Credential Management Patents (Class 726/18)
  • Patent number: 8726369
    Abstract: In some embodiments, techniques for computer security comprise presenting a data field in a spoof-resistant manner, receiving field data, and securing field data. In some embodiments, the integrity of an input device may be verified. In some embodiments, techniques for computer security comprise hashing a credential and a characteristic associated with a data recipient, and performing password-authenticated key agreement using the hashed value. In some embodiments, techniques for computer security comprise monitoring an input, determining that the input is associated with confidential information, and enabling secure data entry.
    Type: Grant
    Filed: August 11, 2006
    Date of Patent: May 13, 2014
    Inventor: Aaron T. Emigh
  • Patent number: 8726014
    Abstract: A system for managing license files comprises a memory operable to store a socket module. The system further comprises a processor communicatively coupled to the memory and operable to receive a command to open a license file, wherein the command is associated with a first user identifier. The license file is stored in a first remote node and is associated with a second user identifier. If the second user identifier matches the first user identifier, the processor is further operable to use the socket module to establish a socket connection with the first remote node. The processor is further operable to, using the socket connection, retrieve from the first remote node a file descriptor associated with the license file. The processor is further operable to apply an update to the license file, wherein the update is addressed according to the file descriptor. If the second user identifier does not match the first user identifier, the processor is further operable to prevent the updating of the license file.
    Type: Grant
    Filed: October 23, 2006
    Date of Patent: May 13, 2014
    Assignee: CA, Inc.
    Inventor: Vincent Scovetta
  • Patent number: 8726346
    Abstract: Methods, apparatuses and storage medium associated with securely provisioning a digital content protection scheme are disclosed. In various embodiments, a method may include forming a trust relationship between a media application within an application execution environment of a device and a security controller of the device. The application execution environment may include an operating system, and the operating system may control resources within the application execution environment. Additionally, the security controller may be outside the application execution environment, enabling components of the security controller to be secured from components of the operating system. Further, the method may include the security controller in enabling a digital content protection scheme for the media application to provide digital content to a digital content protection enabled transmitter within the application execution environment for provision to a digital content protection enabled receiver.
    Type: Grant
    Filed: October 23, 2012
    Date of Patent: May 13, 2014
    Assignee: Intel Corporation
    Inventors: Changliang Wang, Periyakaruppan Kumaran Kalaiyappan, Xiaoyu Ruan, Radhakrishnan Venkataraman, Scott Janus, Tze Sen Fung
  • Patent number: 8719907
    Abstract: A computerized authorization system configured to authorize electronically-made requests to an electronic entity. The computerized authorization system comprises a store configured to store an indication of at least one predetermined electronic authorization device configured to authorize each electronically-made request. The computerized authorization system is further configured such that: in response to receiving an electronically-made request to the electronic entity, an indication of the request is output to the at least one predetermined electronic authorization device configured to authorize the request as indicated in the store; and in response to receiving an indication of authorization from the at least one predetermined electronic authorization device, an indication of authorization of the request is output to the electronic entity.
    Type: Grant
    Filed: May 11, 2012
    Date of Patent: May 6, 2014
    Inventor: Gary Martin Shannon
  • Publication number: 20140123274
    Abstract: Methods and systems for setting and verifying a password in a password protected device. Setting a password includes receiving a configuration password entered via a keyboard, wherein the configuration password includes position information of at least one key on the keyboard, and symbol information of at least one key on the keyboard, and storing the configuration password. Verifying a password includes receiving an entered password on the keyboard, obtaining a stored configuration password, wherein the configuration password includes position information of at least one key on the keyboard and symbol information of at least one key on the keyboard, and verifying the entered password based on the configuration password. The keyboard may be a randomly arranged keyboard. Even if nearby persons can see the selection of symbols displayed on the keys for a password, they cannot determine the real content of the password, and thus cannot access the password-protected device.
    Type: Application
    Filed: October 22, 2013
    Publication date: May 1, 2014
    Inventors: Feng Chen, Pan Liu, Xiao Yu Wang, Ziao Zhi Yan
  • Patent number: 8713632
    Abstract: A user authentication system is provided with a client apparatus and an authentication server. An application program used for processing the measurement results of the measuring apparatus is installed on the client apparatus. Databases for storing use authority information of the application program are provided on the authentication server. A user inputs authentication information when operating the client apparatus and the application program is started. The client apparatus sends the authentication information to the authentication server, and an authentication process is performed by the authentication server. When authentication is successful, the use authority information of this user is sent from the authentication server to the client apparatus, and the client apparatus sets the application use restrictions according to the use authority information.
    Type: Grant
    Filed: November 18, 2011
    Date of Patent: April 29, 2014
    Assignee: Sysmex Corporation
    Inventor: Noriaki Koeda
  • Patent number: 8713125
    Abstract: Method, system and computer program to provide transparent scalability to Online Social Networks and better performance of its back-end databases, by an efficient partitioning of the underlying community structure and replicating of user profiles, ensuring that every user has a master or slave replica of all his neighbors on the same partition where he is located.
    Type: Grant
    Filed: December 15, 2010
    Date of Patent: April 29, 2014
    Assignee: Telefonica, S.A.
    Inventors: Josep M. Pujol, Georgos Siganos, Vijay Erramilli, Xiaoyuan Yang, Nikolaos Laoutaris, Parminder Chabbra, Pablo Rodriguez
  • Patent number: 8712057
    Abstract: A method and apparatus for an iterative cryptographic block under the control of a CPU and without a fixed number of stages. In one embodiment, a first cryptographic block descrambles received information using an internal key or a preprogrammed key to form a descrambled key or descrambled data. A data feedback path stores the descrambled data as internal data and provides the internal data or the external data as data input to the first cryptographic block. A key feedback path stores the descrambled key as an internal key and provides the internal key or the preprogrammed key to a key input of the first cryptographic block. A second cryptographic block descrambles received content using a final descrambling key. Other embodiments are described and claimed.
    Type: Grant
    Filed: March 21, 2008
    Date of Patent: April 29, 2014
    Assignees: Sony Corporation, Sony Electronics Inc.
    Inventor: Brant Candelore
  • Patent number: 8713657
    Abstract: Systems and methods for weak authentication data reinforcement are described. In some embodiments, authentication data is received in a request to authenticate a user. In response to detecting weak authentication data, the systems and methods determine whether the user was previously authenticated as a human user. An example embodiment may include initiating an authentication process based on determining that the user was previously authenticated as a human user.
    Type: Grant
    Filed: September 10, 2012
    Date of Patent: April 29, 2014
    Assignee: eBay Inc.
    Inventor: Mark C. Lee
  • Patent number: 8707051
    Abstract: A firmware cipher component is provided which can be configured and programmed to efficiently implement a broad range of cryptographic ciphers while accelerating their processing. This firmware cipher component allows an ASIC to support multiple cipher algorithms while accelerating the operations beyond speeds conventionally achieved by software or firmware only solutions. This system combines cryptographic specific custom instructions with hardware based data manipulation accelerators. The cryptographic specific custom instructions and hardware accelerators may support both block and stream ciphers. Thus, the system may be reconfigured, allowing the cipher algorithm to change without halting the system. Further, embedding the Firmware Programmable Cipher within an ASIC may allow future capabilities to be supported in secure applications.
    Type: Grant
    Filed: June 4, 2012
    Date of Patent: April 22, 2014
    Assignee: Exelis, Inc.
    Inventors: Kevin Joel Osugi, Nhu-Ha Yup, Michael D. Collins, Lee Paul Noehring
  • Patent number: 8707449
    Abstract: Acquiring access to a token controlled system resource, including: receiving, by a token broker, a command that requires access to the token controlled system resource, where the token broker is automated computing machinery for acquiring tokens and distributing the command to the token controlled system resource for execution; identifying, by the token broker, a first need state, the first need state indicating that the token broker requires access to the token controlled system resource to which the token broker does not possess a token; requesting, by the token broker, a configurable number of tokens to gain access to the token controlled system resource, without dispatching an operation handler for executing the command until at least one token is acquired; assigning, by the token broker, an acquired token to the operation handler; and dispatching, by the token broker, the operation handler and its assigned token for executing the command.
    Type: Grant
    Filed: December 16, 2010
    Date of Patent: April 22, 2014
    Assignee: International Business Machines Corporation
    Inventors: Jason A. Cox, Kevin C. Lin, Eric F. Robinson, Mark J. Wolski
  • Patent number: 8707418
    Abstract: A system for providing communication between one or more clients (50) and one or more service providers (70) is disclosed. The system comprises an access gateway (10) for maintaining transport-specific connections for one or more connections between the client (50) and the access gateway (10), an application level router (20) for routing messages between clients (50) and service providers (70), an authentication provider (40) for verifying the identity of users of clients (50), and a look-up service (30) for keeping a registry of currently available services. Various methods related to the system are also disclosed.
    Type: Grant
    Filed: November 6, 2009
    Date of Patent: April 22, 2014
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Leonid Mokrushin, Vladimir Katardjiev
  • Patent number: 8707031
    Abstract: Methods for managing digital certificates, including issuance, validation, and revocation are disclosed. Various embodiments involve querying a directory service with entries that correspond to a particular client identity and have attributes including certificate issuance limits and certificate validity time values. The validity time values are adjustable to revoke selectively the certificates based upon time intervals set forth in validity identifiers included therein.
    Type: Grant
    Filed: April 7, 2009
    Date of Patent: April 22, 2014
    Assignee: SecureAuth Corporation
    Inventors: Garrett F. Grajek, Jeff C. Lo, Mark V. Lambiase
  • Patent number: 8701183
    Abstract: A method, system, and computer program product containing instructions to provide hardware-based human presence detection. Rather than rely upon software to display a CAPTCHA image, hardware in the form of a sprite engine of a graphics device is used to write a random text string directly to the display device, overlaying the user interface provided by software. Because the sprite engine is isolated from a host operating system for the system, the random text string cannot be captured and processed by software robots running under the host operating system.
    Type: Grant
    Filed: September 30, 2010
    Date of Patent: April 15, 2014
    Assignee: Intel Corporation
    Inventors: Avraham Mualem, Eli Kupermann
  • Patent number: 8701184
    Abstract: An authentication apparatus includes: a database section that stores a password; an entry section through which a password is entered; a storage section that stores an entered password which is entered through the entry section; an authentication section that authenticates whether the password and the entered password match with each other; and a determining section that determines whether or not a re-entered password is to be subjected to an authentication processing performed by the authentication section when the re-entered password is entered through the entry section after the authentication section determines that the password and the entered password do not match with each other.
    Type: Grant
    Filed: June 30, 2008
    Date of Patent: April 15, 2014
    Assignee: Kyocera Mita Corporation
    Inventor: Toshimitsu Morimoto
  • Publication number: 20140101753
    Abstract: Systems and methods are provided to manage risk associated with access to information within a given organization. The overall risk tolerance for the organization is determined and allocated among a plurality of subjects within the organization. Allocation is accomplished using either a centralized, request/response or free market mechanism. As requests from subjects within the organization for access to objects, i.e. information and data, are received, the amount of risk or risk level associated with each request is quantified. Risk quantification can be accomplished using, for example, fuzzy multi-level security. The quantified risk associated with the access request in combination with the identity of the object and the identity of the subject are used to determine whether or not the request should be granted, denied or granted with appropriate mitigation measures.
    Type: Application
    Filed: December 9, 2013
    Publication date: April 10, 2014
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Pau-Chen Cheng, Pankaj Rohatgi, Claudia Keser, Josyula R. Rao
  • Patent number: 8695085
    Abstract: A method and apparatus for managing passwords for accessing data in a storage is provided. The method comprises generating and storing a password, generating and providing to the storage a request to access data in response to receiving a first request to access data in the storage, retrieving and providing the password to the storage in response to the request for a password. The apparatus comprises an initialization module and a storage access module. The initialization module is configured to generate and store a password. The storage access module is configured to generate and provide a request to access data in response to receiving a first request to access data in the storage, receive a request for a password, retrieve the password in response to the request for a password, and provide the password to the storage to obtain access to the data in the storage.
    Type: Grant
    Filed: January 9, 2009
    Date of Patent: April 8, 2014
    Assignee: Ricoh Company, Ltd.
    Inventor: Brian Smithson
  • Patent number: 8686829
    Abstract: A lock code recovery system for selectively sending a lock code to a proximate personal electronic device is provided. A recognizable code is associated with the proximate personal electronic device. The lock code recovery system includes a user input device for receiving feedback and a control module. The control module is in communication with the user input device, and has a memory with an application and at least one recognizable code stored thereon. The application has the lock code associated with the application for at least activating or deactivating the application. The control module includes control logic for monitoring the user input device for feedback indicating the lock code associated with the application should be sent to the proximate personal device.
    Type: Grant
    Filed: June 10, 2011
    Date of Patent: April 1, 2014
    Assignee: GM Global Technology Operations LLC
    Inventor: Matthew M. Highstrom
  • Patent number: 8689305
    Abstract: When a first MFP that manages first and second conversion values of user authentication information accesses a second MFP, the first MFP queries about which conversion value is used by the second MFP to execute user authentication processing. The first MFP transmits information based on a conversion value in accordance with the query result to the second MFP. Then, the second MFP executes user authentication processing using information based on a conversion value in accordance with the query result and a conversion value managed by the second MFP.
    Type: Grant
    Filed: May 13, 2011
    Date of Patent: April 1, 2014
    Assignee: Canon Kabushiki Kaisha
    Inventor: Hiroshi Yasuhara
  • Patent number: 8689322
    Abstract: Disclosed herein is an authentication method for an information apparatus. The method includes receiving a first password, generated based on the system time of the information apparatus, from an external device connected to the information apparatus, generating a second password based on the time at which the first password was received, and determining whether the first and second passwords coincide with each other.
    Type: Grant
    Filed: July 10, 2007
    Date of Patent: April 1, 2014
    Assignee: LG Electronics Inc.
    Inventor: Jin-Mo Park
  • Patent number: 8683571
    Abstract: A system and method for authenticating a user in a secure computer system. A client computer transmits a request for a sign-on page, the secure computer system responds by transmitting a prompt for a first user identifier, and the client computer transmits a request including a first identifier, a second identifier stored in an object stored at the client computer and a plurality of request header attributes. A server module authenticates the first and second user identifiers, and compares the transmitted plurality of request header attributes with request header attributes stored at the computer system and associated with the first and second user identifiers. If the first and second user identifiers are authenticated, and if a predetermined number of transmitted request header attributes match stored request header attributes, the server software module transmits a success message, and the user is allowed to access the secure computer system.
    Type: Grant
    Filed: July 24, 2012
    Date of Patent: March 25, 2014
    Assignee: Keycorp
    Inventors: Onesimo Zapata, Susan E. Zielinski, Deana M. Flannery
  • Patent number: 8683578
    Abstract: Methods, systems and articles of manufacture consistent with features of the present invention allow the generation and use of derived user accounts, or DUA, in a computer system comprising user accounts. In particular, derivation rules define how a DUA is linked to or created based on an existing original user account, or OUA. Derivation transformations may also update the state of a DUA based on its corresponding OUA or give feedback from the state of a DUA to the state of its corresponding OUA.
    Type: Grant
    Filed: August 2, 2012
    Date of Patent: March 25, 2014
    Assignee: Google Inc.
    Inventor: Ulfar Erlingsson
  • Patent number: 8683561
    Abstract: A tamperproof ClientID system to uniquely identify a client machine is invoked upon connection of a client application to a backend. Upon initial connection, the backend issues a unique ClientID containing a checksum. The client application prepares at least two different scrambled versions of the ClientID and stores them in respective predetermined locations on the client machine. Upon subsequent connection to the backend, the client application retrieves and unscrambles the values at the two locations, verifies the checksums and compares the values. If the checksums are both correct and the values match, the ClientID value is sent to the backend, otherwise the client application sends an error code.
    Type: Grant
    Filed: August 15, 2011
    Date of Patent: March 25, 2014
    Assignee: Cambridge Interactive Development Corp.
    Inventor: Daniil Utin
  • Patent number: 8676998
    Abstract: A client-server communication protocol permits the server to authenticate the client without requiring the client to authenticate the server. After establishing the half-authenticated connection, the client transmits a request and the server performs or responds accordingly. A network management system and environment where this protocol can be used is also described and claimed.
    Type: Grant
    Filed: November 29, 2007
    Date of Patent: March 18, 2014
    Assignee: Red Hat, Inc.
    Inventor: James P. Schneider
  • Publication number: 20140075547
    Abstract: There is provided an information processing apparatus including: a display unit that displays an input interface which includes a plurality of identification information figures corresponding to identification information used to identify an individual, and a reference figure functioning as a reference for arrangement of the identification information figures; a display control unit that hides the identification information figures, which are targets of an operation performed by a user, or changes display positions of the identification information figures with regard to the reference figure, in accordance with the operation performed by the user on the input interface; and an identification information specifying unit that specifies the identification information which is used for a certification process from among a plurality of pieces of identification information in accordance with the operation performed by the user on the input interface.
    Type: Application
    Filed: August 29, 2013
    Publication date: March 13, 2014
    Applicant: FELICA NETWORKS, INC.
    Inventor: Tsutomu Kumai
  • Publication number: 20140068754
    Abstract: The invention provides the ability to produce long, complex passwords from simple, easy to recall, pictorial selections. The invention features a picture based interface unit, linked to a series of individual process modules. Selecting images contained in the image selection module generates a reference pointer corresponding to coordinates in the reference pointer of the control module which thereby generates a rotor sequence that is passed to the password generator module containing ASCII characters groups. The character groups are processed according to the rotor sequence contents to produce a password that is displayed in a display module for editing and/or use.
    Type: Application
    Filed: April 24, 2012
    Publication date: March 6, 2014
    Inventor: Vance Burkill
  • Patent number: 8667296
    Abstract: A method for generating a password for a user account. The method includes selecting a media item from a media library associated with a user; selecting a portion of the media item; generating a password based on the selected portion of the media item, where at least a portion of the password is based on selecting a first letter of a word included in the portion of the media item; and presenting the password as a suggested password to the user.
    Type: Grant
    Filed: October 9, 2012
    Date of Patent: March 4, 2014
    Assignee: Google Inc.
    Inventors: Brandon Bilinski, Jai John Mani
  • Patent number: 8667578
    Abstract: Described is a technology in which a non-administrator computer/web user is allowed to perform an administrative-level task within a certain context and/or scope. An authorization store is queried based on information (e.g., a provider, a username, and a path) provided with an authorization request, e.g., from an application via an API. The information in the authorization store, set up by an administrator, determines the administrative action is allowed. If so, a credential store provides credentials that allow the action to be run before reverting the user to the prior set of credentials. Also described is a pluggable provider model through which the authorization store and/or delegation store are accessed, whereby the data maintained therein can be any format and/or at any location known to the associated provider.
    Type: Grant
    Filed: January 16, 2009
    Date of Patent: March 4, 2014
    Assignee: Microsoft Corporation
    Inventors: Saad A. Ladki, Madhur Joshi, Robert J. Lucero, Carlos Aguilar Mares, Nitasha Verma, Bilal Alam, Clea H. Allington, Vijay Sen
  • Patent number: 8667560
    Abstract: Systems and methods for authenticating a user of a service are disclosed. A host of a service provides a user interface that can be accessed via a display of a terminal. Upon successfully transmitting a first set of credentials, the host requests a random image to be generated by an authentication server. The authentication server transmits the random image to the host, as well as to a mobile device that is associated with the user of the service. The mobile device receives a picture message including the image. The user interface displays a list of images on the display. The user matches the received image with an image among the list of images, wherein a successful match follows in the user being granted access to the service. Consequently, an additional layer of security using a visual identification of a user is provided.
    Type: Grant
    Filed: August 31, 2010
    Date of Patent: March 4, 2014
    Assignee: AT&T Intellectual Property I, L.P.
    Inventor: Luis F. Albisu
  • Publication number: 20140059672
    Abstract: A method for generating a changing authentication input or password for a user is provided for accessing a computing device such as a smartphone or computer. Using objects displayed in sequential positions on a graphic display, and input strings of text or alphanumeric characters the user has related to each object, a password can be generated by placing the input strings in an order the same as the sequence. The password can be varied easily for each access attempt by changing the objects displayed and/or the sequence.
    Type: Application
    Filed: August 23, 2012
    Publication date: February 27, 2014
    Inventor: Alejandro V. Natividad
  • Publication number: 20140059671
    Abstract: Information and data stored by a mobile device is protected by applying password-protection to the locally-stored information without persistently storing the corresponding password locally. Rather, the corresponding password is stored by a remote password server. In response to a trigger event on the mobile device, such as an unlocking action by the user, a request is sent by the mobile device to the password server to retrieve the corresponding server, and the corresponding password is returned to the mobile device. The mobile device can then use the password to access the protected information. If the user determines that the mobile device is lost, stolen, or out of the user's physical control, the user may access the password server and disable the sending of the password to the mobile device, thereby thwarting attempts to access the protected data on the mobile device.
    Type: Application
    Filed: August 21, 2012
    Publication date: February 27, 2014
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Joseph Celi, Jr., Mark Alexander McGloin, Harshita Nersu, Olgierd Stanislaw Pieczul
  • Patent number: 8661529
    Abstract: An information processing device includes a processing unit which performs user authentication. The processing unit includes a setting part that determines setting of operation of a target device using the user authentication. An authentication information setting part determines user authentication information. A password generation part generates a one-time password partially or fully. A transmission part transmits the setting of operation of the target device and the one-time password to the target device.
    Type: Grant
    Filed: December 21, 2011
    Date of Patent: February 25, 2014
    Assignee: Ricoh Company, Ltd.
    Inventor: Ryoichi Suzuki
  • Patent number: 8661239
    Abstract: An encryption device and method for controlling download and access operations performed to a mobile terminal are disclosed. A switch circuit (102) is disposed on download channels (107, 108) between the master chip (101) of the mobile terminal and the connector (103) of the mobile terminal, an access software (105) is opened and an encryption chip (106) is accessed by using a dongle (112), the on-off of the switch circuit (102) is controlled by setting states of the encryption chip (106), so as to control the on-off of download channels (107, 108) to control the download and access operations performed to the mobile terminal by a computer (104). According to the device and method, hackers cannot crack the internal procedure of the memory of the mobile terminal using substitute code segments, thereby effectively improving the security and reliability of the download and access operations performed to the mobile terminal.
    Type: Grant
    Filed: April 28, 2010
    Date of Patent: February 25, 2014
    Assignee: ZTE Corporation
    Inventor: Ke Liu
  • Patent number: 8650636
    Abstract: In one embodiment, a picture signature password system may use a picture signature password to determine access to a computing device or service. A display screen 172 may display a personalized digital image 310. A user input device 160 may receive a user drawing set executed by a user over the personalized digital image 310. A processor 120 may authenticate access to the user session if the user drawing set matches a library drawing set associated with the user.
    Type: Grant
    Filed: June 17, 2011
    Date of Patent: February 11, 2014
    Assignee: Microsoft Corporation
    Inventors: Jeff Johnson, Steve Seixeiro, Zachary Pace, Giles van der Bogert, Sean Gilmour, Levi Siebens, Ken Tubbs
  • Patent number: 8650623
    Abstract: Systems and methods are provided to manage risk associated with access to information within a given organization. The overall risk tolerance for the organization is determined and allocated among a plurality of subjects within the organization. Allocation is accomplished using either a centralized, request/response or free market mechanism. As requests from subjects within the organization for access to objects, i.e. information and data, are received, the amount of risk or risk level associated with each request is quantified. Risk quantification can be accomplished using, for example, fuzzy multi-level security. The quantified risk associated with the access request in combination with the identity of the object and the identity of the subject are used to determine whether or not the request should be granted, denied or granted with appropriate mitigation measures.
    Type: Grant
    Filed: January 17, 2007
    Date of Patent: February 11, 2014
    Assignee: International Business Machines Corporation
    Inventors: Pau-Chen Cheng, Pankaj Rohatgi, Claudia Keser, Josyula R. Rao
  • Patent number: 8650620
    Abstract: Methods and apparatus to control privileges of mobile device applications are disclosed. A disclosed example method includes assigning a process identifier to an application on a mobile device, the process identifier generated by an operating system of the mobile device, determining via a digital certificate that the application is authorized to be executed on the mobile device and that the application is authorized to access a network interface of the mobile device, configuring a mandatory access control module of the mobile device to enforce access of the network interface by providing the process identifier to the mandatory access control module, and enabling the application to access the network interface.
    Type: Grant
    Filed: December 20, 2010
    Date of Patent: February 11, 2014
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Deepak K. Chawla, Urs A. Muller
  • Publication number: 20140040627
    Abstract: A process and a system that create and encrypt rich formatted passwords that increase password strength and security in some embodiments are disclosed. The process increases password security by converting a set of password tokens and a set of password appearance alterations into a rich formatted password and then encrypting the rich formatted password. The system of some embodiments includes (i) a data converter for assembling a rich formatted password from a data object comprising a set of password tokens and a set of password appearance alterations received at a password creation user interface (UI) of a computing device and (ii) a data encrypter for encrypting rich formatted passwords and decrypting encrypted rich formatted passwords, and (iii) a database for storing and retrieving encrypted rich formatted passwords.
    Type: Application
    Filed: July 30, 2013
    Publication date: February 6, 2014
    Inventors: THOMAS C. LOGAN, MICHAEL MCINTOSH, ROBIN G. BALMER, KEVIN HOWARD
  • Publication number: 20140041018
    Abstract: Provided are devices, methods, systems, computer readable storage media and other means for tokenizing data. In some examples, credit card numbers are tokenized using a pre-generated token map and absent the use of a networked database that stores a relatively large quantity of credit card numbers in a central location. The token map may be generated by a token map generator such that the token map can be used by a tokenizer to replace a portion of an account number with a token, and by a detokenizer to replace the token with the original portion of the account number. A pre-parser and parser may also be used to locate an account number and/or token in a message received over a network.
    Type: Application
    Filed: October 4, 2013
    Publication date: February 6, 2014
    Applicant: SABRE INC.
    Inventors: Kevin B. Bomar, Glenn E. Harper
  • Patent number: 8646048
    Abstract: In accordance with embodiments, there are provided mechanisms and methods for authenticating and authorizing an external entity. These mechanisms and methods for authenticating and authorizing an external entity can enable improved data security, more efficient data transfer, improved data access channels, etc.
    Type: Grant
    Filed: November 16, 2010
    Date of Patent: February 4, 2014
    Assignee: salesforce.com, inc.
    Inventor: Jong Lee
  • Patent number: 8646034
    Abstract: The present invention provides a bootstrap system comprising a network system and a mobile handset where the mobile handset can easily receive services of NFC bootstrap application. The handset is effectively authenticated after a bootstrap controller in the network verifies whether a user credential derived in the mobile handset and a user credential separately received from a network server are equal. The application setting is sent to a handset from a bootstrap controller via ad-hoc near field communication (NFC) between the mobile handset and the bootstrap controller. Then the user of the mobile handset can receive various services of the NFC application after the network server delivers the user credential to the service devices with NFC interface.
    Type: Grant
    Filed: April 22, 2008
    Date of Patent: February 4, 2014
    Assignee: Telefonaktiebolaget LM Ericsson (Publ)
    Inventors: Shingo Murakami, Toshikane Oda
  • Publication number: 20140033299
    Abstract: A password protection application is executed on a mobile device and provides an interface by which an authorized user can define and configure a “data protection profile” for the device. This profile defines at least one security event (criteria or condition) associated with the device, and at least one protection action that should occur to protect data on the device upon the triggering of the event. Once defined in a profile, the application monitors for the occurrence of the security event. Upon the occurrence of the specified event, the protection action is enforced on the device to protect the data.
    Type: Application
    Filed: July 26, 2012
    Publication date: January 30, 2014
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Mark Alexander McGloin, Olgierd Stanislaw Pieczul, Joseph Celi, JR.
  • Patent number: 8640200
    Abstract: Techniques are described for enabling principals to inject context information into a credential (e.g. session credential). Once the credential has been issued, any arbitrary principal is allowed to inject context information into the existing credential. The injected context is scoped to the principal that made the injection. Subsequently, at authentication time, when the credential is used to request access to a particular resource, the system can verify whether the principal that made the injection is trusted and if the principal is deemed trusted, the context information can be applied to a policy that controls access to one or more resources, or can alternatively be translated into some context residing in a different namespace which can then be applied to the policy. In addition, the system enables arbitrary users to insert additional deny statements into an existing credential, which further restrict the scope of permissions granted by the credential.
    Type: Grant
    Filed: March 23, 2012
    Date of Patent: January 28, 2014
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory B. Roth, Kevin Ross O'Neill
  • Patent number: 8640211
    Abstract: A system and method is described for controlling the password(s) of one or more programs through a universal program. The universal control program allows access to one or more other programs and allows editing of the passwords of the other programs directly through the universal access program.
    Type: Grant
    Filed: April 19, 2012
    Date of Patent: January 28, 2014
    Assignee: Intellectual Ventures II LLC
    Inventor: John B. Hollingsworth
  • Publication number: 20140026211
    Abstract: A processor executing a password manager randomly selects a first requirement and a second requirement for creating a password from a set of requirements, wherein the second requirement is selected independently of the first requirement. The processor provides the first requirement for creating the password, receives characters for the password, determines whether the characters satisfy the first requirement, and provides information that indicates whether the characters satisfy the first requirement. Responsive to the characters satisfying the first requirement, the processor provides the second requirement for creating the password.
    Type: Application
    Filed: September 25, 2013
    Publication date: January 23, 2014
    Applicant: Red Hat, Inc.
    Inventors: Seth Nickell, Bryan W. Clark
  • Patent number: 8635687
    Abstract: There is provided a method and device for providing personal data of a first party to a second party. The personal data is stored in an electronic device comprising a mechanism for locking and unlocking access to the personal data and/or condition data stored therein associated with conditions for accessing said personal data. The second party receives the personal data dependent on whether the personal data is in a locked state and/or whether the conditions associated with the condition data are satisfied.
    Type: Grant
    Filed: September 6, 2002
    Date of Patent: January 21, 2014
    Assignee: MasterCard International Incorporated
    Inventor: Philip A. Binder
  • Patent number: 8635447
    Abstract: A method is used in managing certificates between software environments. In a Flex operating environment, a certificate store is maintained that is accessible to a Java operating environment. In the Flex operating environment, certificates from the Flex and Java operating environments are caused to be validated and stored in the certificate store.
    Type: Grant
    Filed: December 23, 2010
    Date of Patent: January 21, 2014
    Assignee: EMC Corporation
    Inventors: Scott E. Joyce, Christopher S. Lacasse, Munish T. Desai, Gev F. Daruwalla
  • Patent number: 8632003
    Abstract: A computer-implemented method can include selecting an information card from a group of identified information cards, selecting a persona from a group of identified personae that are associated with the selected information card, and generating a Request for Security Token (RST) based on the selected information card and the selected persona.
    Type: Grant
    Filed: January 27, 2009
    Date of Patent: January 21, 2014
    Assignee: Novell, Inc.
    Inventors: James Sermersheim, Andrew A. Hodgkinson, Daniel S. Sanders, Thomas E. Doman, Duane F. Buss
  • Patent number: 8635683
    Abstract: An embodiment of the invention provides a method for detecting fraudulent use of a moderator passcode in a conference calling system. The method sets a threshold number of moderator passcodes permitted in a conference call. The total number of moderator passcodes entered into the conference call is determined and compared to the threshold number with a processor. The conference call is allowed to continue if the threshold number exceeds the total number of moderator passcodes entered into the conference call. If, however, the total number of moderator passcodes exceeds the threshold number of moderator passcodes, the processor performs validation actions and/or alert actions.
    Type: Grant
    Filed: December 4, 2009
    Date of Patent: January 21, 2014
    Assignee: International Business Machines Corporation
    Inventors: Charles Steven Lingafelt, James William Murray, James Thomas Swantek
  • Patent number: 8631487
    Abstract: A method of authenticating a user of a computing device is proposed, together with a computing device on which the method is implemented. In the method a modified base image is overlaid with a modified overlay image on a display. The modified overlay image comprises a plurality of numbers. At least one of the modified base image and modified overlay image is moved by the user. Positive authentication is indicated in response to the base image reference point on the modified base image being aligned, in sequence, with two or more numbers from the overlay image that equal a pre-selected algebraic result when one or more algebraic operators are applied to the numbers.
    Type: Grant
    Filed: December 16, 2010
    Date of Patent: January 14, 2014
    Assignee: Research In Motion Limited
    Inventors: Jason Tyler Griffin, Steven Henry Fyke, Jerome Pasquero, Neil Patrick Adams, Michael Kenneth Brown
  • Patent number: 8627455
    Abstract: According to one embodiment, a manufacturing method of a device to be authenticated, wherein the device includes a first memory area which is prohibited from data-reading and data-writing after shipping from a memory vendor; a second memory area which is allowed to data-read from outside after shipping from the memory vendor; and a third memory area which is allowed to data-read and data-write from outside after shipping from the memory vendor.
    Type: Grant
    Filed: June 14, 2012
    Date of Patent: January 7, 2014
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Yuji Nagai, Taku Kato, Tatsuyuki Matsushita