Chain Or Hierarchical Certificates Patents (Class 713/157)
  • Patent number: 9679122
    Abstract: Mechanisms for controlling access to credentials are disclosed. A computing device receives, at a first time, a request associated with a user to initiate a plurality of actions against a computing resource of a plurality of computing resources, the request including a credential identifier that identifies a credential. A memory is accessed, based on the credential identifier, to retrieve the credential identified by the credential identifier that was stored in the memory at a time prior to the first time, the credential comprising authentication information configured to authenticate the plurality of actions to the computing resource. The computing device communicates the request and the authentication information to an orchestration engine for execution of the plurality of actions against the computing resource.
    Type: Grant
    Filed: June 11, 2014
    Date of Patent: June 13, 2017
    Assignee: Red Hat, Inc.
    Inventors: Michael P. DeHaan, Christopher S. Church, Christopher L. Houseknecht, Matthew W. Jones
  • Patent number: 9674194
    Abstract: A resource owner or administrator submits a request to a permissions management service to create a permissions grant which may include a listing of actions a user may perform on a resource. Accordingly, the permissions management service may create the permissions grant and use a private cryptographic key to digitally sign the created permissions grant. The permissions management service may transmit this digitally signed permissions grant, as well as a digital certificate comprising a public cryptographic key for validating the permissions grant, to a target resource. The target resource may use the public cryptographic key to validate the digital signature of the permissions grant and determine whether a user is authorized to perform one or more actions based at least in part on a request from the user to perform these one or more actions on the resource.
    Type: Grant
    Filed: March 12, 2014
    Date of Patent: June 6, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Jon Arron McClintock, Darren Ernest Canavor, Daniel Wade Hitchcock, Jonathan Kozolchyk
  • Patent number: 9648008
    Abstract: A terminal identification method, a machine identification code registration method and related system and apparatus are disclosed. After receiving a first request for which signature or certificate verification is to be performed from a terminal, a service network obtains a signature or certificate of a trusted party for a machine identification code identifier of the terminal from the first request, wherein the machine identification code identifier is an identifier allocated by the trusted party to the machine identification code of the terminal. The service network verifies the obtained signature or certificate, and if a verification result indicates legitimacy, identifies the terminal using the machine identification code identifier obtained from the signature or certificate. The present disclosure further provides a trusted party and a method of registering a machine identification code by the trusted party.
    Type: Grant
    Filed: May 27, 2014
    Date of Patent: May 9, 2017
    Assignee: Alibaba Group Holding Limited
    Inventors: Yingfang Fu, Yudong Zhang, Zhenyuan Zhang, Jian Liu
  • Patent number: 9641614
    Abstract: Embodiments provide a method and system for enabling access to a storage device. Specifically, a node may request admittance to a cluster that has read and write access to a storage device. The node seeking access to the storage device must first be approved by other nodes in the cluster. As part of the request, the node seeking access to the storage device sends a registration key to a storage device. Upon expiration of a registration timer, the node seeking access to the storage device receives a registration table from the storage device and determines whether its registration key is stored in the registration table. If the registration key is stored in the registration table, the node has been accepted in the cluster and, as a result, has been granted read and write access to the storage device.
    Type: Grant
    Filed: May 29, 2013
    Date of Patent: May 2, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Vyacheslav Kuznetsov, Vinod R. Shankar, Andrea D'Amato, David Allen Dion
  • Patent number: 9607143
    Abstract: Disclosed are various embodiments for provisioning account credentials via a trusted channel. An identification of an account is received. A security credential reset corresponding to the account is requested. The account is linked to a trusted channel of communication for reset purposes. A security credential communication corresponding to the account is received via the trusted channel of communication. The security credential communication may be parsed to obtain a token.
    Type: Grant
    Filed: May 15, 2015
    Date of Patent: March 28, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: William Alexander Strand, Jesper Mikael Johansson, Luan Khai Nguyen
  • Patent number: 9467442
    Abstract: Techniques are disclosed for rapidly securing a server in response to a request for a high-assurance digital certificate. As described, a CA may issue a basic tier certificate after performing a verification process to confirm that a party requesting a certificate for a given network domain, in fact, has control of that domain. Once issued and provisioned on the server, the server can establish secure connections with clients. At the same time, the CA continues to perform progressive identity verification processes for progressively higher tiers of certificates. Once the identity verification process at each tier is complete, the CA issues a new certificate for the corresponding tier, which may then be provisioned on the server. After performing all of the identity verification processes, the server can issue the requested high-assurance certificate.
    Type: Grant
    Filed: May 23, 2014
    Date of Patent: October 11, 2016
    Assignee: Symantec Corporation
    Inventor: Michael Klieman
  • Patent number: 9313033
    Abstract: A first device with a changing identity establishes a secure connection with a second device in a network by acting as its own certificate authority. The first device issues itself a self-signed root certificate that binds an identity of the first device to a long-term public key of the first device. The root certificate is digitally signed using a long-term private key, where the long-term public key and the long-term private key form a public/private key pair. The first device provides its root certificate to the second device in any trusted manner. The first device can then create a certificate for one or more short-term identities acquired by the first device and sign the newly-created certificate using the long-term private key. The first device can authenticate itself to the second device by sending the newly-created certificate to the second device.
    Type: Grant
    Filed: July 24, 2014
    Date of Patent: April 12, 2016
    Assignee: BLACKBERRY LIMITED
    Inventors: Michael Stephen Brown, David Francis Tapuska
  • Patent number: 9282091
    Abstract: An information processing system includes a common service providing unit configured to manage a user with organization identification information, user identification information, and unique identification information, and to provide a common service; and an application service providing unit configured to manage a user with user identification information, and to provide an application service by using the common service.
    Type: Grant
    Filed: January 27, 2014
    Date of Patent: March 8, 2016
    Assignee: RICOH COMPANY, LTD.
    Inventor: Hideharu Ohkuma
  • Patent number: 9191214
    Abstract: Procedure for a multiple digital signature. It comprises: i) generating, by a Trusted Third Party (T), a private key for each signer or member (F1, F2, . . . , Ft) of a group of signers (G); ii) generating, by each of said signers (F1, F2, . . . , Ft), a partial signature of a document (M) using their private keys; iii) generating a multiple signature from said partial signatures; and iv) verifying said multiple signature. It further comprises generating, by the Trusted Third Party (T), a common public key for all of said signers (F1, F2, . . . , Ft) and using said common public key for performing said multiple signature verification of iv).
    Type: Grant
    Filed: May 9, 2012
    Date of Patent: November 17, 2015
    Assignee: Telefonica, S.A.
    Inventors: Luis Hernández Encinas, Jaime Muñoz Masqué, José Raúl Durán Díaz, Fernando Hernández Álvarez, Victor Gayoso Martínez
  • Patent number: 9154307
    Abstract: An apparatus, system and method are provided for bridging (i) a certificate registration apparatus that communicates with a certificate deployment target based on a specific certificate deployment protocol and (ii) a target deployment device that is not configured to conform to the specific certificate deployment protocol, within a public key infrastructure (PKI).
    Type: Grant
    Filed: September 23, 2013
    Date of Patent: October 6, 2015
    Assignee: RICOH COMPANY, LTD.
    Inventor: Tomoki Hattori
  • Patent number: 9130757
    Abstract: According to one embodiment of the present invention, a method for protecting authenticated communication in dynamic federated environments is provided. The method includes distributing shares of a private signature key to a group of users. When switching from an existing to a new group of users, the method includes producing a plurality of sub-shares from each of the distributed shares of existing users, with each sub-share being accompanied by a corresponding validity proof. The sub-shares from multiple existing users are combined to generate a set of shares for new users, with each new share being derived from sub-shares from multiple existing users.
    Type: Grant
    Filed: August 11, 2008
    Date of Patent: September 8, 2015
    Assignee: International Business Machines Corporation
    Inventors: Nelly Fazio, Richard Andrew Golding, Theodore Ming-Tao Wong
  • Patent number: 9098710
    Abstract: According to one general aspect, a computer-implemented method for implementing default security features for web applications and browser extensions includes receiving a request to include a web application or a web browser extension in a digital marketplace. A determination is made if the web application or the web browser extension conforms to default security features, wherein the default security features include a prohibition against running in-line script on web pages. The web application or the browser extension is included in the digital marketplace if the web application or the browser extension conforms to the default security features.
    Type: Grant
    Filed: September 17, 2013
    Date of Patent: August 4, 2015
    Assignee: GOOGLE INC.
    Inventors: Erik Kay, Adam Barth
  • Patent number: 9071843
    Abstract: Systems, methods and computer readable media are disclosed for a vectorized tile differencing algorithm for a remote desktop protocol (RDP). A server executes a CBC-variant vectorized hash algorithm that is used to produce a big key that identifies the tile, and keeps track of these big keys. Where a serial version of the algorithm operates on a single portion of the image at once—such as 32 bits—the vectorized algorithm operates on a plurality of these portions simultaneously. Where the server identifies that a tile has already been sent to a client via RDP because it has a second big key that matches the big key, it sends the big key to the client—which caches received tiles—and the client uses it to access the proper tile for display. Where the server identifies that a tile has not already been sent to the client, it sends the client the tile.
    Type: Grant
    Filed: February 26, 2009
    Date of Patent: June 30, 2015
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Nadim Y. Abdo, Voicu Anton Albu
  • Patent number: 9064105
    Abstract: There are provided an information processing apparatus which provides a user credential sharing service on a user credential sharing condition intended by a vendor that creates an application, and a control method for the information processing apparatus. To accomplish this, the information processing apparatus generates sharing settings which define a sharing condition for each item of a user credential among applications according to a manifest file acquired from each application. Upon receiving a request for a user credential from one of the applications, the information processing apparatus provides the user credential to the requesting application according to the generated sharing settings.
    Type: Grant
    Filed: September 21, 2011
    Date of Patent: June 23, 2015
    Assignee: Canon Kabushiki Kaisha
    Inventor: Yasuhiro Hosoda
  • Patent number: 9026794
    Abstract: An information processing system including a medium where a content to be played is stored; and a playing apparatus for playing a content stored in the medium; with the playing apparatus being configured to selectively activate a playing program according to a content type to be played, to obtain a device certificate correlated with the playing program from storage by executing the playing program, and to transmit the obtained device certificate to the medium; with the device certificate being a device certificate for content types in which content type information where the device certificate is available is recorded; and with the medium determining whether or not an encryption key with reading being requested from the playing apparatus is an encryption key for decrypting an encrypted content matching an available content type recorded in the device certificate, and permitting readout of the encryption key only in the case of matching.
    Type: Grant
    Filed: July 11, 2012
    Date of Patent: May 5, 2015
    Assignee: Sony Corporation
    Inventors: Kenjiro Ueda, Hiroshi Kuno, Takamichi Hayashi
  • Patent number: 9021255
    Abstract: A method includes (a) receiving, at a computing device, a first certificate signing request (1CSR) from a certificate authority (CA), the 1CSR including an embedded second certificate signing request (2CSR), the 2CSR having been received by the CA from an entity seeking a signed certificate from the CA that validates an identity claim made by the entity in the 2CSR, the CA having performed a preliminary verification of the 2CSR prior to embedding it in the 1CSR, (b) verifying that the 1CSR came from the CA, (c) performing a verification procedure on the embedded 2CSR independent of the preliminary verification performed by the CA, to validate the identity claim made by the entity in the 2CSR, and (d) upon successfully validating the identity claim made by the entity in the 2CSR, sending a certificate to the CA, the certificate validating the identity claim made by the entity in the 2CSR.
    Type: Grant
    Filed: June 29, 2012
    Date of Patent: April 28, 2015
    Assignee: EMC Corporation
    Inventors: Idan Aharoni, Roy Hodgman, Ingo Schubert
  • Patent number: 9009808
    Abstract: Systems and methods for authenticating a media device or other information handling system so as to be able to receive content from one or more media content providers. Authenticating the device includes determining what authentication information the media content providers require for access and then generating and providing to the media device an authentication token that includes the required information. In some embodiments this may be accomplished by a service center, which removes the need for additional authentication steps to be performed by the media device or the media content providers. In addition, the service center may also determine when changes are made to the authentication information and may then ensure that the authentication token is changed or updated to reflect these changes. This ensures that the media device is at least partially immune to changes to authentication.
    Type: Grant
    Filed: January 27, 2014
    Date of Patent: April 14, 2015
    Assignee: Dell Products L.P.
    Inventors: Mark Andrew Ross, Timothy Bucher
  • Patent number: 9009735
    Abstract: Embodiments of the present invention provide a method for processing data, a computing node, and a system. The method includes: registering, by a BPE, an algorithm with a CEP instance; transferring, by the CEP instance when detecting that an event concerned by the algorithm satisfies a computation-triggering condition, an event required for computation to the BPE; obtaining, by the BPE, a computation result, and if determining that a further computation is required for the computation result, writing the computation result as an intermediate event to the CEP instance; and transferring, by the CEP instance when detecting that an event concerned by another algorithm satisfies a computation-triggering condition thereof and the intermediate event is an event required for computation thereof, the intermediate event to a BPE that registers the other algorithm. The CEP instance performs association of multiple events and multiple algorithms, which simplifies a computation process and improves timeliness.
    Type: Grant
    Filed: November 15, 2013
    Date of Patent: April 14, 2015
    Assignee: Huawei Technologies Co., Ltd.
    Inventor: Tianhu Zhang
  • Publication number: 20150100780
    Abstract: Example methods disclosed herein include intercepting, with a meter executing on a computing device, a request sent by a client application to establish a secure communication session with a network server. Such disclosed example methods also include receiving, at the meter in response to forwarding the request to the network server, a first public key provided by the network server for encrypting a session key, and providing, from the meter to the client application, a second public key associated with the meter instead of the first public key provided by the network server in response to the request being intercepted. Such disclosed example methods further include using the first public key and a private key associated with the second public key to enable the meter to access an unencrypted version of the session key, and monitoring, with the meter, the network traffic using the unencrypted version of the session key.
    Type: Application
    Filed: December 4, 2014
    Publication date: April 9, 2015
    Inventors: Jonathon Brett Rubin, Jan Besehanic, Robert Peter Borland
  • Patent number: 9003182
    Abstract: A wireless communication system includes a pager or similar device that communicates to a home terminal. The home terminal confirms the identity of the pager and attaches a certificate to the message for ongoing transmission. Where the recipient is also a pager, an associated home terminal verifies the transmission and forwards it in a trusted manner without the certificate to the recipient.
    Type: Grant
    Filed: July 13, 2012
    Date of Patent: April 7, 2015
    Assignees: Certicom Corp., Motorola, Inc.
    Inventors: Walter Lee Davis, Douglas I. Ayerst, Scott Alexander Vanstone
  • Patent number: 8990890
    Abstract: In a first embodiment of the present invention, a method for operating a presence server in a home network is provided, the method comprising: receiving a request for presence information; sending an event notification to all subscribed control points informing them of the request for presence information; receiving an action from one of the subscribed control points accepting or rejecting the request for presence information; and if the action received from the one of the subscribed control points accepts the request for presence information, causing presence information regarding the one of the subscribed control points to be sent to the entity that sent the request for presence information.
    Type: Grant
    Filed: April 27, 2011
    Date of Patent: March 24, 2015
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Mahfuzur Rahman, Russell Berkoff
  • Patent number: 8977756
    Abstract: Greater network utilization is implemented through dynamic network reconfiguration and allocation of network services and resources based on the data to be transferred and the consumer transferring it. A hierarchical system is utilized whereby requests from lower layers are aggregated before being provided to upper layers, and allocations received from upper layers are distributed to lower layers. To maximize network utilization, paths through the network are reconfigured by identifying specific types of packets that are to be flagged in a specific manner, and then by further identifying specific routing rules to be applied in the transmission of such packets. Network reconfiguration is performed on an incremental basis to avoid overloading a path, and capacity can be reserved along one or more paths to prevent such overloading. Background data is agnostic as to specific transmission times and is utilized to prevent overloading due to reconfiguration.
    Type: Grant
    Filed: January 10, 2013
    Date of Patent: March 10, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Vijay Gill, Chi-Yao Hong, Srikanth Kandula, Ratul Mahajan, Mohan Nanduri, Roger Peter Wattenhofer, Ming Zhang
  • Patent number: 8972300
    Abstract: A transmission device including: copy unit that extracts part or all of partial contents, as tracking information, from a content, and copies the extracted tracking information, thereby generating pieces of tracking information; candidate information obtaining unit that obtains pieces of candidate information respectively corresponding to the pieces of tracking information; evidence information obtaining unit that obtains evidence information generated dependently on a piece of candidate information selected by the reception device from among the pieces of candidate information; hash generating unit that generates hash values respectively in accordance with the pieces of candidate information; embed unit that embeds the hash values respectively into the pieces of tracking information, and embeds the evidence information into each piece of tracking information; and transmit unit that transmits each piece of tracking information in which a hash value and the evidence information have been embedded.
    Type: Grant
    Filed: April 26, 2007
    Date of Patent: March 3, 2015
    Assignee: Panasonic Corporation
    Inventors: Masao Nonaka, Toshihisa Nakano, Yuichi Futa, Motoji Ohmori, Kazukuni Kobara, Ryo Nojima, Hideki Imai
  • Patent number: 8964974
    Abstract: Techniques for injecting encryption keys into a meter as a part of a manufacturing process are discussed. Since various encryption keys injected into meters may be specific to each individual meter, a utility company customer may require a copy of the injected encryption keys associated with each individual meter. The techniques may include providing a copy of keys injected into each meter to a utility company customer. In some instances, the meter manufacturer may not store or persist various encryption keys that are injected into the meters during the manufacturing process.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: February 24, 2015
    Assignee: Itron, Inc.
    Inventor: Bret Gregory Holmdahl
  • Patent number: 8959645
    Abstract: A distributed operation is performed using at least one first and second computer-based object, wherein control information is used to influence or determine a property, a function of the first and/or second computer-based objects. The control information includes details of a parameter identifier, a value associated with the parameter identifier, a range of validity and a remote access attribute. The control information is provided in a retrievable manner, according to the included range of validity, in a memory organized according to ranges of validity and is associated with the first computer-based object. During a function or service call for performing the distributed operation, which is sent from the first computer-based object to the second, the control information is transmitted to the second computer-based object, provided in a retrievable manner in the memory organized according to the ranges of validity and associated with the second computer-based object.
    Type: Grant
    Filed: September 2, 2009
    Date of Patent: February 17, 2015
    Assignee: Siemens Aktiengesellschaft
    Inventors: Harald Herberth, Ulrich Kröger, Allan Sobihard
  • Patent number: 8959598
    Abstract: A method and system for roaming between heterogeneous networks. The method involves authenticating a mobile communication device on a first network, and providing the device with a single-use token that can be used to sign on to a second network without requiring conventional re-authentication over the second network.
    Type: Grant
    Filed: September 28, 2012
    Date of Patent: February 17, 2015
    Assignee: BCE Inc.
    Inventor: Brian Norman Smith
  • Patent number: 8959337
    Abstract: A message including a digital signature is received at a processor. It is determined whether a specific authorized certificate issuer is configured for a message originator within a data protection policy. In response to determining that the specific authorized certificate issuer is configured for the message originator within the data protection policy, it is determined whether a message originator certificate used to generate the digital signature is issued by the configured specific authorized certificate issuer.
    Type: Grant
    Filed: June 25, 2012
    Date of Patent: February 17, 2015
    Assignee: International Business Machines Corporation
    Inventors: Bret W. Dixon, Jonathan L. Rumsey
  • Patent number: 8954732
    Abstract: In one example, a platform device includes a control unit configured to receive a first software package signed by a first software development entity with a first certificate of a first certificate hierarchy associated with the first software development entity, execute the first software package only after determining that a root of the first certificate hierarchy corresponds to a certificate authority of a developer of the platform device, receive a second software package signed by a second software development entity with a second certificate of a second certificate hierarchy associated with the second software development entity, wherein the second certificate hierarchy is different than the first certificate hierarchy, and execute the second software package only after determining that a root of the second certificate hierarchy corresponds to the certificate authority of the developer of the platform device.
    Type: Grant
    Filed: June 27, 2012
    Date of Patent: February 10, 2015
    Assignee: Juniper Networks, Inc.
    Inventors: Kent A. Watsen, Alex Kolchinsky
  • Patent number: 8949943
    Abstract: A third-party can subscribe to one or more electronic message group lists without joining the group lists by creating a trust relationship between the subscriber and a group list member. In particular, the subscriber can send a trust indicator to the group member, who can then determine whether to accept the trust indicator for all or specific groups that are associated with the group member, as appropriate. In at least one embodiment, the group member can send a trust indicator acceptance message to the subscriber that identifies the group member, and any or all group lists associated with the group member. The subscriber can then receive messages directed to the trusted group member or group lists, and can send group messages to the group lists subject to a receive setting associated with the group lists or group members of the group lists.
    Type: Grant
    Filed: August 29, 2012
    Date of Patent: February 3, 2015
    Assignee: Facebook, Inc.
    Inventor: Richard A. Landsman
  • Patent number: 8943551
    Abstract: Device information for each of multiple devices associated with a user account is maintained by a cloud service. The device information can include credential information allowing the device to be accessed by other ones of the multiple devices, remote access information indicating how the device can be accessed by other ones of the multiple devices on other networks, and property information including settings and/or device drivers for the device. The device information for each of the multiple devices is made available to other ones of the multiple devices, and can be used by the multiple devices to access one another and provide a consistent user experience across the multiple devices.
    Type: Grant
    Filed: May 23, 2011
    Date of Patent: January 27, 2015
    Assignee: Microsoft Corporation
    Inventors: Narayanan Ganapathy, Esaias E. Greeff
  • Patent number: 8943323
    Abstract: A method is provided for provisioning a device certificate. A device certificate request is transmitted from a communication device to a server in a communication network using an established communications channel between the communication device and the server. The device certificate request comprises at least a user identifier and a device identifier. The server provides to the communication device a device certificate that includes the user identifier and the device identifier and that is signed by a private key of a certificate authority.
    Type: Grant
    Filed: May 1, 2012
    Date of Patent: January 27, 2015
    Assignee: BlackBerry Limited
    Inventors: Michael K. Brown, Michael S. Brown, Michael Kirkup
  • Patent number: 8938614
    Abstract: The invention relates to a motor vehicle electronics device comprising a first interface (116) for establishing a first connection to a first ID token (134) in order to read data from the first ID token, a memory (104) for storing a certificate, means (122) for the cryptographic authentication with respect to the first ID token using the certificate, means (130) for actuating at least one display apparatus (136, 138) for reproducing the data, and a second interface (118) for storing the certificate in the memory.
    Type: Grant
    Filed: July 24, 2009
    Date of Patent: January 20, 2015
    Assignee: Bundesdruckerei GmbH
    Inventors: Jorg Fischer, Frank Dietrich, Manfred Paeschke
  • Patent number: 8935525
    Abstract: A unique TIO based trust information delivery scheme is disclosed that allows clients to verify received certificates and to control Java and Javascript access efficiently. This scheme fits into the certificate verification process in SSL to provide a secure connection between a client and a Web server. In particular, the scheme is well suited for incorporation into consumer devices that have a limited footprint, such as set-top boxes, cell phones, and handheld computers. Furthermore, the TIO update scheme disclosed herein allows clients to update certificates securely and dynamically.
    Type: Grant
    Filed: April 16, 2013
    Date of Patent: January 13, 2015
    Assignee: TVWorks, LLC
    Inventor: Sihai Xiao
  • Publication number: 20150006888
    Abstract: A method for assembling authorization certificate chains among an authorizer, a client, and a third party allows the client to retain control over third party access. The client stores a first certificate from the authorizer providing access to a protected resource and delegates some or all of the privileges in the first certificate to the third party in a second certificate. The client stores a universal resource identifier (URI) associated with both the first certificate and the third party and provides the second certificate and the URI to the third party. The third party requests access to the protected resource by providing the second certificate and the URI, without knowledge or possession of the first certificate. When the authorizer accesses the URI, the client provides the first certificate to the authorizer, so that the client retains control over the third party's access.
    Type: Application
    Filed: September 16, 2014
    Publication date: January 1, 2015
    Inventor: Victor B. Lortz
  • Patent number: 8925055
    Abstract: A DRM client on a device establishes trust with a DRM server for playback of digital content. The client executes in a secure execution environment, and the process includes (1) securely loading loader code from secure programmable memory and verifying it using a digital signature scheme and first key securely stored in the device; (2) by the verified loader code, loading DRM client code from the memory and verifying it using a digital signature scheme and second key included in the loader code; (3) by the verified DRM client code (a) obtaining a domain key from the memory; (b) encrypting the domain key with a device identifier using a DRM system key included in the DRM client code; and (c) sending the encrypted domain key and device identifier to the DRM server, whereby the device becomes registered to receive content licenses via secure communications encrypted using the domain key.
    Type: Grant
    Filed: December 7, 2012
    Date of Patent: December 30, 2014
    Assignee: Telefonaktiebolaget LM Ericsson (Publ)
    Inventors: Raj Nair, Mikhail Mikhailov, Kevin J. Ma
  • Patent number: 8924709
    Abstract: A method for encrypting print jobs that includes receiving output data, encrypting the output data with a randomly-generated symmetric session key, generating a session key header by encrypting the randomly-generated symmetric session key using an asymmetric user public key, and encrypting the session key header using a server public key.
    Type: Grant
    Filed: December 31, 2012
    Date of Patent: December 30, 2014
    Assignee: Lexmark International, Inc.
    Inventors: Forrest Steely, Albert Tyler Barnett
  • Patent number: 8918848
    Abstract: Methods and systems for third party client authentication of a client. A method includes displaying a user interface on a display of the client, the user interface including an option to select a supported credential type of a third party authentication server, receiving a command selecting the supported credential type, and sending credential information and the selected supported credential type to an authentication server for third party authentication by the third party authentication server. The third party authentication server may support a token-based authentication protocol for implementing single sign on (SSO).
    Type: Grant
    Filed: April 26, 2010
    Date of Patent: December 23, 2014
    Assignee: BlackBerry Limited
    Inventors: Girish Kumar Sharma, Lenny Kwok-Ming Hon, Joseph Daniel Burjoski, Kenneth Cyril Schneider
  • Patent number: 8914629
    Abstract: An example method disclosed herein to monitor Internet usage comprises intercepting, using a kernel extension executing in an operating system kernel of a device, a first request to be sent to a content source by a monitored client executing on the device, providing a first certificate to the client in response to intercepting the first request sent by the client to the content source, the first certificate associated with a meter that is to monitor Internet usage, sending a second request to the content source, receiving a second certificate that is associated with the content source in response to sending the second request to the content source, and obtaining a session key to decrypt encrypted traffic exchanged between the content source and the client, the session key being obtained from the client based on the first certificate and being sent to the content source based on the second certificate.
    Type: Grant
    Filed: January 30, 2012
    Date of Patent: December 16, 2014
    Assignee: The Nielsen Company (US), LLC
    Inventors: Jonathon Brett Rubin, Jan Besehanic, Robert Peter Borland
  • Patent number: 8914859
    Abstract: Obfuscating a message, in one aspect, may include detecting sensitive information in a message to be broadcast into public or quasi-public computer network environment; replacing the sensitive information in the message with a representation that preserves general aspects of the sensitive information and a user interface element, the user interface element for enabling a viewer of the message to request access to details of the sensitive information; and transmitting the replaced message for broadcasting into the public or quasi-public computer network environment. De-obfuscating the message, in one aspect, may include authenticating one or more viewers or receivers of the message and based on the authentication, presenting details associated with the sensitive information.
    Type: Grant
    Filed: November 7, 2011
    Date of Patent: December 16, 2014
    Assignee: International Business Machines Corporation
    Inventors: Thomas D. Erickson, David W. Levine
  • Patent number: 8914639
    Abstract: A computer implemented method and apparatus for one-step signature trust of digitally signed documents comprising determining whether a digital signature is otherwise valid except for a lack of trust in a digital certificate; offering a recipient an option to establish trust in the digital certificate; and adding the digital certificate to a list of the recipient's trusted digital certificates when recipient opts to establish trust.
    Type: Grant
    Filed: April 27, 2012
    Date of Patent: December 16, 2014
    Assignee: Adobe Systems Incorporated
    Inventor: Kevin Ainslee Hogan
  • Patent number: 8909776
    Abstract: A method, apparatus, and system of pause and replay of media content through bookmarks on a server device are disclosed. In one embodiment, a method of a server device includes authenticating a user of a client device, communicating a media content to the client device through a network, processing a pause request of the client device to pause the media content, storing a bookmark location indicating a current playback location of the media content in the client device on the server device, processing a play request of the user to play the media content from the bookmark location (e.g., the play request may be received from a different client device of the user), and communicating the media content from the bookmark location to the user.
    Type: Grant
    Filed: December 1, 2010
    Date of Patent: December 9, 2014
    Inventors: Arun Kalmanje, Sachin Gupta
  • Patent number: 8898739
    Abstract: Data storage and management systems can be interconnected as clustered systems to distribute data and operational loading. Further, independent clustered storage systems can be associated to form peered clusters. Provided herein are methods and systems for creating and managing intercluster relationships between independent clustered storage systems, allowing the respective independent clustered storage systems to exchange data and distribute management operations between each other while mitigating administrator involvement. Cluster introduction information is provided on a network interface of one or more nodes in a cluster, and intercluster relationships are created between peer clusters. A relationship can be created by initiating contact with a peer using a logical interface, and respective peers retrieving the introduction information provided on the network interface.
    Type: Grant
    Filed: November 22, 2013
    Date of Patent: November 25, 2014
    Assignee: NetApp, Inc.
    Inventor: Steven M. Ewing
  • Patent number: 8898738
    Abstract: The present invention discloses an apparatus, system and method for accessing an internet webpage. The system includes a user terminal and a proxy server. The user terminal is configured to initiate an access request to the proxy server, the access request including URL information of a target webpage which carries an identifier of requiring security authentication, and to receive and display target webpage information outputted from the proxy server. The proxy server is configured to receive the access request, perform security authentication on the URL information of the target webpage which carries the identifier of requiring security authentication according to pre-stored webpage security database information, and, if the security authentication is passed, obtain the target webpage information and output the target webpage information to the user terminal. By applying the present invention, network delay overload for accessing the internet webpage can be reduced, and user experience can be improved.
    Type: Grant
    Filed: December 12, 2011
    Date of Patent: November 25, 2014
    Assignee: Tencent Technology (Shenzhen) Company Limited
    Inventors: Peng Hu, Zijun Zhang, Wenbing Ge
  • Publication number: 20140337619
    Abstract: A first device with a changing identity establishes a secure connection with a second device in a network by acting as its own certificate authority. The first device issues itself a self-signed root certificate that binds an identity of the first device to a long-term public key of the first device. The root certificate is digitally signed using a long-term private key, where the long-term public key and the long-term private key form a public/private key pair. The first device provides its root certificate to the second device in any trusted manner. The first device can then create a certificate for one or more short-term identities acquired by the first device and sign the newly-created certificate using the long-term private key. The first device can authenticate itself to the second device by sending the newly-created certificate to the second device.
    Type: Application
    Filed: July 24, 2014
    Publication date: November 13, 2014
    Inventors: Michael Stephen Brown, David Francis Tapuska
  • Patent number: 8886929
    Abstract: A method includes generating a chain of trust for a virtual endpoint. The virtual endpoint is associated with a layered architecture that includes layers, which include a physical layer. For each layer, a code image of a process of the layer is measured before the process is loaded to form a node of the chain of trust.
    Type: Grant
    Filed: March 29, 2006
    Date of Patent: November 11, 2014
    Assignee: Intel Corporation
    Inventors: Ned M. Smith, Palanivel Rajan Shanmugavelayutham, Rao Pitla, Ioan E. Scumpu
  • Patent number: 8881259
    Abstract: Methods, devices, and storage media storing instructions to obtain logs from a security device and one or multiple service-providing devices, wherein the logs include information pertaining to traffic flow activity at an application layer associated with a service; store rules that identify behavior ranging from unintentional through intentional for one or multiple communication layers including an application layer; interpret the logs based on the rules; determine whether a violation exists based on the interpreting; and generate a notification that indicates the violation exists in response to a determination that the violation exists.
    Type: Grant
    Filed: December 18, 2012
    Date of Patent: November 4, 2014
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Shawn Ferdinand, Jeffrey Allen Haltom, Rachel Lee Scarbrough, Mark A. Nicholson
  • Patent number: 8880877
    Abstract: A method for assembling authorization certificate chains among an authorizer, a client, and a third party allows the client to retain control over third party access. The client stores a first certificate from the authorizer providing access to a protected resource and delegates some or all of the privileges in the first certificate to the third party in a second certificate. The client stores a universal resource identifier (URI) associated with both the first certificate and the third party and provides the second certificate and the URI to the third party. The third party requests access to the protected resource by providing the second certificate and the URI, without knowledge or possession of the first certificate. When the authorizer accesses the URI, the client provides the first certificate to the authorizer, so that the client retains control over the third party's access.
    Type: Grant
    Filed: December 22, 2011
    Date of Patent: November 4, 2014
    Assignee: Intel Corporation
    Inventor: Victor B. Lortz
  • Patent number: 8868904
    Abstract: A configuration is provided wherein usage restrictions of an application are determined in accordance with timestamps. A certificate revocation list (CRL), in which the revocation information of a content owner who is a providing entity of an application program recorded in a disc is recorded, is referred to in order to verify whether or not a content owner identifier recorded in an application certificate is included in the CRL. In the case that the content owner identifier is included in the CRL, a comparison between a timestamp stored in a content certificate and a CRL timestamp is executed, and in the case that the content certificate timestamp has date data equal to or later than the CRL timestamp, utilization processing of the application program is prohibited or restricted. According to the present configuration, a configuration is realized wherein an unrevoked application is not subjected to utilization restriction, and only a revoked application is subjected to utilization restriction.
    Type: Grant
    Filed: January 20, 2009
    Date of Patent: October 21, 2014
    Assignee: Sony Corporation
    Inventors: Kenjiro Ueda, Tateo Oishi, Katsumi Muramatsu, Motoki Kato, Yoshiyuki Kobayashi
  • Publication number: 20140304503
    Abstract: Two approaches are provided for distributing trust among certificate authorities. Each approach may be used to secure data in motion. One approach provides methods and systems in which a secure data parser is used to distribute trust in a set of certificate authorities during initial negotiation (e.g., the key establishment phase) of a connection between two devices. Another approach of the present invention provides methods and systems in which the secure data parser is used to disperse packets of data into shares. A set of tunnels is established within a communication channel using a set of certificate authorities, keys developed during the establishment of the tunnels are used to encrypt shares of data for each of the tunnels, and the shares of data are transmitted through each of the tunnels. Accordingly, trust is distributed among a set of certificate authorities in the structure of the communication channel itself.
    Type: Application
    Filed: April 15, 2014
    Publication date: October 9, 2014
    Applicant: SECURITY FIRST CORP.
    Inventors: Mark S. O'Hare, Rick L. Orsini, Stephen C. Bono, Gabriel D. Landau, Seth James Nielson
  • Patent number: 8856308
    Abstract: Embodiments are directed towards cloud scale automatic identity management. A floating network may be established using agents operative on hosts across one or more networks. Each node of the floating network is resident on a host (computer or cloud instance) that includes an agent configured to perform one or more networking tasks that establish the floating network. Parent nodes may be nodes designated as points in the floating network for adding additional nodes. Accordingly, each parent node includes at least one parent agent that includes at least parent credentials. Agent installers provided to a host may generate a child agent for the host that includes child credentials generated based on its parent credentials. An unambiguous identity value for the new child node may be determined by tracing a trust relationship path from the child node to the root node of the floating network.
    Type: Grant
    Filed: March 20, 2014
    Date of Patent: October 7, 2014
    Assignee: Union Bay Networks, Inc.
    Inventors: Benn Sapin Bollay, Jonathan Mini Hawthorne