Authentication Of An Entity And A Message Patents (Class 713/170)
  • Patent number: 8990563
    Abstract: A method and apparatus for sending protected data from a sender unit to a receiver unit via an intermediate unit. A Transfer Init message that contains a ticket associated with the receiver unit is sent from the intermediate unit to the sender unit. The intermediate unit then receives a transfer response message from the sender unit, and also data which has been protected using at least one security key associated with the ticket and obtained from a Key Management Server. A message is sent to the receiver unit, the message including information required for security processing of the protected data. The protected data is then sent to the receiver unit, allowing the receiver unit to access the protected data.
    Type: Grant
    Filed: June 8, 2011
    Date of Patent: March 24, 2015
    Assignee: Telefonaktiebolaget L M Ericsson (Publ)
    Inventors: Rolf Blom, John Mattsson, Oscar Ohlsson
  • Patent number: 8990562
    Abstract: An invention is described for securely deploying a provable identity for virtual machines (VMs) in a dynamic environment. In an embodiment, a fabric controller instructs a VM host to create a VM and sends that VM a secret. The fabric controller sends that same secret (or a second secret, such as the private key of a public/private key pair) to the security token service along with an instruction to make an account for the VM. The VM presents proof that it possesses the secret to the security token service and in return receives a full token. When a client connects to the deployment, it receives the public key from the security token service, which it trusts, and the full token from the VM. It validates the full token with the public key to determine that the VM has the identity that it purports to have.
    Type: Grant
    Filed: October 8, 2010
    Date of Patent: March 24, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Ian Jirka, Kahren Tevosyan, Corey Sanders, George M. Moore, Mohit Srivastava, Mark Eugene Russinovich
  • Patent number: 8990567
    Abstract: A digital signature of a message originator of a message is validated by a processor on message retrieval by a message recipient as a first-tier validation of the message. In response to a successful first-tier validation of the digital signature of the message originator, a transaction token and a message originator identifier are extracted from a message payload of the message. Communication is initiated with a verification service within a secure messaging environment of the message originator as a second-tier validation of the message using the extracted transaction token and the extracted message originator identifier to confirm whether the secure messaging environment of the message originator generated the transaction token and inserted the transaction token into the message payload. Results of the second-tier validation of the message with the verification service within the secure messaging environment of the message originator are determined.
    Type: Grant
    Filed: June 7, 2013
    Date of Patent: March 24, 2015
    Assignee: International Business Machines Corporation
    Inventors: Bret W. Dixon, Scot W. Dixon
  • Patent number: 8989704
    Abstract: Systems and methods for providing information security in an unobtrusive manner are presented herein. An authentication component can enable a primary user of a multi-user communications device, based on an authentication process initiated by the primary user, to classify information stored in the multi-user communications device as invisible to other users of the device. The information classified as invisible to the other users can include phone number(s), phone message(s), email address(es), email(s), electronic message(s), call history, email history, and/or personal data. In addition, an information access component can enable the primary user to access the information classified as invisible to the other users of the multi-user communications device upon authentication of the primary user's identity.
    Type: Grant
    Filed: December 10, 2008
    Date of Patent: March 24, 2015
    Assignee: Symbol Technologies, Inc.
    Inventors: Amesh Chanaka Jayasuriya, Rohan Dehigaspitiyage Don
  • Patent number: 8990902
    Abstract: A secure mechanism for performing a network boot sequence and provisioning a remote device may use a private key of a public key/private key encryption mechanism to generate a command by a server and have the command executed by the device. The command may be used to verify the authenticity of the remote device, and may be used to establish ownership of the device. After authenticity and, in some cases, ownership is established, bootable software may be downloaded and executed. The remote device may be provisioned with software applications. One mechanism for performing the initial encrypted commands is through a Trusted Platform Module. In many embodiments, the public key for the initial encrypted communication may be provided through a trusted second channel.
    Type: Grant
    Filed: September 23, 2013
    Date of Patent: March 24, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Christopher McCarron, Varugis Kurien
  • Patent number: 8984286
    Abstract: A digital signature of a message originator of a message is validated by a processor on message retrieval by a message recipient as a first-tier validation of the message. In response to a successful first-tier validation of the digital signature of the message originator, a transaction token and a message originator identifier are extracted from a message payload of the message. Communication is initiated with a verification service within a secure messaging environment of the message originator as a second-tier validation of the message using the extracted transaction token and the extracted message originator identifier to confirm whether the secure messaging environment of the message originator generated the transaction token and inserted the transaction token into the message payload. Results of the second-tier validation of the message with the verification service within the secure messaging environment of the message originator are determined.
    Type: Grant
    Filed: June 28, 2012
    Date of Patent: March 17, 2015
    Assignee: International Business Machines Corporation
    Inventors: Bret W. Dixon, Scot W. Dixon
  • Publication number: 20150074404
    Abstract: A method for authenticating a transmitter to a receiver, as well as for the protected transmission of messages; both the transmitter, as well as the receiver at least having a first common key; a random number, as well as at least one first partial code of a first code calculated from the random number with the aid of the first key from the receiver to the transmitter being transmitted in a synchronization message; the first partial code being checked by the transmitter; a first counter being generated by the transmitter; useful data, as well as a first partial counter of first counter and at least one second partial code of a second code calculated with the aid of a second key being transmitted by the transmitter to the receiver in a message; and the receiver checking the second partial code to verify the transmitter, as well as the transmitted message.
    Type: Application
    Filed: September 10, 2014
    Publication date: March 12, 2015
    Applicant: ROBERT BOSCH GMBH
    Inventors: Bjoern KASPER, Andreas SOENKENS, Thorsten SCHWEPP
  • Publication number: 20150074405
    Abstract: A method and system for securing data in a computer system provides the capability to secure information even when it leaves the boundaries of the organization using a data loss agent integrated with encryption software. A method for securing data in a computer system comprises detecting attempted connection or access to a data destination to which sensitive data may be written, determining an encryption status of the data destination, allowing the connection or access to the data destination when the data destination is encrypted, and taking action to secure the sensitive data when the data destination is not encrypted.
    Type: Application
    Filed: November 17, 2014
    Publication date: March 12, 2015
    Inventors: Elad Zucker, Eran Werner, Mattias Weidhagen
  • Patent number: 8978108
    Abstract: A method, device and system for service presentation, which includes: receiving a presentation request message; acquiring presentation information from the presentation request message; storing the presentation information; when the presentee accesses the presented content, receiving an authentication and rating request message transmitted from the service enabling component; performing authenticating and rating according to the authentication and rating request message and the stored presentation information. The present invention is applicable to presenting content type services and so on.
    Type: Grant
    Filed: April 27, 2012
    Date of Patent: March 10, 2015
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Qiuchang Zeng, Yuqing Zhang, Yan Lu
  • Patent number: 8977854
    Abstract: Automatic identification and authentication of a user of a mobile application entails receiving from the wireless communications device a unique device identifier and an e-mail address corresponding to the wireless communications device, associating a registration identifier with the unique device identifier and the e-mail address, generating an authentication token, and communicating the authentication token and the registration identifier to the wireless communications device.
    Type: Grant
    Filed: November 20, 2013
    Date of Patent: March 10, 2015
    Assignee: BlackBerry Limited
    Inventors: Dalsu Lee, Kateryna Khvan, Ken Kwok Wai Lo, Andreea Livia Manolescu, Michael Hin Kai Hung
  • Patent number: 8977844
    Abstract: An embodiment generally relates to a method of managing tokens. The method includes detecting a presence of a token at a client and determining a status of the token. The method also includes formatting the token at the client in response to the status of the token being unformatted.
    Type: Grant
    Filed: August 31, 2006
    Date of Patent: March 10, 2015
    Assignee: Red Hat, Inc.
    Inventors: Steven William Parkinson, Robert B. Lord
  • Patent number: 8972726
    Abstract: Various embodiments of a system and method for digital rights management using a secure end-to-end protocol with embedded encryption keys are described. A DRM framework may implement a secure end-to-end protocol configured to protect messages sent between trusted endpoints by encrypting and decrypting the messages within software applications executing on each trusted endpoint. An encryption key embedded within a binary representation of a DRM client may be used by the DRM client to encrypt and decrypt messages sent over the secure protocol. The DRM client may request authentication using the secure protocol and receive an authentication token used by the DRM client to acquire a license to view protected content. The encryption key may be chosen from a pool of encryption keys and embedded in the DRM client during the software build process for the DRM client. The secure protocol may be designed according to Representational State Transfer guidelines.
    Type: Grant
    Filed: August 26, 2009
    Date of Patent: March 3, 2015
    Assignee: Adobe Systems Incorporated
    Inventor: Matthew J. Poling
  • Patent number: 8972730
    Abstract: A method and apparatus wherein the method includes the steps of generating a globally unique identifier (GUID) for a security system appliance, saving a public key and private key of the security system appliance in a memory of the security system appliance, a manufacturer of the security system appliance generating a signed version of the GUID and the public key, saving the signed version of the GUID and public key in the memory of the security system appliance, the security system appliance sending a registration message including the signed version of the GUID and public key to a security system server and the security system server authenticating the security system appliance using the signed version of the GUID and public key of the security system appliance and a public key of the manufacturer.
    Type: Grant
    Filed: March 8, 2013
    Date of Patent: March 3, 2015
    Assignee: Honeywell International Inc.
    Inventors: Thomas Paul Schmit, John Robert Probin, Tom Richard Markham, Mark H. Schmidt, Jean U. Millien, Kerry Warren Podolsky
  • Patent number: 8966263
    Abstract: A system and method are provided for key-based network equipment remote access authentication. A remote client machine and a piece of network equipment perform client-server authentication while the network equipment employs an access validation server to perform access validation for key-based authentication.
    Type: Grant
    Filed: March 31, 2006
    Date of Patent: February 24, 2015
    Assignee: Alcatel Lucent
    Inventors: Jean-Marc Robert, Koen Jan Van De Weyer, Katrien B. N. Scharre
  • Patent number: 8966264
    Abstract: A signature generation apparatus includes basic operation execution units each executing a basic operation included in a signature generation procedure; and a whole operation controller connected to the basic operation execution units to control operations in the basic operation execution units and monitor operation states of the basic operation execution units, in which when there is a basic operation execution unit among the basic operation execution units which is executing a secret operation which uses data to be concealed as an argument, the whole operation controller causes basic operation execution units other than the basic operation execution unit to simultaneously execute a random number operation which uses a random number originally used for signature generation as an argument.
    Type: Grant
    Filed: April 6, 2011
    Date of Patent: February 24, 2015
    Assignee: NEC Corporation
    Inventor: Sumio Morioka
  • Patent number: 8966262
    Abstract: Methods and apparatus enabling programming of electronic identification information of a wireless apparatus. In one embodiment, a previously purchased or deployed wireless apparatus is activated by a cellular network. The wireless apparatus connects to the cellular network using an access module to download operating system components and/or access control client components. The described methods and apparatus enable updates, additions and replacement of various components including Electronic Subscriber Identity Module (eSIM) data, OS components. One exemplary implementation of the invention utilizes a trusted key exchange between the device and the cellular network to maintain security.
    Type: Grant
    Filed: October 8, 2013
    Date of Patent: February 24, 2015
    Inventors: Stephan V. Schell, Arun G. Mathias, Jerrold Von Hauck, David T. Haggerty, Kevin McLaughlin, Ben-Heng Juang, Li Li
  • Patent number: 8966592
    Abstract: A computer-implemented technique is presented. The technique can include selectively initiating, at a mobile computing device including one or more processors, communication between the mobile computing device and a public computing device. The technique can include transmitting, from the mobile computing device, authentication information to the public computing device. The authentication information can indicate access privileges to a private account associated with a user of the mobile computing device. The technique can include receiving, at the mobile computing device, an access inquiry from the public computing device. The access inquiry can indicate an inquiry as to whether the user wishes to login to the private account at the public computing device. The technique can also include transmitting, from the mobile computing device, an access response to the public computing device. The access response can cause the public computing device to provide the user with access to the private account.
    Type: Grant
    Filed: March 1, 2013
    Date of Patent: February 24, 2015
    Assignee: Google Inc.
    Inventors: Sheridan Kates, Arnaud Sahuguet, Amir Menachem Mané, Jeremy Brand Sussman, Aaron Baeten Brown, Travis Harrison Kroll Green
  • Patent number: 8959598
    Abstract: A method and system for roaming between heterogeneous networks. The method involves authenticating a mobile communication device on a first network, and providing the device with a single-use token that can be used to sign on to a second network without requiring conventional re-authentication over the second network.
    Type: Grant
    Filed: September 28, 2012
    Date of Patent: February 17, 2015
    Assignee: BCE Inc.
    Inventor: Brian Norman Smith
  • Patent number: 8959356
    Abstract: A storage controller and program product is provided for performing double authentication for controlling disruptive operations on storage resources generated by a system administrator. A first request is received from a first user for generation of a first key. A first key is generated, provided to the first user and associated with the storage resource. An input is received from the administrator, the input comprises a second key and a command for performing the disruptive operation. The second key and the first key are compared. It is verified that the administrator is authorized as an administrator of the storage resource. The disruptive operation is performed on the storage resource if the second key and the first key match and the administrator is authorized. Otherwise, the performance of the disruptive operation is denied.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: February 17, 2015
    Assignee: International Business Machines Corporation
    Inventors: Vincent Boucher, Sebastien Chabrolles, Benoit Granier, Arnaud Mante
  • Patent number: 8959342
    Abstract: A communication apparatus performs data communication with a communication device, and includes an authentication processing portion configured to perform authentication processing, including a round trip time (RTT) test on authentication requests received from one or more unauthenticated communication devices and a data communication portion configured to perform data communications with the communication device authenticated by the authentication processing portion. If, in authentication processing of a current authentication request, a prior RTT test is being performed corresponding to a prior authentication request originating from the same communication device, the current RTT test is not performed, and authentication processing waits for the completion of the prior RTT test. If the result of the prior RTT test is successful, authentication processing uses the result of the prior RTT test as the result corresponding to the current authentication request.
    Type: Grant
    Filed: December 9, 2010
    Date of Patent: February 17, 2015
    Assignee: Alpine Electronics, Inc.
    Inventor: Hideyuki Hatakeyama
  • Patent number: 8959347
    Abstract: Mechanisms and methods are provided for managing OAuth access in a database network system, and extending the OAuth flow of authentication to securely store the OAuth encrypted refresh token in the storage available with current browsers or any other non-secure storage on user system.
    Type: Grant
    Filed: March 28, 2012
    Date of Patent: February 17, 2015
    Assignee: salesforce.com, inc.
    Inventor: Akhilesh Gupta
  • Publication number: 20150046712
    Abstract: A method of operating data security and an electronic device supporting the same are provided. The method includes executing a general Application (App) based on a non-trusted execution module; executing a first trusted App related to the execution of the general App based on a trusted execution module; generating a message by encrypting data generated in the first trusted App; transmitting the encrypted message to the general App; and transmitting the encrypted message to a second trusted App related to the execution of the general App and executed based on the trusted execution module.
    Type: Application
    Filed: August 8, 2014
    Publication date: February 12, 2015
    Inventors: Tymur KORKISHKO, Kyunghee Lee
  • Publication number: 20150046711
    Abstract: A communication device and method for authentication of a message being transmitted from the communication device. The method includes receiving, by a messaging utility, content of a message provided for transmission from the communication device. Based on a determination that the message requires user authentication before the message is transmitted to a recipient, the method further includes selecting, based on contextual data, one or more biometric capturing components of the communication device; triggering at least one selected biometric capturing component to capture a corresponding biometric input from a user of the communication device; and transmitting the message when the biometric input as belonging to an authorized user of the communication device. In one embodiment, a clearinghouse service authenticates a biometric input from a user of the communication device in order to certify the user and/or the message.
    Type: Application
    Filed: December 17, 2013
    Publication date: February 12, 2015
    Applicant: MOTOROLA MOBILITY LLC
    Inventors: Jiri Slaby, Roger W. Ady
  • Patent number: 8955154
    Abstract: Some embodiments provide an independent authentication system for authenticating entities that have registered accounts across different online service providers on behalf of the service providers. The authentication system maintains a database of previously verified entity information. A service provider requests authentication by providing the authentication system with unverified and basic identifying information used by an entity when registering with the service provider. The authentication system attempts to match the registration information against previously verified information for a known entity. When a match is found, the authentication system generates a series of challenge questions. The questions are submitted to the entity through the service provider and answers are processed in order to authenticate the entity.
    Type: Grant
    Filed: August 20, 2013
    Date of Patent: February 10, 2015
    Assignee: Credibility Corp.
    Inventors: Jeffrey M. Stibel, Chad Michael Buechler, Raymond Landgraf, Peter Delgrosso, Aaron B. Stibel
  • Patent number: 8954759
    Abstract: A magnetic memory device includes a main memory made of magnetic memory, the main memory and further includes a parameter area used to store parameters used to authenticate data. Further, the magnetic memory device has parameter memory that maintains a protected zone used to store protected zone parameters, and an authentication zone used to store authentication parameters, the protection zone parameters and the authentication parameters being associated with the data that requires authentication. Upon modification of any of the parameters stored in the parameter memory by a user, a corresponding location of the parameter area of the main memory is also modified.
    Type: Grant
    Filed: September 14, 2012
    Date of Patent: February 10, 2015
    Assignee: Avalanche Technology, Inc.
    Inventors: Siamack Nemazie, Ngon Van Le
  • Patent number: 8954739
    Abstract: The invention relates to AKA procedures for terminals (3) in a network. A method for enabling authentication and/or key agreement for a terminal (3) in a network is disclosed. The method involves the transfer of at least one AKA parameter (RANDn+m; RANDn+m, AUTNn+m) from the network to the terminal (3) during a terminal session n. The AKA parameter enables authentication and/or key agreement procedure of the terminal (3) in the network for a subsequent terminal session n+m.
    Type: Grant
    Filed: January 24, 2011
    Date of Patent: February 10, 2015
    Assignees: Koninklijke KPN N.V., Nederlandse Organisatie voor Toegepast-Natuurwetenschappelijk Onderzoek TNO
    Inventor: Frank Fransen
  • Patent number: 8954727
    Abstract: A method includes controlling security in a communication system that involves a node capable of routing traffic according to one or more security algorithms with respective security levels. The node is adapted to estimate at least one safety degree relating to the node, to select at least one security algorithm of the one or more security algorithms, depending on the estimated safety degree; and to activate the at least one security algorithm.
    Type: Grant
    Filed: September 13, 2012
    Date of Patent: February 10, 2015
    Assignee: BlackBerry Limited
    Inventors: Pierre Lescuyer, Thierry Lucidarme
  • Patent number: 8955044
    Abstract: A method of generating a time managed challenge-response test is presented. The method identifies a geometric shape having a volume and generates an entry object of the time managed challenge-response test. The entry object is overlaid onto the geometric shape, such that the entry object is distributed over a surface of the geometric shape, and a portion of the entry object is hidden at any point in time. The geometric shape is rotated, which reveals the portion of the entry object that is hidden. A display region on a display is identified for rendering the geometric shape and the geometric shape is presented in the display region of the display.
    Type: Grant
    Filed: October 4, 2010
    Date of Patent: February 10, 2015
    Assignee: Yahoo! Inc.
    Inventors: Kunal Punera, Shanmugasundaram Ravikumar, Anirban Dasgupta, Belle Tseng, Hung-Kuo (James) Chu
  • Patent number: 8955039
    Abstract: Generally, this disclosure describes devices, methods and systems for securely providing context sensor data to mobile platform applications. The method may include configuring sensors to provide context data, the context data associated with a mobile device; providing an application programming interface (API) to a sensor driver, the sensor driver configured to control the sensors; providing a trusted execution environment (TEE) operating on the mobile device, the TEE configured to host the sensor driver and restrict control and data access to the sensor driver and to the sensors; generating a request for the context data through the API, the request generated by an application associated with the mobile device; receiving, by the application, the requested context data and a validity indicator through the API; verifying, by the application, the requested context data based on the validity indicator; and adjusting a policy associated with the application based on the verified context data.
    Type: Grant
    Filed: September 12, 2012
    Date of Patent: February 10, 2015
    Assignee: Intel Corporation
    Inventors: Gyan Prakash, Jesse Walker, Saurabh Dadu
  • Patent number: 8954070
    Abstract: A method and system for selecting a communication network by a wireless communication device (106) includes receiving (310) an identification parameter at the wireless communication device from a communication network which identifies the communication network. Next, the method compares (312) the identification parameter with a list at the wireless communication device to determine (314) service information. The service information identifies the services supported by the communication network. The method further includes comparing (316) the service information with a service-related datum at the wireless communication device that indicates the services desired by the wireless communication device. Lastly, the method includes selecting (318) the communication network for accessing a requested service if the service information matches the service-related datum.
    Type: Grant
    Filed: December 14, 2006
    Date of Patent: February 10, 2015
    Assignee: Google Technology Holdings LLC
    Inventors: William E. Welnick, William P. Alberth, Jr., Murali Narasimha
  • Patent number: 8955061
    Abstract: An information processing apparatus for executing authentication processing, characterized by comprising: storage means for storing, in association with each other, an image, region information indicating a region included in the image, and word information indicating an object linked with the region; determination means for determining an image to be used for the authentication processing among the images stored in the storage means; display means for displaying the image determined by the determination means; specification means for specifying, in a case where a user designates a position within the image displayed by the display means, word information associated with region information of a region including the position; and authentication means for executing authentication processing using the word information specified by the specification means.
    Type: Grant
    Filed: April 10, 2013
    Date of Patent: February 10, 2015
    Assignee: Canon Kabushiki Kaisha
    Inventor: Manami Hatano
  • Publication number: 20150039889
    Abstract: Exemplary systems and methods are directed to decrypting electronic messages in a network. The system includes a processor configured to receive or monitor message sources for encrypted messages, where private keys associated with the encrypted messages are not previously provided to the system. For each message, extract a set of user certificate identifiers and corresponding encrypted session keys, securely communicate with private key provider to decrypt the encrypted session key with an acquired private key, and decrypt the message with the unencrypted session key.
    Type: Application
    Filed: October 29, 2013
    Publication date: February 5, 2015
    Applicant: Zeva Incorporated
    Inventor: Issam ANDONI
  • Patent number: 8949967
    Abstract: An information management apparatus includes a first control information setting unit that sets first control information for permitting use of information within a destination terminal to the information; a second control information setting unit that sets second control information for permitting the destination terminal to forward the information to the information; a displaying permitting unit that controls, when information set with the first control information is received from a source terminal, to permit the information to be used locally within an apparatus; and a forwarding permitting unit that controls, when information set with the second control information is received from a source terminal, to permit the information to be forwarded.
    Type: Grant
    Filed: January 31, 2012
    Date of Patent: February 3, 2015
    Assignee: Fujitsu Limited
    Inventor: Naoko Hayashida
  • Patent number: 8949606
    Abstract: A method transmits a message between a transmitter and a receiver on a bus using an identifier associated with the transmitter/receiver path for the purpose of authentication and a message counter. The identifier is dynamically selected from an identification sequence depending on the message counter value and is integrated into the message check sum but not transmitted via the bus. A control device and a vehicle are adapted to carry out the method for transmitting a message.
    Type: Grant
    Filed: June 18, 2010
    Date of Patent: February 3, 2015
    Assignees: Audi AG, Volkswagen AG, TTTech Computertechnik AG
    Inventors: Sven Schachtner, Thomas Bizenberger, Bernhard Gstoettenbauer
  • Patent number: 8948381
    Abstract: In one embodiment, receive a first request in connection with accessing a set of encrypted data, wherein the set of encrypted data has an expiration date; the first request comprises a first key associated with the expiration date; and the set of encrypted data has been encrypted using the first key. Validate the first key by comparing the expiration date against a current time. Generate a second key for decrypting the set of encrypted data using the first key only if the expiration date has not passed.
    Type: Grant
    Filed: September 9, 2011
    Date of Patent: February 3, 2015
    Assignee: Fujitsu Limited
    Inventor: Zhexuan Song
  • Patent number: 8949941
    Abstract: A system, method, and apparatus for the authentication of the physical location of a target node are disclosed herein. In one or more embodiments, the authentication of the target node's physical location is achieved by using ping ranging measurements obtained from the amount of time that elapses during ping messages being sent between the target node and at least one trusted node with a known physical location. The physical location of the trusted node(s) is obtained by using satellite geolocation techniques. The accuracy of the ranging measurements may be improved upon by using pre-coordination and/or priority determination of the ping messages being sent between the target node and the trusted node(s). In at least one embodiment, the ping messages are sent by dedicated ping response hardware that is associated with the target node and/or the trusted node(s). In some embodiments, the ping messages include a pseudo random code bit sequence.
    Type: Grant
    Filed: October 27, 2011
    Date of Patent: February 3, 2015
    Assignee: The Boeing Company
    Inventors: David A. Whelan, Gregory M. Gutt, David G. Lawrence, Michael Lee O'Connor, Rachel Rane' Schmalzried
  • Patent number: 8949612
    Abstract: Aspects of the invention include methods and systems for electronically signing a plurality of documents, such as an insurance application, a loan application, a set of mortgage papers, a bank application, or the like. A customer, or multiple customers, electronically submits the signature once and the customer's one signature is applied to all of the areas where the customer signature is required. The electronic signature may include initials and/or a graphical representation of the customer's handwritten signature. Aspects of the invention include an apparatus comprising a display, a memory, and a processor coupled to the memory and programmed with computer-executable instructions that, when executed, perform a method for electronically signing a plurality of documents.
    Type: Grant
    Filed: April 1, 2013
    Date of Patent: February 3, 2015
    Assignee: Allstate Insurance Company
    Inventors: George N. Sakkos, Carolyn Beth Carter, Yunzhu Chen, Victoria Marguerite Kummer-Donnellan
  • Patent number: 8949607
    Abstract: A method for protecting a digital document and user data typed into a digital document is presented. The method comprises computation of an authentication tag when the document is sent from a server. A similar authentication tag is computed when the document is shown on a client. When another document referenced in the document is requested by the client from the server, the authentication tag computed by the client is attached to the request for that other document. The server receiving the request compares the authentication tag it computed with the one it received to verify if the request came from an authentic copy of the document. The method is suitable for protection of online banking, online investment, online shopping, and other electronic applications.
    Type: Grant
    Filed: May 8, 2013
    Date of Patent: February 3, 2015
    Assignee: Codesealer APS
    Inventor: Hans Martin Boesgaard Soerensen
  • Publication number: 20150033015
    Abstract: Embodiments described herein provide for a system for verifying integrity of files uplinked to a remote vehicle. The system is configured to receive a first message authentication code (MAC) for the uplinked file, a first acknowledgement MAC for the MAC, and a first cyclic redundancy check (CRC) for the first MAC and the acknowledgement MAC. The system is also configured to compute a second MAC from the uplinked file, a second acknowledgement MAC from the second MAC and a second CRC from the second MAC and second acknowledgement MAC. Integrity of the uplinked file is verified by comparing the first CRC with the second CRC. If integrity of the uplinked file is confirmed, the uplinked file is accepted. If integrity of the uplinked file is not confirmed, the uplinked file is rejected.
    Type: Application
    Filed: September 2, 2014
    Publication date: January 29, 2015
    Inventors: Daniel P. Johnson, Joseph Nutaro
  • Patent number: 8943319
    Abstract: A method for providing security for a business application including receiving a request from a server including a server public key and a security token, deploying a virtual node implementing the business application in response to the request, using the security token in a bootstrap process by the virtual node to provide authentication to the server, and authenticating a message from the server using a server public key.
    Type: Grant
    Filed: April 29, 2012
    Date of Patent: January 27, 2015
    Assignee: International Business Machines Corporation
    Inventors: John Y. Chang, Ching Y. Chao, Hyen V. Chung
  • Patent number: 8943318
    Abstract: A system is configured to receive a first authentication request from a first device, authenticate the first device, establish a secure connection with the first device based on authenticating the first device, and receive, via the secure connection with the first device, a set of parameters from the first device. The first device is capable of generating an encryption key for a secure message, intended for a second device, based on the set of parameters. The system is also configured to receive a second authentication request from a second device, authenticate the second device and establish a secure connection with the second device based on receiving the second authentication request, and send, via the secure connection with the second device, the set of parameters to the second device. The second user device is capable of generating a decryption key for the secure message based on the set of parameters.
    Type: Grant
    Filed: May 11, 2012
    Date of Patent: January 27, 2015
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Kwai Yeung Lee, William C. King
  • Patent number: 8943561
    Abstract: Systems and methods for authenticating users are presented. A system can send a passkey to a user interface of a known device. A user can then send a messaging service message with the passkey from a second device to the system. After receiving the message from the user, the system can extract the passkey from the message, and compare the received passkey against the passkey originally sent to the user. The known device and the second device can each have separate and unique device identifiers.
    Type: Grant
    Filed: July 13, 2012
    Date of Patent: January 27, 2015
    Assignee: TextPower, Inc.
    Inventors: Robert Foster, Scott Goldman, Mark Nielsen
  • Patent number: 8938625
    Abstract: Systems and methods for authenticating playback devices using timestamp validation in accordance with embodiments of the invention are disclosed. One embodiment includes securely storing at least one timestamp in memory within a playback device in response to the occurrence of at least one predetermined event, where a stored timestamp is based on the current time of a system clock when an event occurs, generating a cryptographic key using the at least one timestamp, securing cryptographic data using the cryptographic key, receiving a request to play back encrypted content, where the encrypted content is accessible using the cryptographic data, accessing the at least one timestamp, generating the cryptographic key, accessing the cryptographic data using at least the cryptographic key, and playing back the content using the playback device.
    Type: Grant
    Filed: March 31, 2012
    Date of Patent: January 20, 2015
    Assignee: Sonic IP, Inc.
    Inventors: Eric William Grab, Francis Yee-Dug Chan, Michael George Kiefer
  • Patent number: 8938074
    Abstract: An apparatus and methods of securely communicating a message between a first device and a second device using a message specific identifier is disclosed. The method begins by assembling the message specific identifier from one or more attributes associated with the message and the first device. An encryption key request is transmitted to a server, wherein the encryption key request is based upon the message specific identifier. An encryption key is received from the server, wherein the encryption key is based on the message specific identifier and a random character set. The message is encrypted using the received encryption key and the encrypted message is sent to the second device.
    Type: Grant
    Filed: December 17, 2012
    Date of Patent: January 20, 2015
    Assignee: Patton Protection Systems, LLC
    Inventor: Steven J. Drucker
  • Publication number: 20150019868
    Abstract: A public encryption method based on user ID includes: setting, by a key generation server, at least one public parameter and master key used for generating a private key; receiving, by the key generation server, an inherent ID of a user from a receiving terminal, generating a private key based on the public parameter, the master key and the ID, and transmitting the generated private key to the receiving terminal; receiving, by a transmitting terminal, the public parameter and the ID from the key generation server, encrypting a message to generate a ciphertext, and transmitting the generated ciphertext to the receiving terminal; and receiving, by the receiving terminal, the ciphertext and the private key, and decrypting the ciphertext based on the received private key to obtain a message.
    Type: Application
    Filed: January 17, 2014
    Publication date: January 15, 2015
    Applicant: Korea University Research and Business Foundation
    Inventors: Dong Hoon LEE, Jong-Hwan Park, Woo-Kwon KOO
  • Patent number: 8935774
    Abstract: Accessory device authentication techniques are described. In one or more embodiments, connection of an accessory device to a host computing device is detected. Responsive to the detection, an authentication sequence may occur to verify an identity and/or capabilities of the accessory device. Upon successful authentication of the accessory device, the host device may authorize the accessory device for power exchange interactions with the host device. The host device may then draw supplemental power from a power source associated with the authorized accessory device, such as a battery or power adapter. The host device may also enable the accessory device to obtain and use power supplied by the host device in some scenarios. Power exchange between a host device and an authorized accessory may be managed in accordance with capabilities of the accessory device that are identified during authentication.
    Type: Grant
    Filed: May 14, 2012
    Date of Patent: January 13, 2015
    Assignee: Microsoft Corporation
    Inventors: Jim Tom Belesiu, Gene Robert Obie, James Charles Marshall, Robert D. Young, Nathan C. Sherman, Edward C. Giaimo, III, David Neff, Jose R. Sousa
  • Patent number: 8935749
    Abstract: A method for wireless communications and a wireless transmit/receive unit are disclosed. At least one first wireless communication link with a base station for transmitting/receiving data packets is established, which at least one first wireless communication link complies with at least a first authentication mechanism. At least one second wireless communication link with at least one user device for transmitting/receiving data packets is established, which at least one second wireless communication link complies with at least a second authentication mechanism, wherein the at least one second wireless communication link comprises a peer-to-peer wireless communication link. The at least one first wireless communication link and the at least one second wireless communication link are concurrently maintained.
    Type: Grant
    Filed: May 23, 2011
    Date of Patent: January 13, 2015
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Alexandros Maniatopoulos
  • Patent number: 8935529
    Abstract: Methods, systems and communication nodes for protecting Session Initiation Protocol (SIP) message payloads are described. Different protection techniques can be used to protect SIP payloads depending upon, for example, whether a recipient client application resides in a user equipment or an application server and/or whether a recipient client application resides in a same SIP/IP domain as the target SIP application server which is sending the SIP payloads.
    Type: Grant
    Filed: November 30, 2009
    Date of Patent: January 13, 2015
    Assignee: Telefonaktiebolaget L M Ericsson (Publ)
    Inventors: Yi Cheng, Åke Busin, Luis Barriga
  • Patent number: 8935758
    Abstract: A data processing system (100) comprises: a database (4); a host computer (3) and a user computer (1) capable of communicating with each other over a network (2); wherein the user computer sends a data request message (RQ) to the host computer (3), the request message containing Data information (RD), Identity information (RI), and Authenticity information (A; VI), wherein the host computer (3) checks the authentication information and only sends the required data if the Identity information (RI) defines an authorized user and the authentication information (A; VI) authenticates the user identification information. The request message further contains secondary information (RT) and the host computer (3) calculates, from the secondary information, a reliability value (R), compares the calculated reliability value with a predefined reliability threshold, and sends the required data only if the reliability value is at least as high as the reliability threshold.
    Type: Grant
    Filed: March 18, 2011
    Date of Patent: January 13, 2015
    Assignee: Authasas BV
    Inventors: Rik Peters, Reinier Maria Van Der Drift, Menno Stijl
  • Patent number: 8929551
    Abstract: Techniques for transmitting pilot and traffic data are described. In one aspect, a terminal may scramble its pilot with a scrambling sequence generated based on a set of static and dynamic parameters. The static parameter(s) have fixed value for an entire communication session for the terminal. The dynamic parameter(s) have variable value during the communication session. The terminal may generate a scrambling sequence by hashing the set of parameters to obtain a seed and initializing a pseudo-random number (PN) generator with the seed. The terminal may then generate the pilot based on the scrambling sequence. In another aspect, the terminal may use different scrambling sequences for pilot and traffic data. A first scrambling sequence may be generated based on a first set of parameters and used to generate the pilot. A second scrambling sequence may be generated based on a second set of parameters and used to scramble traffic data.
    Type: Grant
    Filed: May 3, 2013
    Date of Patent: January 6, 2015
    Assignee: QUALCOMM Incorporated
    Inventors: Aamod Khandekar, Alexei Gorokhov, Mohammad J. Borran, Rajat Prakash