result to the user that either permits or denies access to the system. Additionally, the security system sends a success or fail message to the system to be accessed.
    Type: Grant
    Filed: October 25, 2011
    Date of Patent: October 21, 2014
    Assignee: Forticom Group Ltd
    Inventor: Antony Smales
  • Patent number: 8863252
    Abstract: A method of downloading trusted content. The method comprises sending by a mobile device a request for a trusted content to a server, wherein the mobile device comprises a first mobile device trusted security zone and builds the request while executing in the first mobile device trusted security zone and wherein the server comprises a server trusted security zone and wherein the server handles the request for the trusted content at least partly in the server trusted security zone. The method comprises receiving the trusted content by the first mobile device trusted security zone, storing the trusted content in a second mobile device trusted security zone of the mobile device, inspecting the trusted content in the second mobile device trusted security zone, and when the trusted content passes inspection, at least one of executing or presenting a portion of the trusted content by the first mobile device trusted security zone.
    Type: Grant
    Filed: July 25, 2012
    Date of Patent: October 14, 2014
    Assignee: Sprint Communications Company L.P.
    Inventors: Robin D. Katzer, Lyle W. Paczkowski, William M. Parsel, Carl J. Persson, Matthew C. Schlesener
  • Patent number: 8863004
    Abstract: An approach is provided for increasing the functionality of a user device when the device is in an, at least in part, locked state. The approach involves presentation of a first user interface and rendering of at least a portion of a second user interface associated with the first user interface while the user device is in an, at least in part, locked state wherein the second user interface is associated with one or more applications and/or one or more services. Further, one or more interactions with the first user interface and/or with the at least a portion of the second user interface are detected and processed for at least changing the device to an, at least in part, unlocked state.
    Type: Grant
    Filed: October 28, 2011
    Date of Patent: October 14, 2014
    Assignee: NAVTEQ B.V.
    Inventor: Bernard Berus
  • Patent number: 8863263
    Abstract: A server apparatus includes an analyzer unit which analyzes log-in information for a server received from a client, determines an authentication scheme of the server, and extracts, from the log-in information, provisional authentication information in a form representative of variable information. The analyzer unit stores, in the storage device, information representative of the authentication scheme and the provisional authentication information as the variable information. The analyzer unit also stores, in the storage device, as the variable information, authentication information of a user for the server that is associated with representative authentication information of the user.
    Type: Grant
    Filed: February 14, 2011
    Date of Patent: October 14, 2014
    Assignee: Fujitsu Limited
    Inventors: Yoshikazu Asano, Noriyuki Sawai, Rie Noda
  • Patent number: 8862890
    Abstract: A biometric-information processing apparatus and method including storing sample biometric information of a user each time biometric authentication processing for verifying sample biometric information of a user against enrolled biometric information registered in a first storage unit succeeds, where the user's sample biometric information is stored in a second storage unit, and selecting an update-candidate biometric information for updating the user's enrolled biometric information from the user's sample biometric information stored in the second storage unit, based on a result of verification of multiple pieces of the user's sample biometric information stored in the second storage unit against enrolled biometric information of other users.
    Type: Grant
    Filed: March 19, 2010
    Date of Patent: October 14, 2014
    Assignee: Fujitsu Limited
    Inventor: Ken Kamakura
  • Patent number: 8862882
    Abstract: Systems and methods are described herein for authenticating a user device that uses a wireless local area network. The user device may generate an encrypted authentication block and/or digitally signed block that includes a variety of information associated with the user device. The user device may attach the encrypted authentication block to periodic messages that are being monitored by the network. The messages may include an unencrypted portion in addition to the encrypted authentication block. A network server may extract the authentication block and decrypt the user device information to verify the identity or the digital signature of the user device. If the network server verifies the identity of the user device, the network server may continue to communicate and provide services with the user device. If the user device identity is not verified, the network server may cease communicating with or providing the user device.
    Type: Grant
    Filed: June 29, 2012
    Date of Patent: October 14, 2014
    Assignee: Intel Corporation
    Inventors: Adi Shaliv, David Birnbaum
  • Patent number: 8856917
    Abstract: A mechanism is provided for automatically logging into a cloud based system that does not accept token log-on credentials generated by a single sign-on service. In an embodiment, a one-time password is automatically generated and persisted. The generated password is used to log in automatically to a cloud based system that does not accept tokens generated by the web-ID providers and for connecting to other services. Examples of such systems may include Windows, Linux, and iOS.
    Type: Grant
    Filed: April 30, 2013
    Date of Patent: October 7, 2014
    Assignee: Microsoft Corporation
    Inventors: Manuvir Das, Sudarshan Yadav, Arvind Kandhare, Shivesh Ranjan, Jimmy Narang
  • Patent number: 8856863
    Abstract: A system and method for managing and analyzing security requirements in reusable models. At least one functional model, at least one security implementation model, at least one requirement model, and meta models of the models are read by a reader. A correspondence between the functional model, security implementation model, and the requirements model is analyzed, whereby the correspondence indicates that compliance/security/accreditation requirements defined in the requirement model match with security objectives implemented by controls defined by the security implementation model. Next, it is determined whether correspondence is or is not given based on the analysis of the correspondence and then evidence is generated based on the analysis of the correspondence and the determination and the impact of changes is analyzed.
    Type: Grant
    Filed: June 10, 2009
    Date of Patent: October 7, 2014
    Assignee: Object Security LLC
    Inventors: Ulrich Lang, Rudolf Schreiner
  • Publication number: 20140298447
    Abstract: A method for a portable electronic device for enhancing the security of the portable electronic device while charged wirelessly by a power transmission device includes sending a first packet including a security code of the portable electronic device to the power transmission device for starting wireless charging; being charged wirelessly by the power transmission device; and reporting a second packet including the security code to the power transmission device according to a triggering event.
    Type: Application
    Filed: March 28, 2014
    Publication date: October 2, 2014
    Inventor: Feng-Seng Chu
  • Publication number: 20140298448
    Abstract: According to one embodiment, a storage device that has a nonvolatile semiconductor memory includes an authentication information storage unit that previously stores first apparatus authentication information to authenticate an authorized host device and first user authentication information to authenticate an authorized user. The storage device executes apparatus authentication on the basis of second apparatus authentication information received from a newly connected host device and the first apparatus authentication information in the authentication information storage unit and executes an invalidation process of user data stored in the nonvolatile semiconductor memory, when the apparatus authentication fails.
    Type: Application
    Filed: June 11, 2014
    Publication date: October 2, 2014
    Applicant: Kabushiki Kaisha Toshiba
    Inventors: Koichi Nagai, Mitsunori Tadokoro, Teruji Yamakawa, Kazuo Nakashima
  • Patent number: 8848258
    Abstract: When output data is created, image data for preview image is generated based on the output data. Based on the image data, a preview image corresponding to the output data is displayed.
    Type: Grant
    Filed: July 28, 2011
    Date of Patent: September 30, 2014
    Assignee: Sharp Kabushiki Kaisha
    Inventor: Yoshihiro Mizoguchi
  • Patent number: 8850211
    Abstract: Methods and computing devices enable code and/or data software on computer devices to be verified using methods and signatures which can be updated by a signing server after distribution. Updated verification methods and signatures may be provided in a second signature file. When a computing device unpacks an application for execution it may check whether a second signature file is associated with the application file. If not it may connect to a signing server to request a second signature file for the software. The signing server then may request information related to the software sufficient to determine if the software is trustworthy. If determined to be trustworthy, the signing server can send a second signature file to the computer device for use in verifying the software henceforth. The second signature file may include new or modified verification methods and a new signature.
    Type: Grant
    Filed: April 27, 2009
    Date of Patent: September 30, 2014
    Assignee: QUALCOMM Incorporated
    Inventor: Ivan H. McLean
  • Patent number: 8850191
    Abstract: Example embodiments provide various techniques for securing communications within a group of entities. In one example method, a request from an entity to join the group is received and a signed, digital certificate associated with the entity is accessed. Here, the signed, digital certificate is signed with a group private key that is associated with a certification authority for the group. The signed, digital certificate is added to a group roster, and this addition is to admit the entity into the group. The group roster with the signed, digital certificate is itself signed with the group private key and distributed to the group, which includes the entity that transmitted the request. Communication to the entity is then encrypted using the signed, digital certificate included in the group roster.
    Type: Grant
    Filed: April 28, 2011
    Date of Patent: September 30, 2014
    Assignee: NetApp, Inc.
    Inventors: Craig Fulmer Everhart, David Slik
  • Patent number: 8850533
    Abstract: Techniques for multi-level authentication for medical data access are supported. A system may include a central medical information management system that provides restricted access to medical data. An accessing device supports multiple different authentication levels. For example, the accessing device may use a combination of device identifiers, passwords, and quick access codes to ensure access only by authorized users.
    Type: Grant
    Filed: May 28, 2010
    Date of Patent: September 30, 2014
    Assignee: Medaxion, LLC
    Inventors: Jeffrey Lee McLaren, William Dyer Rodes, II, John Malcolm Toups
  • Patent number: 8850559
    Abstract: An application program of the portable device receives a command of an owner when the portable device is powered on. The application program notifies a basic input/output system to set a protection variable, and notifies the owner to set a password in a setup menu of the basic input/output system after the application program receives the command of the owner. A keyboard controller turns off the portable device to enable the protection variable after the basic input/output system sets the protection variable and the setup menu of the basic input/output system stores the password. After the protection variable is enabled, whenever the portable device is powered on, the basic input/output system checks a password inputted to the portable device at least once and the basic input/output system executes a corresponding operation according to a check result.
    Type: Grant
    Filed: December 12, 2011
    Date of Patent: September 30, 2014
    Assignee: Wistron Corporation
    Inventor: Fang-Yuan Sung
  • Patent number: 8850558
    Abstract: A method and apparatus for automatic user authentication are described. The method includes receiving information at a device, the device including a credential container; storing the information at the credential container and performing cryptographic calculations on the received information and providing the encrypted information upon request.
    Type: Grant
    Filed: February 2, 2009
    Date of Patent: September 30, 2014
    Assignee: International Business Machines Corporation
    Inventor: Peng T. Ong
  • Patent number: 8844022
    Abstract: Certain aspects of a method and system for allowing system-on-chip individual I/O control to be disabled and enabled by programmable non-volatile memory are disclosed. Aspects of one method may include mapping at least one bit of a control vector within a security processor comprising a non-volatile memory to each of a plurality of on-chip I/O physical buses. At least one of the plurality of on-chip I/O physical buses may be enabled or disabled by modifying the mapped bit or bits of the control vector.
    Type: Grant
    Filed: November 9, 2006
    Date of Patent: September 23, 2014
    Assignee: Broadcom Corporation
    Inventors: Iue-Shuenn Chen, Xuemin Chen
  • Patent number: 8844024
    Abstract: Computer-implemented methods and systems for using tiered signing certificates to manage the behavior of executables are disclosed. In one example, a method for performing such a task may include: 1) identifying an executable file, 2) identifying a signing certificate associated with the executable file, 3) identifying, within the signing certificate, a privilege level associated with the executable file, and then 4) managing behavior of the executable file in accordance with the privilege level associated with the executable file. Corresponding methods and systems for generating tiered signing certificates for executable files are also disclosed.
    Type: Grant
    Filed: March 23, 2009
    Date of Patent: September 23, 2014
    Assignee: Symantec Corporation
    Inventors: Nicholas Graf, Spencer Smith, Adam Glick
  • Patent number: 8843749
    Abstract: Described are a system and method for presenting security information about a current site or communications session. Briefly stated, a browsing software is configured to receive a certificate during a negotiation of a secure session between a local device and a remote device. The certificate includes security information about a site maintained at the remote device. The security information is displayed to a user of the browsing software in a meaningful fashion to allow the user to make a trust determination about the site. Displaying the security information may include presenting a certificate summary that includes the most relevant information about the certificate, such as the name of the owner of the site and the name of the certificating authority of the certificate.
    Type: Grant
    Filed: May 7, 2010
    Date of Patent: September 23, 2014
    Assignee: Microsoft Corporation
    Inventors: Aaron J. Sauve, Cornelis K. Van Dok, Marc A. Silbey
  • Publication number: 20140283010
    Abstract: Tenants in a multi-tenant shared deployment are provided their own distinct key spaces over which they control a key management system. In this manner, virtual key management domains are created on a per-tenant (per-customer) basis so that, whenever a particular customer's data is co-tenanted, stored, transmitted or virtualized in the IT infrastructure of the provider's datacenter(s), it is secured using key management materials specific to that customer. This assures that the entirety of a tenant's data remains secure by cryptographically isolating it from other tenants' applications. The virtual key management domains are established using a broadcast encryption (BE) protocol and, in particular, a multiple management key variant scheme of that protocol.
    Type: Application
    Filed: March 15, 2013
    Publication date: September 18, 2014
    Inventors: Matthew Francis Rutkowski, Ronald W. Bassett, Thomas Alexander Bellwood
  • Publication number: 20140283009
    Abstract: A method for composing an authentication password associated with an electronic device is implemented by a password composing system including a display, a receiving unit, and a processing unit. In the method, the display is configured to display a start point, and a plurality of displayed paths. The receiving unit is configured to detect a set of user-input movements of a contact point at the display. The processing unit is configured to determine whether the user-input movements conform with a predefined valid user-input gesture, store a plurality of codes corresponding to the valid user-input gestures, and to compose the authentication password according to valid ones of the series of the user-input movements.
    Type: Application
    Filed: March 14, 2013
    Publication date: September 18, 2014
    Applicant: MITAC INTERNATIONAL CORP.
    Inventors: Ching-Teng HSUEH, Hui-Chun YANG
  • Publication number: 20140281562
    Abstract: A system and method for unified password processing is provided. According to an aspect, a device can receive a unified passcode. The unified passcode can be a passcode for unlocking access to the device, or can be the basis for generating additional passwords or both. The unified passcode can also be used for generating additional passcodes for unlocking additional features of the device. The generated passcodes can also be used for unlocking modules that are connected to a device such as a universal integrated circuit card (UICC). In cases where a generated passcode can be used to unlock a UICC, the generated passcode is converted to a personal identification number (PIN). The mobile interface to the UICC can be extended to include alphanumeric passwords, in addition to PINs.
    Type: Application
    Filed: March 14, 2013
    Publication date: September 18, 2014
    Inventors: Klaus KESPOHL, James Randolph Winter LEPP, Nicholas James RUSSELL
  • Publication number: 20140283011
    Abstract: Centralized systems execute one or more applications for monitoring and operating a plurality of network enabled medical devices. An indication to start a selected application at the centralized system or at a network enabled medical device is received at the centralized system/network enabled medical device. The selected application may require a license to operate and, at the time the indication is received, may have a first license available. Instead of using the first license, the centralized system/network enabled medical device may determine to inherit at least a portion of a second license to operate the selected application. The centralized system/network enabled medical device may inherit at least the portion of the second license to form an inherited license, where the inherited license enables features of the selected application. Using the inherited license, the selected application is started with the enabled features. Related apparatus, systems, techniques and articles are also described.
    Type: Application
    Filed: March 15, 2013
    Publication date: September 18, 2014
    Applicant: CareFusion 303, Inc.
    Inventors: Martin Orona, Aron Weiler, Patrick A. Ward
  • Patent number: 8839398
    Abstract: A security token access device, a user device such as a computing device or communications device, and a method for managing multiple connections between multiple user devices and the access device. The access device maintains connection information, including security information, for each user device securely paired with the access device. Each time a new user device is paired with the access device, the access device transmits a notification to the user devices already paired to the user device. A user may provide instructions to the access device to terminate a pairing with one of the user devices by overwriting at least a portion of the connection information associated with the designated user device. A user device may further request a listing of all user devices currently paired with the access device.
    Type: Grant
    Filed: January 16, 2012
    Date of Patent: September 16, 2014
    Assignee: BlackBerry Limited
    Inventors: Neil Patrick Adams, Herbert Anthony Little
  • Patent number: 8838803
    Abstract: Systems and techniques for mediating user communications. A user persona manager maintains one or more user profiles and manages user interactions with other parties and with service providers based on user preferences associated with the user profile or profiles selected for a particular interaction. The persona manager receives a single set of user authentication information to establish the user identity, and provides previously stored information to other parties and service providers as appropriate, and otherwise conducts user interactions involving communications initiated by or on behalf of the user. The persona manager also examines interactions initiated by others, selects user profiles appropriate to the interactions, and routes and responds to the interactions based on information stored in the user profiles.
    Type: Grant
    Filed: December 20, 2007
    Date of Patent: September 16, 2014
    Assignee: AT&T Intellectual Property I, L.P.
    Inventor: Richard Bennett
  • Patent number: 8839413
    Abstract: The subject matter of this specification can be embodied in, among other things, a method that includes receiving at a computing device that is in a locked state, one or more user inputs to unlock the device and to execute at least one command that is different from a command for unlocking the device. The method further includes executing in response to the user inputs to unlock the device an unlocking operation by the device to convert the device from a locked state to an unlocked state. The method further includes executing the at least one command in response to receiving the user inputs to execute the at least one command. The at least one command executes so that results of executing the at least one command are first displayed on the device to a user automatically after the device changes from the locked state to the unlocked state.
    Type: Grant
    Filed: March 19, 2013
    Date of Patent: September 16, 2014
    Assignee: Google Inc.
    Inventors: Michael J. LeBeau, John Nicholas Jitkoff, Romain P. Guy
  • Patent number: 8839378
    Abstract: To interwork between a first authentication domain and a second authentication domain, a bridge module performs a first authentication procedure in the first authentication domain for a mobile station, wherein the first authentication domain is part of a wireless access network. Based on information collected in the first authentication procedure, the bridge module performs a second authentication procedure, on behalf of the mobile station, in the second authentication domain.
    Type: Grant
    Filed: January 18, 2013
    Date of Patent: September 16, 2014
    Assignee: Apple Inc.
    Inventors: Yusupha Touray, Fayaz Kadri, David Anderson
  • Patent number: 8838985
    Abstract: A method and apparatus which ensures that static data entered into a communications device or apparatus is accurate, or at least consistent with data provided to an authentication service. In some embodiments of the invention, the authentication service may maintain a database of static data associated with each communications apparatus and/or verify the validity of at least a portion of the static data.
    Type: Grant
    Filed: August 11, 2010
    Date of Patent: September 16, 2014
    Assignee: Vesper Marine Limited
    Inventor: Jeffrey M. Robbins
  • Patent number: 8839383
    Abstract: Identity-independent authentication tokens enable issuance of a single strong credential that can be mapped to an individual at each of multiple accounts within the online world. An issuer generates one or more authentication tokens for issuance to individuals or other entities. In some instances, each of these authentication tokens comprises a unique serial number. The individual or other entity may then request an authentication token from the issuer. The issuer may then issue the token to the individual without the need to ask or require the individual to identify himself or herself. The individual may then map this issued authentication token to the individual's password at each of the individual's online accounts.
    Type: Grant
    Filed: August 20, 2007
    Date of Patent: September 16, 2014
    Assignee: Goldman, Sachs & Co.
    Inventor: Richard Van Horn
  • Publication number: 20140259152
    Abstract: Methods of configuring a different authority for a plurality of users to use at least one application in an electronic device. User inputs are received to set passwords for respective user levels, where each user level is associated with a different authority to access applications. The passwords are registered for the respective user levels. At least one application is associated with one of the user levels.
    Type: Application
    Filed: October 2, 2013
    Publication date: September 11, 2014
    Applicant: Samsung Electronics Co., Ltd.
    Inventor: Yong-Sang YUN
  • Patent number: 8832808
    Abstract: A new identification (ID) technology comprising unified and standardized object identification within Cyber Space is disclosed based upon intrinsic properties of the entity to be identified. This Cyber Gene ID (or Cyber ID) technology extracts intrinsic information from either the physical users or their cyberspace counterparts, and such information is categorized into client parameters, dynamic parameters, static parameters, cloud parameters, connection parameters and user parameters.
    Type: Grant
    Filed: August 11, 2011
    Date of Patent: September 9, 2014
    Inventors: Nanjie Liu, Jun Sun, Haitao Zhao, Chengjie Gu, Dapeng Li