Including Intelligent Token Patents (Class 713/159)
  • Patent number: 7599890
    Abstract: A memory card (110) includes a memory (1415) to store encrypted content data, a license hold unit (1440) to store at least a portion of license information distributed by a distribution system, a plurality of authentication data hold units (1400.1, 1400.2), each storing a plurality of authentication data that are authenticated respectively by a plurality of public authentication keys KPma, KPmb common to the distribution system, and a switch (SW2) to selectively provide the data from the plurality of authentication data hold units outside of said recording apparatus according to a request external to the memory card (110).
    Type: Grant
    Filed: March 28, 2001
    Date of Patent: October 6, 2009
    Assignees: Sanyo Electric Co., Ltd., Fujitsu Limited, Hitachi, Ltd.
    Inventors: Yoshihiro Hori, Hiroshi Takemura, Takatoshi Yoshikawa, Toshiaki Hioki, Takahisa Hatakeyama, Takayuki Hasebe, Shigeki Furuta, Masataka Takahashi, Takeaki Anazawa, Tadaaki Tonegawa
  • Patent number: 7600253
    Abstract: A computer-implemented method for correlating entities between a service provider and a service requester is provided. The computer-implemented method receives a request for a service from a service requester and determines whether the request contains an entity token representative of an entity referenced by the service requester that can be resolved. When the entity token is not resolved, the entity token is sent to a token correlator that requests the service requester, or an authorized party, to provide entity information. The token correlator forwards the entity information to the service provider to validate and return encrypted to the token correlator from which is generated a new entity token. The new token is sent to the service provider and, selectively, to the authorized third party, and used for locating the service of the request by the service provider.
    Type: Grant
    Filed: August 21, 2008
    Date of Patent: October 6, 2009
    Assignee: International Business Machines Corporation
    Inventor: Wei-Lung Wang
  • Patent number: 7600129
    Abstract: Determining access includes determining if particular credentials/proofs indicate that access is allowed, determining if there is additional data associated with the credentials/proofs, wherein the additional data is separate from the credentials/proofs, and, if the particular credentials/proofs indicate that access is allowed and if there is additional data associated with the particular credentials/proofs, then deciding whether to deny access according to information provided by the additional data. The credentials/proofs may be in one part or in separate parts. There may be a first administration entity that generates the credentials and other administration entities that generate proofs. The first administration entity may also generate proofs or may not generate proofs. The credentials may correspond to a digital certificate that includes a final value that is a result of applying a one way function to a first one of the proofs.
    Type: Grant
    Filed: July 16, 2004
    Date of Patent: October 6, 2009
    Assignee: CoreStreet, Ltd.
    Inventors: Phil Libin, Silvio Micali, David Engberg, Alex Sinelnikov
  • Publication number: 20090249063
    Abstract: A system includes an agent-side apparatus and an owner-side apparatus. The agent-side apparatus includes a transmission unit for responding to operation inputs from an agent, and a transfer unit for transferring a data processing request to the owner-side apparatus, and transferring a processing result to a management object apparatus. The owner-side apparatus includes a commission condition storage unit in which a commission condition of the agent is stored; an agent authentication unit for authenticating authentication information; a performing unit for performing data processing associated with decryption of an encryption data, when the agent authentication unit normally performs the authentication, and when the data processing request falls within a range of the agent commission condition, upon receiving the data processing request from the agent-side apparatus; and a result transmission unit for transmitting the processing result of the performing unit to the agent-side apparatus.
    Type: Application
    Filed: March 30, 2009
    Publication date: October 1, 2009
    Applicant: FUJITSU LIMITED
    Inventors: Hideki SAKURAI, Yasuo NOGUCHI
  • Patent number: 7596692
    Abstract: Method, system, and computer program products for identifying potentially fraudulent receivers of digital content. A receiver authenticates to an auditing service with data that should be unique to the receiver. The auditing service detects when multiple receivers attempt to authenticate with the same data, suggesting that a receiver has been cloned or duplicated. The audit service also detects when a receiver authenticates improperly, suggesting an unsuccessful and unauthorized attempt to duplicate an authorized receiver. Individual receivers may be networked together. To help protect a receiver's authentication data from tampering, at least a portion of the data may be digitally signed with a private key. The audit service may then verify the digital signature with a corresponding public key. Varying the order in which data is signed or where the data is stored from one receiver or group of receivers to another may provide an additional level of security.
    Type: Grant
    Filed: June 5, 2002
    Date of Patent: September 29, 2009
    Assignee: Microsoft Corporation
    Inventors: Barbara Lynch Fox, David G. Conroy, Brian A. LaMacchia
  • Publication number: 20090235069
    Abstract: A method of and system for secure data transmission between a client and a third party computer arrangement. The method includes authenticating a user of the client by a security server via a communication session; making available a key pair by the security server, the key pair including a public key and a private key; and performing the secure data transmission between the client and the third party computer arrangement while using the key pair. The key pair having a limited life time defined by: a predetermined duration in time, a predetermined number of communication sessions, or a predetermined number of actions.
    Type: Application
    Filed: July 13, 2006
    Publication date: September 17, 2009
    Applicant: TRUST INTEGRATION SERVICES B.V.
    Inventors: Marco Alexander Henk Sonnega, Zdenek Kalenda
  • Patent number: 7590859
    Abstract: A method of accomplishing two-factor user authentication, comprising providing two separate user authentication methods, enabling a user to communicate authentication data for both authentication methods to a first web site using the internet, and enabling the communication of at least some of the authentication data from the first web site to a second web site also using the internet. Both web sites are thus involved in user authentication using the authentication data.
    Type: Grant
    Filed: January 16, 2002
    Date of Patent: September 15, 2009
    Assignee: Secure Computing Corporation
    Inventor: Sean Brennan
  • Patent number: 7574734
    Abstract: This invention provides for progressive processing of biometric samples to facilitate verification of an authorized user. The initial processing is performed by a security token. Due to storage space and processing power limitations, excessive false rejections may occur. To overcome this shortfall, the biometric sample is routed to a stateless server, which has significantly greater processing power and data enhancement capabilities. The stateless server receives, processes and returns the biometric sample to the security token for another attempt at verification using the enhanced biometric sample. In a second embodiment of the invention, a second failure of the security token to verify the enhanced biometric sample sends either the enhanced or raw biometric sample to a stateful server. The stateful server again processes the biometric sample and performs a one to many search of a biometric database.
    Type: Grant
    Filed: August 15, 2002
    Date of Patent: August 11, 2009
    Inventors: Dominique Louis Joseph Fedronic, Eric F. Le Saint
  • Patent number: 7574596
    Abstract: First data to be sent by a first party to a second party is encrypted using an encryption key string formed using at least a hash value generated using second data and a secret, shared with a trusted party, that serves as identification of the first party. The second data comprises, for example, one or more conditions that serve as identifiers of the second party, and a hash-value element generated by hashing the first data. The encrypted first data and the encryption key string is made available to the second party which forwards the encryption key string to the trusted party with a request for the corresponding decryption key. The trusted party carries out at least one check on the basis of data contained in the encryption key string and, if this at least one check is satisfactory, provides a decryption key to the second party.
    Type: Grant
    Filed: April 22, 2004
    Date of Patent: August 11, 2009
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Liqun Chen, Martin Sadler, Keith Alexander Harrison
  • Patent number: 7565527
    Abstract: Techniques for generating a multi-factor asymmetric key pair having a public key and split private key with multiple private portions, at least one of the multiple portions being a multiple factor private key portion, are provided. First and second asymmetric key pairs are generated, each having a private key and a public key. A text string and the first private key are cryptographically combined to make a first private key portion of the split private key. This first private key portion is a multiple factor private key portion. A second private key portion of the split private key is generated based upon the generated first private key portion and the second private key.
    Type: Grant
    Filed: February 14, 2005
    Date of Patent: July 21, 2009
    Assignee: TriCipher, Inc.
    Inventors: Ravinderpal Singh Sandhu, Brett Jason Schoppert, Ravi Ganesan, Mihir Bellare, Colin Joseph deSa
  • Publication number: 20090177882
    Abstract: The invention relates to an authentication token (10) for a communication network comprising a microprocessor (11), a memory (12), a stored secret key (Ki) and a set of instructions for controlling the microprocessor (11) into performing an authentication calculation on the basis of a received random (RAND) and on the basis of the stored secret key, characterized in that it includes a memory location dedicated for storing a counter value and it includes instructions for making the counter value evolve each time the authentication calculation is performed.
    Type: Application
    Filed: February 15, 2007
    Publication date: July 9, 2009
    Inventors: Swami Saran, Yugant Bhargav
  • Patent number: 7559028
    Abstract: A user inputs information, such as a mathematical function, composed of variable strings, functions, characters, expressions, etc., into an information input field connected to a function variable processing system. In one embodiment, the function variable processing system breaks down the information into tokens. The tokens are then processed to detect any undefined user definable tokens, e.g., tokens that the user may add and/or change the definitions associated therewith. The function variable processing system generates a display of the undefined user definable tokens along with any associated token definition input fields and/or menus of token definitions. The user may input token definitions using the token definition input fields and/or may select the token definitions from the menus. The function variable processing system associates the undefined user definable tokens with the definitions inputted by the user to convert the undefined user definable tokens to defined user definable tokens.
    Type: Grant
    Filed: January 24, 2005
    Date of Patent: July 7, 2009
    Assignee: Oracle International Corporation
    Inventor: David Yung
  • Publication number: 20090164777
    Abstract: A method and system for authenticating a partner service provider and a primary service provider includes a network and, a partner service provider generating a request for a first encrypted token from a partner service provider and communicating the request to the network. An authentication web service receives the request for the first encrypted token from the network and generates the first encrypted token. The partner service provider generates a request for data with the first encrypted token and communicates the request for data to the network. A data web service receives the request for data and communicates the request for data from the data web service to the authentication web service. The authentication web service validates the request for data and communicates a validation result to the data web service. The data web service communicates data to the partner service provider from the data web service after validating.
    Type: Application
    Filed: December 19, 2007
    Publication date: June 25, 2009
    Inventor: Kapil Chaudhry
  • Publication number: 20090164778
    Abstract: A system and method for communicating between a user device locator module and a user receiving device includes forming a secure connection with a user device locator module. The user receiving device communicates user identifier data and port data to the user device locator module. An authentication module authenticates the user data from the user device locator module and generates an authentication signal. The user device locator module registers the port data at the user device locator module in response to the authentication signal.
    Type: Application
    Filed: December 20, 2007
    Publication date: June 25, 2009
    Inventor: Kapil Chaudhry
  • Patent number: 7552322
    Abstract: One embodiment of the present invention provides a system that uses a portable security token to facilitate public key certification for a target device in a network. During system operation, the portable security token is located in close physical proximity to the target device to allow the portable security token to communicate with the target device through a location-limited communication channel. During this communication, the portable security token receives an authenticator for the target device, and forms a ticket by digitally signing the authenticator with a key previously agreed upon by the portable security token and a certification authority (CA). Next, the portable security token sends the ticket to the target device, whereby the target device can subsequently present the ticket to the CA to prove that the target device is authorized to receive a credential from the CA.
    Type: Grant
    Filed: June 24, 2004
    Date of Patent: June 23, 2009
    Assignee: Palo Alto Research Center Incorporated
    Inventors: Dirk Balfanz, Glenn E. Durfee, Diana K. Smetters
  • Publication number: 20090150667
    Abstract: In an authentication server, information representing a first part of a response to a challenge is received during the authentication preparation phase. The challenge and the first part of the response are stored for further use. The challenge is resent and information representing a second part of the response to the challenge is received during a modified authentication phase. The first and second parts of the response are checked against the challenge for authenticating the user. In a smartcard reader, the response received from the smartcard is sent to a computing device, when the smartcard reader received the challenge via an interface to the computing device during normal authentication. In response to the smartcard reader having received the challenge via the interface to the computing device during an authentication preparation phase, the smartcard reader sends the first part of the response to the computing device.
    Type: Application
    Filed: November 26, 2008
    Publication date: June 11, 2009
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: Boris Baltzer
  • Patent number: 7546468
    Abstract: A system including a secure LSI 1 establishes a communication path to/from a server 3 (UD1), and receives a common key-encrypted program generated by encryption with a common key and transmitted from the server 3 (UD6 and UD7). The received common key-encrypted program is decrypted to generate a raw program, and the raw program is re-encrypted with an inherent key to newly generate an inherent key-encrypted program, which is stored in an external memory.
    Type: Grant
    Filed: October 30, 2003
    Date of Patent: June 9, 2009
    Assignee: Panasonic Corporation
    Inventors: Makoto Fujiwara, Yusuke Nemoto, Junichi Yasui, Takuji Maeda, Takayuki Ito, Yasushi Yamada, Shinji Inoue
  • Patent number: 7539312
    Abstract: A system including a secure LSI 1 establishes a communication path to/from a server 3 (UD1), and receives a common key-encrypted program generated by encryption with a common key and transmitted from the server 3 (UD6 and UD7). The received common key-encrypted program is decrypted to generate a raw program, and the raw program is re-encrypted with an inherent key to newly generate an inherent key-encrypted program, which is stored in an external memory.
    Type: Grant
    Filed: May 14, 2007
    Date of Patent: May 26, 2009
    Assignee: Panasonic Corporation
    Inventors: Makoto Fujiwara, Yusuke Nemoto, Junichi Yasui, Takuji Maeda, Takayuki Ito, Yasushi Yamada, Shinji Inoue
  • Patent number: 7540024
    Abstract: The described systems, methods and data structures are directed to a portable computing environment. A communication link is established between a portable device and a host device. The portable device is equipped with a processing unit and is configured to execute a process that is accessible by the host device. The host device includes an application configured to interact with the process on the portable device. The process on the portable device provides data to the application on the host device using the communication link. The application uses the data to provide a computing environment.
    Type: Grant
    Filed: November 3, 2004
    Date of Patent: May 26, 2009
    Assignee: Microsoft Corporation
    Inventors: Thomas G Phillips, Christopher A Schoppa, William J Westerinen, Mark A Myers
  • Patent number: 7539648
    Abstract: A system and method include means for processing a cryptographic certificate adapted to provide security functionality. A register means is provided and means for adjusting the register means to account for services when the cryptographic certificate is processed. In accordance with another aspect, a system and method include a register means for storing funds. Means are provided for processing a digital token providing proof of postage payment and means are also provided for processing a cryptographic certificate adapted to provide security functionality. Means debit funds stored in the register means when the digital token is processed and when the cryptographic certificate is processed. Processing the cryptographic certificate may involve many functions such as providing security services and/or certificate management functions (including generating and verifying cryptographic certificates) and/or key management functions and/or access to any needed private keys to perform security services.
    Type: Grant
    Filed: August 29, 2000
    Date of Patent: May 26, 2009
    Assignee: Pitney Bowes Inc.
    Inventors: Robert A. Cordery, David K. Lee, Leon A. Pintsov, Frederick W. Ryan, Jr., Monroe A. Weiant, Jr.
  • Patent number: 7539863
    Abstract: The described systems, methods and data structures are directed to a portable computing environment. A communication link is established between a portable device and a host device. The portable device is equipped with a processing unit and is configured to execute a process that is accessible by the host device. The host device includes an application configured to interact with the process on the portable device. The process on the portable device provides data to the application on the host device using the communication link. The application uses the data to provide a computing environment.
    Type: Grant
    Filed: November 4, 2004
    Date of Patent: May 26, 2009
    Assignee: Microsoft Corporation
    Inventors: Thomas G Phillips, Christopher A Schoppa, William J Westerinen, Mark A Myers
  • Patent number: 7519816
    Abstract: The described systems, methods and data structures are directed to a portable computing environment. A communication link is established between a portable device and a host device. The portable device is equipped with a processing unit and is configured to execute a process that is accessible by the host device. The host device includes an application configured to interact with the process on the portable device. The process on the portable device provides data to the application on the host device using the communication link. The application uses the data to provide a computing environment.
    Type: Grant
    Filed: November 4, 2004
    Date of Patent: April 14, 2009
    Assignee: Microsoft Corporation
    Inventors: Thomas G Phillips, Christopher A Schoppa, William J Westerinen, Mark A Myers
  • Patent number: 7516321
    Abstract: A trusted authority delegates authority to a device. This delegation of authority is effected by providing a yet-to-be completed chain of public/private cryptographic key pairs linked in a subversion-resistant manner. The chain terminates with a penultimate key pair formed by public/private data, and a link towards an end key pair to be formed by an encryption/decryption key pair of an Identifier-Based Encryption, IBE, scheme. The private data is securely stored in the device for access only by an authorized key-generation process that forms the link to the end key pair and is arranged to provide the IBE decryption key generated using the private data and encryption key. This key generation/provision is normally only effected if at least one condition, for example specified in the encryption key, is satisfied. Such a condition may be one tested against data provided by the trusted authority and stored in the device.
    Type: Grant
    Filed: March 8, 2004
    Date of Patent: April 7, 2009
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Liqun Chen, Stephen James Crane, Cheh Goh
  • Patent number: 7516483
    Abstract: A method of accomplishing two-factor user authentication, comprising providing two separate user authentication methods, enabling a user to communicate authentication data for both authentication methods to a first web site using the internet, and enabling the communication of at least some of the authentication data from the first web site to a second web site also using the internet. Both web sites are thus involved in user authentication using the authentication data.
    Type: Grant
    Filed: February 26, 2007
    Date of Patent: April 7, 2009
    Assignee: Secure Computing Corporation
    Inventor: Sean Brennan
  • Patent number: 7511842
    Abstract: An image forming apparatus includes a document control service that generates authentication information corresponding to the request to output a stored document and transmits the authentication information to the network service, and a document output service that receives the authentication information from the network service, obtains the stored document corresponding to the authentication information, and outputs the obtained stored document. After authenticating the stored document, the document control service generates authentication information corresponding to a request to output the stored document from an external network apparatus. The document control service, the external network apparatus, and the document output service can exchange the authentication information instead of the stored document.
    Type: Grant
    Filed: March 19, 2003
    Date of Patent: March 31, 2009
    Assignee: Ricoh Company, Ltd.
    Inventor: Sachiko Mihira
  • Patent number: 7512800
    Abstract: A key management technique establishes a secure channel through an indeterminate number of nodes in a network. The technique comprises enrolling a smart card with a unique key per smart card. The unique key is derived from a private key that is assigned and distinctive to systems and a card base of a card issuer. An enrolled smart card contains a stored public entity-identifier and the secret unique key. The technique further comprises transacting at a point of entry to the network. The transaction creates a PIN encryption key derived from the smart card unique key and a transaction identifier that uniquely identifies the point of entry and transaction sequence number. The technique also comprises communicating the PIN encryption key point-to-point in encrypted form through a plurality of nodes in the network, and recovering the PIN at a card issuer server from the PIN encryption key using the card issuer private key.
    Type: Grant
    Filed: February 3, 2004
    Date of Patent: March 31, 2009
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: W. Dale Hopkins
  • Patent number: 7509292
    Abstract: This invention concerns a consumable authentication method for validating the existence of an untrusted chip. A random number is encrypted using a first key and sent to an untrusted chip. In the untrusted chip it is decrypted using a secret key and re-encrypted together with a data message read from the untrusted chip. This is decrypted so that a comparison can be made with the generated random number and the read data message.
    Type: Grant
    Filed: August 8, 2003
    Date of Patent: March 24, 2009
    Assignee: Silverbrook Research Pty Ltd
    Inventor: Simon Robert Walmsley
  • Patent number: 7506183
    Abstract: Suppression of malfunction of an authentication circuit for authenticating a battery pack. A signal line for applying an intermediate potential between the power supply and ground and for reading the potential of a thermistor for detecting the temperature is used as a transmission path for exchanging data between a battery pack and main device. A master-authentication circuit and slave-authentication circuit comprise level-correction circuits, which are connected to the signal line by way of a voltage-comparator circuit. The level-correction circuits are constructed such that they correct the signal applied to the signal line so that it is greater than or less than the unstable-region voltage, and output it to the input end of the authentication circuits, so that unstable-region voltage is not applied to the input end.
    Type: Grant
    Filed: November 22, 2005
    Date of Patent: March 17, 2009
    Assignee: NEC Electronics Corporation
    Inventor: Azuma Araya
  • Patent number: 7500103
    Abstract: Apparatus for parsing and tokenizing a data stream comprises: a storage component to store a history buffer containing an unencoded version of a previously encoded string; a comparison component to compare a string from the input data stream with the unencoded version of at least one previously encoded string; a second storage component to store: an indicator that at least two matches were found by the first comparison component, and tokens corresponding to the matches; a summing component to sum potential token lengths to provide total potential token lengths; a second comparison component to compare total potential token lengths; a selection component to select a match corresponding to a shortest total token length to represent the string from said input data stream; and an emitting component for emitting tokens representing the match corresponding to the shortest total token length. The tokens may be used in, for example, compression or encryption.
    Type: Grant
    Filed: March 23, 2004
    Date of Patent: March 3, 2009
    Assignee: International Business Machines Corporation
    Inventors: Gordon J Cockburn, Adrian John Hawes
  • Patent number: 7493487
    Abstract: The described systems, methods and data structures are directed to a portable computing environment. A communication link is established between a portable device and a host device. The portable device is equipped with a processing unit and is configured to execute a process that is accessible by the host device. The host device includes an application configured to interact with the process on the portable device. The process on the portable device provides data to the application on the host device using the communication link. The application uses the data to provide a computing environment.
    Type: Grant
    Filed: October 15, 2004
    Date of Patent: February 17, 2009
    Assignee: Microsoft Corporation
    Inventors: Thomas G Phillips, Christopher A Schoppa, William J Westerinen, Mark A Myers
  • Patent number: 7490333
    Abstract: The invention relieves an application programmer of the responsibility for managing access rights, by providing application code that is independent of the protection in a chip card. When an application, for example in a docking station, is given access to an object pertaining to another application in a chip card, two capabilities are created respectively in the applications, as objects, to protect all subsequent accesses to the object by filtering them through the two capabilities. On accessing an object pertaining to an application, if a second object pertaining to the other application is passed on to the latter, two other capabilities are added in the applications to protect access to the second object.
    Type: Grant
    Filed: December 8, 2000
    Date of Patent: February 10, 2009
    Assignee: Gemalto SA
    Inventors: Gilles Grimaud, Daniel Hagimont, Jean-Jacques Vandewalle
  • Publication number: 20090037730
    Abstract: A security and protection device (1) for protection of the data and executable codes of any fixed or portable computer system and that has a memory medium to be protected. The security and protection device (1) is located physically between the computer system (2) and the memory medium (MP) to be protected, in order to allow the computer system (2) access to the data and codes to be protected after execution of the protection functions independently of the machine code executed by the computer system (2) and requires no interaction with the processor of the system for the execution of these functions.
    Type: Application
    Filed: July 31, 2007
    Publication date: February 5, 2009
    Inventors: Rene Martin, Alain Filee
  • Publication number: 20090006846
    Abstract: This application is directed to a system for remotely directing a host device to perform an operation using a key. The key may include a communications circuitry for transmitting data, for example a key identifier or an instruction to perform an operation, within a personal area network created by the communications circuitry. When a host device is within the personal area network, the key may transmit data received by a transceiver on the host device. In response to receiving the data, the host device may perform an operation (e.g., an authentication operation). In some embodiments, the key may transmit data identifying an operation for the host device to perform. In some embodiments, the host device may store in memory key identification information and an associated operation which may be retrieved when the key is brought in proximity of the host device.
    Type: Application
    Filed: June 27, 2007
    Publication date: January 1, 2009
    Inventor: Michael Rosenblatt
  • Publication number: 20080313457
    Abstract: The present invention discloses a system and method of leveraging mobile telephone provider assets and distribution network to securely deliver security tokens, such as PKI certificates. The invention is not limited to using a mobile telephony infrastructure and other pre-existing distributions can also be used. In the invention, a user requested security token can be delivered to a storefront associated with a mobile telephone provider. The storefront can be one proximate to a requesting user. An optional activation key can also be conveyed to the requesting user. The requesting user can be required to physically travel to the storefront to receive the security token. At the storefront, an identity of the requesting user can be verified, such as through photo identification. The security token can be provided when the requesting user has been successfully verified. Use of the security token can still require activation involving the activation key.
    Type: Application
    Filed: June 18, 2007
    Publication date: December 18, 2008
    Applicant: International Business Machines Corporation
    Inventor: Paul Ilechko
  • Patent number: 7454784
    Abstract: A system and method to verify a user's identity in an Internet-related transaction. One system and method use a personal computer having identification information, a card reader, and a personal identification card having access information, to verify a user's identity using the access information and the identification information. Another system and method use a personal computer, a card reader, and a personal identification card having access information, wherein the card reader is included as part of a mouse coupled to the personal computer and wherein a user's identity is verified using the access information. Another system and method use a personal computer, a fingerprint reader, a card reader, and a personal identification card having access information to verify a user's identity using the access information and the data of the fingerprint reader.
    Type: Grant
    Filed: July 9, 2002
    Date of Patent: November 18, 2008
    Inventors: Harvinder Sahota, Neil Sahota
  • Publication number: 20080270791
    Abstract: Techniques are disclosed for performing operations in an authentication token or other cryptographic device in a system comprising an authentication server. In one aspect, a code generated by the authentication server is received in the cryptographic device. The code may have associated therewith information specifying at least one operation to be performed by the cryptographic device. The cryptographic device authenticates the code, and responsive to authentication of the code, performs the specified operation. If the code is not authenticated, the operation is not performed. The code may be determined as a function of a one-time password generated by the authentication server. The function may also take as an input an identifier of the operation to be performed.
    Type: Application
    Filed: June 28, 2007
    Publication date: October 30, 2008
    Inventors: Magnus Nystrom, William M. Duane, James Townsend
  • Patent number: 7441266
    Abstract: An electronic system is disclosed. In one embodiment, the electronic system comprises a wireless communication adapter that includes an antenna for transmitting and/or receiving information and a connector configured to enable selective mating engagement of the connector with a connection port of an electronic device. In one embodiment, the wireless communication adapter is configured to communicate information between first and second electronic devices via the antenna. Other electronic systems, devices, and methods are also disclosed.
    Type: Grant
    Filed: October 31, 2006
    Date of Patent: October 21, 2008
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Ligy Kurian, James A. Jensen, Paul L. Drew
  • Patent number: 7434070
    Abstract: Access control to data processing means, such as a smart card, is made secure by simulating a comparison block by block of part of a secret code with part of a presented code through a block-by-block comparison of part of the presented code and part of a determined number when the presented code is found to be erroneous. Each time the card is used, a constant number of operations are applied to the presented code and at least for part of the secret code, and at most for a complementary part to the determined number, thus avoiding different signatures of power consumption for different presented codes.
    Type: Grant
    Filed: June 21, 2001
    Date of Patent: October 7, 2008
    Assignee: Gemplus
    Inventors: Pascal Moitrel, Johan Pascal
  • Publication number: 20080215879
    Abstract: A system and computer implemented method for providing a widget are described. The widget is portable, embeddable and for dynamically displaying multimedia content. The method and system include receiving a request corresponding to the widget and performing an authentication corresponding to the request. The method and system also include fulfilling the request if the authentication is successful.
    Type: Application
    Filed: October 23, 2007
    Publication date: September 4, 2008
    Inventors: Carnet Williams, Olin Lagon, Kevin Hughes
  • Patent number: 7418500
    Abstract: A mechanism for controlled sharing of files by clustered applications is provided. The mechanism expands a distributed file access protocol, such as the direct access file system protocol, by including an open with share token command and an open_downgrade operation to adjust the access and deny levels for a given resource.
    Type: Grant
    Filed: March 25, 2002
    Date of Patent: August 26, 2008
    Assignee: Network Appliance, Inc.
    Inventors: Don Bolinger, Arthur Lent, Jeffrey Silberman
  • Patent number: 7412601
    Abstract: An illegal data use prevention system includes a registrar which issues first authentication information for a game machine reproducing data and second authentication information for a user-identifying IC card. The data is identified by the first authentication information and the second authentication information. The game machine contains the first authentication information and, for example, executes a game program in accordance with a result of determination as to whether the IC card contains the second authentication information. Thus, illegal use of data is effectively prevented.
    Type: Grant
    Filed: May 19, 2004
    Date of Patent: August 12, 2008
    Assignee: Sharp Kabushiki Kaisha
    Inventors: Yoshiki Shibata, Kunio Sensui, Kazuhiro Yamamoto
  • Patent number: 7409554
    Abstract: To provide an improved management structure of memory devices storing service-use applications. A card for a memory device applied to use various services is provided as one or more child cards corresponding to each of the services, a parent card stores data for child-card issue management, and the child-card issue processing is executed based on the parent card, such as parent card authentication. An issue certificate having a parent-card digital signature is stored in the child card, the issue certificate contains a service code and a child-card identification, and thus it becomes possible to confirm a service set in the child card based on the issue certificate as the parent-card signature data.
    Type: Grant
    Filed: April 17, 2002
    Date of Patent: August 5, 2008
    Assignee: Sony Corporation
    Inventors: Yoshihito Ishibashi, Susumu Kusakabe, Hideaki Watanabe
  • Patent number: 7409704
    Abstract: A telecommunications system and method is disclosed for implementing a Policy Enforcement Point (PEP) for an Internet Service Provider (ISP) at the subscriber premises. This PEP enforces policies with respect to authentication of subscribers, authorization to access and services, accounting and mobility of the subscribers. These policies are defined by the ISP operator in a Policy Decision Point (PDP), which is a server connected to the Internet that communicates with the PEP. In addition, the ISP can supply an encryption key for the PEP and an encryption key for a particular subscriber. Thus, all communications between the subscriber and the PEP, as well as between the PEP and the PDP can be encrypted.
    Type: Grant
    Filed: July 15, 1999
    Date of Patent: August 5, 2008
    Assignee: Telefonaktiebolaget L M Ericsson (PUBL)
    Inventor: Philippe Charas
  • Patent number: 7406598
    Abstract: A system on a chip (SOC) device is disclosed comprising external outputs and external inputs. A first secure storage location is operably decoupled from all of the external outputs of the SOC device during a normal mode of operation. By being decoupled from all external outputs, representations of the data stored at the first secure storage location are prevented from being provided to the external outputs. A decryption engine is also included on the system on a chip, comprising a first data input, a private key input coupled to a first portion of the first secure storage location, and an output coupled to a second secure location. The decryption engine is operable to determine decrypted data from data received at the first data input based upon a private key received at the private key input. The decryption engine is further operable to write the decrypted data only to the first secure storage location and the second secure location.
    Type: Grant
    Filed: April 22, 2004
    Date of Patent: July 29, 2008
    Assignee: ViXS Systems Inc.
    Inventor: Paul Ducharme
  • Patent number: 7404085
    Abstract: The present invention provides a method and system for communicating via a handheld device to Internet applications such as customer relationship management applications. Automatically generated user information, such as an electronic mail (e-mail) address, containing a certification key is used to authenticate a mobile user's access to Internet applications. Access from mobile devices, such as personal data assistants, is possible because no password is required to log in. Other security measures may be used in conjunction with providing user information to ensure access only to authorized users.
    Type: Grant
    Filed: September 3, 2004
    Date of Patent: July 22, 2008
    Assignee: SAP AG
    Inventors: Martin Lacasse, Jean-Francois Leblay
  • Patent number: 7401223
    Abstract: A trusted authentication chip for use in authenticating an untrusted authentication chip; the trusted authentication chip including a random number generator, a symmetric encryption function and two secret keys for the function, a signature function and a test function; wherein the trusted authentication chip generates test data including a random number and its signature, encrypted using a first of said secret keys and transmits the test data to the untrusted authentication chip, wherein the trusted authentication chip receives a data message and an encrypted version of the data message in combination with the random number from the untrusted authentication chip, the data message being encrypted using a second of said secret keys, wherein the test function operates to encrypt the random number together with the data message by the symmetric encryption function using the second secret key, compare the two versions of the random number encrypted together with the data message using the second key, and in the e
    Type: Grant
    Filed: August 2, 2004
    Date of Patent: July 15, 2008
    Assignee: Silverbrook Research Pty Ltd
    Inventor: Simon Robert Walmsley
  • Publication number: 20080159541
    Abstract: An augmented boot code module includes instructions to be executed by a processing unit during a boot process. The augmented boot code module also includes an encrypted version of a cryptographic key that can be decrypted with a cryptographic key that remains in the processing unit despite a reset of the processing unit. In one embodiment, the processing unit may decrypt the encrypted version of the cryptographic key and then use the decrypted key to establish a protected communication channel with a security processor, such as a trusted platform module (TPM). Other embodiments are described and claimed.
    Type: Application
    Filed: December 29, 2006
    Publication date: July 3, 2008
    Inventors: Mohan J. Kumar, Shay Gueron
  • Patent number: 7392393
    Abstract: A system that allows secure processing in a case where a download-requesting terminal and a download-destination terminal are different devices is implemented. A content distribution server receives a ticket carrying a signature of a download destination from a terminal requesting downloading of content, and verifies the ticket to verify that a device serving as the download destination is a device authorized by the download-requesting terminal, thereby verifying the authenticity of the device serving as the download destination without directly authenticating the device serving as the download destination. Furthermore, a content-signing key [Ksig] or a hash value is exchanged as data that can be cryptographically processed only at the download-requesting device and the download-destination device, so that, for example, checking of the integrity of the content is allowed only at a legitimate download-destination device.
    Type: Grant
    Filed: January 9, 2003
    Date of Patent: June 24, 2008
    Assignee: Sony Corporation
    Inventor: Ryuta Taki
  • Patent number: 7380138
    Abstract: First data to be sent by a first party to a second party is encrypted using an encryption key that is formed using at least a hash value generated by a keyed hash of at least one condition that typically serves as an identifier of an intended recipient of the first data. The encrypted first data is provided to a data recipient who requests a decryption key from the trusted party. The trusted party is responsible for verifying that the recipient meets the specified conditions before providing the decryption key. A valid decryption key is only provided if the correct conditions have been supplied to the trusted party.
    Type: Grant
    Filed: April 22, 2004
    Date of Patent: May 27, 2008
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Liqun Chen, Keith Alexander Harrison
  • Patent number: 7376845
    Abstract: A method for calculating the hash of a message in a device communicating with a smart card involves storing the same hash function in said device and said smart card, wherein the message includes data blocks comprising secret data and other public data, and wherein the secret data is known only by the smart card, performing the calculation of the hash function of the secret data in the smart card, and performing the calculation of the hash function of all or part of the other public data in the device.
    Type: Grant
    Filed: August 28, 2003
    Date of Patent: May 20, 2008
    Assignee: Axalto S.A.
    Inventor: Ilan Mahalal