Including Intelligent Token Patents (Class 713/159)
  • Patent number: 8037193
    Abstract: A virtual token represents an item, and includes embedded data defining rules and/or capabilities which apply to the use of the item. A virtual token may include graphical image data which is used to generate a display on a computer, whereby selection of the display allows the item represented by the virtual token to be used. A virtual token may contain instructions for sending access requests to a location on a communications network. A system for handling virtual tokens includes a clearing and routing house for routing token access requests, authenticating and generating tokens, and maintaining container structures for tokens. The system also includes connectors installed in a communications network for creating, controlling and managing items represented by tokens, and device clients for executing token components that issue access requests to the clearing and routing house.
    Type: Grant
    Filed: December 20, 2000
    Date of Patent: October 11, 2011
    Assignee: Telstra Corporation Limited
    Inventors: Brian Robert Hay, Timothy Winston Hibberd, Ronald George Leenders, Richard David Kinder
  • Patent number: 8037301
    Abstract: In some aspects, an encryption key setting method includes inputting a code string, selecting a generating procedure for generating a code string from a plurality of generating procedures that were previously set, generating a code string using the inputted code string based upon the selected generating procedure, and setting the generated code string as an encryption key.
    Type: Grant
    Filed: April 19, 2006
    Date of Patent: October 11, 2011
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventors: Daisuke Kasamatsu, Michihiro Nakamura
  • Patent number: 8032937
    Abstract: A worm is a malicious process that autonomously spreads itself from one host to another. To infect a host, a worm must somehow copy itself to the host. The method in which a worm transmits a copy of itself produces network traffic patterns that can be generalized as a traffic behavior. As a worm spreads itself across the network, the propagation of the traffic behavior can be witnessed as hosts are infected, one after another. By monitoring the network traffic for propagations of traffic behaviors, a presence of a worm can be detected.
    Type: Grant
    Filed: October 26, 2004
    Date of Patent: October 4, 2011
    Assignee: The Mitre Corporation
    Inventor: Daniel R. Ellis
  • Patent number: 8032744
    Abstract: A method for proving the validity of a digital document digitally signed using a digital key that corresponds to a digital certificate in a chain of digital certificates issued by certification authorities within a hierarchy of certification authorities. At least one secure digital time stamp is applied to at least one record comprising the digital document, the digital signature, certificate chain data, and information relating to the revocation of certificates by certification authorities within the certificate chain. If, at some later time, one or more digital certificates either expire or are revoked, the timestamp serves as evidence of the integrity of the signed digital document.
    Type: Grant
    Filed: March 20, 2006
    Date of Patent: October 4, 2011
    Assignee: Addison Fischer
    Inventors: Wesley Doonan, Albert J. Wettlaufer, Rone H. Lewis
  • Patent number: 8028167
    Abstract: A method and an electronic apparatus for rolling over from a first to a second trusted certificate in the electronic apparatus. Information containing identification data for identifying the second trusted certificate is acquired in the electronic apparatus. Also, the second trusted certificate, which is preinstalled in the electronic apparatus, is activated based on said identification data.
    Type: Grant
    Filed: June 2, 2006
    Date of Patent: September 27, 2011
    Assignee: Sony Ericsson Mobile Communications AB
    Inventors: Stefan Andersson, Janne Karppinen
  • Publication number: 20110225421
    Abstract: A method of operating a near field communication system includes receiving an electronic tag having information signed by using a private key, verifying the signed information of the electronic tag by using a public key corresponding to the private key, and connecting the mobile terminal to a content server using a result of the verification. The near-field communication system transfers the signed information of the smart poster by using the public key, and connects to the content server after verifying the signed information of the smart poster, thereby preventing malicious phishing using the smart poster.
    Type: Application
    Filed: February 24, 2011
    Publication date: September 15, 2011
    Applicant: Samsung Electronics Co., Ltd
    Inventors: Youngsun HAN, Taeseon Kim
  • Patent number: 8015404
    Abstract: A system and method for authenticating the source and ensuring the integrity of traffic data collected from probe vehicles while maintaining the privacy of the data's source. This is accomplished by dividing the traffic analysis functionality into two distinct responsibilities: data collection, including authentication and verification, and data processing, and assigning each responsibility to a different entity, such that the first entity has access to authentication information which identifies the data's source but not to traffic information such as the source's location, and the second entity has access to the traffic information but not to the authentication information which identifies the data's source.
    Type: Grant
    Filed: September 16, 2005
    Date of Patent: September 6, 2011
    Assignee: GM Global Technology Operations, LLC
    Inventor: Ansaf I. Alrabady
  • Patent number: 7994915
    Abstract: An information processing apparatus includes an equipment means equipped on a predetermined portion of a living body and has a storage means which stores a first biological identification data associated with the predetermined portion of the living body, and a communication means which is held by the equipment means and transmits the first biological identification data to a communication target to which the predetermined position equipped with the equipment means is brought close. A biological authentication means performs biological authentication based on the first biological identification data and on a second biological identification data, said second biological identification data being extracted from biological information detected by a biological sensor.
    Type: Grant
    Filed: October 27, 2005
    Date of Patent: August 9, 2011
    Assignee: Sony Corporation
    Inventor: Hideo Sato
  • Patent number: 7992009
    Abstract: A method of verifying programming of an integrated circuit card includes transferring program data to a page buffer of a non-volatile memory, copying the program data to a buffer memory, calculating a first checksum value with respect to program data in the buffer memory, updating the program data in the buffer memory by copying the program data of the page buffer to the buffer memory, calculating a second checksum value with respect to updated program data in the buffer memory, comparing the first checksum value and the second checksum value, and determining, based on the comparison result, whether the program data of the page buffer is tampered.
    Type: Grant
    Filed: January 5, 2007
    Date of Patent: August 2, 2011
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Kyung-Duck Seo
  • Patent number: 7987142
    Abstract: A computerized intellectual property trading exchange is disclosed for facilitating the trading of license contracts relating to intellectual property rights. The exchange includes at least one intellectual property license contract relating to intellectual property rights and a computer-accessible forum configured to allow a plurality of participants to trade the license contract. The plurality of participants includes at least one seller, which may be the owner, having the license contract and desiring to trade the license contract. The plurality of participants also includes at least one buyer desiring to obtain the license contract. The buyer may be an investor, speculator, market maker, or arbitrageur, who purchases the license contract to achieve appreciation. The buyer also may be a licensee, who purchases the license contract to practice the intellectual property rights.
    Type: Grant
    Filed: January 16, 2009
    Date of Patent: July 26, 2011
    Assignee: IPXI Technologies, LLC
    Inventors: James E. Malackowski, Michael J. Lasinski
  • Patent number: 7983992
    Abstract: An online card-present transaction system facilitates card-present type transactions with a merchant over a public network. A host system is configured to accept authentication data from a user via an authentication device. The host system, after authenticating a user, is configured to retrieve the user's account information from a user database system and translate a user account number into a temporary transaction number. The temporary transaction number is then transmitted directly from the host system to the merchant, thereby eliminating the need for the user to send the user's transaction account number to the merchant over the internet.
    Type: Grant
    Filed: February 23, 2009
    Date of Patent: July 19, 2011
    Assignee: American Express Travel Related Services Company, Inc.
    Inventors: Carol Lee Hobson, Sohail M. Hussain
  • Patent number: 7984297
    Abstract: A system may account for the number of bounced e-mails by adding a number of records over the desired quantity to ensure that a minimum number of e-mails are not returned. To calculate an accurate number of extra records to identify, a system may need to track the percentage of messages returned and add a number of records equal to that percentage over the minimum number required by the particular campaign. However, unless the system accurately identifies a bounced e-mail as one originating from the system, spam or other unsolicited e-mail sent to the system may result in inaccuracies.
    Type: Grant
    Filed: July 25, 2007
    Date of Patent: July 19, 2011
    Assignee: Mypoints.com Inc.
    Inventors: James John Bohannon, Andre Calvin Burgoyne
  • Patent number: 7975287
    Abstract: The invention provides a system and method of authenticating a user to a network. The method comprises: when the user at the device initiates a request for the restricted resource, the network receives the request and automatically initiates an authentication step relating to the user prior to providing the device access to the restricted resource, the authentication step including requesting a user account and a password; processing an input stream from the device from the user in response to the authentication step, the input stream comprising account data and a password; comparing the input stream against account data associated with the restricted resource; if the input stream matches the account data, providing the device with access to the restricted resource; and when the user at the device initiates a request for a non-restricted resource, providing the device with access to the non-restricted resource automatically.
    Type: Grant
    Filed: February 1, 2006
    Date of Patent: July 5, 2011
    Assignee: Research in Motion Limited
    Inventor: Michael Hung
  • Patent number: 7974416
    Abstract: In one embodiment, the present invention includes a method to establish a secure pre-boot environment in a computer system; and perform at least one secure operation in the secure environment. In one embodiment, the secure operation may be storage of a secret in the secure pre-boot environment.
    Type: Grant
    Filed: November 27, 2002
    Date of Patent: July 5, 2011
    Assignee: Intel Corporation
    Inventors: Vincent J. Zimmer, Bryant Bigbee, Andrew J. Fish, Mark S. Doran
  • Patent number: 7966489
    Abstract: In one embodiment, a method for facilitating authentication and easing the configuration of authentication includes receiving a credential type selection and selecting one or more authentication types based on the credential type selection and one or more policies set by the administrators. The policies can be preconfigured or dynamically pushed or fetched and updated to the client.
    Type: Grant
    Filed: August 1, 2006
    Date of Patent: June 21, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Nancy Cam-Winget, Hao Zhou, Robert B. O'Hara, Jr., Patrice R. Calhoun, Jeremy Stieglitz
  • Publication number: 20110145570
    Abstract: An arrangement, system, and methods for creating and distributing authenticated personal information for users of network services and participants in social surveys, and in chat rooms and other forums. A trusted organization verifies that personal information presented by a user is correct, and authenticates the information in an encapsulated form as "certified profiles" within a smart card or other secure portable hardware device issued to the user. Certified profiles are authenticated by digital signatures of the trusted organization and the profile users. Personal information in certified profiles can be in raw and/or in statistically-processed and abstracted form, and can be tailored by the user for specific needs to include whatever personal information is required, and to exclude all other personal information.
    Type: Application
    Filed: April 21, 2005
    Publication date: June 16, 2011
    Applicant: Fortress Gb Ltd.
    Inventors: Carmi David Gressel, Gabried Vago, Ran Granot, Mika Weinstein-Lustig, Uzi Apple, Herve Amsili, Timothy James Salmon, Avi Hecht, Tomer Kanza, Anat Vago, Mordechay Hadad, Amir Ingher
  • Patent number: 7962415
    Abstract: Techniques are described for facilitating interactions between computing systems, such as by performing transactions between parties that are automatically authorized via a third-party transaction authorization system. In some situations, the transactions are programmatic transactions involving the use of fee-based Web services by executing application programs, with the transaction authorization system authorizing and/or providing payments in accordance with private authorization instructions previously specified by the parties. The authorization instructions may include predefined instruction rule sets that regulate conditions under which a potential transaction can be authorized, with the instruction rule sets each referenced by an associated reference token.
    Type: Grant
    Filed: August 18, 2009
    Date of Patent: June 14, 2011
    Assignee: Amazon Technologies, Inc.
    Inventors: Vikas Gupta, Allan H. Vermeulen, Eugene Wei, Andrew R. Jassy, Jeffrey P. Bezos, Duane J. Krause, David A. Schappell
  • Patent number: 7962122
    Abstract: A method of securely initializing subscriber and security data in a mobile routing system when the subscribers are also subscribers of a radio communication network. The method comprises, within the mobile routing system, authenticating subscribers to the mobile routing system using an authentication procedure defined for the radio communication network, collecting subscriber information from relevant nodes of the radio network, and agreeing upon keys by which further communications between the subscribers and the mobile routing system can take place, and using the subscriber information and keys in the provision of mobility services to subscriber mobile nodes and correspondent nodes.
    Type: Grant
    Filed: May 21, 2004
    Date of Patent: June 14, 2011
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Pekka Nikander, Jari Arkko
  • Patent number: 7962742
    Abstract: A device which defends Internet (3) users against malware, inauthentic Internet (3) servers (4), counterfeit secure terminals (1), and other attacks. A secure terminal (1) is used as a PC local peripheral. SSL client software (8) executes on the secure terminal (1). Protocol software (7) and application software (6) which employ SSL execute on the secure terminal (1). Received server (4) certificates and their digital signatures are verified against values pre-loaded into the secure terminal (1). The user and the secure terminal (1) are mutually authenticated by passwords.
    Type: Grant
    Filed: February 22, 2006
    Date of Patent: June 14, 2011
    Inventor: Henry Samuel Schwarz
  • Patent number: 7962744
    Abstract: Portable terminal MS downloads coupon data and public key KEYP2 of IP server 20 from IP server 20. Service terminal T obtains from IP server 20, a server certificate to which a digital signature is applied by secret key KEYS2. One to one local communication by infrared radiation is performed between portable terminal MS and service terminal T. At this point, portable terminal MS decrypts a server certificate by utilizing public key KEYP2 of IP server 20. Then, portable terminal MS communicates specified data after authenticating the identity of service terminal T.
    Type: Grant
    Filed: April 18, 2002
    Date of Patent: June 14, 2011
    Assignee: NTT DoCoMo, Inc.
    Inventors: Masaaki Yamamoto, Yoshiaki Hiramatsu, Satoshi Washio
  • Patent number: 7962419
    Abstract: Techniques are described for facilitating interactions between computing systems, such as by performing transactions between parties that are automatically authorized via a third-party transaction authorization system. In some situations, the transactions are programmatic transactions involving the use of fee-based Web services by executing application programs, with the transaction authorization system authorizing and/or providing payments in accordance with private authorization instructions previously specified by the parties. The authorization instructions may include predefined instruction rule sets that regulate conditions under which a potential transaction can be authorized, with the instruction rule sets each referenced by an associated reference token.
    Type: Grant
    Filed: August 18, 2009
    Date of Patent: June 14, 2011
    Assignee: Amazon Technologies, Inc.
    Inventors: Vikas Gupta, Allan H. Vermeulen, Eugene Wei, Andrew R. Jassy, Jeffrey P. Bezos, Duane J. Krause, David A. Schappell
  • Patent number: 7954144
    Abstract: Methods, signals, devices, and systems are provided for using proxy servers to transparently forward messages between clients and origin servers if, and only if doing so does not violate network policies. In some systems, a transparent proxy uses a combination of standard-format HTTP commands, embedding auxiliary information in URLs and other tools and techniques to redirect an initial client request to one or more policy modules, such as a login server or an identity broker or an access control server. The policy module authenticates the request, and uses HTTP redirection to have the client transmit authorization data to the proxy. The proxy extracts the authorization data, directs the client to use a corresponding cookie, and subsequently provides the implicitly requested proxy services to the client in response to the client's subsequently providing the authorization data in a cookie.
    Type: Grant
    Filed: January 18, 2000
    Date of Patent: May 31, 2011
    Assignee: Novell, Inc.
    Inventors: Hashem Mohammad Ebrahimi, Robert Drew Major
  • Publication number: 20110126002
    Abstract: A method and system for renewing certificates stored on tokens is described.
    Type: Application
    Filed: November 24, 2009
    Publication date: May 26, 2011
    Inventors: Christina Fu, John Garraye Magne
  • Patent number: 7941661
    Abstract: A method in which a test function is called in a system's internal authentication IC multiple times with a known incorrect value such that, if the internal IC is invalid, an expected invalid response is not generated and, otherwise, the internal IC generates a secret random number and its signature and encrypts these using a first secret key, an external authentication IC connected to the system calls a read function which decrypts the encrypted random number and signature using the first key, calculates the decrypted random number's signature, compares the signatures and upon a match encrypts the decrypted random number and a message of the external IC using a second secret key, the internal IC calls the test function which encrypts the random number and message using the second key, compares the encrypted random numbers and messages, validates the external IC if they match and invalidates the external IC otherwise.
    Type: Grant
    Filed: July 8, 2010
    Date of Patent: May 10, 2011
    Assignee: Silverbrook Research Pty Ltd
    Inventors: Simon Robert Walmsley, Kia Silverbrook
  • Patent number: 7937752
    Abstract: A system and method for sharing files securely includes server software on a first device configured to communicate with server software operating on one or more other preauthorized devices, such as a second device. The servers communicate with each other securely using cryptographic information exchanged during a preauthorization phase using a range-limited communication channel. The server on the first device obtains file information from the other preauthorized device(s) and combines the information with local file information from the first device. This combined file information is sent to client software operating on the machine, which presents the combined file information to users.
    Type: Grant
    Filed: February 18, 2009
    Date of Patent: May 3, 2011
    Assignee: Palo Alto Research Center Incorporated
    Inventors: Dirk Balfanz, Diana Smetters, Kenneth Conley, Bryan Pendleton, Steve Cousins
  • Patent number: 7933842
    Abstract: An online card-present transaction system facilitates card-present type transactions with a merchant over a public network. A host system is configured to accept authentication data from a user via an authentication device. The host system, after authenticating a user, is configured to retrieve the user's account information from a user database system and translate a user account number into a temporary transaction number. The temporary transaction number is then transmitted directly from the host system to the merchant, thereby eliminating the need for the user to send the user's transaction account number to the merchant over the internet.
    Type: Grant
    Filed: February 23, 2009
    Date of Patent: April 26, 2011
    Assignee: American Express Travel Related Services Company, Inc.
    Inventors: Carol Lee Hobson, Sohail M. Hussain
  • Patent number: 7930559
    Abstract: Described are techniques for storing data. A plurality of data portions and a corresponding token for each of the data portions are received. Each of said plurality of data portions is to be stored by one of a plurality of processes and each token has a corresponding token value. Each of the data portions is stored at a storage location on a device allocated for use by one of said plurality of processes. An entry is written in a log file in accordance with said storing of the data portion. The log file is a private log file of one of the plurality of processes. An access structure used to access stored data portions is updated. The access structure is indexed by token values of the stored data portions. The updating of the access structure is performed in accordance with log entries from private log files of the plurality of processes.
    Type: Grant
    Filed: June 30, 2006
    Date of Patent: April 19, 2011
    Assignee: EMC Corporation
    Inventors: Arthur Beaverson, Bin Yang, Jamie Pocas
  • Patent number: 7921283
    Abstract: A digital signature is applied to digital data in real-time. The digital signature serves as a mark of authenticity assuring a recipient that the digital data did in fact originate from an indicated source. The digital signature may be applied to any digital data, including video signals, audio signals, electronic commerce information, data pertaining to land vehicles, marine vessels, aircraft, or any other data that can be transmitted and received in digital form.
    Type: Grant
    Filed: March 16, 2007
    Date of Patent: April 5, 2011
    Assignee: Verizon Business Global LLC
    Inventor: David Scott Hayes
  • Patent number: 7917941
    Abstract: A system and method for providing security for an Internet server. The system comprises: a logical security system for processing login and password data received from a client device during a server session in order to authenticate a user; and a physical security system for processing Internet protocol (IP) address information of the client device in order to authenticate the client device for the duration of the server session.
    Type: Grant
    Filed: September 22, 2003
    Date of Patent: March 29, 2011
    Assignee: International Business Machines Corporation
    Inventor: Bruce Wallman
  • Patent number: 7913080
    Abstract: A setting information distribution apparatus belonging to a first network comprises: an authentication unit that receives and authenticates an authentication request from a user terminal which requires an access authentication by using a network access authentication procedure between the user terminal and the first network; a transmitting unit that transmits an authentication cooperation request, which requires setting data to be set to the user terminal, to another network by using the network access authentication procedure and an authentication cooperation procedure between a plurality of networks; and a distribution unit that distributes a first response message added with setting data to the user terminal by producing the first response message corresponding to the authentication request by adding the setting data included in a second response message corresponding to the authentication cooperation request.
    Type: Grant
    Filed: September 16, 2005
    Date of Patent: March 22, 2011
    Assignee: Fujitsu Limited
    Inventors: Hiroyuki Taniguchi, Izuru Sato, Takeshi Ohnishi, Markus Schneider
  • Patent number: 7912218
    Abstract: The invention proposes to divide a content to be transmitted via a network into a set of slices and to generate a set of files from this set of slices. The slices (or the files) are encrypted before downloading in such a way that the client cannot use the slice (or the file) before having acquired the associated decryption key. The invention thereby allows protecting a downloaded content on a slice-by-slice basis (or on a file-by-file basis) rather than protecting a downloaded content as a whole. The transmission (in download mode) between the server and the client is ruled by the HTTP protocol that is accepted by all firewalls and NAT. Consequently, the transmitted content is accessible for any client device that has access to the Web without restriction. Advantageously, the slices can be decoded independently of each other.
    Type: Grant
    Filed: June 23, 2004
    Date of Patent: March 22, 2011
    Assignee: NXP B.V.
    Inventor: Philippe Gentric
  • Patent number: 7900046
    Abstract: A system, method, and computer program product for establishing mutual trust on a per-deployment basis between two software modules. For example, the first software module may be a Websphere (WS) Information Integrator (II) deployment instance, and the second software module may be a plugin instance. By executing for this deployment an initial handshake between the software modules, both modules identify themselves and exchange digital certificates received from a trusted certification authority and respective public keys. Subsequent communications for this deployment between the software modules proceed with each module encrypting its communications with the public key of the other module; thereby establishing mutual trust between the software modules for each deployment.
    Type: Grant
    Filed: January 11, 2006
    Date of Patent: March 1, 2011
    Assignee: International Business Machines Corporation
    Inventors: Priya Baliga, Randy M. Nakagawa, Tian Zhang
  • Patent number: 7900245
    Abstract: A method and system operative to preclude content providers from tracking users, while still allowing content providers to communicate to users. An intermediary, such as an access channel provider for instance, gives content providers non-repeating user-identification-tokens, each of which a content provider can use as a key to access an intermediary resource that facilitates a communication to the user, without revealing the user's identity to the content provider.
    Type: Grant
    Filed: October 15, 2002
    Date of Patent: March 1, 2011
    Assignee: Sprint Spectrum L.P.
    Inventors: Martin Geddes, Daniel S. Vacanti, David J. Anderson, Todd M. Conley, Piyush Jethwa, Tania Maza-Deblauwe, Wone-Hoe Chan, Ganga Madhavarapu
  • Patent number: 7895443
    Abstract: A method and apparatus for secure authentication of a hardware token is disclosed. In one embodiment, a host computer fingerprint is used to generate a partial seed for a challenge-response authentication which is performed on the hardware token. In another embodiment, the host computer fingerprint is used as a personal identification number for the hardware token.
    Type: Grant
    Filed: November 4, 2003
    Date of Patent: February 22, 2011
    Assignee: SafeNet, Inc.
    Inventors: Brian Grove, Reed H. Tibbetts, James Khalaf, Laszlo Elteto
  • Patent number: 7890998
    Abstract: A system, method, and program product is provided that provides authentication on a per-role basis in a Role-Based Access Control (RBAC) environment. When a user attempts to acquire a role, the improved RBAC system determines whether (a) no authentication is required (e.g., for a non-sensitive role such as accessing a company's product catalog), (b) a user-based authentication (e.g., password) is required, or (c) a role-based authentication (e.g., role-specific password) is required.
    Type: Grant
    Filed: June 29, 2007
    Date of Patent: February 15, 2011
    Assignee: International Business Machines Corporation
    Inventors: Yantian Tom Lu, Thomas Walters Drew
  • Publication number: 20110022835
    Abstract: Encrypted communications between servers and client devices over an unsecured channel, such as the Internet, without using a public key infrastructure are disclosed. Messages to a client device are encrypted using an encryption key of an authorized individual, regardless of the identity of the user of the client device. Encryption is performed by a system that does not expose encryption keys to the client device or the server, thereby preventing man-in-the-middle attacks against the encryption key. Secure communications are combined with a two-factor protocol for authenticating the identity of an individual. An individual authenticates by generating a cipher using a light-weight certificate that has a shared secret but no other information identifying the individual. Separately, a server generates the same cipher using the shared secret, thereby authenticating the individual's identity to a relying party.
    Type: Application
    Filed: July 27, 2010
    Publication date: January 27, 2011
    Applicant: SurIDx, Inc.
    Inventor: Norman Schibuk
  • Patent number: 7873580
    Abstract: An online card-present transaction system facilitates card-present type transactions with a merchant over a public network. A host system is configured to accept authentication data from a user via an authentication device. The host system, after authenticating a user, is configured to retrieve the user's account information from a user database system and translate a user account number into a temporary transaction number. The temporary transaction number is then transmitted directly from the host system to the merchant, thereby eliminating the need for the user to send the user's transaction account number to the merchant over the internet.
    Type: Grant
    Filed: February 23, 2009
    Date of Patent: January 18, 2011
    Assignee: American Express Travel Related Services Company, Inc.
    Inventors: Carol Lee Hobson, Sohail M. Hussain
  • Patent number: 7873579
    Abstract: An online card-present transaction system facilitates card-present type transactions with a merchant over a public network. A host system is configured to accept authentication data from a user via an authentication device. The host system, after authenticating a user is configured to retrieve the user's account information from a user database system and translate a user account number into a temporary transaction number. The temporary transaction number is then transmitted directly from the host system to the merchant, thereby eliminating the need for the user to send to the merchant over the internet, the user's transaction account number.
    Type: Grant
    Filed: February 23, 2009
    Date of Patent: January 18, 2011
    Assignee: American Express Travel Related Services Company, Inc.
    Inventors: Carol Lee Hobson, Sohail M. Hussain
  • Patent number: 7865876
    Abstract: A computing platform 20 provides multiple computing environments 24 each containing a guest operating system 25 provided by a virtual machine application 26. Optionally, each computing environment 24 is formed in a compartment 220 of a compartmented host operating system 22. A trusted device 213 verifies that the host operating system 22 and each guest operating system 25 operates in a secure and trusted manner by forming integrity metrics which can be interrogated by a user 10. Each computing environment is isolated and secure, and can be verified as trustworthy independent of any other computing environment.
    Type: Grant
    Filed: June 18, 2002
    Date of Patent: January 4, 2011
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Jonathan Griffin, Christopher I. Dalton, Michael Child, Liqun Chen, Andrew Patrick Norman
  • Patent number: 7861077
    Abstract: A secure user authentication system, operable over a client-server communications network to authenticate a system user. The system includes an application server which includes a site which is able to be enabled, and an authentication server, which is able to enable the application server site. The authentication server includes a core database, and receives and stores user authentication-enabling data in the core database. The system further includes a client, and a client program which is able to be actuated in the client. The client program includes the user authentication-enabling data. Upon actuation, the client program automatically directly connects to the authentication server, and sends the client authentication-enabling data to the authentication server, for secure user authentication by the authentication server.
    Type: Grant
    Filed: October 6, 2006
    Date of Patent: December 28, 2010
    Assignee: Multiple Shift Key, Inc.
    Inventor: Raymond J. Gallagher, III
  • Patent number: 7853534
    Abstract: An authentication-authorization system for a mobile communication terminal and a method therefor are provided. When a mobile communication terminal is in a connected state, code data randomly generated by a remote encoding terminal is continuously provided to the terminal and to a data management terminal. When an application service program on the mobile communication terminal, or an application service terminal connected to the mobile communication terminal, needs to execute an authentication-authorization, identification data of the mobile communication terminal and its card, together with the code data, can be offered to the data management terminal to carry out a bidirectional dynamic authentication-authorization, to determine whether to allow the application service program or the application service terminal to keep providing an application service or not.
    Type: Grant
    Filed: June 7, 2006
    Date of Patent: December 14, 2010
    Inventor: Min-Chieh Su
  • Patent number: 7849326
    Abstract: A data processing system accepts a removable hardware device, which becomes electrically engaged with a system unit within the data processing system, after which the removable hardware device and the hardware security unit mutually authenticate themselves. The removable hardware device stores a private key of a first asymmetric cryptographic key pair and a public key of a second asymmetric cryptographic key pair that is associated with the hardware security unit, and the hardware security unit stores a private key of the second asymmetric cryptographic key pair and a public key of the first asymmetric cryptographic key pair that is associated with the removable hardware device. In response to successfully performing the mutual authentication operation between the removable hardware device and the hardware security unit, the system unit is enabled to invoke cryptographic functions on the hardware security unit while the removable hardware device remains electrically engaged with the system unit.
    Type: Grant
    Filed: January 8, 2004
    Date of Patent: December 7, 2010
    Assignee: International Business Machines Corporation
    Inventor: Ching-Yun Chao
  • Patent number: 7840804
    Abstract: To verify a qualification on a network without disclosing to the verifier privacy information that can identify the subject of a public key certificate, while keeping the safety of public key infrastructure technology. An attribute certificate validation method wherein, by preparing an environment in which only an attribute certificate validation device operated by a trusted third party can access a user's public key certificate, the verifier transmits the attribute certificate and signed data received from a user having presented a qualification to the attribute certificate validation device, thereby requesting the device to check and confirm the authenticity of the holder of the attribute certificate, and thereby preventing the public key certificate (particularly, privacy information contained in the public key certificate) of the user from being passed to the verifier.
    Type: Grant
    Filed: January 27, 2006
    Date of Patent: November 23, 2010
    Assignee: Hitachi, Ltd.
    Inventors: Mitsuhiro Oikawa, Yutaka Tagawa
  • Patent number: 7831833
    Abstract: A secure mechanism for transparent key recovery for a user who has changed authentication information is disclosed. A password manager agent intercepts requests by a user to access secure resources that require user credentials. Upon detecting changed authentication information for the user, the password manager agent automatically regenerates the components of a cryptographic key associated with the user that was previously used to encrypt user credentials for the user and then destroyed. After regeneration of the original cryptographic key, the password manager agent uses the key to decrypt the user credentials necessary for the requested application. The regenerated key is then destroyed and the user credentials are re-encrypted by the password manager agent using a new cryptographic key associated with the user made up of multiple components.
    Type: Grant
    Filed: May 6, 2005
    Date of Patent: November 9, 2010
    Assignee: Citrix Systems, Inc.
    Inventor: Timothy R. Gaylor
  • Patent number: 7822207
    Abstract: A method of protecting secret key integrity in a hardware cryptographic system includes first obtaining an encryption result and corresponding checksum of known data using the secret key, saving those results, then masking the secret key and storing the masked key. When the masked key is to be used in a cryptographic application, the method checks key integrity against fault attacks by decrypting the prior encryption results using the masked key. If upon comparison, the decryption result equals valid data, then the key's use in the cryptographic system can proceed. Otherwise, all data relating to the masked key is wiped from the system and fault injection is flagged.
    Type: Grant
    Filed: December 22, 2006
    Date of Patent: October 26, 2010
    Assignee: Atmel Rousset S.A.S.
    Inventors: Michel Douguet, Vincent Dupaquis
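The key-integrity check described in the 7822207 abstract (encrypt known data under the key, mask and store the key, then before every use decrypt the stored reference with the unmasked key and compare against a saved checksum, wiping the key and flagging a fault on mismatch), shown as an added example in Python. This is not code from the patent or from Atmel; the HMAC-SHA256 keystream cipher stands in for the hardware block cipher, the 8-byte truncated SHA-256 checksum, the XOR mask, and `inject_fault` are assumptions of this example, and the known-data block is constructed.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Fixed reference block; constructed for this example.
KNOWN_DATA = b"known-plaintext-used-only-for-key-integrity-check"


def keystream_cipher(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (XOR with an HMAC-SHA256 counter keystream).

    Stand-in for the hardware block cipher; symmetric, so the same call
    encrypts and decrypts. Not for production use.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hmac.new(key, offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)


def checksum(data: bytes) -> bytes:
    # Assumed checksum function: truncated SHA-256 of the known data.
    return hashlib.sha256(data).digest()[:8]


class MaskedKeyStore:
    """Holds a secret key only in masked form and self-checks before use."""

    def __init__(self, secret_key: bytes) -> None:
        # Step 1: encrypt known data under the true key and keep the result
        # together with a checksum of the known data.
        self.ref_ct = keystream_cipher(secret_key, KNOWN_DATA)
        self.ref_sum = checksum(KNOWN_DATA)
        # Step 2: mask the key with a fresh random mask; the plain key is not retained.
        self.mask = secrets.token_bytes(len(secret_key))
        self.masked_key = bytes(a ^ m for a, m in zip(secret_key, self.mask))
        self.fault_detected = False

    def _unmask(self) -> bytes:
        return bytes(a ^ m for a, m in zip(self.masked_key, self.mask))

    def _wipe(self) -> None:
        # Everything related to the masked key is destroyed and the fault flagged.
        self.masked_key = self.mask = self.ref_ct = self.ref_sum = b""
        self.fault_detected = True

    def encrypt(self, payload: bytes) -> Optional[bytes]:
        """Use the key only if it still decrypts the reference ciphertext."""
        if self.fault_detected:
            return None
        key = self._unmask()
        recovered = keystream_cipher(key, self.ref_ct)
        if not hmac.compare_digest(checksum(recovered), self.ref_sum):
            # Decryption no longer yields the known data: a fault has altered
            # the masked key or the mask. Wipe and refuse.
            self._wipe()
            return None
        return keystream_cipher(key, payload)


def inject_fault(store: MaskedKeyStore, bit_index: int) -> None:
    """Simulate a glitch that flips one bit of the stored masked key."""
    k = bytearray(store.masked_key)
    k[bit_index // 8] ^= 1 << (bit_index % 8)
    store.masked_key = bytes(k)
```

Because the check decrypts with the unmasked value actually about to be used, a fault in either the masked key or the mask is caught before any ciphertext produced under the corrupted key can leave the device, which is what denies a fault-injection attacker the faulty outputs a differential fault attack needs.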
  • Patent number: 7818783
    Abstract: The global access control system and method presents a solution for synchronizing the physical access devices with which federal agencies must meet Federal Information Processing Standards (FIPS) 201 requirements. The method encompasses wired and wireless technology, IP Security (IPSec), the assignment of IPv6 addresses to every device, integration with logical access control systems, and a homogeneous audit and control format. As part of FIPS 201, Government identification badges (Personal Identity Verification (PIV) cards) will include an IPv6 address that uniquely identifies every card holder. By assigning an IPv6 address to every access device and using the card holder's IPv6 address, every access device can be used for global access control. Moreover, common and interoperable audit records throughout an entire enterprise (logical and physical) are possible.
    Type: Grant
    Filed: March 8, 2006
    Date of Patent: October 19, 2010
    Inventor: Russell J. Davis
  • Patent number: 7814320
    Abstract: Using a password (π), a client (C) computes part (H1(<C,πC>)) of the password verification information of a server (S), and together they use this information to authenticate each other and establish a cryptographic key (K′), possibly using a method resilient to offline dictionary attacks. Then, over a secure channel based on that cryptographic key, the server sends an encryption (EE<C,π>(sk)) of a signing key (sk) for a signature scheme for which the server knows a verification key (pk). The encryption is possibly non-malleable and/or includes a decryptable portion (E<C,π>(sk)) and a verification portion (H8(sk)) used to verify the decrypted value obtained by decrypting the decryptable portion. The signing key is based on the password and unknown to the server. The client obtains the signing key using the password, signs a message, and returns the signature to the server.
    Type: Grant
    Filed: July 14, 2006
    Date of Patent: October 12, 2010
    Assignee: NTT DoCoMo, Inc.
    Inventors: Philip Mackenzie, Zulfikar Amin Ramzan, Craig B. Gentry
  • Patent number: 7814321
    Abstract: To unlock an HDD when a computer is in the suspend state, at both the BIOS and the HDD a secret is combined with a password to render a new one-time password. The BIOS sends its new one-time password to the HDD, which unlocks itself only if a match is found. The new one-time password is then saved as an "old" password for subsequent combination with the secret when coming out of subsequent suspend states. In this way, if a computer is stolen the thief cannot sniff the bus between the BIOS and the HDD to obtain a password that is of any use once the computer re-enters the suspend state.
    Type: Grant
    Filed: April 19, 2007
    Date of Patent: October 12, 2010
    Assignee: Lenovo (Singapore) Pte. Ltd.
    Inventors: David Carroll Challener, Howard Jeffrey Locker, Randall Scott Springfield
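The one-time-password chain from the 7814321 abstract, shown as an added example in Python (not code from the patent or from Lenovo). Both ends hold the same shared secret and the same starting password; each resume derives the next password from the secret and the previous one, the drive unlocks only on a match, and both sides then save the value as the new "old" password. The abstract does not say how the secret and password are "combined", so HMAC-SHA256 is an assumption here, as are the class names and the constructed sample values; `simulate` runs several resume cycles and then replays a sniffed value the way a thief with a bus analyser would.

```python
import hashlib
import hmac
import secrets


class Endpoint:
    """State held at one end of the bus (BIOS or drive).

    Both ends are provisioned with the same shared secret and the same
    initial password. The secret itself never crosses the bus; only the
    derived one-time password does.
    """

    def __init__(self, secret: bytes, initial_password: bytes) -> None:
        self._secret = secret
        self._old_password = initial_password

    def next_password(self) -> bytes:
        # "Combine" the secret with the previous password. HMAC-SHA256 is an
        # assumption of this example; the abstract does not name the function.
        return hmac.new(self._secret, self._old_password, hashlib.sha256).digest()

    def advance(self, password: bytes) -> None:
        # The just-used password becomes the "old" one for the next resume.
        self._old_password = password


class Bios(Endpoint):
    def unlock_request(self) -> bytes:
        pw = self.next_password()
        self.advance(pw)
        return pw  # this value is what a bus sniffer would capture


class Drive(Endpoint):
    def try_unlock(self, candidate: bytes) -> bool:
        expected = self.next_password()
        if not hmac.compare_digest(candidate, expected):
            return False  # stale or forged value: stay locked, do not advance
        self.advance(expected)
        return True


def simulate(resume_cycles: int) -> dict:
    """Run several suspend/resume cycles, then replay a sniffed password."""
    secret = secrets.token_bytes(32)          # provisioned out of band (assumed)
    initial = b"user-chosen-hdd-password"     # constructed sample value
    bios, drive = Bios(secret, initial), Drive(secret, initial)

    sniffed, unlocked = [], []
    for _ in range(resume_cycles):
        pw = bios.unlock_request()
        sniffed.append(pw)
        unlocked.append(drive.try_unlock(pw))

    # A thief who captured the last bus transaction replays it verbatim.
    replay_accepted = drive.try_unlock(sniffed[-1])
    # The legitimate BIOS still unlocks afterwards: the rejected replay did
    # not advance the drive, so the two ends stay synchronised.
    resync_ok = drive.try_unlock(bios.unlock_request())

    return {
        "unlocked": unlocked,
        "passwords_distinct": len(set(sniffed)) == len(sniffed),
        "replay_accepted": replay_accepted,
        "resync_ok": resync_ok,
    }
```

The check a practitioner should take from this is the last two lines of `simulate`: a rejected candidate must not move the drive's state, otherwise an attacker can desynchronise the two ends with a single garbage message and lock the legitimate owner out.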
  • Patent number: 7809169
    Abstract: The present invention is an apparatus, method and system for secure point-of-sale (POS) and biometric data/fingerprint identification communications technology and systems processing methods in the area of financial merchant transactions. The present invention may use either or both standalone biometrics and biometric/fingerprinting technology with a touch screen device or a portable/mobile wireless device to securely process merchant POS financial transactions.
    Type: Grant
    Filed: March 2, 2006
    Date of Patent: October 5, 2010
    Inventor: Pamela J. Martinez
  • Patent number: RE42762
    Abstract: The present invention provides a device for authenticating user's access rights to resources, which comprises first memory means for storing challenging data, second memory means for storing unique identifying information of the user, third memory means for storing proof support information which is a result of executing predetermined computations to the unique identifying information of the user and unique security characteristic information of the device, response generation means for generating a response from the challenging data stored in the first memory means, the unique identifying information stored in the second memory means and the proof support information stored in the third memory means, and verification means for verifying the legitimacy of the response by verifying that the response, the challenging data and the unique security characteristic information of the device satisfy a specific predefined relation.
    Type: Grant
    Filed: March 17, 2000
    Date of Patent: September 27, 2011
    Assignee: Fuji Xerox Co., Ltd.
    Inventors: Kil-ho Shin, Kenichi Kobayashi, Toru Aratani