Abstract: A smart card, system, and method for securely authorizing a user or user device using the smart card is provided. The smart card is configured to provide, upon initialization or a request for authentication, a public key to the user input device such that the PIN or password entered by the user is encrypted before transmission to the smart card via a smart card reader. The smart card then decrypts the PIN or password to authorize the user. Preferably, the smart card is configured to provide both a public key and a nonce to the user input device, which then encrypts a concatenation or other combination of the nonce and the user-input PIN or password before transmission to the smart card. The smart card reader thus never receives a copy of the PIN or password in the clear, allowing the smart card to be used with untrusted smart card readers.

Abstract: (EN) The invention relates to an authentication device (TK) set to identify itself to a computer (PC) as a native human interface device. It also relates to a system comprising an authentication device (TK) and a computer (PC), as well as to a method to have a computer (PC) recognize an authentication device (TK).

Abstract: A function performing apparatus includes a function performing unit performing a specific function, a processor, and memory storing computer-readable instructions therein, the computer-readable instructions, when executed by the processor, causing the function performing apparatus to perform, in response to receiving a user authentication information when the user authentication information has been registered in an authentication memory, transitioning a state of the apparatus from a non-permission state to a permission state, registering, in the authentication memory, a device authentication information in association with the user authentication information upon establishing a first connection with a portable device, and transitioning the state of the apparatus from the non-permission state to the permission state when a second connection with the portable device is established and the device authentication information is obtained from the portable device.

Abstract: A function performing apparatus includes a function performing unit, an operation unit, a processor and memory. The function performing apparatus receives a first instruction from a portable device, determines whether first authentication information is to be registered in an authentication memory, registers the first authentication information in authentication the memory, transmits the first authentication information, receives a second instruction including the first authentication information from the portable device, changes a state of the function performing apparatus from a non-permission state to a permission state if the second instruction is received while the first authentication information is registered in the authentication memory and changes the state from the non-permission state to the permission state if second authentication information is input to the function performing apparatus by the operation unit while the second authentication information is registered in the authentication memory.

Abstract: A processing apparatus includes a process performing unit, an operation unit, a processor and memory. The processing apparatus receives first identification information from a communication device, acquires second identification information input by the operation unit, determines whether registration of the first and second identification information is permitted, registers registration information in which the first and second identification information are associated, when the first identification information is received after registering the registration information, performs authentication based on the first identification information, and, when the second identification information is acquired after registering the registration information, performs authentication based on the second identification information.

Abstract: In order to create and access a secure storage account in a non-volatile memory device, an account identification value is calculated. A memory identification value is read from a first non-volatile memory device. The memory identification value and the account identification value are transmitted to a second non-volatile memory device, and a calculated credential is received. A command is transmitted to create a secure storage account in the first non-volatile memory device, where the command contains the credential and the account identification value. To access the account, a sequence is transmitted, containing the account identification value and a value based on the credential. A secure storage system contains a first non-volatile memory device that stores a memory identification value and contains a secure partition accessible using a credential, a second non-volatile memory device that can compute the credential, and a host adapted to create and access the secure partition.

Abstract: A memory device includes a plurality of memory chips, including one or more memory chips that store authentication information, and a controller including a first register that stores information indicating a representative memory chip, from among the one or more memory chips that store the authentication information, that stores valid authentication information.

Abstract: A communication system detects particular application protocols in response to their message traffic patterns, which might be responsive to packet size, average packet rate, burstiness of packet transmissions, or other message pattern features. Selected message pattern features include average packet rate, maximum packet burst, maximum future accumulation, minimum packet size, and maximum packet size. The system maintains a counter of packet tokens, each arriving at a constant rate, and maintains a queue of real packets. Each real packet is released from the queue when there is a corresponding packet token also available for release. Packet tokens overfilling the counter, and real packets overfilling the queue, are discarded. Users might add or alter application protocol descriptions to account for profiles thereof.

Abstract: A method and apparatus are provided for mediating access to a shared object in a naive computer system having a shared-nothing operating system layered on a shared file system. At least one primary token is utilized as a tool to mediate ownership of one or more shared objects in the naive system. A secondary token is created and utilized to mediate ownership of one or more shared objects. The secondary token created and utilized in limited circumstances, such as when the owner of the primary token ceases communicating with one or more requesters of the primary token.

Abstract: A system and method for managing communication. The system and method applying to but not limited to settop boxes (STBs) and other devices used to interface services. The management including any number of features and processes associated with achieving Quality of Service (QoS) across different domains and according to network limitations associated with the same.

Abstract: A method of providing a user with an option to access a protected system by satisfying a reduced security measure is disclosed. An attempt by the user to access the protected system is detected. It is detected that a first security token system is within a first proximity to the protected system. Based on the detecting of the attempt by the user to access the protected system and the detecting that the first security token system is within the first proximity, the user is provided with the option to access the protected system by satisfying the reduced security measure.

Abstract: Method for monitoring an online identity of a user on a network is described. In one example, data exchanged between a browser client on a device associated with the user and the network is monitored. Creation or use of an online identity by the user is detected within the data. The online identity is associated with a host site. The host site may be any of a plurality of point of presence sites. A notification of the online identity is generated for presentation to a custodian of the user. The notification may then be sent to the custodian.

Abstract: An embodiment generally relates to a method of managing tokens. The method includes detecting a presence of a token at a client and determining a status of the token. The method also includes formatting the token at the client in response to the status of the token being unformatted.

Abstract: A biometrics authentication device utilizes biometrics information and performs individual authentication enables secure modification of authorization details for an authorized agent other than the principal. A verification device verifies biometrics information registered on an IC card against biometrics information detected by a detection unit. When results in satisfactory biometrics authentication, modification of authorization details of an authorized agent, registered on the IC card, is permitted. Authorization details for an authorized agent can be securely modified on a card on which biometrics information for the principal and the authorized agent is registered.

Abstract: Provided is a license management system comprising: a license check device that independently operates on a platform; and an information processing device that is connected to the license check device, in which the license check device includes: a license check unit that checks for presence or absence of a license of the information processing device; a first start unit that starts the license check unit in response to a call instructed by the platform; and a calling unit that calls, when the license check unit determines that the license is present, the information processing device, and in which the information processing device includes: an information processing unit that performs a specific information processing; and a second start unit that starts the information processing unit only in response to the call from the license check device.

Abstract: A method is provided for transferring data linked to an application installed on a security module associated with a mobile terminal, the data being stored in a first secure memory area of the security module, suitable for receiving a request to access the data, to read the data, and to transmit or store the data after encryption. A method is also provided for accessing these data suitable for transmitting a request to access, to receive and to decrypt the encrypted data. A security module, a management server, and a system implementing the transfer and access methods are also provided.

Abstract: A method and apparatus are provided to allow a user of a communications device to utilize one-time password generators for two-way authentication of users and servers, i.e., proving to users that servers are genuine and proving to servers that users are genuine. The present invention removes the need for a user to have a separate physical device, e.g., token, per company or service, reduces the cost burden on the companies and allows for two-way authentication via multiple access methods, e.g., telephone, web interfaces, automatic teller machines (ATMs), etc. Also, the present invention may be utilized in consumer and enterprise applications.

Abstract: The pureness of a connection between an external device and a host computer can be inspected or monitored to determine the status: connected or disconnected. When it is determined that a disconnection state is entered, an indication can be sent to the host and, in parallel, the data transportation from and/or to the external device may be manipulated. In some embodiments an exemplary connection protector device (CPD) may be added to the connection in between the external device and the host. The CPD can have two connectors one for the host and one for the cable of the external device. The CPD can be adapted to identify any disconnection in the connection with the host and/or the connection with the external device on the other side of the CPD.

Abstract: A first server is configured to receive a first token from a user device, determine whether the first token is valid, request the user device to provide a set of credentials to a second server, based on determining that the first token is invalid, and receive a first response from the user device. The first response may include information identifying whether the user device is authenticated to communicate with the first server. The first server is further configured to send the first response to a third server. The third server may generate a second response to indicate authentication of the user device to communicate with the first server. The first server is further configured to receive the second response from the third server, generate a second token, based on receiving the second response, and send the second token to the user device.

Abstract: A data storage system comprises a removable drive with memory for storing data, and an identifier for identifying the removable data cartridge. A host computer can be coupled in data communication with the removable data cartridge, with a driver for performing data operations thereon. The driver is configured to perform the data operations with encryption, in the presence of the identifier, and to perform the data operations without the encryption, in the absence of the identifier.

Abstract: Systems, methods, and apparatus are disclosed for electronically sharing data using authentication variables, such as biometrics and contextual data. Example contextual data includes machine identifications (IDs) and data collected from sensors of computing devices.

Abstract: A device may receive a request for analytics information associated with a user device. The device may retrieve application programming interface (API) information associated with the request for analytics information. The API information may include information associated with providing an authorization token and with providing user device information. The device may determine demographic information based on the request for analytics information. The demographic information may be associated with a user of the user device. The device may determine the analytics information based on an analysis of the API information and the demographic information. The device may provide the analytics information.

Abstract: A method to identify a child process to a parent process in an operating system includes obtaining a token and login identifier from the operating system. The parent process creates a remote procedure call communications endpoint to communicate with the child process. Thereafter, a child process is spawned by the parent process. A child-initiated request to communicate with the parent process is then received by the parent process. In order to verify the identity of the child-initiated request, the parent process impersonates the child process and receives as identifier that identifies the requestor child process. The requestor process identifier and the spawned child identifier are compared. Based on the comparison, the parent process responds to the child-initiated request. In another embodiment, process identifiers are used by the parent process to verify the identity of a child process the requests communication with the parent process.

Abstract: A hand-held token can be operated to generate an acoustic signal representing the digital signature generated by a private key of a public key/private key pair. Verifiers that might be located at, e.g., buildings, in vehicles, at bank ATMs, etc. receive the signal and retrieve the corresponding public key to selectively grant access authorization to components served by the verifiers. Methods and systems permit adding and removing a token from the access list of a verifier. Other methods and systems enable the token to be used with several verifiers that are nearby each other, such as might be the case with multiple vehicles owned by the same user and parked nearby each other, without more than one verifier being operated to grant access.

Abstract: An information processing system includes a management unit that manages information of an object that determines at least one of a parent and a child of the object, a receiving unit that receives specification of an authority object that is an object with which authority information is associated and a request of processing that is to be executed by using the authority object, and a determining unit that determines whether to accept the request or not on the basis of results of a comparison between information of an owner object that is an object that approves the authority information and information of an object that is a parent of the authority object.

Abstract: Instances executing within a programmable execution service (“PES”) that are engaged in undesirable computing activity can be identified by comparing activity performed by instances executing within the PES to data describing known undesirable computing activity. Once compromised instances have been identified, other previously unknown undesirable computing activity performed by the compromised instances can be identified by determining whether activity is performed by the compromised instances significantly more often than other instances executing within the PES. New undesirable computing activity discovered using this process could then be utilized to discover other compromised instances.

Abstract: Techniques for a computing device operating in access-states are provided. One example method includes receiving, by the computing device operating in a first access state, an indication of first input and responsive to determining that at least one value of a characteristic of the first input exceeds a predetermined characteristic threshold, transitioning the computing device to operate in a second access state. While the computing device is operating in the second access state, the method further includes outputting instructions for transitioning the computing device from operating in the second access state. The method further includes receiving, by the computing device operating in the second access state, an indication of a second input and responsive to determining that the indication of the second input satisfies a threshold of compliance with the instructions, transitioning the computing device from operating in the second access state to operating in the first access state.

Abstract: There is a verification application arranged to interact with other applications on an electronic device, the electronic device having a processor, a memory and an operating system controlling operation of the verification application and the other applications on the processor using arbitrary memory locations, where the other applications are enabled to call the verification application to securely determine authenticity of a user of the electronic device. The verification application is arranged to receive verification data for secure determination of authenticity of the user; and provide, upon a call from any of the other applications and a match between the verification data and a verification reference, a trust token to the calling application. A method, electronic device and computer program are also disclosed.

Abstract: A computing system includes a first security central processing unit (SCPU) of a system-on-a-chip (SOC), the first SCPU configured to execute functions of a first security level. The computing system also includes a second SCPU of the SOC coupled with the first SCPU and coupled with a host processor, the second SCPU configured to execute functions of a second security level less secure than the first security level, and the second SCPU executing functions not executed by the first SCPU.

Abstract: Machines, systems and methods for data security on a computing device are provided. In one embodiment, the method comprises a method for securing data stored on a data storage medium, the method comprising: activating a first module to remove a layer of security applied to target data stored on a data storage medium associated with a computing device, in response to detecting presence of a security key within a first range of the computing device, wherein the layer of security prevents access to the target data when the first module is inactive, and deactivating the first module, in response to detecting that the security key is no longer within the first range of the computing device, wherein the layer of security is applied to the target data when the first module is deactivated.

Abstract: A method for preventing password theft through unauthorized keylogging includes detecting, from a host application, a request for a password input by a user of an input keyboard device; activating a randomly generated keyboard map uniquely associated with the host application such that a first set of keystroke values inputted by the user results in a second, converted set of keystroke values transmitted to the host application, in accordance with the randomly generated keyboard map uniquely associated therewith; and upon completion of a password entry process by the user, deactivating the randomly generated keyboard map such that subsequent keystroke values inputted by the user are no longer converted to the values according to the keyboard map.

Abstract: Methods and systems for third party client authentication of a client. A method includes displaying a user interface on a display of the client, the user interface including an option to select a supported credential type of a third party authentication server, receiving a command selecting the supported credential type, and sending credential information and the selected supported credential type to an authentication server for third party authentication by the third party authentication server. The third party authentication server may support a token-based authentication protocol for implementing single sign on (SSO).

Abstract: A chip including a processor for performing a predetermined operation, a provider for providing a clock signal, with which the processor is clocked, a counter for decrementing or incrementing a count based on the clock signal, a monitor for signaling the predetermined operation to be prevented, depending on the count, and a non-volatile storage for non-volatily storing the count.

Abstract: A system and method for establishing a chain of trust from a registrant to a registry. A registrant request to a registrar to change a domain name record includes at least one registrant factor, such as a one time password. The registrar can formulate an extended EPP command that includes the factor to effectuate the change and send it to a registry. The registry can verify the at least one factor using at least one validation server. If the factor is successfully verified, the EPP can be processed by the registry. If the factor is not verified, the EPP command may not be processed and an error message may be generated and sent to the registrar.

Abstract: In general, one innovative aspect of the subject matter described in this specification can be embodied in methods that include the actions of receiving an input method editor (IME) server request, the IME server request including one or more tokens and requesting that an IME server be instantiated, the IME server executing one or more IME functions based on a key event sent from an IME client, wherein the IME server is a stateful server that stores both requests and responses of a communication session between the IME server and the IME client, determining that the IME server can be instantiated in a restrictive environment based on the one or more tokens, and instantiating the IME server in the restrictive environment. Other embodiments of this aspect include corresponding systems, apparatus, and computer programs, configured to perform the actions of the methods, encoded on computer storage devices.

Abstract: A token or other storage device uses Internet identities to set file access attribute rights. Subsequently, requests to access a file can be controlled by confirming the Internet identity of the requestor by either validating the request with a known public key or retrieving the public key from an Internet identity provider. Files may be stored encrypted and may be re-encrypted with the public key associated with Internet identity making the request.

Abstract: A system, computer-readable storage medium storing at least one program, and a computer-implemented method for controlling a local utility are disclosed. A first request originating from an application and including a first token is received at a local utility. The application received a web page, including a plurality of links and the first token, from a first server. The plurality of links are received by the application from a second server. The first token is authenticated. Authentication includes sending the first token to a third server. In response to authenticating the first token, a second token is generated at the local utility. The second token is sent to the application for inclusion in subsequent requests from the application.

Abstract: A method for propagating session management events between a plurality of machines forming a machine cluster includes generating, with a session management user interface, a session management event on a first machine of the machine cluster; detecting, with an installment of the interface, the generated event; sending, from the installment to a first security service related to the first machine, a set of specific information that is related to the detected event; determining, with the first security service, a set of target machines; sending the specific information from the first security service to target security services that are related to the target machines; and processing the specific information at each target security service of the target machines so as to execute, on each target machine that has received the specific information, the session management event generated on the first machine.

Abstract: A method and system for extending an authentication of a wireless device are disclosed. For example, the method includes authenticating access to the wireless device via a first authentication. The method detects a bonded authentication device as a second authentication. The method permits access to the wireless device when the bonded authentication device is detected.

Abstract: A method begins by a processing module receiving data segments of a data stream to produce received data segments. The method continues with the processing module encrypting a data segment of the received data segments to produce an encrypted data segment and dispersed storage error encoding the encrypted data segment to produce a set of encoded data slices in order of receiving the data segments. The method continues with the processing module buffering encoded data slices of sets of the encoded data slices unit to produce buffered encoded data slices and comparing a number of buffered encoded data slices to a threshold. The method continues with the processing module outputting the encoded data slices of the buffered encoded data slices based on a pseudo-random sequencing order when the number of buffered encoded data slices compares favorably to the threshold.

Abstract: A method and system for validating a form, that includes providing, to a client, the form comprising a primary token, receiving, in response to the client loading the page form, a request for a secondary token, providing the secondary token in response to receiving the request, and receiving the form comprising the primary token and a secondary token from a client. The method further includes validating the form, where validating the form includes obtaining a first primary token hash from the secondary token, applying a first hash function to the primary token to obtain a second primary token hash, and determining that the first primary token hash and the second primary token hash match. The method further includes accepting the form upon validating the form.

Abstract: An embodiment of a system for managing delivery of content to end users includes a semantics generator configured to generate name/value pair semantics for name/value pairs that can be included in flexible tokens, a semantics publisher configured to publish the name/value pair semantics in a menu, wherein the name/value pair semantics are selectable, a flexible token interpreter configured to interpret name/value pairs included in flexible tokens according to the name/value pair semantics, the flexible token interpreter further configured to determine responses to content requests based on the name/value pairs included in flexible tokens, and an edge server configured to generate token-dependent responses to content requests based on determined responses from the flexible token interpreter.

Abstract: A smart storage device can have a smart-card portion with access control circuitry and integrated memory, a controller in selective communication with the smart-card portion, and a memory device in communication with the controller. The memory device can be separate from the smart-card portion and can store one or more smart-card applications.

Abstract: A method of securing a computing device is disclosed. The computing device is configured to store an access key in a storage location in order for the computing device to operate in an operational mode. The method comprises removing the access key from the storage location in response to an event indicative of the end of the operational mode.

Abstract: A method for controlling the execution of an applet for an IC Card including a java card platform, includes a phase for downloading the applet inside the IC Card, a phase for executing the applet through the java card platform and a phase for storing an identification platform number inside a memory portion of the IC Card. The phase for executing the applet has a first step for detecting the identification platform number to perform the phase for executing the applet with or without restrictions, respectively if the identification platform number is not or is detected by the step for detecting. The applet is a java card applet or a SIM toolkit applet.

Abstract: Aspects relate to determining whether a security token has previously been used in order to gain access to premium content. When a security token is received, the token is evaluated to determine whether the token has been previously received, which indicates an attempt to reuse the token. If the token was previously received, the token is rejected and access to the premium content is denied. If the token was not previously received, the token is analyzed by a third party verification process. If the third party verification process authenticates the token, access to the premium content is granted. With the disclosed aspects, a security vulnerability related to reuse of a security token can be mitigated.

Abstract: A method is performed by a computing device. The method includes, (a) at the computing device, wirelessly receiving an authentication code from an authentication card via near-field communications (NFC), (b) providing the authentication code received wirelessly via NFC to an authentication service configured to authenticate the user of the computing device based on the authentication code, and (c) in response to the authentication service authenticating the user based on the authentication code received wirelessly via NFC, providing the user with access to a resource via the computing device. Analogous computer program products and apparatuses are also provided described.

Abstract: The invention relates to a portable token (SC) comprising a capability query mechanism (CQM). The capability query mechanism (CQM) is set to inform entities (PC, MW) willing to communicate with the portable token (SC) of at least a subset of the command(s) (C) available in the portable token (SC). The portable token (SC) is arranged to set a flag when the capability query mechanism (CQM) is invoked. When a command (C) is called, the portable token (SC) enforces first access conditions (AC1) for the command (C) if the flag is set, or second access conditions (AC2) if the flag is cleared.

Abstract: A method for conditionally allowing fruition of broadcast contents, broadcast by a contents broadcaster and received by a user by means of a receiving equipment, includes: performing, locally at the receiving equipment of the user, a first fruition entitlement check based on first fruition entitlement data available locally at the receiving equipment; having the receiving equipment provide to the contents broadcaster the first fruition entitlement data exploiting a return communications channel of the receiving equipment; having the contents broadcaster perform a second fruition entitlement check based on a comparison between the received first fruition entitlement data and second fruition entitlement data available locally to the contents broadcaster; and conditioned on a result of the second check, having the contents broadcaster provide to the receiving equipment, exploiting the return communications channel, a fruition entitlement confirmation notification; at the receiving equipment, conditioning the fru

Abstract: A system is provided. The system comprises a processor, a memory, and an authorization application stored in the memory that, when executed by the processor, receives a first message from a first client device associated with a first domain, the first message containing a request to emulate a second client device associated with a second domain. The system also determines authorization for the first device to emulate the second device in the second domain. The system also associates an electronic cookie with a browser session initiated by the first device, the electronic cookie associated with access to the second domain. The system also provides the first device authorization to emulate the second device in the second domain using a generic login account wherein the second domain provides the first device limited cross-domain access based on the electronic cookie to targeted information associated with the second device.