Including Intelligent Token Patents (Class 713/159)
-
Patent number: 8250665
Abstract: A method for controlling a digital television (DTV) includes receiving independent space identification information recorded in a storage area of a compact wireless device and a wired equivalent privacy (WEP) key value of an access point (AP) card, receiving the WEP key value corresponding to the AP card of the DTV from a management server, and comparing the WEP key value received from the compact wireless device with the WEP key value received from the management server. If the WEP key values are identical to each other, receiving first checklist information associated with the use of the independent space from the management server, displaying the received first checklist information, and transmitting second checklist information, in which one or more elements of the displayed first checklist information is marked, to the management server.
Type: Grant
Filed: October 26, 2009
Date of Patent: August 21, 2012
Assignee: LG Electronics Inc.
Inventors: Sang Rea Woo, Dae Jin Lim, Hak Joo Lee
-
Patent number: 8244643
Abstract: An acquirer communicates with an intermediary transaction processing service to handle financial transaction requests received from multiple points of purchase. The acquirer receives an initial authorization request generated based on a transaction initiated by a customer at a point of purchase. The initial authorization request includes unique identifying information associated with the customer. The acquirer determines that the unique identifying information is associated with the intermediary service and provides at least part of the initial authorization request to the intermediary service. In response, the intermediary service provides account information to the acquirer. The acquirer then generates a modified authorization request based on the initial authorization request and the received account information and transmits the modified authorization to an issuing institution to request approval of the transaction.
Type: Grant
Filed: September 10, 2009
Date of Patent: August 14, 2012
Assignee: FonWallet Transaction Solutions, Inc.
Inventors: Todd R. Coulter, Mordechai E. Kaplinsky, Christopher E. Lewis
-
Patent number: 8245052
Abstract: A method and apparatus of using a token comprises receiving an indication of a presence of a nearby short-range terminal and waking up the token in response to receiving the indication. The method further comprises performing authentication between the token and the terminal, without requiring a user to directly interact with the token.
Type: Grant
Filed: February 22, 2006
Date of Patent: August 14, 2012
Assignee: DigitalPersona, Inc.
Inventor: Vance C. Bjorn
-
Patent number: 8239671
Abstract: This document describes a channel binding mechanism based on parameter binding in the key derivation procedure. The method cryptographically binds access network parameters to a key without need to carry those parameters in EAP methods.
Type: Grant
Filed: April 20, 2006
Date of Patent: August 7, 2012
Assignees: Toshiba America Research, Inc., Telcordia Technologies, Inc.
Inventor: Yoshihiro Oba
-
Patent number: 8239928
Abstract: Disclosed relates to an access control system and method based on hierarchical keys. The system comprises an access control server (ACS), a home gateway, and a plurality of sensor devices disposed on a home network. The ACS sets up user's access limits of authority and authorization verifier, and saves the related data of user's password and the user's access limits of authority. The gateway records the authority limits' level and the authority limits' key which are constructed based on a hierarchical key structure. When a user logs in the ACS to request access, an one-time communication key between the user and the home gateway is established by exchanging the ticket and the token that are issued by the ACS. This allows the user to access the information of the sensor devices.
Type: Grant
Filed: January 9, 2009
Date of Patent: August 7, 2012
Assignee: Industrial Technology Research Institute
Inventors: Yi-Hsiung Huang, Lun-Chia Kuo, Wen-Guey Tzeng, Huan-Chung Lin, Chya-Hung Tsai
-
Patent number: 8229859
Abstract: Systems and methods are provided for utilizing a digital coin. A bit string is received. The number of bits in the bit string represents a coin value of the digital coin. The individual bit values of the bits of the bit string are used to determine an identity of the digital coin. The identity of the digital coin is validated by a node of an authentication hierarchy. The validation includes comparing bit values of at least a portion of the bits of the bit string to bit values of corresponding bits of known bit strings that represent known issued digital coins. The validation also includes checking that a matching known issued digital coin was not previously redeemed. A digital coin can also be split into multiple digital coins that are each a continuous sequence of bits of the bit string of the original digital coin.
Type: Grant
Filed: April 15, 2008
Date of Patent: July 24, 2012
Inventor: Gideon Samid
-
Patent number: 8230485
Abstract: A system and method for controlling access to a computer provides for loose security within a local network while retaining strong security against external access to the network. In one embodiment, a user has access to trusted nodes in a secured group within an unmanaged network, without being required to choose, enter and remember a login password. To establish such a secure blank password or one-click logon account for the user on a computer, a strong random password is generated and stored, and the account is designated as a blank password account. If the device is part of a secured network group, the strong random password is replicated to the other trusted nodes. When a user with a blank password account wishes to log in to a computer, the stored strong random password is retrieved and the user is authenticated.
Type: Grant
Filed: September 15, 2004
Date of Patent: July 24, 2012
Assignee: Microsoft Corporation
Inventors: Sterling M. Reasor, Ramesh Chinta, Paul J. Leach, John E. Brezak, Eric R. Flo
-
Patent number: 8229997
Abstract: In general, the invention relates to a method for executing at least a portion of a server operation. The method includes providing an extension to a client connected to the server, where the extension includes a portable object connected to the client. The method further includes performing at least the portion of server operation by the extension, where performing at least the portion of the server operation includes executing a copy of at least a portion of server software stored on the portable object.
Type: Grant
Filed: June 22, 2006
Date of Patent: July 24, 2012
Assignee: Gemalto SA
Inventors: Laurent Castillo, Christoph Siegelin
-
Patent number: 8219814
Abstract: A user credential management system and method for managing user credentials are provided. The user credential management system comprises an authentication module for authenticating a user login to a mobile device, and a message transforming module for associating a user credential to a message sent from the mobile device to a server. The method comprising the steps of authenticating a user login to a mobile device, locating a user credential associated with the user login, and associating the user credential to a message between the mobile device and a server.
Type: Grant
Filed: June 30, 2005
Date of Patent: July 10, 2012
Assignee: Psion Teklogix Inc.
Inventors: Ian Elbury, Rastislav Hodul
-
Patent number: 8219804
Abstract: Techniques are provided for securely managing, using smart cards, the usage of a peripheral device. In one embodiment, both the peripheral device and the smart card have digital certificates and a means for authenticating each other. Each device requires authentication of the other device before access to the device's resources is granted. In one embodiment of the invention, the smart card executes a local Java application for managing usage data. The application provides quota and prior usage data to the peripheral device, and updates on the smart card usage data provided by the peripheral device. The usage data on the smart card is used to limit, audit, or track access to resources and operations on the peripheral device. In another embodiment, the authentication and usage management functions of the smart card is implemented on a remote server.
Type: Grant
Filed: September 13, 2007
Date of Patent: July 10, 2012
Assignee: Ricoh Company, Ltd.
Inventor: Jiang Hong
-
Patent number: 8209753
Abstract: An anonymous secure messaging method, system and computer program product for implementation over a wireless connection. The invention allows the securely exchange of information between a security token enabled computer system and an intelligent remote device having an operatively coupled security token thereto over the wireless connection. The invention establishes an anonymous secure messaging channel between the security token and the security token enabled computer system, which allows the intelligent remote device to emulate a locally connected security token peripheral device without requiring a physical connection. A dedicated wireless communications channel is incorporated to prevent several concurrent wireless connections from being established with the security token and potentially compromising the security of the information being sent on concurrent wireless connections.
Type: Grant
Filed: December 22, 2003
Date of Patent: June 26, 2012
Assignee: Activcard, Inc.
Inventors: Wu Wen, Eric F. Le Saint, Jerome Antoine Marie Becquart
-
Patent number: 8209754
Abstract: A secure NFC apparatus includes a plug-in socket, an NFC unit, and a protocol matching unit. A security module is inserted in the plug-in socket. The NFC unit communicates with the outside via non-contact NFC using signals based on an S2C protocol. The protocol matching unit determines the type of chip in the inserted security module, generates a chip identification signal according to results of the identification, and matches the protocol of the signals based on the S2C protocol, which are input to and output from the NFC unit, with the protocol of the signals, which are input to and output from the security module, according to the chip identification signal.
Type: Grant
Filed: September 1, 2006
Date of Patent: June 26, 2012
Assignee: SK Telecom Co., Ltd.
Inventors: Sung-Rock Cheon, Jae-Sic Jeon, O-Hyon Kwon, Joo-Sik Lee
-
Patent number: 8205250
Abstract: A method of validating a digital certificate comprises retrieving from a first data store a digital certificate, retrieving from a second data store a plurality of certificate revocation lists (CRLs), and selecting one of the plurality of CRLs to validate the digital certificate as of a date which is before the current date.
Type: Grant
Filed: July 13, 2007
Date of Patent: June 19, 2012
Assignee: NCR Corporation
Inventors: Andrew R. Blaikie, Gene R. Franklin, Peter J. Hendsbee, Jane A. S. Hunter, Jeewhoon Park
-
Patent number: 8196190
Abstract: An authentication server, on receipt of a request to delete a user account, determines whether the account exists in a user authentication table. If the account exists, the authentication server deletes the account, and retrieves, from a requesters list in which information of devices from which users have to date requested user authentication is saved, an address of a device from which the user targeted for deletion has previously issued an authentication request, and issues a deletion request to that device together with account information. Similar processing to change a user account is performed in response to a change request.
Type: Grant
Filed: February 6, 2009
Date of Patent: June 5, 2012
Assignee: Canon Kabushiki Kaisha
Inventor: Tsuyoshi Muto
-
Patent number: 8196180
Abstract: A system and method for providing roaming access on a network are disclosed. The network includes a plurality of wireless and/or wired access points. A user may access the network by using client software on a client computer (e.g., a portable computing device) to initiate an access procedure. In response, a network management device operated by a network provider may return an activation response message to the client. The client may send the user's username and password to the network provider. The network provider may rely on a roaming partner, another network provider with whom the user subscribes for internet access, for authentication of the user. Industry-standard methods such as RADIUS, CHAP, or EAP may be used for authentication. The providers may exchange pricing and service information and account information for the authentication session. A customer may select a pricing and service option from a list of available options.
Type: Grant
Filed: November 3, 2006
Date of Patent: June 5, 2012
Inventors: James D. Keeler, Matthew M. Krenzer
-
Patent number: 8195576
Abstract: Embodiments of the invention include apparatuses, methods, and computer-program products that provide for a unique financial transaction security system. In one embodiment, the financial transaction security system receives a security protocol from a user. The security protocol includes instructions for allowing transactions without authentication and security features for the user if authentication is necessary. The system then determines that the user is conducting a transaction, compares the transaction to the instructions, and determines whether the transaction can occur without authentication. If the user is required to authenticate his identity, the system requests input from the user, compares the input to the security feature, and determines if the user is authenticated. The user is able to customize both the instructions and the security features to provide greater control over financial transaction security.
Type: Grant
Filed: January 31, 2011
Date of Patent: June 5, 2012
Assignee: Bank of America Corporation
Inventors: David M. Grigg, Patrick B. Kelly, Alicia C. Jones, Marc B. Keller
-
Patent number: 8196186
Abstract: An exemplary method includes receiving a request to register a peer in a peer-to-peer system; generating or selecting a transaction key for the peer; storing the transaction key in association with registration information for the peer; transmitting the transaction key to the peer and, in response to a request to perform a desired peer-to-peer transaction by another peer, generating a token, based at least in part on the transaction key. Such a token allows for secure transactions in a peer-to-peer system including remote storage of data and retrieval of remotely stored data. Other exemplary techniques are also disclosed including exemplary modules for a peer-to-peer server and peers in a peer-to-peer system.
Type: Grant
Filed: May 20, 2008
Date of Patent: June 5, 2012
Assignee: Microsoft Corporation
Inventors: Anton Mityagin, Denis X Charles, Kristin E. Lauter
-
Patent number: 8195941
Abstract: An authentication method between a first IC card and a second IC card interconnected through a terminal includes transmitting an identification number from the second IC card to the first IC card for deriving and storing a key in the first IC card. An authentication number is generated and stored in the first IC card, and is transmitted to the second IC card. The authentication number is encrypted inside the second IC card, and is transmitted to the first IC card. The encrypted authentication number is decrypted through the derived key, and is compared with the authentication number. The second IC card is authorized if the encrypted authentication number in the first IC card is equal to the authentication number. At least one of the transmissions includes an identification and/or authentication number to authorize the first IC card from the second IC card. The identification and/or authentication numbers include a reverse authentication number.
Type: Grant
Filed: June 28, 2007
Date of Patent: June 5, 2012
Assignee: Incard S.A.
Inventors: Giovanni Fontana, Saverio Donatiello
-
Patent number: 8195936
Abstract: A method for transmitting and receiving data of a terminal in a communication system and a communication terminal thereof are provided, which can minimize an exposure of authentication information. A communication terminal includes a rolling token generation unit for generating the rolling tokens; a memory for storing the generated rolling tokens; and a control unit for, if an authentication of the other terminal for performing a communication is completed, generating and transmitting a rolling token whenever a transmission to the other terminal is performed, and in case of receiving a specified rolling token from the other terminal, determining whether the rolling token currently received from the other terminal is identical to the rolling token most recently transmitted.
Type: Grant
Filed: November 10, 2008
Date of Patent: June 5, 2012
Assignee: Samsung Electronics Co., Ltd
Inventor: Jong-Se Won
-
Patent number: 8190913
Abstract: Systems and methods for handling user interface field data. A system and method can be configured to receive input which indicates that the mobile device is to enter into a protected mode. Data associated with fields displayed on a user interface are stored in a secure form on the mobile device. After the mobile device leaves the protected mode, the stored user interface field data is accessed and used to populate one or more user interface fields with the accessed user interface field data for display to a user.
Type: Grant
Filed: April 29, 2005
Date of Patent: May 29, 2012
Assignee: Research In Motion Limited
Inventors: Neil P. Adams, Herbert A. Little
-
Patent number: 8185733
Abstract: A method and apparatus for automatically publishing content based identifiers are described. In one embodiment, the method comprises accessing an electronic communication to obtain a content based identifier (CBI) contained in the electronic communication. In one embodiment, the method may also comprise using the CBI to validate integrity of a hash chained log.
Type: Grant
Filed: October 2, 2008
Date of Patent: May 22, 2012
Assignee: Ricoh Co., Ltd.
Inventors: Edward L. Schwartz, Greg Wolff, Michael J. Gormish, Kurt Piersol
-
Publication number: 20120124370
Abstract: A portable integrated security storage device includes: a password generation module for generating a password; a universal authentication module for storing universal authentication information; a communication interface connected to an external system for transmitting and receiving data with the external system; and a memory for storing the received data received through communication with the external system. The password and universal authentication information are transmitted to the external system for user authentication and device authentication, and encrypted data and a service secret key are received from the external system and stored in the memory.
Type: Application
Filed: November 11, 2011
Publication date: May 17, 2012
Applicant: Electronics and Telecommunications Research Institute
Inventors: Byeong Cheol CHOI, Jae Deok LIM, Seung Wan HAN
-
Patent number: 8181010
Abstract: A system for authenticating a request to access a protected network resource behind two security layers is disclosed. The system includes a client which contains a web browser, a first server tier, and second server tier. The first server tier is protected behind a first security layer and hosts a first software object and second software object. The first server tier is operatively coupled to the client system via a first connection wherein the first software object and second software object are configured to be in communications with the web browser. The second server tier is protected behind the first security layer and second security layer and hosts an authentication service. The second server tier is operatively coupled to the first server tier via a second connection wherein the authentication service is configured to be in communications with the second software object.
Type: Grant
Filed: April 17, 2006
Date of Patent: May 15, 2012
Assignee: Oracle America, Inc.
Inventors: Mrudul P. Uchil, Aravindan Ranganathan
-
Patent number: 8176534
Abstract: A method and apparatus are provided for enabling a Universal Plug and Play (UPnP) device to be automatically provisioned to access services without the need for manual interaction. In accordance with the invention, when a UPnP device needs to be provisioned, it automatically obtains pre-provisioning information from a provisioning device on the home network, and uses the pre-provisioning information to interact with the provisioning device to cause the UPnP device to be provisioned. The provisioning enables the UPnP device to access services, including digital rights management (DRM) services, over a network.
Type: Grant
Filed: December 30, 2005
Date of Patent: May 8, 2012
Assignee: General Instrument Corporation
Inventors: Geetha Mangalore, Petr Peterka
-
Patent number: 8171289
Abstract: A method and apparatus to provide a cryptographic protocol for secure authentication, privacy, and anonymity. The protocol, in one embodiment, is designed to be implemented in a small number of logic gates, executed quickly on simple devices, and provide military grade security.
Type: Grant
Filed: June 11, 2007
Date of Patent: May 1, 2012
Assignee: Symantec Corporation
Inventors: Joseph A. Adler, David M'Raihi
-
Patent number: 8171534
Abstract: An authentication process for a client and a target service to perform mutual authentication. A combined code is received that comprises a combined code hash of at least two sets of data from which an encoding scheme of the at least two sets of data can be determined. The two sets of data comprise a first set of data that includes a first hash of a public key associated with a certificate used to establish a secure channel with a target service, and a second set of data that includes a credential for authentication. The certificate can be validated with the first set of data included in the combined code. In response to a successful validation of the certificate, the credential from the second set of data can be provided to the target service for authentication.
Type: Grant
Filed: August 30, 2010
Date of Patent: May 1, 2012
Assignee: Microsoft Corporation
Inventors: Shannon J. Chan, Thomas W. Kuehnel
-
Patent number: 8166523
Abstract: An authentication device that the user wears reads biometrics information and executes individual authentication by verification. Only when the individual authentication has been successfully performed, authentication with an external unit (such as a server) can be started. Then, only when both the individual authentication based on the biometrics information and the mutual authentication between the external unit (such as a server) and the authentication device have been successfully performed, subsequent data processing, such as payment processing, can be executed. Therefore, even if a fraudulent third party uses a stolen authentication device, because the party cannot satisfy the start condition of authentication with the external server or a PC, fraudulent transactions and other illegitimate behaviors are effectively prevented.
Type: Grant
Filed: August 13, 2002
Date of Patent: April 24, 2012
Assignee: Sony Corporation
Inventors: Tadashi Ezaki, Akira Iga
-
Patent number: 8160966
Abstract: Digital cash token protocols employ two pairs of private and public keys. Each public key is certified separately and the protocols do not use any blind signature schemes. As a result, the digital cash token protocols provide strong protection of user privacy by using two certified public keys instead of a blind signature. One pair of certified keys consists of one master user private key and one master user public key. A second pair of certified keys consists of one pseudonym user private key and one pseudonym user public key. The use of a master key pair and a pseudonym key pair circumvents the need for blind signatures. As a result, the proposed protocols do not require blind signatures and do not add additional overhead and security requirements necessitated by conventional blind signature schemes. The protocols use public key protocols and digital signatures and symmetric key protocols, which may be readily implemented in standard information security based systems based on cryptographic constructs.
Type: Grant
Filed: August 17, 2007
Date of Patent: April 17, 2012
Assignee: King Fahd University of Petroleum and Minerals
Inventors: Ahmed Ibrahim Al-Herz, Mohammad K. Ibrahim
-
Patent number: 8141136
Abstract: The present invention disclosed a method and system of replacing smart cards. It uses a new identification device (a new SIM) to replace an old one (an old SIM) associated with a user account. The new identification device has an identification number (ICCID). The new identification device is activated in the following manner. The old identification device communicates with an identification-management center through a communication interface (mobile telephone). And the identification-management center recognizes the old identification device. The identification number of the new identification device is sent to the identification-management center through the communication interface. The identification-management center checks the identification number. If the identification number is correct, the user account will be assigned to the new identification device by the identification-management center.
Type: Grant
Filed: May 12, 2003
Date of Patent: March 20, 2012
Assignee: Gemalto SA
Inventors: Ping Lee, Cedric Collomb, Hong Wei Cao, Xu Wu, Simon Choi, Jian Wu
-
Patent number: 8135129
Abstract: A method and a circuit for protecting a numerical quantity contained in an integrated circuit on a first number of bits, in a modular exponentiation computing of a data by the numerical quantity, including: selecting at least one second number included between the unit and said first number minus two; dividing the numerical quantity into at least two parts, a first part including, from the bit of rank null, a number of bits equal to the second number, a second part including the remaining bits; for each part of the quantity, computing a first modular exponentiation of said data by the part concerned and a second modular exponentiation of the result of the first by the FIG. 2 exponentiated to the power of the rank of the first bit of the part concerned; and computing the product of the results of the first and second modular exponentiations.
Type: Grant
Filed: June 14, 2006
Date of Patent: March 13, 2012
Assignee: STMicroelectronics S.A.
Inventors: Yannick Teglia, Pierre-Yvan Liardet, Alain Pomet
-
Patent number: 8132244
Abstract: In an authentication server, information representing a first part of a response to a challenge is received during the authentication preparation phase. The challenge and the first part of the response are stored for further use. The challenge is resent and information representing a second part of the response to the challenge is received during a modified authentication phase. The first and second parts of the response are checked against the challenge for authenticating the user. In a smartcard reader, the response received from the smartcard is sent to a computing device, when the smartcard reader received the challenge via an interface to the computing device during normal authentication. In response to the smartcard reader having received the challenge via the interface to the computing device during an authentication preparation phase, the smartcard reader sends the first part of the response to the computing device.
Type: Grant
Filed: November 26, 2008
Date of Patent: March 6, 2012
Assignee: International Business Machines Corporation
Inventor: Boris Baltzer
-
Patent number: 8131997
Abstract: A method of mutually authenticating between a local host and a software mobility device including an operating system virtualization layer, and a method of forming an input/output (I/O) channel. The method of authenticating a local host in the software mobility device includes requesting a certificate from the local host in which an integrity value of the local host is stored, and receiving the certificate from the local host; receiving an integrity value measured in the local host and comparing the measured integrity value with the integrity value included in the certificate to verify the local host; and when the local host is verified, encrypting a security profile of the software mobility device and transmitting the encrypted security profile to the local host so as to provide secure communication between the local host and the software mobility device.
Type: Grant
Filed: April 17, 2008
Date of Patent: March 6, 2012
Assignee: Samsung Electronics Co., Ltd.
Inventors: Kyung-ah Chang, Sang-bum Suh, Sung-kwan Heo, Byung-woan Kim
-
Patent number: 8122246
Abstract: A decryption key unique to each user system is a value obtained by (a) assigning different individual key generation polynomials to a root, a plurality of nodes, and a plurality of leaves of a tree structure, respectively, (b) assigning the different leaves on the tree structure a plurality of subgroups obtained by dividing a group of a plurality of user identification information items which are for individually identifying the user systems, and (c) substituting the user identification information item of the each user system into one of the individual key generation polynomials which corresponds to one of leaves assigned to one of the subgroups to which the user identification information item corresponding to the each user system belongs or an ancestor node of the one of the leaves and a common key generation polynomial common to the root, the nodes, and the leaves.
Type: Grant
Filed: September 13, 2006
Date of Patent: February 21, 2012
Assignee: Kabushiki Kaisha Toshiba
Inventor: Tatsuyuki Matsushita
-
Patent number: 8117453
Abstract: A method and a system of customization and authentication of an electronic circuit for an application implementing an asymmetrical algorithm and using a certification authority, including use of an authentication channel of another application implementing the same asymmetrical algorithm and using another certification authority.
Type: Grant
Filed: November 21, 2006
Date of Patent: February 14, 2012
Assignee: Proton World International N.V.
Inventor: Thierry Huque
-
Patent number: 8112627
Abstract: The present invention discloses a method for self-service recharging and a system for the same, relating to the security communications of online banking. The system comprises a client and a server.
Type: Grant
Filed: April 21, 2008
Date of Patent: February 7, 2012
Assignee: Feitian Technologies Co., Ltd.
Inventors: Zhou Lu, Huazhang Yu
-
Patent number: 8108677
Abstract: The invention that addresses the problem of authentication of the transport packet stream (which constitutes a flow within a session), which has been admitted into a managed packet network. Authentication and the subsequent policing of the flows supporting an identified client's authorized service prevent a large class of denial of service attacks described below. Specifically, the invention addresses two different matters: 1) key distribution and management 2) various forms of using a shared key for the authentication of transport packets on the user-to-network-interface (UNI).
Type: Grant
Filed: June 27, 2007
Date of Patent: January 31, 2012
Assignee: Alcatel Lucent
Inventors: Thomas Wayne Anderson, Igor Faynberg, Hui Lan Lu, Zachary Zeltsan
-
Patent number: 8108669
Abstract: An image forming apparatus for attaching an electronic signature to image data read from a paper document is disclosed. Validity of a first public key certificate that certifies a first signature key is determined. A first electronic signature for the image data is generated by using the first signature key. The first electronic signature is prevented from being generated in response to an event that it is determined that the first public key certificate is invalid.
Type: Grant
Filed: July 10, 2006
Date of Patent: January 31, 2012
Assignee: Ricoh Company, Ltd.
Inventors: Satoshi Saito, Yoichi Kanai
-
Patent number: 8099368
Abstract: A transaction processing service operates as an intermediary between acquirers of financial transaction requests and issuing institutions that process the financial transaction requests. The intermediary service utilizes a customer's mobile device as an out-of-band communication channel to notify a customer of a received financial transaction request. To send the notification, the intermediary service retrieves stored customer information, including an address of the customer's mobile device and a list of payment instruments that can be used to pay for the transaction. Before continuing to process the received financial transaction request, the service may first require the customer to confirm the transaction via the mobile device. The intermediary service retrieves financial account information associated with the customer from issuing institutions, and, if the transaction is confirmed, provides the account information to acquirers in order to allow transactions to be processed.
Type: Grant
Filed: September 10, 2009
Date of Patent: January 17, 2012
Assignee: FonWallet Transaction Solutions, Inc.
Inventors: Todd R. Coulter, Mordechai E. Kaplinsky, Christopher E. Lewis
-
Patent number: 8087074
Abstract: A token calculates a one time password by generating a HMAC-SHA-1 value based upon a key K and a counter value C, truncating the generated HMAC-SHA-1 value modulo 10^Digit, where Digit is the number of digits in the one time password. The one time password can be validated by a validation server that calculates its own version of the password using K and its own counter value C′. If there is an initial mismatch, the validation server compensates for a lack of synchronization between counters C and C′ within a look-ahead window, whose size can be set by a parameter s.
Type: Grant
Filed: October 17, 2005
Date of Patent: December 27, 2011
Assignee: Symantec Corporation
Inventors: Nicolas Popp, David M'Raihi, Loren Hart
-
Patent number: 8078885
Abstract: Security tokens contain data that is each uniquely encrypted based on a unique biometric identifier of an authorized user of that token. Decoders receive the token and the user's biometric identifier, convert the biometric identifier to a biometric key, and apply the biometric key to decrypt the token. In this way, the decoders authenticate the users without performing a biometric identifier comparison. In some embodiments pieces or sets of the data are stored in designated data compartments, which are individually encrypted based on authority keys, and all of the encrypted data compartments are collectively encrypted based on the biometric key to create the token. The decoders store only the authority keys corresponding to the data compartments which they have authorization to open. In addition, in some embodiments the token and the biometric identifier are encrypted and sent to a remote authentication server for decryption of the token.
Type: Grant
Filed: July 14, 2008
Date of Patent: December 13, 2011
Assignee: Innovation Investments, LLC
Inventor: Brian C. Jobmann
-
Publication number: 20110302412
Abstract: Systems and methods for pseudonymous public keys based authentication are described that enable an authentication to achieve pseudonymity and non-repudiation, for example, at the same time. Pseudonymity may provide, for example, that a user can show to different parties different digital identifiers for authentication instead of, for example, always using a single digital identifier everywhere, which may lead to a breach of privacy. Non-repudiation may provide, for example, that the authentication data at the server side can be used, for example, to verify a user's authentication request, but not to generate an authentication request, which might lead to user impersonation. A user may use a physical token to generate the authentication request corresponding to the user's identity to pass the authentication.
Type: Application
Filed: June 6, 2011
Publication date: December 8, 2011
Inventors: Leiwen Deng, Aleksandar Kuzmanovic
-
Patent number: 8074081
Abstract: A data storage device includes a plurality of data storage units, a physical random number generator with a noise source based on a physical noise process, for generating a random number, and a replacer for selecting a data storage unit wherein data is to be stored, depending on the random number. Selecting, on the basis of genuine random numbers, data storage units and/or lines to be replaced in the cache.
Type: Grant
Filed: October 15, 2004
Date of Patent: December 6, 2011
Assignee: Infineon Technologies AG
Inventor: Berndt Gammel
-
Patent number: 8060753
Abstract: Methods, systems, and articles of manufacture consistent with the present invention provide for administering a protected item. An anti-theft key encoded with a radio frequency identification of the user and biometric data of the user is provided. The anti-theft key is associated with the protected item such that the protected item is accessible with the anti-theft key.
Type: Grant
Filed: March 7, 2005
Date of Patent: November 15, 2011
Assignee: The Boeing Company
Inventor: Jeffrey G. King
-
Patent number: 8060750
Abstract: A technique is utilized in the configuration and seeding of security tokens at third party facilities, particularly at facilities of a configuration agent, such that a token can be configured without the configuration agent having security-defeating knowledge about the token. Such a technique allows a third party to provision a token with a seed, but in such a way that the third party will not know, or be able to construct, the seed after the seed provisioning process is complete. The seed may include, by way of example, a symmetric key or other secret shared by two or more entities. In some arrangements, a method is used for secure seed provisioning. Data is derived from inherent randomness in a token or other authentication device. Based on the data, the token or other authentication device is provisioned with a seed.
Type: Grant
Filed: June 29, 2007
Date of Patent: November 15, 2011
Assignee: EMC Corporation
Inventors: William M. Duane, Eric A. Silva, Marco Ciaffi
-
Patent number: 8060746
Abstract: In a method and a device for transferring an e-mail by a public key cryptography between an e-mail transmission device and an e-mail reception device, a trigger message to which user authentication data and a public key are added is received from a transmitting side client, and trust is assigned to the public key within the trigger message to be transmitted to a receiving side client when the user authentication data within the trigger message are authenticated. In response thereto, a response message to which user authentication data and a public key are added is received from the receiving side client, and trust is assigned to the public key within the response message to be transmitted to the transmitting side client when the user authentication data within the response message are authenticated.
Type: Grant
Filed: July 21, 2005
Date of Patent: November 15, 2011
Assignee: Fujitsu Limited
Inventor: Yuji Kojima
-
Patent number: 8060751
Abstract: A programmable electronic device (10) stores a number of cipher-text software modules (14) to which access is granted after evaluating a user's token (55, 80, 82), a software-restriction class (58) for a requested software module (14), and/or a currently active access-control model (60). Access-control models (60) span a range from uncontrolled to highly restrictive. Models (60) become automatically activated and deactivated as users are added to and deleted from the device (10). A virtual internal user proxy that does not require users to provide tokens (80, 82) is used to enable access to modules (16) classified in a global software-restriction class (62) or when an uncontrolled-access-control model (68) is active. Both licensed modules (76) and unlicensed modules (18, 78) may be loaded in the device (10). However, no keys are provided to enable decryption of unlicensed modules (18, 78).
Type: Grant
Filed: September 19, 2007
Date of Patent: November 15, 2011
Assignee: General Dynamics C4 Systems, Inc.
Inventors: Paul Thomas Kitaj, Sherman W. Paskett, Douglas Allan Hardy, Frank Edward Seeker, Steve Robert Tuggenberg
-
Patent number: 8054978
Abstract: A method for content access control operative to enable authorized devices to access protected content and to prevent unauthorized devices from accessing protected content, the method comprising: providing a plurality of authorized devices; dividing the plurality of authorized devices into a plurality of groups, each of the plurality of authorized devices being comprised in at least one of the plurality of groups, no two devices of the plurality of authorized devices being comprised in exactly the same groups; determining whether at least one device of the plurality of authorized devices is to be prevented from having access to the protected content and, if at least one device is to be prevented, removing all groups comprising the at least one device from the plurality of groups, thus producing a set of remaining groups; and determining an authorized set comprising groups from the set of remaining groups, such that each device of the plurality of authorized devices which was not determined, in the determining
Type: Grant
Filed: February 28, 2008
Date of Patent: November 8, 2011
Assignee: NDS Limited
Inventor: Yevgeny Yakov (Gene) Itkis
-
Patent number: 8055716
Abstract: Mail aliases are dynamically created in response to replies of an electronic mail (e-mail) communication. An e-mail communication is sent to a plurality of recipients, and one or more recipients of the e-mail communication respond to the e-mail. In response to receiving the replies, one or more mail aliases are automatically created.
Type: Grant
Filed: October 19, 2006
Date of Patent: November 8, 2011
Assignee: International Business Machines Corporation
Inventors: Janet Morgan, Johnny M. Shieh
-
Patent number: 8055901
Abstract: A method and system for performing document image correction using a document reader is disclosed. The method includes generating a document image representative of a document having a deformation; decoding an optical pattern embedded in the document from the document image to determine an optical signature for the document; receiving document classification data associated with the optical signature; and applying an image correction technique to the document image based on the document classification data to generate a corrected document image. A document capable of being read by a document reader is also disclosed. The document includes a substrate and an optical pattern embedded on the substrate. The optical pattern is part of a background pattern printed on the substrate. The optical pattern defines an optical signature unique to the particular class of document and is associated with document classification data for the document.
Type: Grant
Filed: March 17, 2010
Date of Patent: November 8, 2011
Assignee: Scientific Games International, Inc.
Inventors: William F. Behm, Charles F. Cassidy, Sten H. Mejenborg
-
Patent number: 8037294
Abstract: An identification tag for authenticating a product is associated with the product and has authentication data transmissible to a reader device. The authentication data include source data including a tag identifier that uniquely identifies the identification tag and a signature value that is a result of a private key encryption of a representation of the source data, where the private key encryption uses a private key of a public key encryption method.
Type: Grant
Filed: April 7, 2006
Date of Patent: October 11, 2011
Assignee: SAP AG
Inventor: Zoltan Nochta