Abstract: A networked computer device can be customized to contain provisioning and/or authorization logic in its firmware or the firmware of one of its subcomponents. The computer device is thus configured to provision itself from a provisioning server that is identified within the firmware, and to periodically query an operations authority for continued authorization to operate with the received provisioning. Upon failure to receive authorization, the firmware may implement various security measures, such as storage protection, boot protection, communications protection, and so forth. The firmware may also implement remote reporting, to assist an investigator when a device has been lost or stolen.

Abstract: The present invention relates to communications, and in particular though not exclusively to forming a secure connection between two untrusted devices. The present invention provides a method of securely connecting a first device (A) to a second device (B) using a third party authentication server (AS) coupled to the second device, the first device and the authentication server both having first device shared secret data (SSDa) and the second device and the authentication server both having second device shared secret data (SSDb).

Abstract: Examples of embodiments provide systems and methods for varying the functions of an electronic device according to a physical relationship (e.g. the distance) between the electronic device and the primary user (e.g., owner) of the electronic device. The device may measure the distance using a wireless signal from a secondary device carried by or associated with the primary user. In some embodiments, the electronic device may change its functions based on its environment, in combination with the distance between the electronic device and the primary user. Environmental factors may include the device's location, the device's velocity, and the date and time of day.

Abstract: Secure access to a wireless network access can be provided in a system where wireless devices access a wireless network through a wireless access point (WAP). For example, a plurality of pre-shared keys (PSKs) may be generated and distributed to the WAP and the wireless device. The wireless device may automatically rotate an active one of the plurality of PSKs, while the WAP receives one or more rotation signals identifying the active one of the plurality of PSKs. The wireless device and the WAP may encrypt information relating to the active one of the PSKs within communications between them, thus securing the communications.

Abstract: An authentication apparatus includes: a database section that stores a password; an entry section through which a password is entered; a storage section that stores an entered password which is entered through the entry section; an authentication section that authenticates whether the password and the entered password match with each other; and a determining section that determines whether or not a re-entered password is to be subjected to an authentication processing performed by the authentication section when the re-entered password is entered through the entry section after the authentication section determines that the password and the entered password do not match with each other.

Abstract: One embodiment of the present invention provides a system that associates a digital certificate with an enterprise profile. During operation, an identity store receives a digital certificate from a client. Next, the identity store searches for a mapping rule which determines if an enterprise profile is associated with the digital certificate, wherein the enterprise profile facilitates in identifying user capabilities. If a mapping rule is found, the identity store executes the mapping rule to determine if an enterprise profile is associated with the digital certificate. If so, the enterprise profile, which is associated with the digital certificate, is returned to the client.

Abstract: An image forming apparatus includes: an authentication unit that can execute a login process and a logout process; an operation unit that receives an instruction for the logout process from the user; a user attribute storage unit that stores the identification information of a non-logged-out user; a determination unit that determines whether a logged-in user, who is a user for whom the login process is executed by the authentication unit, is the non-logged-out user, based on the identification information stored in the user attribute storage unit; and a forced logout processing unit that, in a case in which the logged-in user is determined to be the non-logged-out user by the determination unit, instructs the authentication unit to execute the logout process when a predefined particular process among the plurality of processes is executed and completed by the processing unit.

Abstract: Techniques for identity-based Peer-to-Peer (P2P) Virtual Private Networks (VPN's) are provided. First and second principals authenticate to a trusted third party. The first principal subsequently requests a P2P VPN with the second principal. The second principal is contacted on behalf of the first principal and permission is acquired. The first and second principals are then sent commands to directly establish a P2P VPN communication session with one another.

Abstract: A method of supporting location privacy of a mobile station includes receiving, from a base station, a message including a temporary station identifier (TSTID) during an initial ranging procedure, wherein the TSTID is temporarily used to protect the location privacy of the mobile station; performing, with the base station, a basic capabilities negotiation procedure after the initial ranging procedure; performing, with the base station, an authentication procedure after the basic capabilities negotiation procedure; performing, with the base station, a registration procedure after the authentication procedure; and releasing the TSTID after receiving a station identifier (STID) which is assigned during the registration procedure, wherein the STID uniquely identifies the mobile station in the base station.

Abstract: A method and system is provided to analyse receiver indicia of location for a set of at least one receivers to determine whether a receiver has an erroneous indicator of location. The embodiment may take further steps to confirm whether or not inappropriate usage has occurred. The method and system includes identifying a first indicia of location for a set of one or more receivers, identifying a second indicia of location for one or more receivers from the set, and determining if the first and second indicia of location are mutually inconsistent. Indicia of location include indicators of receiver location, inventory state, communication path and definition on systems. The method and system may optionally include action to report or correct the location error.

Abstract: A method of supporting location privacy of a mobile station includes receiving, from a base station, a temporary station identifier (TSTID) during an initial ranging procedure; transmitting a registration request (REG-REQ) message requesting a registration to the base station, the REG-REQ message including a real medium access control (MAC) address of the mobile station; and receiving, from the base station, a registration response (REG-RSP) message including a station identifier (STID) assigned to the mobile station. The TSTID is temporarily used to protect a mapping between the real MAC address of the mobile station and the STID, and the TSTID is used until the STID is assigned to the mobile station.

Abstract: The contemplated embodiments of the invention provide a method for implementing a mandatory integrity control (MIC) system that provides access control for each and every object and subject that need access control, but in a way that allows legacy operating systems to continue with little modification. The invention provides a novel method that selects an integrity level designator for a subject, when the subject logs onto the computer system. The selected integrity level designator is then added to an existing data structure in the computer system. The existing data structure may be a part of a security descriptor stored in a system access control list of an object. The existing data structure may be a part of a list of security permissions that constitute an access token for a process executing as a subject.

Abstract: A technique for improving authentication speed when a client roams from a first authentication domain to a second authentication domain involves coupling authenticators associated with the first and second authentication domains to an authentication server. A system according to the technique may include, for example, a first authenticator using an encryption key to ensure secure network communication, a second authenticator using the same encryption key to ensure secure network communication, and a server coupled to the first authenticator and the second authenticator wherein the server distributes, to the first authenticator and the second authenticator, information to extract the encryption key from messages that a client sends to the first authenticator and the second authenticator.

Abstract: A computer system includes a computer, a fingerprint reader, and a security apparatus to apply complete security for the benefit of an authorized user. The computer includes a first interface, a second interface, an account storage unit, and a fingerprint storage unit. The fingerprint reader can connect with the computer through the first interface for inputting fingerprint information. The security apparatus can connect with the computer through the second interface, and includes a password storage module, a first use module, a password modification module, and a normal use module.

Abstract: A system includes a remote authentication dial in user service (RADIUS) server in communication with a network access server. The network access server provides an authentication request to the RADIUS server. The authentication request includes at least a user identifier and a device identifier. The RADIUS server determines an authentication format utilized by the network access server based on the received authentication request. The system may also determine an authorization level to provide with an authentication response.

Abstract: Data storage and management systems can be interconnected as clustered systems to distribute data and operational loading. Further, independent clustered storage systems can be associated to form peered clusters. As provided herein, methods and systems for creating and managing intercluster relationships between independent clustered storage systems, allowing the respective independent clustered storage systems to exchange data and distribute management operations between each other while mitigating administrator involvement. Cluster introduction information is provided on a network interface of one or more nodes in a cluster, and intercluster relationships are created between peer clusters. A relationship can be created by initiating contact with a peer using a logical interface, and respective peers retrieving the introduction information provided on the network interface.

Abstract: A first terminal subscribes to at least one service using a service guide in which information necessary for reception of each service is stored, and sends the service guide and an identifier (ID) of the subscribed service to a smartcard. The smartcard stores the service guide and the ID of the subscribed service, and sends the service guide and the ID of the subscribed service to a second terminal through a response message to a request message used for acquiring TBK information, received from the second terminal. The second terminal receives the response message by sending the request message to the smartcard, acquires TBK information corresponding to a service that the second terminal intends to play back, from the service guide depending on the subscribed service's ID included in the response message, and acquires the TBK by performing an authentication process using the TBK information.

Abstract: Utilizing the AAA infrastructure to dynamically allocate the various parameters needed to establish the security association between the Foreign Agent and the Home Agent. The present invention uses the AAA server as a central entity to dynamically generate and distribute the chosen security association parameters needed to support the Foreign Agent and Home Agent security association based on a request from the Foreign Agent. The AAA server can also dynamically assigns a unique SPI value to the Foreign Agent and Home Agent pairs. The various parameters that can be allocated in the present invention include a FA-HA shared secret key or a public/private key pair, an authentication algorithm and mode, a FA-HA secret key lifetime, and security parameter index or security index values. The present invention also can assist in making sure that the Foreign Agent and the Home Agent stay synchronized with respect to their security association.

Abstract: A method and apparatus for providing a secure authentication process is described. In one embodiment, a method for a method for providing a secure authentication process includes monitoring login activity of at least one authentication process associated with a computer resource and analyzing the login activity to identify suspicious login activity associated with user credentials.

Abstract: The present invention relates to a far-end control method with a security mechanism including a host transmitting an identification code through the PSTN (Public switched telephone network) to the I/O control device of the far-end. The I/O control device has a CPU to receive the identification code and judge whether the identification code matches with the predetermined value stored therein; if the identification code matches with the predetermined value, the mobile internet connection between the host and the I/O control device is activated to enable the host to mutually transmit information or signals with a far-end control device from the I/O control device through the mobile internet, and the connection will be disabled after the information or signal transmission is completed.

Abstract: A method for preventing abuse of an Authentication Vector (AV) and a system and apparatus for implementing the method are provided. Access network information of a non-3rd Generation Partnership Project (3GPP) access network where a user resides is bound to an AV of the user, so that when the user accesses an Evolved Packet System (EPS) through the non-3GPP access network, even if an entity in the non-3GPP access network is breached, or an Evolved Packet Data Gateway (ePDG) connected to an untrusted non-3GPP access network is breached, the stolen AV cannot be applied to other non-3GPP access networks by an attacker.

Abstract: A multi-user computer system and a remote control method for the multi-user computer system includes a remote controller, with an input unit that receives a remote-control password to remotely operate the computer, information on an OS booted when the remote-control password is input, a key input setting the computer in a mode wherein the remote-control password and the OS information are set, and a key input operating the computer, a microprocessor, a wireless transmitter, and a computer, with a wireless receiver, a microprocessor, and a BIOS that automatically loads an OS corresponding to the remote-control password stored in the memory when the received remote-control password stored in the wireless receiver and the remote-control password in the memory are the same.

Abstract: A method of and system for digital rights management, in which access to a piece of content is granted in accordance with a license owned by a license owner to a client who is a member of a domain. This requires successfully verifying that a membership relation exists between the client and the domain as reflected in a first state variable, and that an association relation exists between the license owner and the domain as reflected in a second state variable. Both relationships are revoked by executing an online protocol between the parties in the relationship after which both remove the corresponding state variable. The domain controller propagates the state administration relating to the domain is propagated to the client so that the client can update its state administration.

Abstract: Techniques and tools are described which provide control access mechanisms for contents made available by a service provider to a user. The user, after a registration process, uses a mobile application on a mobile device to generate a one-time content key. The content key is input into a set-top box which validates the key and provides access to the protected content. The mobile application allows for password protection for the user, as well as a recharging ability when its one-time content keys are exhausted.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for providing contextual data aided security protection. In one aspect, a method includes automatically parsing an electronic message associated with a user that includes location information, and extracting the location information from the electronic message. The location information can be added to a database (e.g., white list) associated with the user. The location information in the database can be used to authenticate the user's request for access to electronic mail.

Abstract: Methods, systems and apparatus are provided for recovering registration information at a home network when the home network determines that it has experienced a loss of the registration information. The home network communicates a triggering message to at least one visited network to initiate registration information recovery, and the visited network responds to the triggering message by communicating registration information for objects that are located at the visited network and that are associated with the home network. These objects may include, for example, subscriber units and/or talk groups that are associated with the home network and have roamed to the visited network.

Abstract: A method of authenticating a client to two or more servers coupled together via a communications network, wherein the client and a first server possess a shared secret. The method comprises authenticating the client to a first server using said shared secret, signalling associated with this authentication process being sent between the client and said first server via a second server, generating a session key at the client and at the first server, and providing the session key to said second server, and using the session key to authenticate the client to the second server.

Abstract: Methods and systems for efficient deployment of communication filters are presented. In an exemplary embodiment, a wireless communication device (WCD) attempts to register with a foreign agent and a home agent by using mobile IP. During this process, an authentication, authorization, and accounting (AAA) server receives a first message from the foreign agent, where the first message seeks to authenticate the WCD. The AAA server responds to the first message with a second message containing a filter to be applied to the WCD's communication. The AAA server than receives a third message containing the filter, and the AAA server responsively transmits a fourth message to the home agent, seeking to have the home agent apply the filter to the WCD's communication. In this way, communications between the home agent and the AAA server can be reduced because the home agent only communicates with the AAA server if the WCD is subject to a filter.

Abstract: Techniques for non-repudiation of storage in cloud or shared storage environments are provided. A unique signature is generated within a cloud or shared storage environment for each file of the storage tenant that accesses the cloud or shared storage environment. Each signature is stored as part of the file system and every time a file is accessed that signature is verified. When a file is updated, the signature is updated as well to reflect the file update.

Abstract: When transmitting position/time information calculated by means of a GPS function to a server apparatus, authentication is carried out with the server apparatus. The position/time information may be certified as legitimate measured by a portable apparatus with a GPS reception function employed by a user. When transmitting information related to the position and the time acquired from a portable phone terminal having the GPS function and a network function by means of the GPS function to the server apparatus, authentication is carried out between the portable phone terminal and the server apparatus. The position/time information is transmitted to the server apparatus, only if the server apparatus is authenticated as a legitimate counterpart for connection. A secret key holding section is provided for holding different secret keys for different apparatuses.

Abstract: The present invention provides a method of wireless communication with at least one mobile unit and at least one authentication center in a wireless telecommunications network. The method includes generating at least one access request based upon at least one first sequence number associated with the mobile unit and receiving at least one message formed based upon the access request, the message including at least one second sequence number associated with the authentication center, the second sequence number selected to be acceptable to the mobile unit.

Abstract: A network component comprising at least one processor configured to implement a method comprising deriving a Master Session Key (MSK) using a secret key and at least one parameter obtained from an Extensible Authentication Protocol (EAP) sequence, deriving a first Pairwise Master Key (PMK) and a second PMK from the MSK, authenticating with a home gateway (HG) using the first PMK, and authenticating with an end point using the second PMK. Included is an apparatus comprising a node comprising an access controller (AC) and a protocol for carrying authentication for network access (PANA) Authentication Agent (PAA), wherein the AC is configured to manage authentication for a UE, and wherein the PAA is configured to implement a PANA to forward authentication information related to the UE.

Abstract: Embodiments of the invention provide systems and methods for providing service level, policy-based QoS enforcement on a network or networks. According to one embodiment, a system can comprise at least one communications network, a first endpoint communicatively coupled with the communications network, and a second endpoint communicatively coupled with the communications network and can monitor traffic on the communications network between the first endpoint and the second endpoint. A policy enforcer can be communicatively coupled with the network monitor. The policy enforcer can apply one or more policies based the traffic between the first endpoint and the second endpoint. The one or more policies can define a Quality of Service (QoS) for the traffic between the first endpoint and the second endpoint and can apply the policies to affect the traffic between the endpoints to maintain the QoS defined by the one or more policies.

Abstract: Disclosed are a cellular phone terminal, a cellular phone system and a privacy protection method therefor that enable to prevent leakage of private information from the communication data when conducting a search for wireless LAN base stations. The cellular phone terminal comprises, in addition to the cellular phone function section, a cellular phone network transmitter/receiver section, a wireless LAN transmitter/receiver section and a wireless LAN connection control section, an SSID•MAC address management section connected to the wireless LAN connection control section and the cellular phone network transmitter/receiver section. The SSID•MAC address management section is allocated by a MAC address management server one or more temporary MAC addresses together with their time limit by way of the cellular phone network transmitter/receiver section and a cellular phone base station and the temporary MAC addresses are used when conducting a search for wireless LAN base stations.

Abstract: When transmitting position/time information calculated by means of a GPS function to a server apparatus, authentication is carried out with the server apparatus. The position/time information may be certified as legitimate measured by a portable apparatus with a GPS reception function employed by a user. When transmitting information related to the position and the time acquired from a portable phone terminal having the GPS function and a network function by means of the GPS function to the server apparatus, authentication is carried out between the portable phone terminal and the server apparatus. The position/time information is transmitted to the server apparatus, only if the server apparatus is authenticated as a legitimate counterpart for connection. A secret key holding section is provided for holding different secret keys for different apparatuses.

Abstract: When transmitting position/time information calculated by means of a GPS function to a server apparatus, authentication is carried out with the server apparatus. The position/time information may be certified as legitimate measured by a portable apparatus with a GPS reception function employed by a user. When transmitting information related to the position and the time acquired from a portable phone terminal having the GPS function and a network function by means of the GPS function to the server apparatus, authentication is carried out between the portable phone terminal and the server apparatus. The position/time information is transmitted to the server apparatus, only if the server apparatus is authenticated as a legitimate counterpart for connection. A secret key holding section is provided for holding different secret keys for different apparatuses.

Abstract: A computer implemented method for accessing materials for a meeting may include receiving a call from a meeting participant by a system, wherein the meeting participant calls a prearranged teleconference number to participate in the meeting. The method may also include validating participation of the meeting participant in the meeting by the system. The method may further include providing access to an appropriate set of materials to the meeting participant based on a predetermined attribute associated with the meeting participant.

Abstract: A process for testing an integrated circuit includes collecting a set of points of a physical property while the integrated circuit is executing a multiplication, dividing the set of points into a plurality subsets of lateral points, calculating an estimation of the value of the physical property for each subset, and applying to the subset of lateral points a step of horizontal transversal statistical processing by using the estimations of the value of the physical property, to verify a hypothesis about the variables manipulated by the integrated circuit.

Abstract: According to an embodiment, a programmable logic device includes a plurality of logic blocks, memory and a logic unit. The logic blocks are grouped into one or more partitions. The memory stores authentication and partition information uploaded to the programmable logic device prior to partition programming. The logic unit authenticates programming access to the one or more partitions based on the authentication information and controls programming of the one or more partitions based on the partition information.

Abstract: A computer-implemented method for diverting children from restricted computing activities. The method may include maintaining a list of safe computing activities, maintaining a list of restricted computing activities, and detecting a child's attempt to perform a restricted computing activity identified in the list of restricted computing activities. The method may also include selecting a safe computing activity from the list of safe computing activities. The method may further include, in response to the child's attempt to perform the restricted computing activity, blocking the restricted computing activity and initializing the safe computing activity selected from the list of safe computing activities. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Methods and devices for allowing a wireless communication device (1301) initially unauthorized for communication with a network to obtain persistent soft network subscription credential information (1303) from a wireless communication device (1401) initially authorized for communication with the network are disclosed. In performing the persistent transfer of the soft network subscription credential information (1303), one of a token management module (1312), a session initiation protocol communication module (1408), or a electronic rights manager (1406) may be used to ensure that only one communication device is capable of communicating with a network at any one time.

Abstract: The disclosure discloses a method for communication based on pseudo-contact information, which including: when a call is received, acquiring contact information of a calling party, and encrypting the contact information by using a preset encryption algorithm to acquire pseudo-contact information; when the pseudo-contact information does not match locally stored pseudo-contact information, displaying real contact information of the calling party, wherein the locally stored pseudo-contact information represents the pseudo-contact information generated by encrypting the contact information to be stored according to the preset encryption algorithm and locally stored; and when the pseudo-contact information matches the locally stored pseudo-contact information, displaying a substituted contact information generated by substituting a plurality of bits of the real contact information of the calling party with an identifier.

Abstract: Systems and methods for activating a mobile device for use with a service provider are described. In one exemplary method, a mobile device having a currently inserted SIM card may be prepared for activation using a signing process in which an activation server generates a signed activation ticket that uniquely corresponds to the combination of the device and SIM card, and that is securely stored on the mobile device. In another exemplary method the mobile device may be activated in an activation process in which the device verifies an activation ticket against information specific to the device and SIM card, and initiates activation when the verification of the activation ticket is successful.

Abstract: An authentication control apparatus is disclosed that includes plural authentication units that perform authentication for an operator with different authentication methods; a corresponding information management unit that manages corresponding information between the mode of an authentication request and the authentication unit to be used; and an authentication control unit that determines the authentication unit corresponding to the mode of the authentication request based on the corresponding information in response to the authentication request from the operator and causes the determined authentication unit to execute the authentication for the operator.

Abstract: A tamper resistant servicing Agent for providing various services (e.g., data delete, firewall protection, data encryption, location tracking, message notification, and updating software) comprises multiple functional modules, including a loader module (CLM) that loads and gains control during POST, independent of the OS, an Adaptive Installer Module (AIM), and a Communications Driver Agent (CDA). Once control is handed to the CLM, it loads the AIM, which in turn locates, validates, decompresses and adapts the CDA for the detected OS environment. The CDA exists in two forms, a mini CDA that determines whether a full or current CDA is located somewhere on the device, and if not, to load the full-function CDA from a network; and a full-function CDA that is responsible for all communications between the device and the monitoring server. The servicing functions can be controlled by a remote server.

Abstract: The present invention utilizes the AAA infrastructure to dynamically allocate the various parameters needed to establish the security association between the Foreign Agent and the Home Agent. The present invention uses the AAA server as a central entity to dynamically generate and distribute the chosen security association parameters needed to support the Foreign Agent and Home Agent security association based on a request from the Foreign Agent. The AAA server can also dynamically assigns a unique SPI value to the Foreign Agent and Home Agent pairs. The various parameters that can be allocated in the present invention include a FA-HA shared secret key or a public/private key pair, an authentication algorithm and mode, a FA-HA secret key lifetime, and security parameter index or security index values. The present invention also can assist in making sure that the Foreign Agent and the Home Agent stay synchronized with respect to their security association.

Abstract: A system and method for dynamically and automatically updating the appropriate fields on the message application screen of an electronic message to show which of the appropriate service book, security encoding or security properties are acceptable or allowed for the message being composed. This updating occurs automatically based on the contents of the fields that are modified during composition of the message, such as, for example, modifications to classification of the message, recipients, keywords, or the like. Thus, the properties in place for a given message is reflected in a dynamic options list provided to the user based on the contents of various fields of the electronic message and the system policies resident on the system. The dynamic updating may provide an updated list of options to the user, or may optionally automatically apply minimum level settings based on security policy and contents of the message.

Abstract: Methods, devices, and systems for creating and using a trusted host list for Transport Layer Security (TLS) sessions are provided. The proposed solutions described herein provide a mechanism of specifying authorization policy for TLS sessions where such authorization was traditionally implied by the possession of a certificate issued by a mutually trusted third party. The proposed solutions also provide for wildcard use and regular expression matching to simplify administration of the trusted host list.

Abstract: A transaction processing service operates as an intermediary between acquirers of financial transaction requests and issuing institutions that process the financial transaction requests. The intermediary service enables a customer to selectively change the status of an account's associated with a payment instrument by activating or deactivating the account. The intermediary service may manage account status locally using a rules module. Alternatively, the issuing institution may manage account status, while the intermediary service provides an interface for customers. A customer communicates with the intermediary service to direct the service to change the account status. The intermediary service determines the account's issuing institution and provides an indication to the issuing institution of the current status of the account (or of the change in status).

Abstract: The present invention relates to a method or system of generating a surrogate key using cryptographic hashing. One embodiment of the method of the present invention may have steps such as selecting a field or group of fields that is or are unique among all records in the database, for each record, extracting the data from the fields, concatenating the extracted data into an input message, running the input message through a hash generator, either in batches or one at a time, for testing purposes perhaps, and outputting a surrogate key.