Including Intelligent Token Patents (Class 713/159)
  • Patent number: 7765588
    Abstract: A system and method verify a user's identity in an Internet-related transaction. One system and method use a personal computer having identification information, a card reader, and a personal identification card having access information, to verify a user's identity using the access information and the identification information. Another system and method use a personal computer, a card reader, and a personal identification card having access information, wherein the card reader is included as part of a mouse coupled to the personal computer and wherein a user's identity is verified using the access information. Another system and method use a personal computer, a device coupled to the personal computer having identification information, a card reader, and a personal identification card having access information to verify a user's identity using the access information and the identification information.
    Type: Grant
    Filed: November 17, 2008
    Date of Patent: July 27, 2010
    Inventors: Harvinder Sahota, Neil Sahota
  • Publication number: 20100185851
    Abstract: A system and a method for cryptographic coupon reloading are provided for, wherein a coupon comprises, on one hand, a pseudo-random number ri=PRFK(i), where i is an index for labeling the coupon, PRF is a predetermined pseudo-random function and K is a regeneration key, and, on the other hand, a “reduced-coupon” xi such that xi=ƒ(ri), where ƒ is a predetermined one-way function, characterized in that it comprises the following steps: a candidate device (1) and a second device (2) acquire a common value of a token T, said candidate device (1) transmits a verification value vT to the second device (2), the second device (2) verifies whether said verification value vT is given by vT=PRF?Q(T), where PRF? is a predetermined keyed pseudo-random function identical to, or derived from, said pseudo-random function PRF, and where Q is an authentication key owned by the second device (2) and known to the candidate device (1) provided the candidate device (1) is a legitimate reloading device (1), and if the verificati
    Type: Application
    Filed: June 26, 2008
    Publication date: July 22, 2010
    Inventors: Matthew Robshaw, Henri Gilbert, Marc Girault, Loic Juniot
  • Patent number: 7761702
    Abstract: A packet forwarding process, on a data communications device, forwards a packet to a plurality of destinations within a network from that data communications device using an “encrypt then replicate” method. The packet forwarding process receives a packet that is to be transmitted to the plurality of destinations, and applies a security association to the packet using security information shared between the data communications device, and the plurality of destinations, to create a secured packet. The secured packet contains a header that has a source address and a destination address. The source address is inserted into the header, and then the packet forwarding process replicates the secured packet, once for each of the plurality of destinations. After replication, the destination address is inserted into the header, and the packet forwarding process transmits each replicated secured packet to each of the plurality of destinations authorized to maintain the security association.
    Type: Grant
    Filed: April 15, 2005
    Date of Patent: July 20, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Brian E. Weis, Jan Vilhuber, Michael Lee Sullenberger, Frederic R.P. Detienne
  • Patent number: 7757084
    Abstract: A method of validating a consumable authentication chip is provided having the steps of: numerously calling a trusted chip's test function with an incorrect value to generate an invalid response or not generate the response thereby invalidating the consumable chip; if generated, in the trusted chip, generating a secret random number, calculating its signature and symmetrically encrypting the number/signature using a first secret key; calling the consumable chip's read function with the encrypted number/signature to symmetrically decrypt the encrypted number/signature using the first key, calculate the decrypted number's signature, compare the signatures, and if they match, symmetrically encrypt the decrypted random number and a data message using a second secret key; calling the trusted chip's test function with the message and the encrypted number/message to symmetrically encrypt the number and message using the second key, compare the encrypted numbers/messages, validate the consumable chip if they match, a
    Type: Grant
    Filed: February 15, 2007
    Date of Patent: July 13, 2010
    Assignee: Silverbrook Research Pty Ltd
    Inventors: Simon Robert Walmsley, Kia Silverbrook
  • Patent number: 7751567
    Abstract: Methods and apparatus are presented for providing local authentication of subscribers traveling outside their home systems. A subscriber identification token 230 provides authentication support by generating a signature 370 based upon a key that is held secret from a mobile unit 220. A mobile unit 220 that is programmed to wrongfully retain keys from a subscriber identification token 230 after a subscriber has removed his or her token is prevented from subsequently accessing the subscriber's account.
    Type: Grant
    Filed: June 1, 2005
    Date of Patent: July 6, 2010
    Assignee: QUALCOMM Incorporated
    Inventors: Roy F. Quick, Jr., Gregory G. Rose
  • Patent number: 7752442
    Abstract: A distributed security system is provided. The distributed security system uses a security policy that is written in a policy language that is transport and security protocol independent as well as independent of cryptographic technologies. This security policy can be expressed using the language to create different security components allowing for greater scalability and flexibility. By abstracting underlying protocols and technologies, multiple environments and platforms can be supported.
    Type: Grant
    Filed: October 20, 2005
    Date of Patent: July 6, 2010
    Assignee: Microsoft Corporation
    Inventors: Giovanni M. Della-Libera, Christopher G. Kaler, Scott A. Konersmann, Butler W. Lampson, Paul J. Leach, Bradford H. Lovering, Steven E. Luocco, Stephen J. Millet, Richard F. Rashid, John P. Shewchuk
  • Patent number: 7747541
    Abstract: An apparatus is provided for validating a device. The apparatus includes a first integrated circuit which is configured to generate a random number, reference information using the random number and a secret key. A control system is configured to: receive the random number and the reference information from the first integrated circuit, receive validation information from a second integrated circuit positioned on the device whereby the validation information is generated by the second integrated circuit using the random number and the secret key, and compare the reference and validation information received from the integrated circuits to validate the device.
    Type: Grant
    Filed: June 3, 2007
    Date of Patent: June 29, 2010
    Assignee: Silverbrook Research Pty Ltd
    Inventors: Simon Robert Walmsley, Paul Lapstun
  • Publication number: 20100161973
    Abstract: An authentication mechanism for use in network-based services generates an authentication token. The authentication token is provided to a client device as part of the code comprising a content page. The content page code is received and loaded by a browser application at the client device. When the content page code is received and loaded by the browser application, the authentication token is loaded by the browser as well. Upon receiving subsequent input, the browser application may send a content request to the server. The content request includes the authentication token maintained by the browser application in the content page. A server may validate the authentication token provided in the request using version information and one or more master authentication tokens.
    Type: Application
    Filed: March 1, 2010
    Publication date: June 24, 2010
    Applicant: Microsoft Corporation
    Inventors: Andy Chin, Alina Vikutan, Johnny C. Liu
  • Patent number: 7743412
    Abstract: A computer system includes an interface and a processor. The interface is adapted to receive a request from another computer system for identification of the first computer system. The adapter also furnishes a hash value that identifies the first computer system to the other computer system. The processor is coupled to the interface and is adapted to encrypt an identifier that identifies the first computer system with a key associated with the other computer system to provide the hash value.
    Type: Grant
    Filed: February 26, 1999
    Date of Patent: June 22, 2010
    Assignee: Intel Corporation
    Inventors: James Q. Mi, Vishesh Parikh, Albert Y. Teng
  • Patent number: 7739500
    Abstract: Exemplary embodiments disclosed herein may include a method and system for creating an attendance marker and establishing consistent recognition of an ongoing digital relationship, including receiving an identity key about a server, creating an attendance marker, associating the attendance marker with the server. Other embodiments relate to systems and methods for recognizing a server, website, and/or other system for a client, such as a computer system for a user. Such authentication involves receiving an identity key about a web server or other system, creating an attendance marker, associating the attendance marker with the server, requesting an attendance marker associated with a server, and recognizing the server based at least in part on the attendance marker.
    Type: Grant
    Filed: March 7, 2005
    Date of Patent: June 15, 2010
    Assignee: Microsoft Corporation
    Inventors: Kim Cameron, Arun K. Nanda, Andy Harjanto, Stuart L. S. Kwan
  • Patent number: 7735125
    Abstract: The invention includes systems and methods for identifying and verifying the identity of a user of a kiosk using an external verification system. The kiosk receives customer input data that indicates the identity of the user of the kiosk. The kiosk generates an identification query that includes at least some customer input data. The kiosk transmits the identification query to an external verification system. The kiosk receives a verification response from the external verification system. The kiosk then processes the verification response to verify the identity of the user of the kiosk. These systems and methods advantageously provide identification and verification of the identity of a user of a kiosk. With sufficient identification and verification, financial institutions can comply with government regulations designed to reduce the opportunity for money laundering, terrorism, fraud, and identity theft while offering users of kiosks a wider range of financial services.
    Type: Grant
    Filed: October 15, 2004
    Date of Patent: June 8, 2010
    Assignee: Nexxo Financial, Inc.
    Inventors: David R. Alvarez, Mitchell A. Shapiro, James V. Elliott
  • Patent number: 7724927
    Abstract: Methods and systems according to the invention may compare a large-area biometric specimen and a small-area biometric sample. For example, a large-area plain surface fingerprint image may be stored in a fingerprint database as a specimen, and then a small-area plain surface fingerprint image may be acquired as a sample. The small-area image sample may be submitted to a fingerprint matching system for comparison with a large-area image specimen from the database. A determination may be made as to whether the small-area image matches a portion of the large-area image.
    Type: Grant
    Filed: June 14, 2006
    Date of Patent: May 25, 2010
    Assignee: Ultra-Scan Corporation
    Inventors: John K. Schneider, Fred W. Kiefer
  • Patent number: 7725712
    Abstract: A method of authenticating a user for access includes creating an authentication key in the form of a user formula selected from a set of variables and operations provided by the authentication system, storing the user formula in the authentication system, utilizing a display to present the user with an arrangement of variables generated by the authentication system including the variables of the user formula, each assigned a value, applying the assigned values to matching variables in the user formula and calculating a first result, interspersing one or more additional characters among the characters of the first result, and conveying the first result with the additional characters to the authentication system. The authentication system authenticates the user if the number of additional characters conveyed with the first result is below a predetermined threshold and the first result matches a second result of a separate and independent calculation of the user formula by the authentication system.
    Type: Grant
    Filed: October 25, 2006
    Date of Patent: May 25, 2010
    Assignee: SyferLock Technology Corporation
    Inventors: Lev Ginzburg, Paul Sitar, George Kelly Flanagin
  • Publication number: 20100122082
    Abstract: An identity validation system and method for the Internet provides user accountability while supporting user privacy to counter SPAM, Internet vandalizers, and predators, as well as cyber bullies who use the Internet to communicate with actual or potential victims. The system includes network authority software that issues a permanent identity and secret code to a user and disseminates different hashed versions of the permanent identity and secret code to different agents. A user hardware Internet passport generates hashed versions of the permanent identity and secret code as well as a passcode that is generated from the hashed secret code and user software generates a temporary identity from the hashed permanent identity. The user software transmits the temporary identity and passcode to a selected agent that performs the actual identity validation.
    Type: Application
    Filed: September 29, 2009
    Publication date: May 13, 2010
    Inventors: Leiwen Deng, Aleksandar Kuzmanovic
  • Publication number: 20100115270
    Abstract: A method authenticating a consumable is disclosed. The consumable includes a first integrated circuit operative to receive data and return the data encrypted. The method receives a random number from a trusted second integrated circuit. The random number is communicated to the first integrated circuit, and in response a first message containing the random number encrypted by the first integrated circuit is received from the first integrated circuit. Also, a second message containing the random number encrypted by the trusted integrated circuit is received from the trusted second integrated circuit. By comparing the first and second messages it is determined that the consumable is authentic when the first and second messages are the same.
    Type: Application
    Filed: January 14, 2010
    Publication date: May 6, 2010
    Inventors: Kia Silverbrook, Simon Robert Walmsley
  • Patent number: 7707405
    Abstract: A system 100 for providing credentials to a computational component in a distributed processing network is provided. The system 100 includes: (a) a plurality of crypto-tokens 150a-n, each crypto-token 150a-n comprising a unique identifier, optionally a digital certificate comprising a unique public key and the unique identifier, and a private key corresponding to the public key; (b) a provisioning system 100 comprising a certificate authority 104 operable to generate the plurality of crypto-tokens 150a-n; and (c) a computational component 128 comprising a drive operable to receive and communicate with a selected crypto-token 150. The computational component 128 uses the digital certificate and private key in any of the crypto-tokens 150a-n to establish a secured communication session with the provisioning system 100. Before the establishing operation, any of the plurality of crypto-tokens 150a-n can be engaged with the computational component 128 to establish the secure communication session.
    Type: Grant
    Filed: September 21, 2004
    Date of Patent: April 27, 2010
    Assignee: Avaya Inc.
    Inventors: Robert R. Gilman, Richard L. Robinson, Robert J. Serkowski
  • Publication number: 20100088509
    Abstract: This invention provides for progressive processing of biometric samples to facilitate verification of an authorized user. The initial processing is performed by a security token. Due to storage space and processing power limitations, excessive false rejections may occur. To overcome this shortfall, the biometric sample is routed to a stateless server, which has significantly greater processing power and data enhancement capabilities. The stateless server receives, processes and returns the biometric sample to the security token for another attempt at verification using the enhanced biometric sample. In a second embodiment of the invention, a second failure of the security token to verify the enhanced biometric sample sends either the enhanced or raw biometric sample to a stateful server. The stateful server again processes the biometric sample and performs a one to many search of a biometric database.
    Type: Application
    Filed: June 30, 2009
    Publication date: April 8, 2010
    Inventors: Dominique Louis, Joseph Fedronic, Eric F. Le Saint
  • Patent number: 7694131
    Abstract: Providing reference tokens. A method includes receiving a request for a token. In response to the request for a token and in place of a token, one or more rich pointers are sent referencing one or more tokens. The rich pointers point to locations where one or more actual tokens can be retrieved. When only a single pointer is sent, the pointer is a reference other than an HTTP URL.
    Type: Grant
    Filed: September 29, 2006
    Date of Patent: April 6, 2010
    Assignee: Microsoft Corporation
    Inventors: Christopher G. Kaler, Arun K. Nanda
  • Patent number: 7681228
    Abstract: Financial institution back office computerized transaction-processing system with embedded privacy and security layer (EPSL) enables strong transaction authentication prior to a merchant or vendor contact, based on a user account number, transaction conditions like anticipated transaction time and money, user two-factor authentication with a static transaction PIN and a transaction session-specific random partial password or PIN recognition algorithm. User enters the user name and then, challenged by server with a random session-specific subset of a password or PIN character's consecutive position numbers, enters based on cognitive association a one time authentication response. The authentication session is interactive, transaction session-specific, and followed by either a transaction denial or an alphanumeric transaction signature generated by EPSL for this specific transaction. Then, the user submits her request to a transaction counterpart along with the transaction signature.
    Type: Grant
    Filed: February 14, 2006
    Date of Patent: March 16, 2010
    Assignee: Authernative, Inc.
    Inventor: Len L. Mizrah
  • Patent number: 7673135
    Abstract: An authentication mechanism for use in network-based services generates an authentication token. The authentication token is provided to a client device as part of the code comprising a content page. The content page code is received and loaded by a browser application at the client device. When the content page code is received and loaded by the browser application, the authentication token is loaded by the browser as well. Upon receiving subsequent input, the browser application may send a content request to the server. The content request includes the authentication token maintained by the browser application in the content page. A server may validate the authentication token provided in the request using version information and one or more master authentication tokens.
    Type: Grant
    Filed: December 8, 2005
    Date of Patent: March 2, 2010
    Assignee: Microsoft Corporation
    Inventors: Andy Chin, Alina Vikutan, Johnny C. Liu
  • Publication number: 20100049972
    Abstract: An apparatus and method for determining contents information corresponding to a Rights Object (RO) by transmitting information on contents together when the RO is moved from a mobile device to a memory card or a smart card or when the RO is moved from the memory card or the smart card to the mobile device are provided. The apparatus includes a meta information manager for determining information on contents corresponding to the RO when the RO is moved, and for generating meta information containing the determined contents information, and a controller for providing control to transmit the RO and the meta information generated by the meta information manager to a portable storage device. Accordingly, the conventional problem can be solved in which information on contents cannot be determined by using a Contents IDentifier (CID) if the RO does not exist together with the contents.
    Type: Application
    Filed: August 18, 2009
    Publication date: February 25, 2010
    Applicant: Samsung Electronics Co., Ltd.
    Inventors: Seong Choi, Jung-Hun Park, Yun-Sang Oh
  • Patent number: 7668315
    Abstract: Methods and apparatus are presented for providing local authentication of subscribers travelling outside their home systems. A subscriber identification token 230 provides authentication support by generating a signature 370 based upon a key that is held secret from a mobile unit 220. A mobile unit 220 that is programmed to wrongfully retain keys from a subscriber identification token 230 after a subscriber has removed his or her token is prevented from subsequently accessing the subscriber's account.
    Type: Grant
    Filed: May 22, 2001
    Date of Patent: February 23, 2010
    Assignee: QUALCOMM Incorporated
    Inventors: Roy F. Quick, Jr., Gregory G. Rose
  • Patent number: 7669232
    Abstract: Systems and methods for authentication using paired dynamic secrets in secured wireless networks are provided. Each authenticated user is assigned a random secret generated so as to be unique to the user. The secret is associated with a wireless interface belonging to the user, so that no other wireless interface may use the same secret to access the network. The secret may be updated either periodically or at the request of a network administrator, and reauthentication of the wireless network may be required.
    Type: Grant
    Filed: December 19, 2008
    Date of Patent: February 23, 2010
    Assignee: Ruckus Wireless, Inc.
    Inventors: Tyan-Shu Jou, Ming Sheu, Bo-Chieh Yang, Tian-Yuan Lin, Ted Tsei Kuo
  • Publication number: 20100031032
    Abstract: A wall plate assembly has a first port adapted to be coupled to a device and a second port adapted to be coupled to a communications network. The wall plate assembly is operable to obtain authentication information from a user and to determine from the obtained authentication information whether the user should be granted or denied access to the network. The assembly is operable when the determination indicates the user should be granted access to provide endpoint location identification information associated with the wall plate assembly and the authentication information to the second port, and is operable responsive to a acknowledgement signal received via the second port to grant access to the network via the first port. The assembly is operable when either no acknowledgment signal is received or the determination indicates the user should be denied access to isolate the first port from the network.
    Type: Application
    Filed: April 9, 2008
    Publication date: February 4, 2010
    Applicant: Leviton Manufacturing Co., Inc.
    Inventor: Julius Ametsitsi
  • Patent number: 7657740
    Abstract: The present invention provides an apparatus for verifying the authority of an owner, in terms of an identifier of a product, the first verification information for verifying the authority held at a terminal for an owner with the authority involving the product, and the second verification information for verifying the authority concerning the identifier of the product stored in a product database. The apparatus comprises means for receiving the identifier and the first verification information, means for acquiring the second verification information from the product DB, and means for determining whether or not there is the authority from the first verification information and the second verification information. A hash value acquired from a one-way hash function is employed as a verification key of the verification information.
    Type: Grant
    Filed: December 28, 2005
    Date of Patent: February 2, 2010
    Assignee: International Business Machines Corporation
    Inventors: Masayuki Numao, Yoshinobu Ishigaki, Yuji Watanabe
  • Patent number: 7657488
    Abstract: An apparatus is provided for validating a device. The apparatus includes a first integrated circuit which stores a first key, is configured to generate a random number, and is configured to generate encrypted information using the generated random number and the first key. A control system is configured to: receive the encrypted information and random number from the first integrated circuit, send the encrypted information to a second integrated circuit positioned on the device, receive decrypted information from the second integrated circuit whereby the decrypted information is generated using the encrypted information and a second key, and compare the random number and decrypted information received from the respective integrated circuits to validate the device.
    Type: Grant
    Filed: June 5, 2007
    Date of Patent: February 2, 2010
    Assignee: Silverbrook Research Pty Ltd
    Inventors: Kia Silverbrook, Simon Robert Walmsley
  • Patent number: 7644433
    Abstract: An interactive client-server authentication system and method are based on Random Partial Pattern Recognition algorithm (RPPR). In RPPR, an ordered set of data fields is stored for a client to be authenticated in secure memory. An authentication server presents a clue to the client via a communication medium, such positions in the ordered set of a random subset of data fields from the ordered set. The client enters input data in multiple fields according to the clue, and the server accepts the input data from the client via a data communication medium. The input data corresponds to the field contents for the data fields at the identified positions of the random subset of data fields. The server then determines whether the input data matches the field contents of corresponding data fields in a random subset.
    Type: Grant
    Filed: December 23, 2002
    Date of Patent: January 5, 2010
    Assignee: Authernative, Inc.
    Inventor: Len L. Mizrah
  • Patent number: 7634800
    Abstract: Providing a user with assurance that a networked computer is secure, typically before completion of the log-in operation. This can be accomplished by extending the local log-in process to perform a host assessment of the workstation prior to requesting the user's credentials. If the assessment finds a vulnerability, the log-in process can inform the user that the machine is or may be compromised, or repair the vulnerability, prior to completion of the log-in operation. By performing vulnerability assessment at the level of the workstation, a network server is able to determine whether the workstation is a “trusted” platform from which to accept authentication requests. If the vulnerability assessment shows that the workstation is compromised, or if the possibility of remote compromise is high, the network server can elect to fail the authentication on the grounds that the workstation cannot be trusted.
    Type: Grant
    Filed: May 8, 2006
    Date of Patent: December 15, 2009
    Assignee: International Business Machines Corporation
    Inventors: Curtis E. Ide, Philip C. Brass, Theodore R. Doty
  • Publication number: 20090282243
    Abstract: A puzzle-based protocol is provided that allows a token and verifier to agree on a secure symmetric key for authentication between the token and verifier. A token stores a secret key and one or more puzzle-generating algorithms. The verifier independently obtains a plurality of puzzles associated with the token, pseudorandomly selects at least one of the puzzles, and solves it to obtain a puzzle secret and a puzzle identifier. The verifier generates a verifier key based on the puzzle secret. The verifier sends the puzzle identifier and an encoded version of the verifier key to the token. The token regenerates the puzzle secret using its puzzle-generating algorithms and the puzzle identifier. The token sends an encoded response to the verifier indicating that it knows the verifier key. The token and verifier may use the verifier key as a symmetric key for subsequent authentications.
    Type: Application
    Filed: May 9, 2008
    Publication date: November 12, 2009
    Applicant: QUALCOMM Incorporated
    Inventors: Gregory Gordon Rose, Alexander Gantman, Miriam Wiggers De Vries, Michael Paddon, Philip Michael Hawkes
  • Publication number: 20090282240
    Abstract: A secure decentralized storage system provides scalable security by addressing the performance bottleneck of the security manager and the complexity issue of security administration in large-scale storage systems.
    Type: Application
    Filed: April 17, 2009
    Publication date: November 12, 2009
    Applicant: HUAZHONG UNIVERSITY OF SCIENCE & TECHNOLOGY
    Inventors: KE ZHOU, Dan Feng, Zhongying Niu, Tianming Yang, Qinhua Yan, Dongliang Lei, Wei Yan
  • Patent number: 7616762
    Abstract: A method and apparatus for protecting privacy in power line communication (PLC) networks. Data transmitted on a PLC network is encrypted according to a network key and can be properly received only by registered devices that have the proper network ID and network key value so that proper decryption can be performed. According to the invention a streaming media device is provided with a compatible network ID and network key during a registration process facilitated by coupling the device (applicant) to a direct power line connection associated with another device (administrator). The network key, and optionally network ID, are then shared over the direct connection without being distributed over the PLC network at large. By way of example, the data is prevented from being distributed across the PLC network in response to using selectable filtering of PLC data, and preferably a secure data communication mechanism, such as public-private key encoding.
    Type: Grant
    Filed: January 28, 2005
    Date of Patent: November 10, 2009
    Assignees: Sony Corporation, Sony Electronics, Inc.
    Inventors: Tohru Doumuki, Ryuichi Iwamura
  • Patent number: 7614078
    Abstract: A method and apparatus for authorizing an access requester to access a data communication network is provided. A determination is made that a threshold access control server cannot process an access request associated with the access requester. Access requester history data, or data that describes the access history for an access requester, is analyzed to obtain a threshold access level. A threshold access level is an expression of how likely that a particular access requester is a legitimate access requester. A session profile is selected for the access requester based on the threshold access level. The session profile indicates one or more actions the access requester is authorized to perform in the network. The session profile may subsequently be transmitted to the access requester to allow the access requester access to the network to the extent appropriate in view of the access requester history data.
    Type: Grant
    Filed: April 2, 2003
    Date of Patent: November 3, 2009
    Assignee: Cisco Technology, Inc.
    Inventor: Jeremy Stieglitz
  • Patent number: 7614002
    Abstract: A system and method that evaluates privacy policies from web sites to determine whether each site is permitted to perform operations (e.g., store, retrieve or delete) directed to cookies on a user's computer. Various properties of each cookie and the context in which it is being used are evaluated against a user's privacy preference settings to make the determination. An evaluation engine accomplishes the evaluation and determination via a number of criteria and considerations, including the cookie properties, its current context, the site, the zone that contains the site, and any P3P data (compact policy) provided with the site's response. The user privacy preferences are evaluated against these criteria to determine whether a requested cookie operation is allowed, denied or modified. A formalized distinction between first-party cookies versus third-party cookies may be used in the determination, along with whether the cookie is a persistent cookie or a session cookie.
    Type: Grant
    Filed: July 1, 2005
    Date of Patent: November 3, 2009
    Assignee: Microsoft Corporation
    Inventors: Aaron R. Goldfeder, Cem Paya, Frank M. Schwieterman, Darren Mitchell, Rajeev Dujari, Stephen J. Purpura
  • Patent number: 7600129
    Abstract: Determining access includes determining if particular credentials/proofs indicate that access is allowed, determining if there is additional data associated with the credentials/proofs, wherein the additional data is separate from the credentials/proofs, and, if the particular credentials/proofs indicate that access is allowed and if there is additional data associated with the particular credentials/proofs, then deciding whether to deny access according to information provided by the additional data. The credentials/proofs may be in one part or in separate parts. There may be a first administration entity that generates the credentials and other administration entities that generate proofs. The first administration entity may also generate proofs or may not generate proofs. The credentials may correspond to a digital certificate that includes a final value that is a result of applying a one way function to a first one of the proofs.
    Type: Grant
    Filed: July 16, 2004
    Date of Patent: October 6, 2009
    Assignee: CoreStreet, Ltd.
    Inventors: Phil Libin, Silvio Micali, David Engberg, Alex Sinelnikov
  • Patent number: 7600253
    Abstract: A computer-implemented method for correlating entities between a service provider and a service requester is provided. The computer-implemented method receives a request for a service from a service requester and determines whether the request contains an entity token representative of an entity referenced by the service requester that can be resolved. When the entity token is not resolved, the entity token is sent to a token correlator that requests the service requester, or an authorized party, to provide entity information. The token correlator forwards the entity information to the service provider to validate and return encrypted to the token correlator from which is generated a new entity token. The new token is sent to the service provider and, selectively, to the authorized third party, and used for locating the service of the request by the service provider.
    Type: Grant
    Filed: August 21, 2008
    Date of Patent: October 6, 2009
    Assignee: International Business Machines Corporation
    Inventor: Wei-Lung Wang
  • Patent number: 7599890
    Abstract: A memory card (110) includes a memory (1415) to store encrypted content data, a license hold unit (1440) to store at least a portion of license information distributed by a distribution system, a plurality of authentication data hold units (1400.1, 1400.2), each storing a plurality of authentication data that are authenticated respectively by a plurality of public authentication keys KPma, KPmb common to the distribution system, and a switch (SW2) to selectively provide the data from the plurality of authentication data hold units outside of said recording apparatus according to a request external to the memory card (110).
    Type: Grant
    Filed: March 28, 2001
    Date of Patent: October 6, 2009
    Assignees: Sanyo Electric Co., Ltd., Fujitsu Limited, Hitachi, Ltd.
    Inventors: Yoshihiro Hori, Hiroshi Takemura, Takatoshi Yoshikawa, Toshiaki Hioki, Takahisa Hatakeyama, Takayuki Hasebe, Shigeki Furuta, Masataka Takahashi, Takeaki Anazawa, Tadaaki Tonegawa
  • Publication number: 20090249063
    Abstract: A system includes an agent-side apparatus and an owner-side apparatus. The agent-side apparatus includes a transmission unit for responding to operation inputs from an agent, and a transfer unit for transferring a data processing request to the owner-side apparatus, and transferring a processing result to a management object apparatus. The owner-side apparatus includes a commission condition storage unit in which a commission condition of the agent; an agent authentication unit for authenticating authentication information; a performing unit for performing data processing associated with decryption of an encryption data, when the agent authentication unit normally performs the authentication, and when the data processing request falls within a range of the agent commission condition, upon receiving the data processing request from the agent-side apparatus; and a result transmission unit for transmitting the processing result of the performing unit to the agent-side apparatus.
    Type: Application
    Filed: March 30, 2009
    Publication date: October 1, 2009
    Applicant: FUJITSU LIMITED
    Inventors: Hideki SAKURAI, Yasuo NOGUCHI
  • Patent number: 7596692
    Abstract: Method, system, and computer program products for identifying potentially fraudulent receivers of digital content. A receiver authenticates to an auditing service with data that should be unique to the receiver. The auditing service detects when multiple receivers attempt to authenticate with the same data, suggesting that a receiver has been cloned or duplicated. The audit service also detects when a receiver authenticates improperly, suggesting an unsuccessful and unauthorized attempt to duplicate an authorized receiver. Individual receivers may be networked together. To help protect a receiver's authentication data from tampering, at least a portion of the data may be digitally signed with a private key. The audit service may then verify the digital signature with a corresponding public key. Varying the order in which data is signed or where the data is stored from one receiver or group of receivers to another may provide an additional level of security.
    Type: Grant
    Filed: June 5, 2002
    Date of Patent: September 29, 2009
    Assignee: Microsoft Corporation
    Inventors: Barbara Lynch Fox, David G. Conroy, Brian A. LaMacchia
  • Publication number: 20090235069
    Abstract: A method of and system for secure data transmission between a client and a third party computer arrangement. The method includes authenticating a user of the client by a security server via a communication session; making available a key pair by the security server, the key pair including a public key and a private key; and performing the secure data transmission between the client and the third party computer arrangement while using the key pair. The key pair having a limited life time defined by: a predetermined duration in time, a predetermined number of communication sessions, or a predetermined number of actions.
    Type: Application
    Filed: July 13, 2006
    Publication date: September 17, 2009
    Applicant: TRUST INTEGRATION SERVICES B.V.
    Inventors: Marco Alexander Henk Sonnega, Zdenek Kalenda
  • Patent number: 7590859
    Abstract: A method of accomplishing two-factor user authentication, comprising providing two separate user authentication methods, enabling a user to communicate authentication data for both authentication methods to a first web site using the internet, and enabling the communication of at least some of the authentication data from the first web site to a second web site also using the internet. Both web sites are thus involved in user authentication using the authentication data.
    Type: Grant
    Filed: January 16, 2002
    Date of Patent: September 15, 2009
    Assignee: Secure Computing Corporation
    Inventor: Sean Brennan
  • Patent number: 7574734
    Abstract: This invention provides for progressive processing of biometric samples to facilitate verification of an authorized user. The initial processing is performed by a security token. Due to storage space and processing power limitations, excessive false rejections may occur. To overcome this shortfall, the biometric sample is routed to a stateless server, which has significantly greater processing power and data enhancement capabilities. The stateless server receives, processes and returns the biometric sample to the security token for another attempt at verification using the enhanced biometric sample. In a second embodiment of the invention, a second failure of the security token to verify the enhanced biometric sample sends either the enhanced or raw biometric sample to a stateful server. The stateful server again processes the biometric sample and performs a one to many search of a biometric database.
    Type: Grant
    Filed: August 15, 2002
    Date of Patent: August 11, 2009
    Inventors: Dominique Louis Joseph Fedronic, Eric F. Le Saint
  • Patent number: 7574596
    Abstract: First data to be sent by a first party to a second party is encrypted using an encryption key string formed using at least a hash value generated using second data and a secret, shared with a trusted party, that serves as identification of the first party. The second data comprises, for example, one or more conditions that serve as identifiers of the second party, and a hash-value element generated by hashing the first data. The encrypted first data and the encryption key string is made available to the second party which forwards the encryption key string to the trusted party with a request for the corresponding decryption key. The trusted party carries out at least one check on the basis of data contained in the encryption key string and, if this at least one check is satisfactory, provides a decryption key to the second party.
    Type: Grant
    Filed: April 22, 2004
    Date of Patent: August 11, 2009
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Liqun Chen, Martin Sadler, Keith Alexander Harrison
  • Patent number: 7565527
    Abstract: Techniques for generating a multi-factor asymmetric key pair having a public key and split private key with multiple private portions, at least one of the multiple portions being a multiple factor private key portion, are provided. First and second asymmetric key pairs are generated, each having a private key and a public key. A text string and the first private key are cryptographically combined to make a first private key portion of the split private key. This first private key portion is a multiple factor private key portion. A second private key portion of the split private key is generated based upon the generated first private key portion and the second private key.
    Type: Grant
    Filed: February 14, 2005
    Date of Patent: July 21, 2009
    Assignee: TriCipher, Inc.
    Inventors: Ravinderpal Singh Sandhu, Brett Jason Schoppert, Ravi Ganesan, Mihir Bellare, Colin Joseph deSa
  • Publication number: 20090177882
    Abstract: The invention relates to an authentication token (10) for a communication network comprising a microprocessor (11), a memory (12), a stored secret key (Ki) and a set of instructions for controlling the microprocessor (11) into performing an authentication calculation on the basis of a received random (RAND) and on the basis of the stored secret key, characterized in that it includes a memory location dedicated for storing a counter value and it includes instructions for making the counter value evolve each time the authentication calculation is performed.
    Type: Application
    Filed: February 15, 2007
    Publication date: July 9, 2009
    Inventors: Swami Saran, Yugant Bhargav
  • Patent number: 7559028
    Abstract: A user inputs information, such as a mathematical function, composed of variable strings, functions, characters, expressions, etc., into an information input field connected to a function variable processing system. In one embodiment, the function variable processing system breaks down the information into tokens. The tokens are then processed to detect any undefined user definable tokens, e.g., tokens that the user may add and/or change the definitions associated therewith. The function variable processing system generates a display of the undefined user definable tokens along with any associated token definition input fields and/or menus of token definitions. The user may input token definitions using the token definition input fields and/or may select the token definitions from the menus. The function variable processing system associates the undefined user definable tokens with the definitions inputted by the user to convert the undefined user definable tokens to defined user definable tokens.
    Type: Grant
    Filed: January 24, 2005
    Date of Patent: July 7, 2009
    Assignee: Oracle International Corporation
    Inventor: David Yung
  • Publication number: 20090164777
    Abstract: A method and system for authenticating a partner service provider and a primary service provider includes a network and, a partner service provider generating a request for a first encrypted token from a partner service provider and communicating the request to the network. An authentication web service receives the request for the first encrypted token from the network and generates the first encrypted token. The partner service provider generates a request for data with the first encrypted token and communicates the request for data to the network. A data web service receives the request for data and communicates the request for data from the data web service to the authentication web service. The authentication web service validates the request for data and communicates a validation result to the data web service. The data web service communicates data to the partner service provider from the data web service after validating.
    Type: Application
    Filed: December 19, 2007
    Publication date: June 25, 2009
    Inventor: Kapil Chaudhry
  • Publication number: 20090164778
    Abstract: A system and method for communicating between a user device locator module and a user receiving device includes forming a secure connection with a user device locator module. The user receiving device communicates user identifier data and port data to the user device locator module. An authentication module authenticates the user data from the user device locator module and generates an authentication signal. The user device locator module registers the port data at the user device locator module in response to the authentication signal.
    Type: Application
    Filed: December 20, 2007
    Publication date: June 25, 2009
    Inventor: Kapil Chaudhry
  • Patent number: 7552322
    Abstract: One embodiment of the present invention provides a system that uses a portable security token to facilitate public key certification for a target device in a network. During system operation, the portable security token is located in close physical proximity to the target device to allow the portable security token to communicate with the target device through a location-limited communication channel. During this communication, the portable security token receives an authenticator for the target device, and forms a ticket by digitally signing the authenticator with a key previously agreed upon by the portable security token and a certification authority (CA). Next, the portable security token sends the ticket to the target device, whereby the target device can subsequently present the ticket to the CA to prove that the target device is authorized to receive a credential from the CA.
    Type: Grant
    Filed: June 24, 2004
    Date of Patent: June 23, 2009
    Assignee: Palo Alto Research Center Incorporated
    Inventors: Dirk Balfanz, Glenn E. Durfee, Diana K. Smetters
  • Publication number: 20090150667
    Abstract: In an authentication server, information representing a first part of a response to a challenge is received during the authentication preparation phase. The challenge and the first part of the response are stored for further use. The challenge is resent and information representing a second part of the response to the challenge is received during a modified authentication phase. The first and second parts of the response are checked against the challenge for authenticating the user. In a smartcard reader, the response received from the smartcard is sent to a computing device, when the smartcard reader received the challenge via an interface to the computing device during normal authentication. In response to the smartcard reader having received the challenge via the interface to the computing device during an authentication preparation phase, the smartcard reader sends the first part of the response to the computing device.
    Type: Application
    Filed: November 26, 2008
    Publication date: June 11, 2009
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: Boris Baltzer
  • Patent number: 7546468
    Abstract: A system including a secure LSI 1 establishes a communication path to/from a server 3 (UD1), and receives a common key-encrypted program generated by encryption with a common key and transmitted from the server 3 (UD6 and UD7). The received common key-encrypted program is decrypted to generate a raw program, and the raw program is re-encrypted with an inherent key to newly generate an inherent key-encrypted program, which is stored in an external memory.
    Type: Grant
    Filed: October 30, 2003
    Date of Patent: June 9, 2009
    Assignee: Panasonic Corporation
    Inventors: Makoto Fujiwara, Yusuke Nemoto, Junichi Yasui, Takuji Maeda, Takayuki Ito, Yasushi Yamada, Shinji Inoue