Including Authentication Patents (Class 380/229)
  • Patent number: 7748046
    Abstract: Systems and methods directed at transforming security claims in a federated authentication system using an intermediate format. The systems and methods described herein are directed at transforming security claims in a federated authentication system using an intermediate format. The federated authentication system includes an identity provider and a resource provider. The identity provider receives a request for information from the resource provider to authenticate an account by an application associated with the resource provider. A security claim associated with the account is retrieved where the security claim is provided by an account store in a format specific to the account store. The security claim is transformed from the account store specific format to an intermediate format. The security claim is then transformed from the intermediate format to a federated format recognized by the resource provider. The transformed security claim is provided in a security token to the resource provider.
    Type: Grant
    Filed: April 29, 2005
    Date of Patent: June 29, 2010
    Assignee: Microsoft Corporation
    Inventors: Ryan D. Johnson, Donald E. Schmidt, Jeffrey F. Spelman, Kahren Tevosyan, Vijayavani Nori
  • Patent number: 7730300
    Abstract: According to one embodiment, a method for scrambling and descrambling program data comprises the receipt of a mating key generator message including a manufacturer identifier. The mating key generator message is transmitted to a first remote source identified by the manufacturer identifier. In response, a mating key is received from the first remote source. Then, the mating key is supplied to a second remote source, the mating key being subsequently used to encrypt a service key used for scrambling program data.
    Type: Grant
    Filed: March 11, 2003
    Date of Patent: June 1, 2010
    Assignees: Sony Corporation, Sony Electronics Inc.
    Inventor: Brant L. Candelore
  • Patent number: 7702109
    Abstract: A content recording/reproducing system, which records and reproduces a sub-content relating to a main content, includes a distribution device, first and second recording media, a recording device and a reproducing device. The first recording medium that is non-rewritable prestores key data based on which a public key is derivable, and the main content. The distribution device outputs verification information that includes the sub-content and is generated by applying a digital signature to relative information relating to the sub-content based on a secret key corresponding to the public key. The recording device acquires and records the verification information on the second recording medium that is rewritable.
    Type: Grant
    Filed: March 11, 2004
    Date of Patent: April 20, 2010
    Assignee: Panasonic Corporation
    Inventors: Yuichi Futa, Masato Yamamichi, Masami Yamamichi, legal representative, Satomi Yamamichi, legal representative, Keiko Yamamichi, legal representative, Motoji Ohmori, Masaya Yamamoto, Makoto Tatebayashi
  • Patent number: 7690032
    Abstract: A method of confirming the identity of a user includes processing biometric credentials, generating a user configurable policy including identities of a plurality of authenticating entities, storing the user configurable policy in a device, presenting the device to an authenticating entity at an authentication station, and requesting biometric and personal data of the user from the device data. The biometric data corresponds to at least one biometric feature desired for authenticating the user and the requesting operation is performed by a workstation of the authenticating entity.
    Type: Grant
    Filed: May 22, 2009
    Date of Patent: March 30, 2010
    Assignee: Daon Holdings Limited
    Inventor: Michael Peirce
  • Patent number: 7690039
    Abstract: A system for secure delivery of on-demand content over broadband access networks utilizes a pair of servers and security mechanisms to prevent client processes from accessing and executing content without authorization. A plurality of encrypted titles are stored on a content server coupled to the network. An access server also coupled to the network contains the network addresses of the titles and various keying and authorization data necessary to decrypt and execute a title. A client application executing on a user's local computer system is required to retrieve the address, keying and authorization data from the access server before retrieving a title from the content server and enabling execution of the title on a user's local computer system.
    Type: Grant
    Filed: July 13, 2004
    Date of Patent: March 30, 2010
    Assignee: Softricity, Inc.
    Inventors: Yonah Schmeidler, Derek Atkins, Mark W. Eichin, David J. Rostcheck
  • Patent number: 7684569
    Abstract: In an electronic apparatus control system provided with: a plurality of electronic apparatuses connected to a network covering a predetermined area; and a controller for controlling these electronic apparatuses, the controller (11) is provided with: a generating device for generating a group key peculiar to the network (18) in order to encrypt the information flowing through the network (18); and a wireless unit (21) for transmitting the generated group key to a plurality of the electronic apparatuses. The electronic apparatus is provided with: a memory device for storing the group key transmitted; an encrypting device for encrypting the information flowing through the network (18) using the group key; and a decoding device for decoding the encrypted information using the group key.
    Type: Grant
    Filed: October 21, 2002
    Date of Patent: March 23, 2010
    Assignee: Pioneer Corporation
    Inventors: Yoshiaki Moriyama, Toshio Suzuki, Kosuke Ajima
  • Patent number: 7685416
    Abstract: A method and system are directed towards enabling content security in a distributed environment. The system includes a data store for content associated with an application that may be tagged as exclusively memory resident at a client. The content may also be encrypted and digitally signed. When an authenticated client requests the content, it is provided at a constrained rate that enables a portion of the content to start execution on the client before the application associated with the content is completely downloaded. Additional portions of the content are provided to the client when the additional portions are required for execution by the application.
    Type: Grant
    Filed: April 19, 2007
    Date of Patent: March 23, 2010
    Assignee: Valve Corporation
    Inventors: Christopher Richard Newcombe, Paul David Jones, Richard Donald Ellis, Derrick Jason Birum
  • Patent number: 7685433
    Abstract: Movement of a living object is measured by a movement sensor carried by one living object at a time for forming one measurement signal per one living object. The measurement signal is compared with a predetermined reference signal which may be measured from a known living object in a similar way. A recognition operation is performed based on the comparison between the measurement signal and the predetermined reference signal, the recognition operation resulting in recognition or non-recognition.
    Type: Grant
    Filed: September 9, 2005
    Date of Patent: March 23, 2010
    Assignee: Valtion teknillinen tutkimuskeskus
    Inventors: Jani Mäntyjärvi, Mikko Lindholm, Heikki Ailisto
  • Patent number: 7673332
    Abstract: A method and a system for access authentication. A shared services resource includes a second factor authentication module. At least one network resource each include a first factor authentication module. A trusted computing base communicates with the shared services and the at least one network resource through a pipe. An assertion may be obtained on a trusted computing base for accessing at least one network resource. At least one of the at least one network resource may be accessed with the trusted computing base when the assertion has been obtained by the trusted computing base and is valid.
    Type: Grant
    Filed: July 31, 2006
    Date of Patent: March 2, 2010
    Assignee: eBay Inc.
    Inventors: Upendra Sharadchandra Mardikar, Liam Sean Lynch
  • Patent number: 7669056
    Abstract: A method and apparatus for measuring data presentation is measured for authenticity and accuracy using a cryptographic capability. The data may include both presentation data and metadata related to measuring and reporting results of outputting the presentation data. After measurement, the presentation data may be presented to an output device. The output device may be a display, a sound device or other computer output. Related statistics may be collected, for example, user identity, computer identity, time, duration, and interference from other sources. In the case of displayed presentation data, unblocked viewing area, and presentation data area size may also be collected. In an exemplary embodiment, the presence of a user and/or user interaction with the presentation data may be recorded and reported. The recorded data may be securely reported to a participating host or server, by a secure channel and/or by signing and/or encrypting.
    Type: Grant
    Filed: March 29, 2005
    Date of Patent: February 23, 2010
    Assignee: Microsoft Corporation
    Inventors: Alexander Frank, James Duffus
  • Patent number: 7624267
    Abstract: The invention relates to a SIM-based authentication method capable of supporting inter-AP fast handover, which can decrease the number of authentication procedures without negatively influencing the security of the wireless LAN by establishing an encrypted channel for each mobile node and using method 1: an aggressive key pre-distribution and method 2: probe request triggering passive key pre-query technique, thereby reducing the time of inter-AP handover for the mobile node. Furthermore, a re-authentication procedure is started to update the key after the key is used for a long time so as to ensure that the key is safe, thereby effectively achieving a fast and safe wireless LAN environment.
    Type: Grant
    Filed: July 6, 2004
    Date of Patent: November 24, 2009
    Assignee: Industrial Technology Research Institute
    Inventors: Yu-Ren Huang, Jen-Shun Yang, Chien-Chao Tseng, Jui-Tang Wang
  • Patent number: 7624264
    Abstract: An extensible cryptographically generated network address may be generated by forming at least a portion of the network address as a portion of a first hash value. The first hash value may be formed by generating a plurality of hash values by hashing a concatenation of a public key and a modifier using a second hash function until a stop condition. The stop condition may include computing the plurality of hash values for a period of time specified by a time parameter. A second hash value may be selected from the plurality of hash values, and the modifier used to compute that hash value may be stored. A hash indicator may be generated which indicates the selected second hash value. The first hash value may be generated as a hash of a concatenation of at least the public key and the modifier. At least a portion of the node-selectable portion of the network address may include at least a portion of the first hash value.
    Type: Grant
    Filed: June 22, 2005
    Date of Patent: November 24, 2009
    Assignee: Microsoft Corporation
    Inventors: Tuomas Aura, Michael Roe
  • Patent number: 7620814
    Abstract: A system that distributes content access data which provides rights management data indicating a right of a user to reproduce and/or copy the distributed content. The system includes an applications device including a trusted player for receiving, reproducing and/or copying the content, and a smart card access device for accessing a smart card, such as a Subscriber Identity Module (SIM), which is uniquely associated with the user. A trusted server communicates the content access data to the smart card via a communications network by encrypting the content access data using an encryption key pre-stored on the smart card and known to the trusted server. A facility is thus provided for cost effectively distributing content and managing rights in the content using security facilities inherent in the smart card.
    Type: Grant
    Filed: August 26, 2004
    Date of Patent: November 17, 2009
    Assignee: France Telecom
    Inventors: Olivier Ondet, Henri Gilbert, Pascal Chauvaud, Michel Milhau
  • Patent number: 7610489
    Abstract: To prevent an input password from being stolen by an invalid authentication device. An authentication device 10 for authenticating an inputter based on an input password accepted from the inputter is provided with a first input part 110 for allowing a first part of the input password to be inputted; a confirmation information output part 120 for outputting confirmation information known to the valid inputter in advance when the first part 10 is valid, the confirmation information indicating to the user that the authentication device is valid; a second input part 130 for allowing a second part following the first part of the input password to be inputted; and a determination part 140 for determining that the inputter is valid when the first part and the second part are valid.
    Type: Grant
    Filed: December 18, 2003
    Date of Patent: October 27, 2009
    Assignee: International Business Machines Corporation
    Inventors: Hiroshi Maruyama, Taiga Nakamura
  • Patent number: 7610487
    Abstract: The hash extension technique used to generate an ECGA may be used to increase the strength of one-way hash functions and/or decrease the number of bits in any situation where some external requirement limits the number of hash bits, and that limit is below what is (or may be in the future) considered secure against brute-force attacks. For example, to decrease the length of human entered security codes (and maintain the same security), and/or to increase the strength of a human entered security code (and maintain the length of the security code), the security code may be generated and/or authenticated using an extended hash method.
    Type: Grant
    Filed: June 28, 2005
    Date of Patent: October 27, 2009
    Assignee: Microsoft Corporation
    Inventors: Tuomas Aura, Michael Roe
  • Patent number: 7602920
    Abstract: A method for secure loading of a key dedicated to securing a predetermined operation into memory of a microchip of an embedded system includes, as a first step, authenticating a security device by generating a first random number using the microchip, transmitting the first random number to the security device, generating a second random number in the security device, generating a first cryptogram from the first and second random numbers by applying an asymmetric signature algorithm using an asymmetric secret key, transmitting at least the first cryptogram to the microchip, and authenticating the security device by verifying the first cryptogram using the public key.
    Type: Grant
    Filed: June 8, 2001
    Date of Patent: October 13, 2009
    Assignee: CP8 Technologies
    Inventors: Patrice Hameau, Nicolas Fougeroux, Benoît Bole
  • Patent number: 7600125
    Abstract: Methods are provided for detecting the processing status of data blocks in systems having intermittent connections. A hash value is used at times in place of a block's data content, thereby reducing processing of the block. Hash values may be maintained locally. Blocks collected locally may be stored locally at least until a connection to a server becomes available again. Systems and configured storage media are also provided.
    Type: Grant
    Filed: April 29, 2005
    Date of Patent: October 6, 2009
    Assignee: Symantec Corporation
    Inventor: Russell R. Stringham
  • Patent number: 7587593
    Abstract: Authentication reference information (SRM) is input into a variety of input paths, thereby increasing the opportunity to update the authentication reference information. Then, the authentication reference information input from each input path is temporarily buffered. After checking the validity or the version of the information, the authentication reference information is used for updating older authentication reference information, thereby preventing unnecessary or unsuitable updating.
    Type: Grant
    Filed: July 12, 2004
    Date of Patent: September 8, 2009
    Assignee: Sony Corporation
    Inventor: Sho Murakoshi
  • Patent number: 7571319
    Abstract: A system and method for verifying messages. The method may include the steps of receiving an inbound message and characterizing the inbound message by analyzing a latent cryptographic identifier in the inbound message. The identifier is generated by a recognized message system, which may be the receiving system itself, for an outbound message. Characterizing may involve detecting if the latent cryptographic identifier is present and determining if the cryptographic identifier is valid. The step of determining can be performed using symmetric or asymmetric methods of verifying the authenticity of the message.
    Type: Grant
    Filed: October 14, 2004
    Date of Patent: August 4, 2009
    Assignee: Microsoft Corporation
    Inventors: Eliot C. Gillum, Chun Yu Wong, Ilya Mironov, Aditya Bansod
  • Patent number: 7565135
    Abstract: A method and apparatus for performing authentication in a communications system is provided. The method includes receiving a request for authentication from a server, the request for authentication including a first and a second random challenge, and comparing the first random challenge and the second random challenge. The method further includes denying the request for authentication in response to determining that the first random challenge is substantially the same as the second random challenge, and transmitting an encoded value to the server in response to determining that the first random challenge is different from the second random challenge, wherein the encoded value is generated based on the first and second random challenge and a key that is not shared with the server.
    Type: Grant
    Filed: September 26, 2006
    Date of Patent: July 21, 2009
    Assignee: Alcatel-Lucent USA Inc.
    Inventor: Sarvar M. Patel
  • Patent number: 7549160
    Abstract: A method and system for authenticated access to multicast traffic receives a request for a user to join a multicast channel. Access privileges of the user to the multicast channel are authenticated. The request is disallowed in response to at least an unsuccessful authentication.
    Type: Grant
    Filed: December 21, 2000
    Date of Patent: June 16, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Sunil Podar, Sunil K. Chandrupatla, Sandeep Saksena, Kali Prasanna Mishra, Sampath Kumar Sthothra Bhasham
  • Patent number: 7543337
    Abstract: System for reading a document provided with machine-readable holder details and establishing whether a person presented the document has a predetermined right, which document at least contains a chip containing biometric data on a holder as well as data with a predetermined relationship to the holder details, and wherein the system comprises: a reader for reading the chip and the machine-readable holder details; a memory containing details with regard to the right of the holder; a biometric feature scanner; a processing unit connected to reader, memory and scanner and equipped to: establish the authenticity of chip and data using public key encryption technology; receive the biometric data on the holder from the chip; receive the biometric data on the person presenting the document from the scanner and to compare these with the data on the holder to determine whether the person presenting the document is the holder; receive the holder details via the reader, check the relationship between the holder details a
    Type: Grant
    Filed: June 19, 2003
    Date of Patent: June 2, 2009
    Assignee: Enschede/SDJ B.V.
    Inventor: Carlo Antonio Giovanni D'Agnolo
  • Patent number: 7536713
    Abstract: Embodiments of the system may utilize a Knowledge Broadcasting System for specifying content metadata and locating Internet documents. In this instance embodiments of the invention comprise an improved manner of specifying the content of an Internet document in such a way that the users of the system are able to retrieve relevant Internet documents. This is accomplished using a three-tiered search engine where the first-tier is denoted as a category search, the second tier is denoted as a context search, and the third-tier is denoted as a keyword search. At each step relevant information is filtered out and the focus of the search is narrowed. In the general search, the user narrows the focus of the search by selecting a hierarchical definition.
    Type: Grant
    Filed: December 11, 2003
    Date of Patent: May 19, 2009
    Inventor: Alan Bartholomew
  • Patent number: 7529935
    Abstract: An aspect of the present invention provides an information communication device for transmitting electronic data encrypted for the purpose of copyright protection, the device includes that an identification information managing unit configured to hold device identification information in connection with other information communication devices acquired through a network, an ID registration processing unit configured to register the device identification information of another connection device when the other communication device satisfies a predetermined distance condition or when common identification information that is held by both information communication devices is received from a portable device, and an authentication and key exchange processing unit configured to, for the purpose of copyright protection, complete authentication and key exchange process (AKE process) only when another information communication device whose device identification information is registered in the identification information
    Type: Grant
    Filed: June 28, 2004
    Date of Patent: May 5, 2009
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Takeshi Saito, Hiroshi Isozaki, Tatsuyuki Matsushita, Taku Kato, Tooru Kamibayashi
  • Patent number: 7529929
    Abstract: A system and method for enforcing digital rights management (DRM) rules in a terminal, even when the requesting rendering application is already operating. Content, which may be encrypted, is received at the terminal and securely stored. On-demand authorization is effected for the rendering application that is requesting access to the content, using secure communications between a DRM engine within the terminal and an operating system within the terminal that is augmented with a security manager adapted to engage in such secure communications. If the rendering application is found to be authorized, the DRM rules are applied to determine whether the rendering application may access the content, and if so, the content is made available to the rendering application.
    Type: Grant
    Filed: May 30, 2002
    Date of Patent: May 5, 2009
    Assignee: Nokia Corporation
    Inventors: Nadarajah Asokan, Jan-Erik Ekberg, Jorma Stenman, Jaakko Teinila
  • Patent number: 7526646
    Abstract: An authentication system for authenticating a mobile information terminal is disclosed.
    Type: Grant
    Filed: May 15, 2002
    Date of Patent: April 28, 2009
    Assignee: Sony Corporation
    Inventors: Junko Fukuda, Keigo Ihara, Takahiko Sueyoshi, Yuji Ayatsuka, Nobuyuki Matsushita, Junichi Rekimoto
  • Patent number: 7526647
    Abstract: A network publishing authorization protocol, for use in a network connected to a printer, a server and a publisher of network publications. The protocol authorizes the printing of a publication at the printer. It includes the steps of: addressing the publication to a user; signing the publication using a private key; sending the publication to the printer; and confirming that the publication may be printed at the printer, by verifying the private key signature. Confirmation may take place at the printer or at the server.
    Type: Grant
    Filed: November 8, 2004
    Date of Patent: April 28, 2009
    Assignee: Silverbrook Research Pty Ltd
    Inventors: Paul Lapstun, Kia Silverbrook
  • Patent number: 7509488
    Abstract: There is provided a server apparatus that realizes a suitable delivery service according to requests by performing a highly secure and easy-to-understand authentication while allowing anonymity to be maintained. During connection to the server apparatus, a communication terminal apparatus transmits an appliance type ID and a user ID to the server apparatus according to depression states of authentication buttons. The server apparatus receives the transmitted appliance type ID and user ID, determines the authentication level based on the received appliance type ID and user ID, selects a service content to be provided according to the determined authentication level, and transmits corresponding delivery data to the communication terminal apparatus. As a result, suitable data for requests from the user side can be delivered.
    Type: Grant
    Filed: March 12, 2003
    Date of Patent: March 24, 2009
    Assignee: Yamaha Corporation
    Inventor: Yoshimasa Isozaki
  • Patent number: 7508941
    Abstract: A control signal is provided to a video data acquisition system that generates video data. In response to receiving the control signal, the video data acquisition system modifies at least a portion of the video data to produce an output signal. Authenticity of the output signal from the video data acquisition system is verified by checking that the video data includes modifications according to the control signal. If the video data does not include such modifications, it is known that the video data acquisition system needs to be checked for tampering or system failures.
    Type: Grant
    Filed: July 22, 2003
    Date of Patent: March 24, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: James W. O'Toole, Jr., Mark Stuart Day
  • Patent number: 7487364
    Abstract: The objective of the present invention is to propose a method to prevent that the decryption of a keys file of a group of data stored in a storing unit (DB) of a decoder (STB), the latter comprising a security module (SM), allows many bad intentioned users to benefit illegally from this product. This method consists in extracting from an encrypted data flux the data to send towards the storing unit (DB) and to re-encrypt the data before transferring them to the storing unit (DB) by at least one specific key (K1, K2).
    Type: Grant
    Filed: January 15, 2002
    Date of Patent: February 3, 2009
    Assignee: Nagracard S.A.
    Inventor: Christophe Nicolas
  • Patent number: 7472270
    Abstract: A host securely transmits content to a peripheral thereof. The peripheral has a symmetric key (PK) and a copy of (PK) encrypted according to a public key (PU) of an entity ((PU(PK))). In the method, the host receives (PU(PK)) from the peripheral, and sends (PU(PK)) to the entity. The entity has a private key (PR) corresponding to (PU), applies (PR) to (PU(PK)) to obtain (PK), and sends (PK) back to the host. The host receives (PK) from the entity, encrypts at least a portion of the content according to (PK), and transmits the encrypted content to the peripheral. The peripheral may then decrypt the encrypted content based on (PK). A bind key (BK) encrypted by (PK) ((PK(BK))) may accompany (PU(PK)), where the content is to be encrypted according to (BK). Thus, (PK) is not revealed to the host.
    Type: Grant
    Filed: November 13, 2002
    Date of Patent: December 30, 2008
    Assignee: Microsoft Corporation
    Inventors: Brian Evans, Ajitesh Kishore, M. Jay Parks
  • Patent number: 7466826
    Abstract: To transmit digital data representing a content from a source to a receiver through a digital communication channel, the data being scrambled by at least one control word, the method includes the following steps. The source generates an encryption key which it stores temporarily. It encrypts the control word with the encryption key and transmits to the receiver the scrambled digital data and the encrypted control word, the latter being transmitted through an encrypted communication channel. The receiver then performs an operation of authentication of the source. When the source is authenticated by the receiver, it transmits the encryption key to it. The receiver then decrypts the control word and descrambles the data so as to present them to a user. The encryption key is then erased from the memories of the source and the receiver when the content has been entirely transmitted.
    Type: Grant
    Filed: December 4, 2001
    Date of Patent: December 16, 2008
    Assignee: Thomson Licensing
    Inventors: Jean Pierre Andreaux, Sylvain Chevreau, Eric Diehl
  • Patent number: 7464398
    Abstract: Systems and methods of mitigating attacks, such as Denial of Service (DoS) attacks, in a communications network are presented. Source addresses of packets received at network devices are monitored in relation to known reliable addresses stored in a decision engine. If the source address, as stored in a source table, is known as being legitimate the packets are placed in a high priority queue for transmission at the highest rate. Packets with an unknown address are placed in a lower priority queue, the source address stored in a different source table, and the packet is serviced at a lower rate. Packets that become known to be legitimate are moved from the unknown table to the table from which high priority queues are serviced. In this way, an attacker that employs spoofing techniques is prevented from overtaxing network resources.
    Type: Grant
    Filed: May 19, 2003
    Date of Patent: December 9, 2008
    Assignee: Alcatel Lucent
    Inventors: Jean-Marc Robert, Scott David D'Souza, Paul Kierstead
  • Patent number: 7461264
    Abstract: An automatic control and management method for identification by using an identity equipment is proposed. The method includes using a login system to generate an identity certificate code; using a password to encode the identity certificate code and a unique random variable to generate an identity value; and generating an on-line connection verification data by using the identity certificate code and then storing the same into the login system. The process for logging in the login system includes using a portable identity equipment and inputting a password for identification so as to read out the encoded data. If disconnection occurs the login system automatically logs out to protect the confidential data. Thus, the identity equipment used in the present invention can be easily carried away.
    Type: Grant
    Filed: October 12, 2004
    Date of Patent: December 2, 2008
    Assignee: Lite-On Technology Corporation
    Inventor: Magary Chen
  • Patent number: 7437757
    Abstract: An online transaction system configured to implement authentication methods that allow for strong multi-factor authentication in online environments. The authentication methods can be combined with strong security methods to further ensure that the authentication process is secure. Further, the strong multi-factor authentication can be implemented with zero adoption dependencies through the implementation of automated enrollment methods.
    Type: Grant
    Filed: January 16, 2003
    Date of Patent: October 14, 2008
    Assignee: US Encode Corporation
    Inventor: John Holdsworth
  • Patent number: 7437447
    Abstract: A method for authenticating a requesting entity in a communications environment. In an exemplary embodiment, the method includes determining a client identification of a client node associated with the requesting entity, and determining whether the requesting entity associated with the client node is acting in a supervisor capacity. A key to the requesting entity is returned from a resource provider node upon determining that the client identification of the client node indicates that the client node is permitted to access one or more resources of the provider node, and that the client node is acting in a supervisor capacity.
    Type: Grant
    Filed: November 12, 2004
    Date of Patent: October 14, 2008
    Assignee: International Business Machines Corporation
    Inventors: Thomas M. Brey, Giles R. Frazier, Gregory F. Pfister, William J. Rooney
  • Patent number: 7400725
    Abstract: An information recording medium, such as an optical disk or the like, is provided for recording at least copyrighted content information and cipher key information. A part of the content information is scrambled and recorded in the information recording medium, and the scrambled and recorded part of the content information is obtained through scrambling using scramble key information, which is obtained by converting the cipher key information by the use of a non-scrambled part of the content information. The information recording medium has a recording area divided into a plurality of sectors. A plurality of data which the content information is divided into is recorded in the sectors. The non-scrambled part of the content information includes copy control information and a part of the content information that changes sector by sector.
    Type: Grant
    Filed: September 26, 2000
    Date of Patent: July 15, 2008
    Assignee: Matsushita Electric Industrial Co., Ltd.
    Inventors: Takashi Yumiba, Hideshi Ishihara, Yoshihisa Fukushima, Makoto Tatebayashi, Kaoru Yokota
  • Patent number: 7383230
    Abstract: An exchange system for intangible goods comprises a first user system, a second user system, a registry system, a clearinghouse system and a hash module coupled for communication with each other. The first and second user systems include a content module for acting as a repository for intangible goods, a pricing module for setting the price of intangible goods, a transaction generator module for creating transactions between seller and buyer, and a transaction log module for recording any transaction in which the user system participates. These systems are used to consummate transactions with other users for exchanging intangible goods. As part of each transaction, the user and the transaction must be entered or registered in the registry system. The registry system comprises an account module and a transaction log module for maintaining the anonymity of the sellers and buyers.
    Type: Grant
    Filed: April 22, 2005
    Date of Patent: June 3, 2008
    Inventor: Gregory J. Wolff
  • Patent number: 7380135
    Abstract: A method of transmitting contents, which are to be received at a reception side where a portion of the contents is previewed while the contents are not accessible for playing other than for a preview purpose, includes the steps of encrypting the contents by a first encryption key, generating information indicative of an elapsed time of the contents that indicates a relationship between positions on a time axis of the contents representing an amount of time that passes as the contents are played and a time count that accrues as a preview time when the contents are previewed, encrypting the first encryption key and the information indicative of an elapsed time of the contents by a second encryption key, thereby generating first encrypted information, encrypting the second encryption key and content-usage control information by a third encryption key, thereby generating second encrypted information, the content-usage control information indicating usage of the contents on the reception side, and transmitting the
    Type: Grant
    Filed: August 15, 2003
    Date of Patent: May 27, 2008
    Assignee: Nippon Hoso Kyokai
    Inventors: Yusei Nishimoto, Tatsuya Kurioka, Seiichi Namba
  • Patent number: 7380134
    Abstract: An information recording apparatus has a content encryption section which encrypts content information with an encryption key and outputs encrypted content information, a control section which identifies an already moved area in the content information and generates a reproduction enable condition containing reproducible area information indicating a movable area, a hash arithmetic device which executes hash calculation for the reproduction enable condition and stores an arithmetic result in a register, and a hard disk drive which records the encrypted content information output from the encryption section and the reproduction enable condition. Even content information that remains after interruption during movement can be moved.
    Type: Grant
    Filed: March 20, 2003
    Date of Patent: May 27, 2008
    Assignee: Kabushiki Kaisha Toshiba
    Inventor: Masahiro Yamada
  • Patent number: 7370210
    Abstract: The present invention provides a data processing apparatus and method for managing processor configuration data. The data processing apparatus comprises a processor operable in a plurality of modes and a plurality of domains, said plurality of domains comprising a secure domain and a non-secure domain, said plurality of modes including at least one non-secure mode being a mode in the non-secure domain, at least one secure mode being a mode in the secure domain, and a monitor mode. The processor is operable such that when executing a program in a secure mode the program has access to secure data which is not accessible when said processor is operating in a non-secure mode.
    Type: Grant
    Filed: November 17, 2003
    Date of Patent: May 6, 2008
    Assignee: Arm Limited
    Inventor: Dominic Hugo Symes
  • Patent number: 7363504
    Abstract: The present invention discloses a system and methods for biometric security using keystroke scan biometrics in a smartcard-reader system. The biometric security system also includes a keystroke scan sensor that detects biometric samples and a device for verifying biometric samples. In one embodiment, the biometric security system includes a smartcard configured with a keystroke scan sensor. In another embodiment, the system includes a reader configured with a keystroke scan sensor. In yet another embodiment, the present invention discloses methods for proffering and processing keystroke scan samples to facilitate authorization of transactions.
    Type: Grant
    Filed: July 1, 2004
    Date of Patent: April 22, 2008
    Assignee: American Express Travel Related Services Company, Inc.
    Inventors: David S. Bonalle, Glen Salow
  • Patent number: 7360088
    Abstract: A system is provided which compensates a low operational performance of a conventional integrated circuit (IC) card by setting a substitute server computer between the IC card and a business server computer in a system using the IC card. Substitute processing using an authentication result is realized by setting an IC card authentication server computer in addition to the business server computer and sending an authentication result of the authentication server computer to the IC card, substitute server computer, and business server computer. Thus, because the substitute server computer does not directly authenticate the IC card, the quantity of authentication information in the substitute server computer is substantially reduced and authentication processing becomes efficient.
    Type: Grant
    Filed: June 18, 2004
    Date of Patent: April 15, 2008
    Assignee: Hitachi, Ltd.
    Inventors: Yusuke Mishina, Akiko Sato, Masanori Oikawa
  • Patent number: 7353384
    Abstract: An intermediate entity can generate a necessary credential to allow two other entities to bypass the intermediate entity when establishing communications between two other entities in a computing system represented by either a directed or an undirected graph. The intermediate entity receives credentials for communications links between itself and each of the other two entities. The intermediate entity also receives a chaining parameter associated with the intermediate entity. With the two credentials and the chaining parameter, the intermediate entity can compute a necessary credential to allow communication between the other two entities. In addition, the intermediate entity can compute the necessary credential independent of a security manager during the computation operation.
    Type: Grant
    Filed: April 17, 2002
    Date of Patent: April 1, 2008
    Assignee: Microsoft Corporation
    Inventors: Paul Christopher Leyland, Roger Michael Needham
  • Patent number: 7346931
    Abstract: A method for transferring at least one data record from an external data source into a processor unit, e.g., and a suitably designed processor unit are described. In such a method for transcribing at least one data record from the external data source to a processor unit, the at least one data record is transmitted from the external data source together with additional information to a buffer memory of the processor unit. A check of the admissibility of using the at least one data record is performed on the basis of the additional information. A blocking signal is generated when the check reveals that use of the at least one data record is not allowed. The at least one data record is then deleted from the buffer memory. An enable signal is generated when the use of the at least one data record is allowed. The additional information includes an identifier assigned individually to the processor unit, with the validity check being performed in the processor unit.
    Type: Grant
    Filed: July 10, 2003
    Date of Patent: March 18, 2008
    Assignee: Robert Bosch GmbH
    Inventor: Christian Kornblum
  • Patent number: 7343489
    Abstract: A technique to transmit data from a sender to a receiver via a network, preferably a LAN and/or the Internet etc., where the sender transmits the data to a base station, and where the sender is verified by a server, in particular a AAA-server etc. In order to prevent the transmission of data from an illegitimate sender at the expense of a legitimate sender to the greatest extent possible, the server transmits verification data from the server to the sender and/or base station.
    Type: Grant
    Filed: October 25, 2002
    Date of Patent: March 11, 2008
    Assignee: NEC Corporation
    Inventors: Dirk Westhoff, Bernd Lamparter
  • Patent number: 7336788
    Abstract: The invention, an electronic book selection and delivery system, is a new way to distribute books and other textual information to bookstores, libraries and consumers. The primary components of the system are a subsystem for placing text in a video signal format and a subsystem for receiving and selecting text that is placed in the video signal format. The system configuration for consumer use contains additional components and optional features that enhance the system, namely: (1) an operation center, (2) a video distribution system, (3) a home subsystem, including reception, selection, viewing, transacting and transmission capabilities, and (4) a billing and collection system. The operation center and/or video distribution points perform the functions of manipulation of text data, security and coding of text, cataloging of books, messaging center, and uplink functions.
    Type: Grant
    Filed: November 28, 2000
    Date of Patent: February 26, 2008
    Assignee: Discovery Communications Inc.
    Inventor: John S. Hendricks
  • Patent number: 7337146
    Abstract: A wide-area emergency information management system includes a broadcasting entity (10) and delivers content to authorized receiver clients (20), such as PC's, laptops, wireless devices, etc. The specific content (26), which can include voice, text, video or any other information content related to a planned response to a given crisis or emergency such as enemy attack or natural disaster, is prepared in advance (28), tailored to the class of recipient receiver client and/or user (44), securely downloaded (32,36) and stored locally in a secure cache (21). In response to a small control file from a centralized emergency management authority, the receiver client system accesses the cache (21), decrypts the content (26), and delivers it to the end user.
    Type: Grant
    Filed: March 4, 2003
    Date of Patent: February 26, 2008
    Assignee: Swan Island Networks, Inc.
    Inventors: Jake Heelan, Charles Jennings, Pete O'Dell, Ryan McMahon, Grant Roholt
  • Patent number: 7330550
    Abstract: A cryptographic system includes: a) a light source for generating an excitation light signal; b) a spatial light modulator for encoding the excitation light signal with data; c) a wavelength dispersive element for transforming the excitation light signal into a spectral encoded light signal characterized by relative peak intensities at specific wavelengths; d) an optical detector for generating an information output signal in response to receiving an optical input signal, wherein the information output signal represents spectral and intensity characteristics of the optical input signal; and e) a processor for validating the information output signal if differences between representations of the optical input signal, and representations of the spectral encoded light signal are within predetermined limits.
    Type: Grant
    Filed: February 19, 2003
    Date of Patent: February 12, 2008
    Assignee: The United States of America as represented by the Secretary of the Navy
    Inventors: Shikik T. Johnson, Stephen D. Russell
  • Patent number: 7327843
    Abstract: A hard disk A is constructed to include: a disk 10 in which copy protection information is written in advance in a surface shape such as slits or corrugations in a pre-recording region 13 over a substrate 11 other than a data storage region 12; a pickup unit 20 for reading the copy protection information on the disk 10; and a copy protect unit 42 made operative, when it copies the encrypted data over the data storage region 12 of the disk 10 in response to the demand of the external device B: to perform an authentication with reference to the copy protection information read by the pickup unit 20; and to output the information on the secret key, as contained in the copy protection information, to the external device B which has been recognized to be correct by that authentication.
    Type: Grant
    Filed: November 28, 2001
    Date of Patent: February 5, 2008
    Assignee: Funai Electric Co., Ltd.
    Inventor: Shinji Yoshida