Including Intelligent Token Patents (Class 713/159)
  • Patent number: 8443432
    Abstract: A method for calibrating a temperature float of a one time password token and a device thereof are provided in the invention relating to the information security field. The method includes steps: the one time password token measures a current ambient temperature at intervals of a first predetermined time, retrieves a data table for a characteristic value relating to the measured temperature, and calibrates a current time value inside the token according to the characteristic value at intervals of a second predetermined time. The one time password token includes a timer module, a measuring module, a retrieving module, a table storing module, a calibrating module, a triggering module, a generating module and a displaying module. The invention calibrates time differentiation of the one time password token caused by the temperature float.
    Type: Grant
    Filed: March 28, 2011
    Date of Patent: May 14, 2013
    Assignee: Feitian Technologies Co., Ltd.
    Inventors: Zhou Lu, Huazhang Yu
  • Patent number: 8438622
    Abstract: In one embodiment, a method comprises receiving a request from a first party for access to controlled data, and providing access to the controlled data to a second party. The first party requests access to the controlled data and a token is provided to the first party. The token includes data associated with authorized access to the controlled data. A request for access to the controlled data including the token is later received from the second party, and access to the controlled data is provided to the second party.
    Type: Grant
    Filed: July 10, 2008
    Date of Patent: May 7, 2013
    Assignee: Honesty Online, LLC
    Inventors: Laurence H. Cynkin, Jay B. Roberts
  • Patent number: 8438116
    Abstract: Digital cash token protocols employ two pairs of private and public keys. Each public key is certified separately and the protocols do not use any blind signature schemes. As a result, the digital cash token protocols provide strong protection of user privacy by using two certified public keys instead of a blind signature. One pair of certified keys consists of one master user private key and one master user public key. A second pair of certified keys consists of one pseudonym user private key and one pseudonym user public key. The use of a master key pair and a pseudonym key pair circumvents the need for blind signatures. As a result, the proposed protocols do not require blind signatures and do not add additional overhead and security requirements necessitated by conventional blind signature schemes. The protocols use public key protocols and digital signatures and symmetric key protocols, which may be readily implemented in standard information security based systems based on cryptographic constructs.
    Type: Grant
    Filed: August 10, 2011
    Date of Patent: May 7, 2013
    Assignee: King Fahd University of Petroleum and Minerals
    Inventors: Ahmed Ibrahim Al-Herz, Mohammad K Ibrahim
  • Patent number: 8433903
    Abstract: An Asynchronous Enhanced Shared Secret Provisioning Protocol (ESSPP) provides a novel method and system for adding devices to a network in a secure manner. A registration process is launched by at least one of two network devices together. These two devices then automatically register with each other. When two devices running Asynchronous ESSPP detect each other, they exchange identities and establish a key that can later be used by the devices to mutually authenticate each other and generate session encryption keys. An out-of-band examination of registration signatures generated at the two devices can be performed to help ensure that there was not a man-in-the-middle attacker involved in the key exchange.
    Type: Grant
    Filed: October 6, 2008
    Date of Patent: April 30, 2013
    Assignee: Microsoft Corporation
    Inventor: Donald A. Zick
  • Patent number: 8434138
    Abstract: A token calculates a one time password by generating a HMAC-SHA-1 value based upon a key K and a counter value C, truncating the generated HMAC-SHA-1 value modulo 10^Digit, where Digit is the number of digits in the one time password. The one time password can be validated by a validation server that calculates its own version of the password using K and its own counter value C′. If there is an initial mismatch, the validation server compensates for a lack of synchronization between counters C and C′ within a look-ahead window, whose size can be set by a parameter s.
    Type: Grant
    Filed: December 6, 2011
    Date of Patent: April 30, 2013
    Assignee: Symantec Corporation
    Inventors: Nicolas Popp, David M'Raihi, Loren Hart
  • Patent number: 8424073
    Abstract: Methods and computer-readable media are provided for refreshing a page validation token. In response to a request for a form from a client, a server responds with the requested form, a page validation token, and a page token refresh program. The client executes the page token refresh program in response to a request to post the contents of the form to the server computer. The page token refresh program determines whether a preset period of time has elapsed since the server computer generated the page validation token. If the period of time has not elapsed, the form is posted to the server with the page validation token and processed by the server computer. If the page timeout has elapsed, the page token refresh program refreshes the page validation token prior to posting the form by requesting an updated page validation token from the server.
    Type: Grant
    Filed: November 13, 2006
    Date of Patent: April 16, 2013
    Assignee: Microsoft Corporation
    Inventors: James Richard Sturms, Matthew Bryan Jeffries, William James Griffin
  • Patent number: 8423058
    Abstract: Registering a client computing device for online communication sessions. A registration server receives a message that has a push token that is unique to the client computing device and a phone number of the client computing device from an SMS (Short Message Service) transit device, which received an SMS message having the push token from the client computing device and determined the phone number of the client computing device from that SMS message. The registration server associates the push token and the phone number and stores it in a registration data store, which is used for inviting users for online communication sessions.
    Type: Grant
    Filed: September 20, 2010
    Date of Patent: April 16, 2013
    Assignee: Apple Inc.
    Inventors: Arun Mathias, Justin Santamaria, Justin Wood, Joe Abuan, Jeremy Brown, Patrick Gates, Matthew Klahn, Andrew H. Vyrros, Braden Thomas, Drew Yao
  • Patent number: 8418226
    Abstract: A tamper resistant servicing Agent for providing various services (e.g., data delete, firewall protection, data encryption, location tracking, message notification, and updating software) comprises multiple functional modules, including a loader module (CLM) that loads and gains control during POST, independent of the OS, an Adaptive Installer Module (AIM), and a Communications Driver Agent (CDA). Once control is handed to the CLM, it loads the AIM, which in turn locates, validates, decompresses and adapts the CDA for the detected OS environment. The CDA exists in two forms, a mini CDA that determines whether a full or current CDA is located somewhere on the device, and if not, to load the full-function CDA from a network; and a full-function CDA that is responsible for all communications between the device and the monitoring server. The servicing functions can be controlled by a remote server.
    Type: Grant
    Filed: March 20, 2006
    Date of Patent: April 9, 2013
    Assignee: Absolute Software Corporation
    Inventor: Philip B. Gardner
  • Patent number: 8413138
    Abstract: Systems and methods are described for securely downloading management client software onto a device from an embedded stub in the device. In one embodiment, the stub client is activated by a message with credentials from a management server. The stub client, after verification of the credentials, downloads and activates a full management client. The management client then participates in any authorized management session with the device management server. The messages are preferably encrypted using a key that is based on the credentials. The credentials may be specific to the device and to the service provider associated with the device.
    Type: Grant
    Filed: February 6, 2008
    Date of Patent: April 2, 2013
    Assignee: Mformation Software Technologies, Inc.
    Inventors: Badri Nath, Rakesh Kushwaha, Amit Shah, Srinivas Devarakonda
  • Patent number: 8412930
    Abstract: A deployable computing environment may facilitate interaction and data sharing between users and devices. Users, devices, and relationships between the users and devices may be represented within the deployable computing environment. A relationship between a user and a device may specify that the device is owned by the user and that the device is authorized to perform operations within the deployable computing environment on behalf of the user. Secure authentication of devices and users for interaction within the deployable computing environment is achieved by authenticating tickets corresponding to the user, the device, and the relationship. A device identification ticket and a user identification ticket are used to authenticate the device and user for interaction within the deployable computing environment. A device claim ticket allows the device to perform delegated operations (e.g., data synchronization, peer connectivity, etc.) on behalf of the user without the user's credentials (e.g.
    Type: Grant
    Filed: October 9, 2008
    Date of Patent: April 2, 2013
    Assignee: Microsoft Corporation
    Inventors: Abolade Gbadegesin, Dharma K. Shukla, Thomas A. Galvin, David R. Reed, Nikolay Smolyanskiy, Eric Fleischman, Roman Batoukov
  • Patent number: 8407465
    Abstract: Disclosed are apparatus and methods for associating a mobile device with a web service or a user account. A unique code is displayed on the mobile device. The unique code is associated with a user account or web service to be utilized with the mobile device. Instructions for a user to enter the unique code in an authentication process via an authentication portal of a management device are also displayed. After it is determined that a user has performed the authentication process, any user identification, which has been associated with the unique code, is then obtained from the management device. The obtained user identification is then stored for use by the mobile device. After user identification has been obtained and stored, the stored user identification is used for the mobile device to participate in an authentication process for authorizing the mobile device to utilize a web service or user account associated with the user identification.
    Type: Grant
    Filed: July 5, 2011
    Date of Patent: March 26, 2013
    Assignee: Yahoo! Inc.
    Inventors: Mor Naaman, Simon P. King
  • Patent number: 8397060
    Abstract: A method for requesting a certificate from a certificate issuer for a public key that is associated with a corresponding private key stored by a storing entity, the method comprising: generating by means of a generating entity a certificate request message indicative of a request for a certificate; and transmitting the certificate request message to the certificate issuer; the certificate request message including an indication of the relationship between the storing entity and the generating entity.
    Type: Grant
    Filed: February 22, 2002
    Date of Patent: March 12, 2013
    Assignee: Nokia Corporation
    Inventors: Nadarajah Asokan, Philip Ginzboorg, Valterri Nieml
  • Patent number: 8397058
    Abstract: A method and system which provides communication between a first portable device and a second portable device. The first portable device stores a first sequence number and a first key, and the second portable device stores a second sequence number and a second key. Verification is performed using the first and second keys. The first sequence number is compared to the second sequence number. If the second sequence number is newer than the first sequence number, the first sequence number is set to have a value of the second sequence number if the verification succeeds. If the first sequence number is newer than the second sequence number, the second sequence number is set to have a value of the first sequence number if verification succeeds.
    Type: Grant
    Filed: July 28, 2000
    Date of Patent: March 12, 2013
    Assignee: Mondex International Limited
    Inventors: Kazuo J. Ezawa, Dave Roberts, Michael Foster, John Kelly
  • Patent number: 8392702
    Abstract: A system for token-based management of a PKI (public key infrastructure) personalization process includes a token request and management system (TRMS) configured to gather request information from a requestor; and a token personalization system (TPS) configured to personalize a hardware token such that usage of the hardware token is constrained by the request information. A method for token-based management of a PKI personalization process includes: requesting a hardware token; personalizing a hardware token such that the hardware token is confined to operation within limiting parameters; binding the hardware token to a workstation which is configured to receive the hardware token and use credentials within the hardware token to request and download PKI data from a PKI server, the workstation being further configured to personalize an end user product by loading the PKI data into internal memory contained within the end user product; and monitoring usage of the hardware token and the PKI data.
    Type: Grant
    Filed: July 17, 2008
    Date of Patent: March 5, 2013
    Assignee: General Instrument Corporation
    Inventors: Xin Qiu, Eric Sprunk, Liqiang Chen, Jason Pasion
  • Patent number: 8386773
    Abstract: A mobile communication device operates in a wireless communication network with use of a communication service provided by a service provider (e.g. a wireless carrier for voice telephony, or data service provider for data synchronization). An application server receives, via the wireless network, a message from the mobile device. The message has a field for inclusion of a token having a digital signature corresponding to the service provider. The application server performs token validation of the message, which includes a verification step for verifying the digital signature of the token with a public key corresponding to the service provider. The application server then grants or denies access to an application service depending on the outcome of the token validation. In one embodiment, the application service is an e-commerce transaction service, wherein a proof-of-work (POW) test (e.g. a Captcha test) otherwise utilized for the service is bypassed or excluded.
    Type: Grant
    Filed: December 9, 2008
    Date of Patent: February 26, 2013
    Assignee: Research In Motion Limited
    Inventors: Alexander Sherkin, Will D. Franco
  • Patent number: 8386775
    Abstract: A tolerant key verification method is provided. The tolerant key verification method comprises the following steps. A first key is generated instantly according to first characteristic values from a user terminal and is transmitted to a verification server to perform a comparison. When a data in the verification server matches the first key, the verification server makes no response and asks a network-service server to provide a network service to the user terminal. When the data doesn't match the first key, the verification server makes no response. When no data is available, the verification server makes no response and asks a message server to send a key-regeneration signal to the user terminal such that the user terminal generates a second key instantly according to second characteristic values. The verification server saves the second key and asks the network-service server to provide the network service to the user terminal.
    Type: Grant
    Filed: August 13, 2010
    Date of Patent: February 26, 2013
    Assignee: InterCity Business Corporation
    Inventor: Hu-Mu Chen
  • Patent number: 8370265
    Abstract: A transaction processing service operates as an intermediary between acquirers of financial transaction requests and issuing institutions that process the financial transaction requests. The intermediary service enables a customer to selectively change the status of an account associated with a payment instrument by activating or deactivating the account. The intermediary service may manage account status locally using a rules module. Alternatively, the issuing institution may manage account status, while the intermediary service provides an interface for customers. A customer communicates with the intermediary service to direct the service to change the account status. The intermediary service determines the account's issuing institution and provides an indication to the issuing institution of the current status of the account (or of the change in status).
    Type: Grant
    Filed: August 18, 2010
    Date of Patent: February 5, 2013
    Assignee: FonWallet Transaction Solutions, Inc.
    Inventors: Todd R. Coulter, Mordechai E. Kaplinsky, Christopher E. Lewis, Jeffery A. Warmington
  • Patent number: 8370638
    Abstract: A method of generating authentication seeds for a plurality of users, the method involving: based on a single master seed, generating a plurality of derivative seeds, each one for a corresponding different one of a plurality of users; and distributing the plurality of derivative seeds to a verifier for use in individually authenticating each of the plurality of users to that verifier, wherein generating each one of the plurality of derivative seeds involves mathematically combining the master seed and a unique identifier identifying the corresponding user.
    Type: Grant
    Filed: February 17, 2006
    Date of Patent: February 5, 2013
    Assignee: EMC Corporation
    Inventors: William Duane, Jeffrey Hamel
  • Patent number: 8370266
    Abstract: An authentication-authorization system for a mobile communication terminal and a method therefor are provided. When a mobile communication terminal is in a connect state, code data randomly generated by a remote encoding terminal is continuously provided to the terminal and data management terminal. When an application service program on the mobile communication terminal or an application service terminal connected to the mobile communication terminal needs to execute an authentication-authorization, identification data of the mobile communication terminal and its card and code data can be offered to the data management terminal to carry out a bidirectional dynamic authentication-authorization, to determine whether or not to allow the application service program or the application service terminal to keep providing an application service.
    Type: Grant
    Filed: August 27, 2010
    Date of Patent: February 5, 2013
    Inventor: Min-Chieh Su
  • Patent number: 8352731
    Abstract: A secure decentralized storage system provides scalable security by addressing the performance bottleneck of the security manager and the complexity issue of security administration in large-scale storage systems.
    Type: Grant
    Filed: April 17, 2009
    Date of Patent: January 8, 2013
    Assignee: Huazhong University of Science & Technology
    Inventors: Ke Zhou, Dan Feng, Zhongying Niu, Tianming Yang, Qinhua Yan, Dongliang Lei, Wei Yan
  • Patent number: 8353053
    Abstract: A data loss prevention system, method, and computer program product are provided for determining whether a device is protected with an encryption mechanism before storing data thereon. In operation, data to be stored on a device is identified. Additionally, it is determined whether the device is protected with an encryption mechanism. Furthermore, there is conditional reaction, based on the determination.
    Type: Grant
    Filed: April 14, 2008
    Date of Patent: January 8, 2013
    Assignee: McAfee, Inc.
    Inventor: Gopi Krishna Chebiyyam
  • Patent number: 8347078
    Abstract: A method of generating a device certificate. A method of generating a device certificate comprising, constructing a device certificate challenge at a device, sending information to a device certificate individualization server in response to the device certificate challenge, validating the device certificate challenge by the device certificate individualization server, and validating the device certificate response by the device.
    Type: Grant
    Filed: December 20, 2004
    Date of Patent: January 1, 2013
    Assignee: Microsoft Corporation
    Inventors: Amit Jain, Clifford Paul Storm, Benjamin Brooks Cutter, Jr., Brian Patrick Evans
  • Patent number: 8347083
    Abstract: Secure cross-frame communication between frames in a web browser may be achieved using encryption. The communication may occur between frames that pass messages to one another via an untrusted, and potentially malicious, intermediary. To prevent an intermediary from reading the content of messages, frames may agree on and use a shared secret encryption key to encrypt messages. This key may be created by passing tokens between frames that want to securely communicate.
    Type: Grant
    Filed: January 4, 2012
    Date of Patent: January 1, 2013
    Assignee: Google Inc.
    Inventor: Jeffrey William Scudder
  • Patent number: 8336100
    Abstract: A computer-implemented method for using reputation data to detect packed malware may include: 1) identifying a file downloaded from a portal, 2) determining that the file has been packed, 3) obtaining community-based reputation data for the file, 4) determining, by analyzing the reputation data, that instances of the file have been encountered infrequently (or have never been encountered) within the community, and then 5) performing a security operation on the file (by, for example, quarantining or deleting the file).
    Type: Grant
    Filed: August 21, 2009
    Date of Patent: December 18, 2012
    Assignee: Symantec Corporation
    Inventors: Adam Glick, Nicholas Graf, Spencer Smith
  • Patent number: 8335489
    Abstract: Identification information used to identify a wireless-communication apparatus is acquired from a portable storage medium, a search for the wireless-communication apparatus is made based on the acquired identification information, and it is determined whether or not wireless parameters should be set to the wireless-communication apparatus according to the search result.
    Type: Grant
    Filed: November 8, 2007
    Date of Patent: December 18, 2012
    Assignee: Canon Kabushiki Kaisha
    Inventor: Masashi Hamada
  • Patent number: 8332524
    Abstract: Disclosed is a method and system for delivering a reusable framework. The disclosure invokes an interface to define an information service within the reusable framework. The defined information service is stored in a repository. The method further includes outputting a service request as an address for invoking the defined information service and establishing a data connection after receiving the service request wherein the defined information service can be invoked.
    Type: Grant
    Filed: October 17, 2007
    Date of Patent: December 11, 2012
    Assignee: International Business Machines Corporation
    Inventors: Steven M. Garfinkle, Jamshid A. Vayghan
  • Publication number: 20120311324
    Abstract: A computer program product is provided and includes a tangible storage medium readable by a processing circuit and on which instructions are stored for execution by the processing circuit for performing a method. The method includes checking whether information to be translated between a key token and a key block is valid and, in an event a result of the checking is affirmative, preparing an output by translating the information between the key token and the key block such that the key token and the key block each include key control information cryptographically bound to key material via a wrapping method of the key token and the key block, respectively. The key control information of the key block is related to the key control information of the key token following the translation and disambiguation information for guiding the translation specified prior to or during the translation.
    Type: Application
    Filed: May 31, 2011
    Publication date: December 6, 2012
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Todd W. Arnold, Carsten D. Frehr, Richard V. Kisley
  • Patent number: 8327427
    Abstract: System and method for transparent single sign-on authentication on computers in a networked environment. A preferred embodiment comprises receiving an authentication request from an operating system of a first computer, requesting credentials of an application making the authentication request, authenticating the credentials, storing the credentials if the authentication is successful, and transmitting the credentials to a second computer. On subsequent access requests made by the user on the second computer, the credentials can be retrieved from the secure store, eliminating the need to prompt the user to re-enter authentication information.
    Type: Grant
    Filed: September 25, 2006
    Date of Patent: December 4, 2012
    Assignee: Rockstar Consortium US LP
    Inventors: Martin Soukup, Albert Reiche, Arn Hyndman, Hongbo Li
  • Patent number: 8321665
    Abstract: An apparatus and method for determining contents information corresponding to a Rights Object (RO) by transmitting information on contents together when the RO is moved from a mobile device to a memory card or a smart card or when the RO is moved from the memory card or the smart card to the mobile device are provided. The apparatus includes a meta information manager for determining information on contents corresponding to the RO when the RO is moved, and for generating meta information containing the determined contents information, and a controller for providing control to transmit the RO and the meta information generated by the meta information manager to a portable storage device. Accordingly, the conventional problem can be solved in which information on contents cannot be determined by using a Contents IDentifier (CID) if the RO does not exist together with the contents.
    Type: Grant
    Filed: August 18, 2009
    Date of Patent: November 27, 2012
    Assignee: Samsung Electronics Co. Ltd.
    Inventors: Seong Choi, Jung-Hun Park, Yun-Sang Oh
  • Patent number: 8321923
    Abstract: The invention relates to an authentication and/or rights containing retrievable token such as an IC card comprising at least one physical channel of communication to at least one apparatus and at least two logical channels of communication with said at least one apparatus wherein each logical channel of communication is associated with a different execution environment.
    Type: Grant
    Filed: March 2, 2005
    Date of Patent: November 27, 2012
    Assignee: Gemalto SA
    Inventors: Ilan Mahalal, Alain Rhelimi
  • Patent number: 8321662
    Abstract: A method, system, and computer usable program product for certificate renewal using a secure handshake are provided in the illustrative embodiments. A determination is made, forming an expiration determination, whether a validity period associated with a certificate ends within a predetermined period from a time of receiving the certificate. If the expiration determination is true, a holder of the certificate is notified about the expiration. The holder may be an application executing in a data processing system or the data processing system itself. A new certificate is requested on behalf of the holder. The requested new certificate is received. The new certificate is sent to the holder of the certificate over a network.
    Type: Grant
    Filed: May 8, 2008
    Date of Patent: November 27, 2012
    Assignee: International Business Machines Corporation
    Inventors: Kristin Marie Hazlewood, Annemarie Rose Fitterer
  • Patent number: 8316429
    Abstract: A host computer system is categorized according to uniform resource locator (URL) information extracted from a digital certificate purportedly associated with said host. Thereafter, a secure communication session (e.g., an SSL session) with said host may be granted or denied according to results of the categorizing. If granted, messages associated with the secure session may be tunneled through a proxy without decryption, or, in some cases, even though the secure communication session was authorized messages may be decrypted at the proxy.
    Type: Grant
    Filed: January 31, 2006
    Date of Patent: November 20, 2012
    Assignee: Blue Coat Systems, Inc.
    Inventors: Darrell Long, Lee Dolsen, Doug Moen
  • Patent number: 8312285
    Abstract: A profile management method and system. The method includes retrieving by a computer processor from a user of a social network, a user request for generating a profile. The computer processor retrieves user data and an encrypted master security token comprising an identifier associated with the user. The computer processor generates the profile with the user data and associates the profile with the encrypted master security token. The computer processor receives from the social network a request associated with a membership to the social network. The computer system adds communication data to the encrypted master security token and enables access to the profile based on the encrypted master security token. The computer processor transmits to said first social network, a copy of the profile.
    Type: Grant
    Filed: December 7, 2009
    Date of Patent: November 13, 2012
    Assignee: International Business Machines Corporation
    Inventor: Mehmet Yildiz
  • Patent number: 8307424
    Abstract: A password authentication apparatus and a password authentication method for preventing the leakage of password information from user's password input operations includes a memory device for storing a correct answer symbol and selection information for selecting at least one input symbol for each digit of a password; a display for displaying combinations of input symbol candidates based on user operation; a processor for selecting, for each digit of the password, one or more input symbols from the combinations of input symbol candidates displayed by the display based on the selection information corresponding to the digit to determine whether the correct answer symbol corresponding to the digit is included in the selected one or more input symbols; and an authentication board for authenticating that the password is entered correctly when the processor determines that correct answer symbols for all the digits of the password are included.
    Type: Grant
    Filed: January 15, 2009
    Date of Patent: November 6, 2012
    Assignee: Shibaura Institute of Technology
    Inventor: Yutaka Hirakawa
  • Patent number: 8307210
    Abstract: A method for validating a cryptographic token includes (a) operating the cryptographic token to generate a pseudo-random number for authentication purposes by using a cryptographic seed uniquely associated with the cryptographic token, the cryptographic seed having been cryptographically generated using a precursor value, (b) receiving a first value from the cryptographic token, the first value being the pseudo-random number generated by the cryptographic token, (c) inputting the first value and the precursor value into a trusted computing platform, and (d) operating the trusted computing platform to generate a validation signal if the first value can be derived using a specified algorithm from the precursor value, but to generate a failure signal if the first value cannot be derived using the specified algorithm from the precursor value. Accompanying methods and apparatus are also provided.
    Type: Grant
    Filed: May 2, 2008
    Date of Patent: November 6, 2012
    Assignee: EMC Corporation
    Inventor: William M. Duane
  • Patent number: 8307203
    Abstract: A local network traffic processor and an application are resident on a common computer system. The application is configured to trust a server certificate issued by a local network traffic processor, the local network traffic processor operatively being paired with a remote network traffic processor. A proxy server certificate, generated using identification information of a server associated with the remote network traffic processor and signed by the local certification authority, is used to establish a secure session between a local network traffic processor and the application.
    Type: Grant
    Filed: July 14, 2009
    Date of Patent: November 6, 2012
    Assignee: Riverbed Technology, Inc.
    Inventors: Charles Fraleigh, Nitin Gupta, Case Larsen, Shashidhar Merugu, Eric Ogren, Paras Shah, Oleg Smolsky
  • Publication number: 20120278614
    Abstract: A user authorization system, a user authorization apparatus, a smart card, and a user authorization method for ubiquitous authorization management are disclosed.
    Type: Application
    Filed: September 30, 2010
    Publication date: November 1, 2012
    Inventor: Unho Choi
  • Patent number: 8301897
    Abstract: Methods and apparatus for authenticating a user are disclosed. According to one aspect of the present invention, a method for authenticating a user includes displaying a first representation of a challenge. The challenge is based on a ruleset. The method also includes receiving a first input, determining if the first input furthers a successful completion of the first representation of the challenge, and determining if the first input completes the first representation of the challenge. If it is determined that the first input completes the first representation of the challenge and that the first input furthers the successful completion of the first representation of the challenge, the method further includes positively augmenting a security indicator.
    Type: Grant
    Filed: August 23, 2006
    Date of Patent: October 30, 2012
    Assignee: Cisco Technology, Inc.
    Inventor: Bryan C. Turner
  • Patent number: 8286229
    Abstract: Methods, systems, and computer program products are provided for token-based content subscription. Embodiments include receiving a request for content subscription; receiving from a user a subscription token; and delivering content to a device associated with the subscription token.
    Type: Grant
    Filed: May 24, 2006
    Date of Patent: October 9, 2012
    Assignee: International Business Machines Corporation
    Inventors: William K. Bodin, David Jaramillo, Jesse W. Redman, Derral C. Thorson
  • Patent number: 8281386
    Abstract: An authentication program on a network authenticator establishes a secure communication channel with an embedded device. The authentication program receives security credentials from an embedded device. The authentication program receives from the embedded device via the secure communication channel either a secret for the embedded device or a request to generate the secret for the embedded device. The authentication program registers the secret for the embedded device.
    Type: Grant
    Filed: December 21, 2005
    Date of Patent: October 2, 2012
    Assignee: Panasonic Corporation
    Inventors: Thomas Milligan, Bryant Eastham
  • Patent number: 8275995
    Abstract: Security tokens contain data that is each uniquely encrypted based on a unique biometric identifier of an authorized user of that token. Decoders receive the token and the user's biometric identifier, convert the biometric identifier to a biometric key, and apply the biometric key to decrypt the token. In this way, the decoders authenticate the users without performing a biometric identifier comparison. In some embodiments pieces or sets of the data are stored in designated data compartments, which are individually encrypted based on authority keys, and all of the encrypted data compartments are collectively encrypted based on the biometric key to create the token. The decoders store only the authority keys corresponding to the data compartments which they have authorization to open. In addition, in some embodiments the token and the biometric identifier are encrypted and sent to a remote authentication server for decryption of the token.
    Type: Grant
    Filed: November 23, 2011
    Date of Patent: September 25, 2012
    Assignee: Department of Secure Identification, LLC
    Inventor: Brian C. Jobmann
  • Patent number: 8272032
    Abstract: A method is provided for controlling multiple access to a network service to prevent fraudulent use of the network service. The method includes identifying an account access counter for an account using identification information received from a user at a first device using a network, wherein the user is requesting access to a service provided at a second device, and further wherein the account access counter is the number of service access sessions active for the account; comparing the account access counter to a maximum account access number, wherein the maximum account access number defines a maximum number of service access sessions allowed for the account; and providing the user at the first device access to the service at the second device if the account access counter is less than the maximum account access number.
    Type: Grant
    Filed: November 10, 2004
    Date of Patent: September 18, 2012
    Assignee: MLB Advanced Media, L.P.
    Inventors: Joseph Francis Choti, Justin Alexander Shaffer, Christopher Sun, Elangovan Soundararajan, Shadeed S. Willis, Lincoln Hochberg, Sean Curtis
  • Patent number: 8271791
    Abstract: A method for digitally signing electronic documents which are to be kept secure for a very long time, thereby taking into account future cryptographic developments which could render current cryptographic key-lengths insufficient. A double signature is issued for each document. A first digital signature ensures the long term security, while a second digital signature ensures the involvement of an individual user. Thereby, the second digital signature is less computationally intensive in its generation than the first digital signature.
    Type: Grant
    Filed: May 28, 2008
    Date of Patent: September 18, 2012
    Assignee: International Business Machines Corporation
    Inventors: Peter Buhler, Klaus Kursawe, Roman Maeder, Michael Osborne
  • Patent number: 8271642
    Abstract: A system, method, and computer program product are provided for isolating a device associated with at least potential data leakage activity, based on user input. In operation, at least potential data leakage activity associated with a device is identified. Furthermore, at least one action is performed to isolate the device, based on user input received utilizing a user interface.
    Type: Grant
    Filed: August 29, 2007
    Date of Patent: September 18, 2012
    Assignee: McAfee, Inc.
    Inventors: Srinivasan Sankararaman, Deepakeswaran Kolingivadi
  • Patent number: 8272036
    Abstract: Systems and methods for authentication using paired dynamic secrets in secured wireless networks are provided. Each authenticated user is assigned a random secret generated so as to be unique to the user. The secret is associated with a wireless interface belonging to the user, so that no other wireless interface may use the same secret to access the network. The secret may be updated either periodically or at the request of a network administrator, and reauthentication of the wireless network may be required.
    Type: Grant
    Filed: July 28, 2010
    Date of Patent: September 18, 2012
    Assignee: Ruckus Wireless, Inc.
    Inventors: Tyan-Shu Jou, Ming Sheu, Bo-Chieh Yang, Tian-Yuan Lin, Ted Tsei Kuo
  • Publication number: 20120233459
    Abstract: Systems and methods for handling user interface field data. A system and method can be configured to receive input which indicates that the mobile device is to enter into a protected mode. Data associated with fields displayed on a user interface are stored in a secure form on the mobile device. After the mobile device leaves the protected mode, the stored user interface field data is accessed and used to populate one or more user interface fields with the accessed user interface field data for display to a user.
    Type: Application
    Filed: May 28, 2012
    Publication date: September 13, 2012
    Applicant: RESEARCH IN MOTION LIMITED
    Inventors: Neil P. Adams, Herbert A. Little
  • Patent number: 8266676
    Abstract: A client platform can be verified prior to being granted access to a resource or service on a network by validating individual hardware and software components of the client platform. Digests are generated for the components of the client platform. The digests can be collected into an integrity report. An authenticator entity receives the integrity report and compares the digests with digests stored in either a local signature database, a global signature database in an integrity authority, or both. Alternatively, the digests can be collected and stored on a portable digest-collector dongle. Once digests are either validated or invalidated, an overall integrity/trust score can be generated. The overall integrity/trust score can be used to determine whether the client platform should be granted access to the resource on the network using a policy.
    Type: Grant
    Filed: December 8, 2006
    Date of Patent: September 11, 2012
    Assignee: Harris Corporation
    Inventors: Thomas Parasu Hardjono, David Maurits Bleckmann, William Wyatt Starnes, Bradley Douglas Andersen
  • Patent number: 8265593
    Abstract: Described is a method by mobile equipment to communicate with a network. The method includes receiving a network authentication token having a first message authentication code, an authentication message field and a first extended sequence number that includes a first hardware identifier and first sequence number, and authenticating the network based on the first message authentication code, the first hardware identifier, and the first sequence number.
    Type: Grant
    Filed: August 27, 2007
    Date of Patent: September 11, 2012
    Assignee: Alcatel Lucent
    Inventors: Sarvar Patel, Zhibi Wang
  • Patent number: 8255988
    Abstract: A computer that self-administers operating in restricted and unrestricted operating modes boots from a main processor and operates normally in the unrestricted operating mode and operates from an alternate processor in a security module in the restricted operating mode. The alternate processor may communicate directly with peripheral devices such as a display controller and keyboard. Because the main processor is not used and may not even be started in the restricted operating mode, viruses, shims, and other related attacks are virtually eliminated. In one embodiment, the security module may operate as a PCI bus master when in the restricted operating mode.
    Type: Grant
    Filed: March 28, 2007
    Date of Patent: August 28, 2012
    Assignee: Microsoft Corporation
    Inventor: Todd L. Carpenter
  • Patent number: 8250665
    Abstract: A method for controlling a digital television (DTV) includes receiving independent space identification information recorded in a storage area of a compact wireless device and a wired equivalent privacy (WEP) key value of an access point (AP) card, receiving the WEP key value corresponding to the AP card of the DTV from a management server, and comparing the WEP key value received from the compact wireless device with the WEP key value received from the management server. If the WEP key values are identical to each other, receiving first checklist information associated with the use of the independent space from the management server, displaying the received first checklist information, and transmitting second checklist information, in which one or more elements of the displayed first checklist information is marked, to the management server.
    Type: Grant
    Filed: October 26, 2009
    Date of Patent: August 21, 2012
    Assignee: LG Electronics Inc.
    Inventors: Sang Rea Woo, Dae Jin Lim, Hak Joo Lee