Abstract: According to one embodiment, an apparatus may store: a hard token representing identification information of the device, a network token representing the status of a network, and a resource token representing information associated with a resource. The apparatus may further store secured copies of the hard token, network token, and resource token. The apparatus may receive a suspect token indicating a risk that at least one of the device, the network, and the resource has been tampered, and in response, determine to inspect at least one of the hard token, network token, and resource token. The apparatus may then compare the at least one of the hard token, network token, and resource token with its corresponding secured copy. If at least one of those tokens does not match its corresponding secured copy, the apparatus may communicate a revalidation token indicating at least one token has been tampered.

Abstract: According to one embodiment, an apparatus may store a plurality of tokens indicating a user is requesting access to a resource over a network. The apparatus may determine a condition associated with accessing the resource based on the plurality of tokens. The condition may be determined in addition to a determination to grant or deny access to the resource. The condition may include an obligation to be fulfilled and a message providing instruction regarding how to fulfill the obligation. The apparatus may generate a decision token representing the condition, and communicate the decision token to a resource provider to facilitate enforcement of the condition.

Abstract: According to one embodiment, an apparatus may monitor a session that facilitates a user's access to a resource. The user may be granted a privilege associated with accessing the resource. The apparatus may detect a change associated with the privilege granted to the user in at least one token of a plurality of tokens. The apparatus may then communicate a token that represents the change, and receive a risk token associated with the token. The apparatus may then determine to revoke the privilege based on the risk token, and generate a second token that represents the determination to revoke the privilege. The apparatus may then communicate the second token to facilitate the revoking of the privilege.

Abstract: According to one embodiment, an apparatus may store a first and second subject token that indicate a first authentication method performed by the user and a second authentication method performed by the user respectively. The apparatus may detect at least one new subject token indicating at least one different authentication method performed by the user. The apparatus may then determine that a particular combination of subject tokens in the first subject token, second subject token, and the at least one new subject token indicates a privilege should be granted to the user, and facilitate the granting of the privilege to the user.

Abstract: According to one embodiment, an apparatus may store a plurality of token-based rules that facilitate access to a risk-sensitive resource. The apparatus may further store a first token that may indicate that a user is accessing a non-risk-sensitive resource. The apparatus may receive a second token that may indicate that the user is attempting to access the risk-sensitive resource. In response to receiving the second token, the apparatus may apply the token-based rule to make an access decision whereby the user's access to the non-risk-sensitive resource will be terminated. The apparatus may then communicate at least one token representing the access decision.

Abstract: According to one embodiment, an apparatus may store a plurality of tokens indicating that a user is attempting to access a resource. The apparatus may determine an authorization level for the user based at least in part upon the plurality of tokens. The authorization level may indicate whether the user is authorized to access the resource. The apparatus may then determine a related resource that shares a relationship with the resource, and determine that the authorization level indicates that the user is authorized to access the related resource. The apparatus may then communicate a decision token indicating that the user is authorized to access the resource and the related resource.

Abstract: According to one embodiment, an apparatus may receive a token that indicates a change that occurs during a session. The session may facilitate access to a resource. The token may indicate a risk token should be computed. The apparatus may determine, from the token, a first set of attributes. The first set of attributes may include attributes required to compute the risk token. The apparatus may determine that a cache contains a set of cached attributes. The apparatus may examine an attribute in the set of cached attributes, and determine the attribute in the set of cached attributes is not in the first set of attributes. The apparatus may then remove the attribute in the set of cached attributes from the cache.

Abstract: According to one embodiment, an apparatus may store a plurality of tokens indicating a user is accessing a resource over a network. The plurality of tokens may include a risk token indicating a risk associated with access by the user to the resource. The apparatus may detect a token indicating a change associated with accessing the resource, and determine that the change triggers a risk update. The apparatus may then generate a dataset token that represents the risk token and the token indicating the change, and communicate the dataset token to a token provider to perform the risk update. The apparatus may then receive a recomputed risk token representing an updated risk. The updated risk may indicate the risk associated with continuing access to the resource with the change.

Abstract: Described are a method and a system for using XML in a real-time message for transmission of data from a source to a destination over a network. The real-time XML message includes a header element and a body element. The header element includes one or more destination elements and one source element, each having a unique identifier and a set of pre-defined and user-defined real-time properties. The body element of the message includes the data to be carried to the destination in plain or encoded XML content. XML addresses are proposed as the identifier of the source and destination, and an XML naming service can look up an XML address from the canonical name of the source and destination. Advantageously, the real-time message can be transported through the network using XML addresses included in the destination and source elements of the message.

Abstract: A confusion data generator for the generation of non-linear confusion data utilizes a plurality of arrays acting as non-linear state machines to generate a stream of confusion data of a certain width. Each non-linear state machine contributes equally to the overall width of the confusion data. The output bit stream from the confusion data generator is then used with a combiner such as an XOR combiner to generate secure text from plaintext. The confusion data generator can be used to securely store data on a storage medium or transmit data over a communication medium. The confusion data generator is computationally inexpensive, scalable and provides good security when used with a combiner, such as an XOR combiner, to generate secure text.

Abstract: A method and apparatus for the initialization of a class of non-linear confusion data generators is especially useful to enhance the security of non-linear confusion data generators that are restricted to short size secret keys or seeds. The initializer utilizes a user seed and a displacement distance to single or multiple secret key and cipher arrays to randomize confusion data generators such that their security is enhanced. The initializer provides the ability to design confusion data generators that are capable of securing large size data files as a collection of smaller size segments that can be independently decrypted for fast access and review. The initializer can be used to securely store data on a storage medium or transmit data over a communication medium.