Patents Examined by Abdullah Almamun
  • Patent number: 8468598
    Abstract: A password manager may receive a password, and a false password generator may generate at least one false password, based on the password. A false password selector may store the at least one false password together with the password. A password handler may receive a login attempt that includes the at least one false password, and an attack detector may determine that the login attempt is potentially unauthorized, based on the receipt of the at least one false password.
    Type: Grant
    Filed: August 16, 2010
    Date of Patent: June 18, 2013
    Assignee: SAP AG
    Inventor: Cedric Hebert
  • Patent number: 8464325
    Abstract: Aspects include a mechanism of entitling users to transacted-for digital content access, indicating download authorization with discrete authentication URLs, and validating download attempts using each such URL. The authentication mechanism comprises producing an encrypted string included in a URL provided to a user. The encrypted string comprises transaction identifier information, and information about the transacted-for entitlement. When a user wishes to exercise the transacted-for entitlement, the user activates the URL, which is resolved to a location that has/can obtain access to the key(s) used in producing the encrypted string, decrypt the string, and use the information in it to validate the URL and the entitlement. The validation can use data retrieved from a database, using the transaction identifier as a key. The entitlement information included in the now-decrypted string can be compared with the prior download information.
    Type: Grant
    Filed: January 26, 2009
    Date of Patent: June 11, 2013
    Assignee: Apple Inc.
    Inventors: Gregor N. Purdy, Sr., Tony F. Kinnis
  • Patent number: 8458796
    Abstract: Methods and systems are provided for hardware-based pattern matching. In an embodiment, an intrusion-prevention system (IPS) identifies a full match between a subject data word comprising subject-data blocks and a signature data pattern comprising signature-data blocks. The IPS receives the subject data word via a network interface, and thereafter makes a partial-match determination that two or more but less than all of the subject-data blocks respectively match the same number of the signature-data blocks stored in partial-match hardware with respect to both value and position. Thereafter, the IPS makes a full-match determination that all of the subject-data blocks respectively match all of the signature-data blocks stored in the IPS's full-match hardware with respect to both value and position. The IPS then stores an indicator that the full-match determination has been made, and may carry out one or more additional intrusion-prevention responses as well.
    Type: Grant
    Filed: March 8, 2011
    Date of Patent: June 4, 2013
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Ronald S. Stites, Craig D. Botkin, Brian K. Campbell
  • Patent number: 8447971
    Abstract: There are disclosed systems and methods for creating a self-signed implicit certificate. In one embodiment, the self-signed implicit certificate is generated and operated upon using transformations of a nature similar to the transformations used in the ECQV protocol. In such a system, a root CA or other computing device avoids having to generate an explicit self-signed certificate by instead generating a self-signed implicit certificate.
    Type: Grant
    Filed: May 5, 2010
    Date of Patent: May 21, 2013
    Assignee: Certicom Corp.
    Inventors: Matthew John Campagna, Marinus Struik
  • Patent number: 8438390
    Abstract: A system that facilitates enhancing security for a computer device by obtaining a link layer address of an IPv6 IPsec address. The system including a computer device having a software module, which performs the following steps: capturing multicast addresses and solicited multicast addresses for one or more IPv6 IPsec addresses; calculating the computer device identifier from the one or more multicast addresses and solicited multicast addresses; storing the computer device identifier for the one or more multicast addresses and solicited multicast addresses; sending a neighbor solicitation to one or more of the IPv6 IPsec addresses as a tentative target address simulating double address detection; capturing the neighbor advertisement response from the one or more IPv6 IPsec addresses and calculating a link-layer identifier; generating a neighbor cache with the link-layer identifier; and enabling IPv6 IPsec communication with the one or more IPv6 IPsec addresses using the link-layer identifier.
    Type: Grant
    Filed: December 22, 2010
    Date of Patent: May 7, 2013
    Assignee: Konica Minolta Laboratory U.S.A., Inc.
    Inventor: Maria Perez
  • Patent number: 8438385
    Abstract: A method for identity verification includes receiving a request for proof of identity from a service provider and receiving biometric information associated with a user of a communication device. The method also includes determining that the received biometric information matches a biometric profile that contains biometric information associated with a registered user of the communication device. The method also includes unlocking a private key associated with the registered user in response to determining that the received biometric information matches a biometric profile and sending a request for a digital certificate that is signed with the private key associated with the registered user. The method further includes receiving the digital certificate that includes a public key associated with the registered user and satisfies the request for proof of identity. The method also includes forwarding the digital certificate to the service provider.
    Type: Grant
    Filed: March 13, 2008
    Date of Patent: May 7, 2013
    Assignee: Fujitsu Limited
    Inventors: Zhexuan Song, Seigo Kotani, Sung Lee, Keishiro Tanaka, Houcheng Lee, Jesus Molina, Ryusuke Masuoka, Tomihiro Yamazaki
  • Patent number: 8417954
    Abstract: A system includes a source including a memory storing: at least two encrypted files making up an installation image, each file encrypted with a key; a metadata file including an index to each key and a hash value for each encrypted file; a signature file providing a digital signature for the metadata file, the metadata file digitally signed with a private certificate; and a public certificate associated with the private certificate.
    Type: Grant
    Filed: February 11, 2009
    Date of Patent: April 9, 2013
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Abdullah Metin Sagal, Luis Astudillo Pascual, Jr.
  • Patent number: 8392997
    Abstract: Among others, techniques and systems are disclosed for analyzing security threats associated with software and computer vulnerabilities. Stakeholder values relevant for a software system are identified. The identified stakeholder values are quantified using a quantitative decision making approach to prioritize vulnerabilities of the software system. A structured attack graph is generated to include the quantified stakeholder values to define a scalable framework to evaluate attack scenarios. The structured attack graph includes two or more nodes. Based on the generated structured attack graph, structured attack paths are identified with each attack path representing each attack scenario.
    Type: Grant
    Filed: March 12, 2008
    Date of Patent: March 5, 2013
    Assignee: University of Southern California
    Inventors: Yue Chen, Barry W. Boehm, Luke Sheppard
  • Patent number: 8392979
    Abstract: It is facilitated to execute a workflow requiring user authentication. When an IC card reading/writing apparatus reads information recorded in an IC card owned by a user, an image forming apparatus transmits user credential information included in the read information to an authentication server. The authentication server performs authentication of the user based on the user credential information transmitted from the image forming apparatus. The image forming apparatus transmits workflow program information included in the information recorded in an authentication token and parameter information for the workflow program to an application server. The application server controls the image forming apparatus based on the workflow program information.
    Type: Grant
    Filed: April 28, 2010
    Date of Patent: March 5, 2013
    Assignee: Sharp Kabushiki Kaisha
    Inventor: Hajime Yoshida
  • Patent number: 8386781
    Abstract: A chip mountable on a replaceable unit used in an image forming job is disclosed. The chip includes a central processing unit (CPU) to perform at least one of authentication and cryptographic data communication with a main body of the image forming apparatus using an operating system (OS) of the CPU which operates separately from an OS of the image forming apparatus. With the use of such a configuration, security for a unit in which the chip is mounted can thereby be reinforced.
    Type: Grant
    Filed: February 9, 2009
    Date of Patent: February 26, 2013
    Assignee: SAMSUNG Electronics Co., Ltd.
    Inventors: Won-il Cho, Jae-sung Lee, Yoon-tae Lee
  • Patent number: 8386804
    Abstract: According to one embodiment, a semiconductor integrated device which stores secret data and is capable of operating in a test mode in which a scan test with respect to an internal circuit is executed, the semiconductor integrated device comprises a mode signal receiving module configured to receive a scan mode signal designating the test mode, a mask module configured to mask the secret data when the mode signal receiving module receives the scan mode signal, and an error detection module configured to detect presence or absence of error in the secret data and to store detection result in a first flip-flop.
    Type: Grant
    Filed: February 11, 2009
    Date of Patent: February 26, 2013
    Assignee: Kabushiki Kaisha Toshiba
    Inventor: Fumio Yoshiya
  • Patent number: 8375437
    Abstract: A Trusted Platform Module (TPM) can be utilized to provide hardware-based protection of cryptographic information utilized within a virtual computing environment. A virtualized cryptographic service can interface with the virtual environment and enumerate a set of keys that encryption mechanisms within the virtual environment can utilize to protect their keys. The keys provided by the virtualized cryptographic service can be further protected by the TPM-specific keys of the TPM on the computing device hosting the virtual environment. Access to the protected data within the virtual environment can, thereby, only be granted if the virtualized cryptographic service's keys have been protected by the TPM-specific keys of the TPM on the computing device that is currently hosting the virtual environment. The virtualized cryptographic service's keys can be protected by TPM-specific keys of TPMs on selected computing devices to enable the virtual environment to be hosted by other computing devices.
    Type: Grant
    Filed: March 30, 2010
    Date of Patent: February 12, 2013
    Assignee: Microsoft Corporation
    Inventors: David J. Linsley, Stefan Thom
  • Patent number: 8375360
    Abstract: A system for providing services to subscribers of a network supports the provision of a plurality of different services to multiple subscribers. Multiple processing units are provided, each providing a respective execution environment for a respective set of software applications. A data structure is provided containing data identifying the sets of software applications or software application components of the sets of software applications, and different developers are provided with different access rights to the data in the data structure. Different software applications or software application components are associated with different access right levels. This provides a software development environment in which a common services repository is provided with different access rights implemented for accessing the repository.
    Type: Grant
    Filed: November 22, 2006
    Date of Patent: February 12, 2013
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Colin I'Anson
  • Patent number: 8369526
    Abstract: Device, system, and method of executing secure-processing (SEP) applications. Some demonstrative embodiments include a secure-processing (SEP) hardware module including a processor capable of executing at least one SEP application, wherein the SEP hardware module is configured to perform at least one of encrypting and decrypting data handled by the SEP application using an application-specific application-key corresponding to the SEP application, only if the processor begins execution of the SEP application at an approved entry point of the SEP application, and wherein the application-key corresponding to the SEP application is based at least on an internal key internally stored by the SEP hardware module and on application-specific information corresponding to the SEP application. Other embodiments are described and claimed.
    Type: Grant
    Filed: February 12, 2009
    Date of Patent: February 5, 2013
    Assignee: Discretix Technologies Ltd.
    Inventors: Hagai Bar-El, Sara Bitan-Erlich
  • Patent number: 8356337
    Abstract: An administrator controls viewer access to restricted multimedia programs using electronic permission slips. In response to a viewer's request to view a restricted multimedia program, the viewer may initiate the generation of an electronic permission slip that is sent to an electronic device associated with the administrator. The electronic permission slip may include text-based information, graphical information, audio information, and the like. The electronic permission slip may enable input of permission data regarding whether the viewer is allowed to receive the blocked program. In response to the administrator granting permission, a service provider network allows the viewer to access the restricted multimedia program.
    Type: Grant
    Filed: February 26, 2008
    Date of Patent: January 15, 2013
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Charles Varnon Scott, James Leonard Cansler, Ankur Mukerji, Scott Anthony White
  • Patent number: 8356339
    Abstract: A device controller is connected with multiple terminals and with at least one input-output device via a network. The device controller has: a reception controller configured to perform first authentication according to data input from a first terminal and to cause the first terminal to obtain information on a specified series of processing based on a result of the first authentication; and an input-output controller configured to perform second authentication according to data input from a second terminal and to cause a specific input-output device selected out of the at least one input-output device to perform the specified series of processing, based on a result of the second authentication. The input-output controller allows the specific input-output device to perform the specified series of processing when the second terminal is selected in advance for the specific input-output device.
    Type: Grant
    Filed: January 26, 2009
    Date of Patent: January 15, 2013
    Assignee: Seiko Epson Corporation
    Inventors: Reiji Kobayashi, Shinya Taniguchi
  • Patent number: 8353052
    Abstract: A method may include sending personal network connection information from a mobile device to a guest device; sending authentication credentials from the mobile device to the guest device; receiving the authentication credentials in the personal network from the guest device; authenticating the guest device based on the authentication credentials; and granting access to the guest device to content stored in the personal network for a guest session.
    Type: Grant
    Filed: November 9, 2007
    Date of Patent: January 8, 2013
    Assignee: Sony Mobile Communications AB
    Inventors: Bo Håkan Larsson, Bengt Gunnar Stavenow, Jan Robert Tobias Ritzau, Henrik Sven Bengtsson, Anders Wilhelm Östsjö, Sten Håkan Minör
  • Patent number: 8340300
    Abstract: A configurable timer may be used for seamless authentication administration. A network administrator may set the timer value. Then the network administrator may begin to update the authentication configuration or key and the timer may begin to count down. While the timer counts down, the network device may still send outgoing packets using the old authentication configuration or key and may begin to authenticate incoming packets using both the old authentication configuration or key and the new authentication configuration or key. Once it expires, the network device may begin to send outgoing packets using just the new authentication configuration or key. The counter may then be reset and counted down again. Once the counter expires a second time, the new authentication configuration or key may be used for both incoming and outgoing packets. Two-timer implementations are also possible.
    Type: Grant
    Filed: August 27, 2007
    Date of Patent: December 25, 2012
    Assignee: Foundry Networks, LLC
    Inventor: Felix Changmin Lin
  • Patent number: 8340292
    Abstract: An authorization system in a home wireless network comprises a communication interface and a processing system, wherein a wireless communication device associated with the home wireless network transfers a request to a visited wireless network for access to an internet. The communication interface is configured to receive an authorization request for the wireless communication device transmitted from the visited wireless network. The processing system is configured to select a visited internet connection for the wireless communication device and determine whether a lawful intercept is required. The processing system is further configured to include an intercept attribute in an authorization response indicating a destination for collecting intercepted information pursuant to the lawful intercept.
    Type: Grant
    Filed: April 1, 2010
    Date of Patent: December 25, 2012
    Assignee: Sprint Communications Company L.P.
    Inventors: George Jason Schnellbacher, Joao Carlos Osorio Gouvea Teixeira de Magalhaes, Joseph C. Shojayi
  • Patent number: 8321682
    Abstract: A password management system and method for securing networked client terminals and mobile devices is provided. More specifically, the present invention provides a system and method for encrypting randomly generated administrator-level passwords and providing a means for decrypting the randomly generated passwords for single-use unrestricted access to a designated terminal or mobile device. When unrestricted access to the terminal or mobile device is required, the encrypted administrator-level password is decrypted using a shared symmetric key, which is generated during encryption of the administrator password, to reveal the administrator-level password for the terminal or mobile device. The administrator-level password is a single-use password, wherein upon use of the administrator-level password a new administrator-level password may be automatically generated for the corresponding terminal or mobile device.
    Type: Grant
    Filed: January 26, 2009
    Date of Patent: November 27, 2012
    Assignee: JPMorgan Chase Bank, N.A.
    Inventors: Matthew J. Read, Craig S. Ames, Vinit Nangia, Pavel Lobashov, Josiah Lam