Patents Examined by Michael R Vaughan
-
Patent number: 9203828
Abstract: A service usage management method executed by an information processing device, the service usage management method includes receiving, from a terminal device used by a user, a piece of authentication information which authenticates a user's right to use a service provided by a device as an issuing source and includes a number of times of issuing processing for issuing, based on a piece of authentication information, another piece of authentication information and an identifier of the device as the issuing source, generating the authentication information which includes the number of times of addition of adding one to the number of times indicated in the received authentication information and the identifier of the information processing device and authenticates the user's right to use the service provided by the information processing device, and transmitting the generated authentication information to the terminal device.
Type: Grant
Filed: February 27, 2013
Date of Patent: December 1, 2015
Assignee: FUJITSU LIMITED
Inventor: Akio Shimono
-
Patent number: 9195846
Abstract: Provided are, among other things, systems, methods, apparatuses and techniques for storing access grants. In one implementation, a blinding factor and access information for accessing a restricted object are obtained; blinded access information is generated for the restricted object based on the access information and the blinding factor; and an anchor node is stored into a data store, with the anchor node being accessible by submission of an identifier, the anchor node at least one of containing or referring to sufficient information to obtain access to the blinding factor and the blinded access information, and the identifier for the anchor node being independent of the blinding factor.
Type: Grant
Filed: October 1, 2008
Date of Patent: November 24, 2015
Assignee: Hewlett-Packard Development Company, L.P.
Inventor: Evan R Kirshenbaum
-
Patent number: 9197623
Abstract: A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.
Type: Grant
Filed: April 30, 2014
Date of Patent: November 24, 2015
Assignee: Oracle International Corporation
Inventors: Uppili Srinivasan, Ajay Sondhi, Ching-Wen Chu, Venkata S. Evani, Beomsuk Kim
-
Patent number: 9197412
Abstract: A cryptography circuit protected by masking, said circuit including means for encrypting binary words using at least one key $k_r^c$, means for applying linear processing operations and nonlinear processing operations to said words and means for masking said words. The binary words are unmasked upstream of the nonlinear processing operations by using a mask $k_r^i$ and masked downstream of said processing operations by using a mask $k_{r+1}^i$, the masks $k_r^i$ and $k_{r+1}^i$ being chosen from a set of masks that is specific to each instance of the circuit.
Type: Grant
Filed: November 8, 2010
Date of Patent: November 24, 2015
Assignee: Institut Telecom—Telecom Paris Tech
Inventors: Sylvain Guilley, Jean-Luc Danger
-
Patent number: 9178697
Abstract: Techniques are disclosed for improving security in virtual private network. In one embodiment, key information is generated for a virtual private network (VPN) connection between a first device and a second device. A plurality of shares is then generated based on the key information. A first set of one or more shares is stored on a dongle that is paired to the first device. A second set of one or more shares is stored on the first device. In response to a request to resume the VPN connection, the first set of shares is retrieved from the dongle. The key information is reconstructed based on the first set of shares and the second set of shares. The reconstructed key information may then be used to resume the VPN connection.
Type: Grant
Filed: August 12, 2014
Date of Patent: November 3, 2015
Assignee: Cisco Technology, Inc.
Inventors: Philip John Steuart Gladstone, David A. McGrew
-
Patent number: 9166980
Abstract: A terminal device includes a transmission/reception unit that transmits, to a server device, information necessary for judgment as to whether to permit use of content. The server device includes a judgment unit that judges whether to permit the terminal device to use the content, based on terminal device management information set by a content provider, and the information necessary for the judgment and received from the terminal device. A notification data storage unit stores notifications to be presented to a user of the terminal device; and a transmission/reception unit transmits either information necessary for use of the content or one of the notifications according to a result of the judgment by the judgment unit.
Type: Grant
Filed: April 26, 2012
Date of Patent: October 20, 2015
Assignee: PANASONIC CORPORATION
Inventors: Masayuki Kozuka, Toshihisa Nakano, Takahiro Yamaguchi, Motoji Ohmori, Kaoru Murase, Masataka Minami, Makoto Morise
-
Patent number: 9166955
Abstract: A traffic management device (TMD), system, and processor-readable storage medium directed towards re-establishing an encrypted connection of an encrypted session, the encrypted connection having initially been established between a client device and a first server device, causing the encrypted connection to terminate at a second server device. As described, a traffic management device (TMD) is interposed between the client device and the first server device. In some embodiments, the TMD may request that the client device renegotiate the encrypted connection. The TMD may redirect the response to the renegotiation request towards a second server device, such that the renegotiated encrypted connection is established between the client device and the second server device. In this way, a single existing end-to-end encrypted connection can be used to serve content from more than one server device.
Type: Grant
Filed: March 18, 2011
Date of Patent: October 20, 2015
Assignee: F5 Networks, Inc.
Inventors: Benn Sapin Bollay, David Alan Hansen, David Dean Schmitt, Jonathan Mini Hawthorne
-
Commission information generator for making processes on communication performed by another computer
Patent number: 9166790
Abstract: In a communicator in a communication system, a commission information generator for generating a commission parameter to make a process on a communication between communicators performed by another computer includes a first memory for storing a secret key and an encrypter for generating N number of the commission parameters, where N is a natural number, from a first to an N-th commission parameter. The encrypter regards a j-th shared key, where j is a positive integer equal to or less than N, out of the N number of shared keys as key information, encrypts a bit sequence representation of j-th partial information, associated with the j-th shared key, out of N pieces of partial information, and thereby generates a j-th commissioned parameter.
Type: Grant
Filed: January 16, 2013
Date of Patent: October 20, 2015
Assignee: Oki Electric Industry Co., Ltd.
Inventors: Jun Nakashima, Kiyoshi Fukui
-
Patent number: 9143525
Abstract: Intrusion preludes may be detected (including detection using fabricated responses to blocked network requests), and particular sources of network communications may be singled out for greater scrutiny, by performing intrusion analysis on packets blocked by a firewall. An integrated intrusion detection system uses an end-node firewall that is dynamically controlled using invoked-application information and a network policy. The system may use various alert levels to trigger heightened monitoring states, alerts sent to a security operation center, and/or logging of network activity for later forensic analysis. The system may monitor network traffic to block traffic that violates the network policy, monitor blocked traffic to detect an intrusion prelude, and monitor traffic from a potential intruder when an intrusion prelude is detected.
Type: Grant
Filed: June 10, 2014
Date of Patent: September 22, 2015
Assignee: Intel Corporation
Inventor: Satyendra Yadav
-
Patent number: 9141824
Abstract: A system and methods to provide updates of an oblivious database that is based on an original database without compromising privacy guarantees, and without requiring a periodic downtime to re-initialize the database. According to embodiments of the present invention, update caches are provided at the random servers that are not emptied or sent to the oblivious database after every update in a predictable fashion. Instead, updates are made incrementally to the oblivious database in an order that is independent of how the original database is updated. Hence there is no way for the server to learn which record of the oblivious database corresponds to an updated block from the original database.
Type: Grant
Filed: April 30, 2014
Date of Patent: September 22, 2015
Assignee: Pitney Bowes Inc.
Inventor: Femi Olumofin
-
Patent number: 9143888
Abstract: Authentication method of at least one application using resources stored in a security module associated to an equipment connected to a control server via a network. The control server receives via the network, analyzes and verifies identification data comprising at least an identifier of the equipment and an identifier of the security module, generates a cryptogram comprising a digest of the application, the identification data and instructions intended for the security module and transmits the cryptogram, via the network and the equipment, to the security module. The latter verifies the application by comparing the digest extracted from the cryptogram with a calculated digest, wherein, during at least one of initialization and activation of the application, the security module executes the instructions extracted from the cryptogram and either releases or blocks access to certain resources of said security module according to a result of the verification of the application.
Type: Grant
Filed: July 16, 2014
Date of Patent: September 22, 2015
Assignee: NAGRAVISION S.A.
Inventors: Rached Ksontini, Renato Cantini
-
Patent number: 9135429
Abstract: A mobile device for authenticating a device accessory is disclosed. The mobile device receives a unique identifier from a device accessory, sends the received unique identifier to a server via a communication network, and receives information from the server relating to the unique identifier.
Type: Grant
Filed: December 23, 2010
Date of Patent: September 15, 2015
Assignee: BlackBerry Limited
Inventors: Vahid Moosavi, Gabriel Deen Khan, Scott Douglas Rose
-
Patent number: 9137243
Abstract: An authentication system 1 that uses sound to transmit one-time password(s) may be equipped with portable terminal(s) 10, authentication terminal(s) 30, and authentication server(s) 50. Portable terminal 10 may be equipped with password generating unit(s) 21 which encrypt information including password generation user identifier(s) issued by authentication server(s) 50 and generate one-time password(s), encoding unit(s) 22 which encode one-time password(s) and generate baseband signal(s), carrier wave generating unit(s) 23 which generate carrier wave(s) in audible band(s), modulating unit(s) 25 which use baseband signal(s) to modulate carrier wave(s) and generate modulated signal(s), and speaker(s) 17 which transmit modulated signal(s) in the form of sound wave(s). One-time password(s) may be input as sound wave(s) from portable terminal(s) 10 to authentication terminal(s) 30.
Type: Grant
Filed: December 15, 2013
Date of Patent: September 15, 2015
Assignees: Field System, Inc., Information Services International-Dentsu, Ltd.
Inventors: Hiroshi Suzuki, Ichiro Okuyama, Takashige Tsukuma, Yoshimaru Maruno, Hiroaki Matsushima
-
Patent number: 9129122
Abstract: A signature verification apparatus including a signature acquisition unit configured to acquire a digital signature including first information generated based on a pair of multi-order multivariate polynomials $F=(f_1, \ldots, f_m)$ defined in a ring $K$, a signature key $s$ which is an element of a set $K^n$, and a document $M$ and a plurality of pieces of second information for verifying that the first information is generated using the signature key $s$ based on the data $M$, the pair of multi-order multivariate polynomials $F$, and vectors $y=(f_1(s), \ldots, f_m(s))$, and a signature verification unit configured to verify legitimacy of the document $M$ by confirming whether or not the first information is restorable using the plurality of pieces of second information included in the digital signature. The pair of multivariate polynomials $F$ and the vectors $y$ are public keys.
Type: Grant
Filed: July 19, 2012
Date of Patent: September 8, 2015
Inventors: Koichi Sakumoto, Taizo Shirai, Harunaga Hiwatari
-
Patent number: 9131008
Abstract: A method for discovery profile based unified credential processing for disparate security domains can include loading a discovery profile specifying types of manageable resources to be discovered during discovery of manageable resources and authentication protocols for use in accessing each type of the resources. The method also can include discovering the resources across disparate security domains and selecting a discovered one of the resources in a particular one of the security domains for a systems management task. The method further can include transforming an authentication credential not specific to the particular one of the security domains to a mapped authentication credential specific to the particular one of the security domains and authenticating into the particular one of the security domains with the mapped authentication credential utilizing an authentication protocol specified by the profile in order to perform the systems management task on the selected discovered one of the resources.
Type: Grant
Filed: September 30, 2008
Date of Patent: September 8, 2015
Assignee: LENOVO ENTERPRISE SOLUTIONS (SINGAPORE) PTE. LTD.
Inventors: Eric W. Brown, Ramamohan Chennamsetty, Abraham L. Woldemichael
-
Patent number: 9129106
Abstract: Security systems can provide secure and efficient in-VM monitoring. An exemplary security system can be built upon hardware virtualization features and can comprise a virtual machine having a plurality of standard virtual address spaces, as well as a hidden virtual address space. While the standard virtual address spaces can be directly accessible by a kernel in the virtual machine, the hidden virtual address space can be hidden from the kernel, which can be absent a virtual page table corresponding to the hidden virtual address space. A security monitor can reside in the hidden address space, monitoring the kernel without being modifiable by the kernel. A processor can transfer focus from the standard virtual address spaces to the hidden virtual address space only through predetermined entry gates, and the processor can transfer focus from the hidden virtual address space to the standard virtual address spaces only through predetermined exit gates.
Type: Grant
Filed: November 4, 2010
Date of Patent: September 8, 2015
Assignee: GEORGIA TECH RESEARCH CORPORATION
Inventors: Monirul Islam Sharif, Wenke Lee
-
Patent number: 9124597
Abstract: During a registration procedure by a User Equipment (UE) via a Proxy Call Session Control Function (P-CSCF) node and a Serving Call Session Control Function (S-CSCF) node, the S-CSCF node provides a policy indicator in a response message to a register request message. The policy indicator enables subsequent operation of the node to be controlled according to whether or not a registered UE has an associated policy. As such, delays (such as delays associated with retrieving an associated policy) are only experienced by UEs that have previously been determined as having such an associated policy, rather than all UEs being affected in the same way.
Type: Grant
Filed: December 18, 2009
Date of Patent: September 1, 2015
Assignee: Telefonaktiebolaget LM Ericsson (Publ)
Inventors: Ivo Sedlacek, Martien Huijsmans, Gert Öster
-
Patent number: 9100398
Abstract: Systems and methods are provided for authenticating and authorizing network access requests using directory services in which the directory service authentication and authorization procedures are enhanced using contextual information.
Type: Grant
Filed: January 16, 2013
Date of Patent: August 4, 2015
Assignee: International Business Machines Corporation
Inventors: Eric J. Barkie, Benjamin L. Fletcher, Colm Malone, Andrew P. Wyskida
-
Patent number: 9100185
Abstract: A device that uses homomorphic encryption is disclosed. The device obtains a first encrypted polynomial, a second encrypted polynomial, a first encrypted weight, and a second encrypted weight by respectively encrypting a first polynomial, a second polynomial, a first weight, and a second weight by using a homomorphic encryption scheme, and obtains an encrypted secure distance corresponding to encryption of a secure distance.
Type: Grant
Filed: December 12, 2013
Date of Patent: August 4, 2015
Assignee: FUJITSU LIMITED
Inventors: Masaya Yasuda, Takeshi Shimoyama, Jun Kogure
-
Patent number: 9092614
Abstract: A system and method for preventing an administrator impersonating a user from accessing sensitive resources on a target system is provided. The method comprises receiving a first request from a user to change the user's password on a target system to be changed, sending a “change password” request for the user to the target system, storing the user's new password, receiving a second request from the target system on behalf of the user for access to a sensitive resource, wherein the second request contains information about the user's password, and denying the second request if the information about the user's password is not consistent with the user's stored new password.
Type: Grant
Filed: April 12, 2013
Date of Patent: July 28, 2015
Assignee: Protegrity Corporation
Inventor: Ulf Mattsson