Abstract: At least a method for verifying the authenticity of one or more authentication messages in an authentication procedure between a network and a mobile device is described wherein the method comprises: sending an authentication request through a first radio access node to a said mobile device, said radio access node being associated with first location information; said mobile device generating second location information associated with the location of said mobile device; and, verifying the authenticity of the origin of said authentication request by checking if said second location information comprises said first location information.

Abstract: In a method for managing use information of a measurement device, an operating interface of the device is locked before the device is operated. When a user starts to use the device, the method provides a login interface to verify whether the user is authorized to login the operating interface. If the user is authorized to login the operating interface, the operating interface is unlocked and the method records first information of starting to operate the device. After finishing the operation or when an elapsed time of the device not in use is greater than a predetermined time, the method controls the user to log out the operating interface, records second information of finishing the operation, and the operating interface is locked. The first information and the second information are saved in a text file.

Abstract: A node device provides secure communication services over a data network, such as the Internet or another public or private packet switched network, to multiple computers that are coupled through the node device and multiple other node devices. The node device includes a network communication interface for coupling the node device to the data network. The node device includes a data storage containing cryptographic information including information that is unique to the node device. The node device also includes a tunneling communication service coupled to the network interface configured to maintaining an encrypted communication tunnel with each of multiple other node devices using the cryptographic information. For example, the encrypted communication tunnels are implemented using the IPsec or PPTP protocols. The node device includes a routing database for holding routing data and a router coupled to the tunneling communication service and to the routing database.

Abstract: Plural modes of operation may be established on a mobile device. Specific modes of operation of the mobile device may be associated with specific spaces in memory. By using a “class” designation within the existing certificate store structure and key store structure, certificates and keys can be assigned to one space among plural spaces. Accordingly, a personal certificate store and a personal key store may exist in a personal space. Similarly, a corporate certificate store and a corporate key store may exist in a corporate space. APIs designed to work within such a system may be arranged to employ a “class” attribute when managing certificates and cryptographic keys.

Abstract: This disclosure describes techniques for dynamically assembling and utilizing a pedigree of a resource. A pedigree of a resource is a set of statements that describe a provenance of the resource. As described herein, a document may include local pedigree fragments and optionally one or more pointers to remote pedigree fragments not locally stored in the document. A pedigree fragment, generally, is a data structure that specifies a direct relationship between a first resource, e.g., a primary resource, and a second resource from which an asserted fact of the first resource is derived. Because a pedigree fragment specifies such direct relationships, a set of pedigree fragments may be used to assemble the complete pedigree of resource.

Abstract: A network component comprising at least one processor configured to implement a method comprising deriving a Master Session Key (MSK) using a secret key and at least one parameter obtained from an Extensible Authentication Protocol (EAP) sequence, deriving a first Pairwise Master Key (PMK) and a second PMK from the MSK, authenticating with a home gateway (HG) using the first PMK, and authenticating with an end point using the second PMK. Included is an apparatus comprising a node comprising an access controller (AC) and a protocol for carrying authentication for network access (PANA) Authentication Agent (PAA), wherein the AC is configured to manage authentication for a UE, and wherein the PAA is configured to implement a PANA to forward authentication information related to the UE.

Abstract: A card to card transfer method used in the financial system is provided in the present invention, and comprises an initializing step, a transferring step and a transaction confirming step, wherein the initializing step includes the steps of calculating and obtaining the public key certificate and checking the amount of the transaction and so on, and the transferring step includes the steps of performing the transaction and so on. The present invention can achieve the function of transferring the electronic cash between two cards and can prevent the risk of repeatedly transferring the money into the card for transfer-in by using the card for transfer-out and so on.

Abstract: Erroneous deletion of data due to a collision of digest information during data de-duplication using digest information is prevented. When backup data is stored on a backup server 1100, digest information of the backup data is generated and stored in a digest information management table 4200. In addition, when a backup data storage request is made to the backup server 1100, a digest information verification control sub-program 1127 generates digest information of data to be backed up, and performs verification against the digest information of the backed up data already stored on the backup server 1100. If, by this verification, it is found that backed up data having the same digest information is already stored, de-duplication is realized by reusing the existing backed up data without newly storing the data to be backed up.

Abstract: Embodiments of the invention provide systems and methods for providing service level, policy-based QoS enforcement on a network or networks. According to one embodiment, a system can comprise at least one communications network, a first endpoint communicatively coupled with the communications network, and a second endpoint communicatively coupled with the communications network and can monitor traffic on the communications network between the first endpoint and the second endpoint. A policy enforcer can be communicatively coupled with the network monitor. The policy enforcer can apply one or more policies based the traffic between the first endpoint and the second endpoint. The one or more policies can define a Quality of Service (QoS) for the traffic between the first endpoint and the second endpoint and can apply the policies to affect the traffic between the endpoints to maintain the QoS defined by the one or more policies.

Abstract: An example method disclosed herein to monitor Internet usage comprises intercepting, using a kernel extension executing in an operating system kernel of a device, a first request to be sent to a content source by a monitored client executing on the device, providing a first certificate to the client in response to intercepting the first request sent by the client to the content source, the first certificate associated with a meter that is to monitor Internet usage, sending a second request to the content source, receiving a second certificate that is associated with the content source in response to sending the second request to the content source, and obtaining a session key to decrypt encrypted traffic exchanged between the content source and the client, the session key being obtained from the client based on the first certificate and being sent to the content source based on the second certificate.

Abstract: A root-account management apparatus generates an electronic signature based on a survival condition and a secret key when an authentication result of a user of a client apparatus is proper, and transmits derived-account credence element information including the survival condition, the electronic signature and a public key certificate to a derived-account management apparatus. The derived-account management apparatus creates derived-account information which becomes valid when the survival condition is satisfied so that the derived-account information includes both the derived-account credence element information which becomes invalid when a validity term of the public key certificate expires and a biometric information template of the user which is valid regardless of this validity term. Accordingly, even if an authentication element as a root (public key certificate) becomes invalid, a derived authentication element (biometric information template) can be prevented from becoming invalid.

Abstract: An authorization assisting device sends to the VBN server an authorization request for access to the WAN by a requesting user device. A registration driver has a set of assignable IP address ranges for multiple routing realms, and assigns an IP address to a user device from a relevant IP address range depending on a routing realm from which communication from the user device is received. The assignable IP address ranges include one or more authorization address ranges from which the registration driver assigns an IP address to a user device whose authorization request is received from the authorization assisting device. An authorization module processes the authorization request to generate an authorization response granting or denying access to the WAN by the requesting user device based on registration data in a registration data store and the information in the authorization request.

Abstract: Provided are a method, system, and program for managing locks enabling access to a shared resource. A first server receives a lock request from a client for the shared resource. A determination is made as to whether a second server owns the client locks. The first server issues a request to the second server to transfer ownership of the client locks to the first server, wherein the client lock requests are handled by the server owning the client locks.

Abstract: Proposed is a Capability Management System (CMS) in a distributed computing environment that controls access to multiple objects by multiple subjects based upon a specified access order. A capability is dynamically constructed when the capability is needed. After the capability is used to access an object, a new capability is generated. In the alternative, multiple capabilities for enforcing an access order are generated independently of each other. The new capability is then employed by the same or another subject to access the object according to a prescribed access sequence. In this manner, at any particular time there is one capability valid to access the object by the appropriate subject. In addition, the capability includes information for verifying the authenticity of the capability and for specifying an expiration time associated with the capability. The technology may also be enhanced by providing a linkage between capabilities intended for use in a sequence.

Abstract: Technologies are described herein for post attack man-in-the-middle detection. A first computer receives and stores public key certificates when connections are established. The first computer also uploads the stored public key certificates associated with a domain to a second computer each time a connection is established with the domain. The second computer receives the public key certificates from the first computer. The second computer then determines whether any of the public key certificates provided by the first computer are fraudulent certificates by comparing the received certificates to known valid certificates. If the second computer determines that the first computer has received one or more fraudulent certificates, the second computer may cause action to be taken with regard to the fraudulent certificates.

Abstract: A method and apparatus for external organization (EO) path length (EOPL) validation are provided. A relying party node (RPN) stores a current EO path length constraint (EOPLC) value, and an EOPL counter that maintains a count of an actual external organization path length. The RPN obtains a chain of certificates that link a subject node (SN) to its trust anchor, and processes the certificates in the chain. When a certificate has a lower EOPLC than the current EOPLC value, the RPN replaces the current EOPLC value with the lower EOPLC. When the certificate currently being evaluated includes an enabled EO flag, the RPN increments the EOPL counter by one. The EOPL validation fails when the EOPL counter is greater than the current EOPLC value, and is successful when the last remaining certificate in the chain is processed without having the EOPL counter exceed the current EOPLC value.

Abstract: This authentication device includes: a volatile memory; a non-volatile memory which stores a plurality of electronic certificate files; a unit which refers to the non-volatile memory upon start-up, and which stores a hierarchical relationship between the plurality of electronic certificate files in the volatile memory; a unit for searching for a desired electronic certificate file based upon the hierarchical relationship between the plurality of electronic certificate files in the volatile memory; and an authentication unit which performs authentication using the electronic certificate file which has been found by the search unit.

Abstract: An apparatus, system, and method are disclosed for auditing access to secure data. A detection module detects an access to the secure data. A record module records an encrypted log entry describing the access to the secure data. A verification module verifies the secure data is securely stored.

Abstract: Methods and software for distributing several data objects containing status information about security certificates, and a directory of the data objects, through a peer-to-peer data distribution network. Other methods and software for preparing a certificate status object containing validity information about a security certificate, and a reaffirmation object identifying the certificate status object, both to be transmitted to a requesting client after an expiration time contained in the certificate status object.

Abstract: The object of the present invention is to safeguard the authenticity and integrity of real-time data in a distributed real-time computer system. The present invention considers other requirements of real-time data processing, such as the timeliness of real-time data transmission and limited resource availability. Frequent modification of an asymmetric key pair hinders intruders from cracking a key before its validity has expired. The present method can also be extended to safeguard the confidentiality of real-time data. It can be implemented efficiently on a multiprocessor system-on-chip (MPSoC).

Abstract: A computer implemented method for accessing materials for a meeting may include receiving a call from a meeting participant by a system, wherein the meeting participant calls a prearranged teleconference number to participate in the meeting. The method may also include validating participation of the meeting participant in the meeting by the system. The method may further include providing access to an appropriate set of materials to the meeting participant based on a predetermined attribute associated with the meeting participant.

Abstract: In one embodiment, a method includes defining a request for confidential information from a domain of confidential information based on an input from a relying entity. The domain of confidential information can be associated with a subject entity. A response to the request can be defined at an information provider. The method can also include sending the response to the relying entity when the response has been approved by the subject entity.

Abstract: Policy filtering services are built into security processing of an execution environment for resolving how to handle a digital security certificate of a communicating entity without requiring a local copy of a root certificate that is associated with the entity through a certificate authority (“CA”) chain. Policy may be specified using a set of rules (or other policy format) indicating conditions for certificate filtering. This filtering is preferably invoked during handshaking, upon determining that a needed root CA certificate is not available. In one approach, the policy uses rules specifying conditions under which a certificate is permitted (i.e., treated as if it is validated) and other rules specifying conditions under which a certificate is blocked (i.e., treated as if it is invalid). Preferably, policy rules are evaluated and enforced in order of most-specific to least-specific.

Abstract: Access control for an application is described. An exemplary method includes receiving a first command of an application to invoke a function of a user interface, identifying a first authorization context based on a first user context and the function of the user interface invoked, retrieving a first access policy providing access criteria associated with the first authorization context, and applying the first access policy to the accessibility of the function. The method includes receiving a second command to invoke the function in a second instance of the application and identifying a second authorization context based on a second user context and the function of the user interface invoked. The second authorization context is different than the first authorization context. The method includes retrieving a second access policy providing second access criteria associated with the second authorization context and applying the second access policy to the accessibility of the function.

Abstract: The present invention provides a method for obtaining a proxy call session control function address, comprising when a terminal accesses an IP multi-media subsystem through a world interoperability for microwave access (WiMAX) network in roaming scenarios, a visited authentication, authorization, and accounting server (V-AAA) of the terminal retransmitting an access request message sent by an access service network (ASN) or a dynamic host configuration protocol (DHCP) or a home agent (HA) of said terminal to a home authentication, authorization, and accounting server (H-AAA) of said terminal after receiving the access request message, and H-AAA finally deciding whether the P-CSCF is located in a visited network or a home network according to a roaming protocol and visited network capability, and returning the determined P-CSCF address information, included by H-AAA in an access accept message corresponding to said access request message, to the sender of said access request message through V-AAA.

Abstract: A method is disclosed for obtaining certificate revocation information from a server, obtaining from a client a request for a revocation status of a certificate and notifying the client when the certificate identified in the client request has been revoked. The method may be performed by a networking device that is separate from the server and the client.

Abstract: A hash module of a mail sender creates a hash data context structure. The hash module processes the headers and the body of an e-mail message in the order required, for example by the DKIM specification, until the data to be hashed has been input. The hash module converts the context structure into printable characters and the encoded structure is transmitted over the Internet or other network to the next participating system. The token authority's hash module decodes the context back into binary form. After ensuring business logic is satisfied, it generates additional headers required for signature, which are then added to the developing hash. The hash module finalizes the hash function and creates the hash value. The authorization module creates the signature and returns it to the e-mail module, which attaches the signature to the message and transmits it to the destination mailbox provider, which verifies the token.

Abstract: A system and method for performing a security check may include using at least one processor to periodically check a status of a flag, generate and store a baseline representation of modules stored on the device where the flag is determined to be set to a first state, and, where the flag is determined to be set to a second state, generate an active representation of modules stored on the first device, compare the active representation of modules to the baseline representation of modules, and, responsive to a determination in the comparing step of a difference between the baseline and active representations of modules, output an alert. The flag status may depend on an association of the device with one of a plurality of authorization policies, each mapped to one of the two states. Results of the comparison may be appended to an activity log of the device.

Abstract: A method begins by a processing module receiving a dispersed storage network (DSN) access request that includes a requester identifier (ID), wherein the requester ID is associated with a certificate chain. When the certificate chain is valid, the method continues with the processing module accessing registry information for the DSN. The method continues with the processing module identifying one of a plurality of access control lists based on at least one of information associated with the requester ID and information associated with the certificate chain, identifying one or more entries of the one of the plurality of access control lists based on the information associated with the certificate chain to produce one or more identified entries, and generating, for the DSN access request, permissions from one or more sets of permissions associated with the one or more identified entries.

Abstract: A method for modifying one or more system resources is provided. One or more licenses for modifying one or more system resources on a client device can be acquired. An authenticator can be generated and stored on a remote server. The authenticator can be transferred to the client device. The client device can be connected to the remote server and the remote server can authenticate the client device via the authenticator. The remote server can confirm the availability of one or more licenses, and based on the availability of one or more licenses, modify one or more system resources disposed in, on, or about the client device. After modifying the one or more system resources the remote server can decrement the remaining license count.

Abstract: A method and apparatus for distributing Certificate Revocation List (CRL) information in an ad hoc network are provided. Ad hoc nodes in an ad hoc network can each transmit one or more certificate revocation list advertisement message(s) (CRLAM(s)). Each CRLAM includes an issuer certification authority (CA) field that identifies a certification authority (CA) that issued a particular certificate revocation list (CRL), a certificate revocation list (CRL) sequence number field that specifies a number that specifies the version of the particular certificate revocation list (CRL) that was issued by the issuer certification authority (CA). Nodes that receive the CRLAMs can then use the CRL information provided in the CRLAM to determine whether to retrieve the particular certificate revocation list (CRL).

Abstract: Digital cash token protocols employ two pairs of private and public keys. Each public key is certified separately and the protocols do not use any blind signature schemes. As a result, the digital cash token protocols provide strong protection of user privacy by using two certified public keys instead of a blind signature. One pair of certified keys consists of one master user private key and one master user public key. A second pair of certified keys consists of one pseudonym user private key and one pseudonym user public key. The use of a master key pair and a pseudonym key pair circumvents the need for blind signatures. As a result, the proposed protocols do not require blind signatures and do not add additional overhead and security requirements necessitated by conventional blind signature schemes. The protocols use public key protocols and digital signatures and symmetric key protocols, which may be readily implemented in standard information security based systems based on cryptographic constructs.

Abstract: Active management technology (AMT) may be provisioned in a client device automatically, which may provide a secure connection between the provisioning server and the client device. The client device comprising the active management technology may support zero-touch provisioning and one-touch provisioning.

Abstract: A unique TIO based trust information delivery scheme is disclosed that allows clients to verify received certificates and to control Java and Javascript access efficiently. This scheme fits into the certificate verification process in SSL to provide a secure connection between a client and a Web server. In particular, the scheme is well suited for incorporation into consumer devices that have a limited footprint, such as set-top boxes, cell phones, and handheld computers. Furthermore, the TIO update scheme disclosed herein allows clients to update certificates securely and dynamically.

Abstract: An Asynchronous Enhanced Shared Secret Provisioning Protocol (ESSPP) provides a novel method and system for adding devices to a network in a secure manner. A registration process is launched by at least one of two network devices together. These two devices then automatically register with each other. When two devices running Asynchronous ESSPP detect each other, they exchange identities and establish a key that can later be used by the devices to mutually authenticate each other and generate session encryption keys. An out-of-band examination of registration signatures generated at the two devices can be performed to help ensure that there was not a man-in-the-middle attacker involved in the key exchange.

Abstract: Provided is a data management device for managing data recorded onto a readable and writable recording medium by an application that is verified based on a digital certificate. The recording medium has a plurality of areas and access to each area is restricted to a different application. The data management device includes an application authentication module, a mapping module, and a local storage display module. The application authentication module verifies that an application is an authentic application based on a digital certificate attached to the application. The mapping module associates, if the application is verified, an area accessible by the application with a subject name described in the digital certificate used for the verification. The local storage display module displays information regarding the area accessible by the application, with the use of the subject name associated with the area.

Abstract: A method and system for supporting multiple digital certificate status information providers are disclosed. An initial service request is prepared at a proxy system client module and sent to a proxy system service module operating at a proxy system. The proxy system prepares multiple service requests and sends the service requests to respective multiple digital certificate status information providers. One of the responses to the service requests received from the status information providers is selected, and a response to the initial service request is prepared and returned to the proxy system client module based on the selected response.

Abstract: What is disclosed is a system and method that allows a secondary certificate authority to rely on one or more existing primary certificate authorities to establish identity of a user and provide identity certificates. The secondary certificate authority applies business rules to those identity certificates to establish a community of privilege, and then issues and maintains new privilege certificates without issuing new private keys or smart cards. The new privilege certificates bind the original identity, the sponsor, i.e., the primary certificate authority, and the privilege. The new privilege certificates can be used on a Public Key Infrastructures (PKI) transaction basis, for example, to grant access to unclassified and Multi-Level Secure (MLS) resources without further reference to the existing primary certificate authorities.

Abstract: A tamper resistant servicing Agent for providing various services (e.g., data delete, firewall protection, data encryption, location tracking, message notification, and updating software) comprises multiple functional modules, including a loader module (CLM) that loads and gains control during POST, independent of the OS, an Adaptive Installer Module (AIM), and a Communications Driver Agent (CDA). Once control is handed to the CLM, it loads the AIM, which in turn locates, validates, decompresses and adapts the CDA for the detected OS environment. The CDA exists in two forms, a mini CDA that determines whether a full or current CDA is located somewhere on the device, and if not, to load the full-function CDA from a network; and a full-function CDA that is responsible for all communications between the device and the monitoring server. The servicing functions can be controlled by a remote server.

Abstract: An e-mail firewall applies policies to e-mail messages transmitted between a first site and a plurality of second sites. The e-mail firewall includes a plurality of mail transfer relay modules for transferring e-mail messages between the first site and one of the second sites. Policy managers are used to enforce and administer selectable policies. The policies are used to determine security procedures for the transmission and reception of e-mail messages. The e-mail firewall employs signature verification processes to verify signatures in received encrypted e-mail messages. The e-mail firewall is further adapted to employ external servers for verifying signatures. External servers are also used to retrieve data that is employed to encrypt and decrypt e-mail messages received and transmitted by the e-mail firewall, respectively.

Abstract: Rather than managing a certificate chain related to a newly issued identity certificate at a terminal to which a wireless device occasionally connects, a certificate server can act to determine the identity certificates in a certificate chain related to the newly issued identity certificate. The certificate server can also act to obtain the identity certificates and transmit the identity certificates towards the device that requested the newly issued identity certificate. A mail server may receive the newly issued identity certificate and the identity certificates in the certificate chain and manage the timing of the transmittal of the identity certificates. By transmitting the identity certificates in the certificate chain before transmitting the newly issued identity certificate, the mail server allows the user device to verify the authenticity of the newly issued identity certificate.

Abstract: An elliptic curve random number generator avoids escrow keys by choosing a point Q on the elliptic curve as verifiably random. An arbitrary string is chosen and a hash of that string computed. The hash is then converted to a field element of the desired field, the field element regarded as the x-coordinate of a point Q on the elliptic curve and the x-coordinate is tested for validity on the desired elliptic curve. If valid, the x-coordinate is decompressed to the point Q, wherein the choice of which is the two points is also derived from the hash value. Intentional use of escrow keys can provide for back up functionality. The relationship between P and Q is used as an escrow key and stored by for a security domain. The administrator logs the output of the generator to reconstruct the random number with the escrow key.

Abstract: Unlike the technology for a program downloaded through conventional broadcast waves, in the case of downloading a program via a network, there is a possibility that such program will be activated without noticing that the program is tampered with. For this reason, when a program is downloaded via a network, a file hierarchy for the program located on a server is constructed in a local area of a terminal. Subsequently, the authentication of the program is performed with respect to the file hierarchy constructed in the local area, and the credibility of the program is guaranteed.

Abstract: A method and system for authentication is provided. A central node for issuing certificates to a plurality of nodes associated with the central node in a network is also provided. The central node receives a first key from at least one node from among the plurality of nodes and generates a second key based on the received first key and generates a certificate for the at least one node. The generated certificate is transmitted to the at least one node.

Abstract: An initiator shares y_ir with a responder, calculates HASH_I on the basis of y_ir, and sends HASH_I to an IKE proxy server. The initiator receives a digital signature SIG_S generated for HASH_I and the address of the initiator from the IKE proxy server and sends the digital signature SIG_S to the responder.

Abstract: The present invention includes a computer-implemented method and an Enterprise Resource Planning System (ERP). The method and system allows a user to enable an electronic signature approval process for modification of data in a transaction. The method includes accessing a table that corresponds with the transaction and adding a signature field having a property sheet to the table. The method also includes defining a select property in the property sheet with a select parameter. The select property configured to provide approval of modified data in the transaction upon entry of a valid electronic signature.

Abstract: Two approaches are provided for distributing trust among a set of certificate authorities. Each approach may be used to secure data in motion. One approach provides methods and systems in which the secure data parser is used to distribute trust in a set of certificate authorities during initial negotiation (e.g., the key establishment phase) of a connection between two devices. Another approach provides methods and systems in which the secure data parser is used to disperse packets of data into shares. A set of tunnels is established within a communication channel using a set of certificate authorities, keys developed during the establishment of the tunnels are used to encrypt shares of data for each of the tunnels, and the shares of data are transmitted through each of the tunnels. Accordingly, trust is distributed among a set of certificate authorities in the structure of the communication channel itself.

Abstract: A transaction processing service operates as an intermediary between acquirers of financial transaction requests and issuing institutions that process the financial transaction requests. The intermediary service enables a customer to selectively change the status of an account's associated with a payment instrument by activating or deactivating the account. The intermediary service may manage account status locally using a rules module. Alternatively, the issuing institution may manage account status, while the intermediary service provides an interface for customers. A customer communicates with the intermediary service to direct the service to change the account status. The intermediary service determines the account's issuing institution and provides an indication to the issuing institution of the current status of the account (or of the change in status).

Abstract: A method and apparatus are provided for generating identity data to be provisioned in product devices that are a part of a project. The method includes establishing a template associated with each CA in a hierarchical chain of CAs having a root CA at a highest level in the chain and a signing CA at a lowest level in the chain. The template associated with the signing CA inherits mandatory attribute fields specified in the root CA and any intermediate CA in the hierarchical chain. The mandatory attribute fields are user-specifiable fields to be populated with PKI data. A configuration file is generated upon receipt of an order for digital certificates using PKI data provided by a user to populate the mandatory attribute fields of the template associated with the signing CA. The digital certificates requested in the order are generated using the PKI data in the configuration file.

Abstract: An authentication-authorization system for a mobile communication terminal and a method therefor are provided. When a mobile communication terminal is in a connect state, code data randomly generated by a remote encoding terminal is continuously provided to the terminal and data management terminal. When an application service program on the mobile communication terminal or an application service terminal connected to the mobile communication terminal need to execute an authentication-authorization, identification data of the mobile communication terminal and its card and code data can be offered to the data management terminal to carry out a bidirectional dynamic authentication-authorization, to determine whether allow the application service program or the application service terminal to keep providing an application service or not.