Intelligent Token Patents (Class 713/172)
  • Patent number: 8638944
    Abstract: A countermeasure for differential power analysis attacks on computing devices. The countermeasure includes the definition of a set of split mask values. The split mask values are applied to a key value used in conjunction with a masked table defined with reference to a table mask value. The set of n split mask values are defined by randomly generating n−1 split mask values and defining an nth split mask value by exclusive or'ing the table mask value with the n−1 randomly generated split mask values.
    Type: Grant
    Filed: September 14, 2012
    Date of Patent: January 28, 2014
    Assignee: BlackBerry Limited
    Inventor: Catherine Helen Gebotys
  • Publication number: 20140019759
    Abstract: Embodiments of the invention may provide for systems and methods for secure authentication. The systems and methods may include receiving, by a constrained device, a random string transmitted from a server; determining, by the constrained device, a responsive output by evaluating a first deterministic function based upon the received random string, a locally generated string and a first private key stored on the constrained device; and transmitting at least one portion of the responsive output and the locally generated string from the constrained device to a server.
    Type: Application
    Filed: August 20, 2007
    Publication date: January 16, 2014
    Inventors: Mike Burmester, Breno de Medeiros, Tri Van Le, Christy Chatmon
  • Patent number: 8631238
    Abstract: The present invention relates to methods and systems for preventing race conditions in secure token conversations. The method includes generating a message from a client application to a server application, determining that a first secure conversation token (SCT) exists, and using the first SCT to encrypt the message. The method further includes sending the encrypted message to the server, receiving an indication that the first SCT has expired, and initiating an SCT renew request. The method includes storing the first SCT, receiving a second SCT in response to the SCT renew request, and storing the second SCT in addition to the first SCT. The method further includes retrieving an encrypted message, determining that the encrypted message has been encrypted using the first SCT, in response to the determination, using the first SCT to decrypt the message, and generating a response from the server to the client.
    Type: Grant
    Filed: July 25, 2011
    Date of Patent: January 14, 2014
    Assignee: Oracle International Corporation
    Inventors: Symon Szu-yuan Chang, Adam Lee, Thorick Chow, Alan Mullendore
  • Patent number: 8625783
    Abstract: A method and apparatus for providing privacy of user identity and characteristics in a communication system. A public key and a private key are generated, corresponding to a transceiver. The public key is transmitted to a wireless communication device. The wireless communication device encrypts one or more initial messages using the public key and transmits the one or more encrypted initial messages to the transceiver. The transceiver receives the one or more encrypted initial messages and decrypts them using the private key. The transceiver may then allocate resources to initiate a desired communication between said wireless communication device and a second communication device.
    Type: Grant
    Filed: October 24, 2006
    Date of Patent: January 7, 2014
    Assignee: QUALCOMM Incorporated
    Inventor: Mark Anthony Maggenti
  • Patent number: 8627433
    Abstract: A method for authenticating a request for access comprises monitoring one or more ambient transmissions present in a local environment, analyzing the one or more ambient transmissions to create a characterization thereof, and transmitting information configured to instruct a security token regarding characteristics of an adapted transmission protocol based on the characterization. The adapted transmission protocol is configured for decreasing a likelihood of interference by the one or more ambient transmissions with reception of an authentication transmission from the security token. An authentication transmission comprising authentication information is received from the security token, and the security token is authenticated based on the authentication information. In response to a request for access, a signal is transmitted to a controller indicating the request is authentic.
    Type: Grant
    Filed: September 30, 2011
    Date of Patent: January 7, 2014
    Assignee: GM Global Technology Operations LLC
    Inventors: Bruce D. Conner, Vipul M. Patel
  • Patent number: 8621561
    Abstract: Embodiments for providing differentiated access based on authentication input attributes are disclosed. In accordance with one embodiment, a method includes receiving an authentication input at an authentication authority using an authentication protocol. The authentication input is associated with a client. The method also includes providing one or more representations for the authentication input, wherein each of the representations represents an attribute of the authentication input.
    Type: Grant
    Filed: January 4, 2008
    Date of Patent: December 31, 2013
    Assignee: Microsoft Corporation
    Inventors: David B. Cross, Mark F. Novak, Oded Ye Shekel, Paul J. Leach, Andreas Luther, Thomas C. Jones
  • Patent number: 8621595
    Abstract: A method of network gateway authenticating involves a network gateway receiving an authentication request from a communications terminal. The communications terminal is in communication with an identity token. The authentication request includes a token cryptogram generated from a cryptographic key stored on the identity token. The network gateway transmits the authentication request to a communications network, and receives an authentication response from the communications network in accordance with a validity of the token cryptogram. The authentication response includes a gateway authentication certificate. The gateway authentication certificate is configured to authenticate the network gateway to a network device of the communications network.
    Type: Grant
    Filed: March 25, 2013
    Date of Patent: December 31, 2013
    Assignee: The Toronto Dominion Bank
    Inventors: Robert Hayhow, Bryan Michael Gleeson
  • Patent number: 8615799
    Abstract: An apparatus providing for a secure execution environment. The apparatus includes a microprocessor and a secure non-volatile memory. The microprocessor is configured to execute non-secure application programs and a secure application program, where the non-secure application programs are accessed from a system memory via a system bus. The secure non-volatile memory is coupled to the microprocessor via a private bus. The secure non-volatile memory is configured to store the secure application program, where transactions over the private bus between the microprocessor and the secure non-volatile memory are isolated from the system bus and corresponding system bus resources within the microprocessor.
    Type: Grant
    Filed: October 31, 2008
    Date of Patent: December 24, 2013
    Assignee: VIA Technologies, Inc.
    Inventors: G. Glenn Henry, Terry Parks
  • Patent number: 8607350
    Abstract: Embodiments herein provide a method, system, etc. for a sovereign information sharing service. More specifically, a method for secure distributed query processing comprises storing data tables from at least one data provider in at least one first computer comprising a sovereign server. Next, encrypted input and output of the data tables is performed between the server and a second computer. Following this, join operations are computed, comprising determining whether arbitrary join predicates yield matches within the data tables; and encrypted results of the join operations are output. The method minimizes possible information leakage from interaction between the server and the second computer by making observations and inferences from patterns of the outputting of the encrypted results.
    Type: Grant
    Filed: March 30, 2006
    Date of Patent: December 10, 2013
    Assignee: International Business Machines Corporation
    Inventors: Rakesh Agrawal, Dmitri Asonov, Murat Kantarcioglu, Yaping Li
  • Patent number: 8607054
    Abstract: An end user of an enterprise is enabled to receive secure remote presentation access to the assigned virtual machines in a hosted public cloud through the cloud provider's virtualization hosts and remote presentation gateway. Thus an enterprise administrator may purchase computing capacity from the cloud provider and further sub-divide the purchased computing capacity among enterprise end users. The cloud provider need not create shadow accounts for each end user of the enterprise. The cloud provider AD and the enterprise AD do not need to trust each other. The cloud provider also need not expose host information to the tenants. Authorization may be provided by using a combination of a custom authorization plug-in at the terminal services gateway and an indirection listener component at the virtualization host.
    Type: Grant
    Filed: October 15, 2010
    Date of Patent: December 10, 2013
    Assignee: Microsoft Corporation
    Inventors: Aravind Ramarathinam, Srivatsan Parthasarathy, Michael Michael
  • Patent number: 8607056
    Abstract: Generating a cryptographic key, for example using a received external key. A system to generate a cryptographic key may include a first data store which may store an authorization key. A system may include a second data store which may store a secure key and/or a public key. A system may include an access controller, which may allow access to a secure key, for example to an access request which may be accompanied by a digital signature. A system may include a key generator, which may generate a private key, for example using a received external key, a stored authorization key and/or a mapping function. A system may include an access request signal generator which may generate a digital signature and/or which may transmit an access request, for example including a generated digital signature, to an access controller to retrieve a secure key.
    Type: Grant
    Filed: October 1, 2010
    Date of Patent: December 10, 2013
    Assignee: Genkey Netherlands B.V.
    Inventors: Dominic Gavan Duffy, Carl Christopher Goodwin, Aled Wynne Jones, Dominic Frank Julian Binks
  • Patent number: 8601560
    Abstract: Provided are a method for authenticating a user terminal in an interface server, and an interface server and a user terminal using the same. The method includes receiving authentication request information from an application service providing server in order to request the interface server to authenticate the user terminal receiving an application service provided from the application service providing server, authenticating the user terminal according to the authenticating request information using an authentication method selected by the interface server or a user of the user terminal, and transmitting authentication response information including an authentication result of performing the authentication method to the application service providing server. The interface server provides an interface for a network to the application service providing server.
    Type: Grant
    Filed: November 30, 2009
    Date of Patent: December 3, 2013
    Assignee: KT Corporation
    Inventors: Soo-Jin Kim, Duc-Key Lee, Jung-Hee Bang
  • Patent number: 8601270
    Abstract: A method for preparing a chip card for electronic signature services. According to said method, data is exchanged between a chip card user and a signature portal, an asymmetric pair of keys and a signature PIN that is associated with the asymmetric pair of keys being generated on the chip card by means of a software application which can be executed on the chip card, and the chip card communicating the signature PIN to the user.
    Type: Grant
    Filed: December 8, 2006
    Date of Patent: December 3, 2013
    Assignee: T-Mobile International AG & Co. KG
    Inventor: Michael Dupré
  • Patent number: 8595810
    Abstract: A method for automatically updating access security on existing applications with multi-factor authentication, intelligent auto-login, single sign-on, proximity logout, pro-active loss prevention and real-time incident notification using a wrapping function.
    Type: Grant
    Filed: January 13, 2013
    Date of Patent: November 26, 2013
    Inventor: Mourad Ben Ayed
  • Patent number: 8595492
    Abstract: On-demand protection and authorization of playback of media assets includes receiving digital media at a server computer, storing intermediary data in a data store, and receiving a request from a client for the digital media. The method also includes generating a protected copy of the digital media from the digital media and the intermediary data. The method also includes storing a description of the protected copy in a database and sending the protected copy to the client. The method also includes receiving a request from the client to access the digital media and reading the description from the database based on information in the request. The method also includes sending a response to the client, the response indicating whether the client is authorized to access the digital media, and the response including cryptographic data to decrypt the protected digital media if the client is authorized to access the digital media.
    Type: Grant
    Filed: August 19, 2009
    Date of Patent: November 26, 2013
    Assignee: Pix System, LLC
    Inventors: Paul McReynolds, Eric B. Dachs, Erik Bielefeldt, Craig Wood
  • Patent number: 8595823
    Abstract: A method of and system for securely executing an application on a computer system such that a user of the computer system cannot access or view unauthorized content available on the computer system or accessible using the computer system. To securely execute an application, such method and system may terminate any unauthorized processes executing (i.e., running) on the computer system prior to execution of the application, and may configure the application such that unauthorized content cannot be accessed, including configuring the application such that unauthorized processes cannot be initiated (i.e., launched) by the application. Further, such system and method may terminate any unauthorized processes detected during execution of the application, and may disable any functions of the computer system that are capable of accessing unauthorized content, including disabling any functions capable of initiating processes on the computer system.
    Type: Grant
    Filed: October 30, 2012
    Date of Patent: November 26, 2013
    Assignee: Software Secure, Inc.
    Inventors: Raymond Hayland, Douglas Winneg
  • Patent number: 8595812
    Abstract: Provided are devices, methods, systems, computer readable storage media for tokenizing data. In some examples, credit card numbers are tokenized using a pre-generated token map and absent the use of a networked database that stores a relatively large quantity of credit card numbers in a central location. The token map may be generated by a token map generator such that the token map can be used by a tokenizer to replace a portion of an account number with a token, and by a detokenizer to replace the token with the original portion of the account number. A pre-parser and parser may also be used to locate an account number and/or token in a message received over a network.
    Type: Grant
    Filed: December 20, 2010
    Date of Patent: November 26, 2013
    Assignee: Sabre Inc.
    Inventors: Kevin B. Bomar, Glenn E. Harper
  • Patent number: 8595485
    Abstract: The present invention discloses a security management method and a security management system for a WAPI terminal accessing an IMS network. The method comprises: an authentication service unit (ASU) sending, under the circumstance that an access point and the WAPI terminal pass the verification of the ASU, a security information request message to a home subscriber server (HSS) (S302); the HSS setting security information corresponding to the IMS account information of the WAPI terminal as access layer security after receiving the security information request message from the ASU (S304); a proxy-call session control function (P-CSCF) receiving an IMS login request message from the WAPI terminal, inquiring about the security information of the WAPI terminal through the HSS, and allowing the WAPI terminal to execute an IMS service flow under the circumstance that the security information of the WAPI terminal is the access layer security (S306).
    Type: Grant
    Filed: July 16, 2009
    Date of Patent: November 26, 2013
    Assignee: ZTE Corporation
    Inventors: Jiehui Liang, Yuanqing Shi, Jiabing Liu
  • Patent number: 8595490
    Abstract: Systems and methods for performing a secure transaction are provided. In one embodiment, the method includes: reading data on a command token, reading data on a token; encrypting the token data with a key; encrypting an authentication data with a clear text token data; and transmitting the encrypted authentication data with the encrypted token data to a remote device.
    Type: Grant
    Filed: December 10, 2007
    Date of Patent: November 26, 2013
    Assignee: VeriFone, Inc.
    Inventors: Clay von Mueller, Scott R. Yale, Patrick K. Hazel, Paul Catinella
  • Patent number: 8595499
    Abstract: A method for identifying a patient for later access to an electronic patient record for the patient using a communication device belonging to an inquiring person. The patient record is stored in a database using a primary key which serves to identify the patient and which has at least one unambiguously associated secondary key, where the secondary key used to identify a patient is at least one subscriber information item which characterizes a subscriber in a wireless communication network. The secondary key for identification is transmitted between a mobile terminal used for communication in the wireless communication network and a portal via the at least one communication network.
    Type: Grant
    Filed: May 30, 2007
    Date of Patent: November 26, 2013
    Assignee: Siemens Aktiengesellschaft
    Inventors: Sultan Haider, Georg Heidenreich
  • Patent number: 8595494
    Abstract: A method carried out by a controller is disclosed. The method includes receiving (s10) a message including a request token. A request token is a value used by a consumer (300) to request authorization from a user to access protected resources from a service provider (400). A service provider (400) is at least one of a software application and web site that is configured to provide access to protected resources. A consumer (300) is at least one of a software application and a web site that is configured to access a service provider (400) on behalf of a user. The method further includes determining (s20) whether the message meets policy settings governing the access to protected resources; and, if it is determined (s30) that the message does not meet the policy settings, preventing (s34) the request token from being forwarded to the service provider (400) associated with the request token.
    Type: Grant
    Filed: October 22, 2009
    Date of Patent: November 26, 2013
    Assignees: Telefonaktiebolaget LM Ericsson, Universidad Politecnica de Madrid
    Inventors: Miguel Angel Monjas Llorente, José Maria Del Álamo Ramiro, Juan Carlos Yelmo García
  • Patent number: 8595500
    Abstract: In order to limit use of content, when a source receives a request for transmitting content from a sink, the source performs an authentication process. When the authentication is successful, the source transmits to the sink key information necessary for decrypting the encryption applied to the content. The sink can receive the content by receiving the key information and by decrypting the encryption applied to the content by using the key information.
    Type: Grant
    Filed: July 23, 2010
    Date of Patent: November 26, 2013
    Assignee: Sony Corporation
    Inventor: Takehiko Nakano
  • Patent number: 8595501
    Abstract: A network helper is provided that assists verifiers in executing a puzzle-based protocol for authentication of a token. A token stores a secret key and one or more puzzle-generating algorithms. The helper stores a plurality of puzzles associated with a particular token. When requested to do so by a verifier, the helper provides a plurality of pseudorandomly selected puzzles for the token to a verifier. The puzzles are encoded with information that is used between the verifier and token to establish a secured symmetric key. The verifier selects one or a few of the encoded puzzles and breaks them by a brute force attack. Because the helper does not know which puzzles have been selected, it has to break all puzzles to attempt to figure out the symmetric key. However, if a large number of puzzles are utilized, say millions, then breaking all of them becomes a computationally prohibitive task.
    Type: Grant
    Filed: May 9, 2008
    Date of Patent: November 26, 2013
    Assignee: QUALCOMM Incorporated
    Inventors: Gregory Gordon Rose, Alexander Gantman, Miriam Wiggers De Vries, Michael Paddon, Philip Michael Hawkes
  • Patent number: 8588415
    Abstract: A method of securing a telecommunication terminal that is connected to a module used to identify a user of the terminal is described. The method includes a step including executing a procedure in which the terminal is matched to the identification module, consisting in: securely loading a first software program including a data matching key onto the identification module; securely loading a second software program which can operate in conjunction with the first software program onto the telecommunication terminal; transmitting a data matching key that corresponds to that of the first software program to the second software program; storing the transmitted data matching key in the secured storage zone of the telecommunication terminal; and conditionally submitting every response from the first software program to a request from the second software program upon verification at the true value of the valid possession of the data matching key by the second program.
    Type: Grant
    Filed: November 2, 2005
    Date of Patent: November 19, 2013
    Assignees: France Telecom, Trusted Logic
    Inventors: Jean-Claude Pailles, Fabien Venries, Guillaume Bruyere, Alexandre Frey
  • Patent number: 8582757
    Abstract: A method for protecting the execution of a ciphering or deciphering algorithm against the introduction of a disturbance in a step implementing one or several first values obtained from second values supposed to be invariant and stored in a non-volatile memory in which, during an execution of the algorithm: a current signature of the first values is calculated; this current signature is combined with a reference signature previously stored in a non-volatile memory; and the result of this combination is taken into account at least in the step of the algorithm implementing said first values.
    Type: Grant
    Filed: August 26, 2009
    Date of Patent: November 12, 2013
    Assignee: STMicroelectronics (Rousset) SAS
    Inventors: Albert Martinez, Yannick Teglia
  • Patent number: 8583928
    Abstract: A technique for providing message authenticity includes accepting transaction information, accepting a first data item used for authenticating an originating user, cryptographically processing the transaction information using only a second data item, wherein the entropy of the first data item is less than the entropy of the second data item, and authenticating the originating user using the first data item. The first data item can be a sequence of digits corresponding to those displayed on an external device, such as, for example, an RSA authorization token, credit card, etc.
    Type: Grant
    Filed: April 16, 2012
    Date of Patent: November 12, 2013
    Assignee: JP Morgan Chase Bank
    Inventors: Glenn Stuart Benson, Joseph R. Calaceto, Russell M. Logar
  • Patent number: 8584223
    Abstract: The invention is a method of managing access to a plurality of data from a server by a client through a point-to-point link. Each of the data is reachable through a set of URIs that belongs to an index list. The method comprises the step of inserting a request to a control message in the index list. The control message applies to a data reachable through one URI belonging to the index list.
    Type: Grant
    Filed: August 18, 2010
    Date of Patent: November 12, 2013
    Assignee: Gemalto SA
    Inventors: Louis Gregoire, Alexis Pottier
  • Patent number: 8583921
    Abstract: Used in a communication involving Entity 1 and Entity 2 to authenticate Entity 1's identity, a digital identification of Entity 1 comprises an encrypted character string wherein the string is related to Entity 2 and is directly or indirectly encrypted with a key in a private/public key pair of Entity 1's. Such digital identification is dynamic and can be used as one-time or multiple-time identification. Such digital identification of an entity allows for the entity's being authenticated by another entity without the two entities having a one-to-one communication in advance. Also such a digital identification does not rely on the syntax of other messages or data as a digital signature does and can be verified easily. The verification of such a digital identification can be easily confirmed by both human beings and machines.
    Type: Grant
    Filed: June 30, 2005
    Date of Patent: November 12, 2013
    Inventor: Lingyan Shu
  • Patent number: 8578467
    Abstract: A method of establishing a communication channel between a network client and a computer server over a network is described. The network client may be configured to communicate with the computer server over the network and to communicate with a token manager. The token manager may be configured with a parent digital certificate that is associated with the token manager. The token manager or network client generates a credential from the parent digital certificate, and transmits the credential to the computer server. The credential may be associated with the computer server. The network client may establish the communications channel with the computer server in accordance with an outcome of a determination of validity of the credential by the computer server.
    Type: Grant
    Filed: May 4, 2011
    Date of Patent: November 5, 2013
    Assignee: Securekey Technologies, Inc.
    Inventors: Troy Jacob Ronda, Pierre Antoine Roberge, Patrick Hans Engel, Rene McIver, Gregory Howard Wolfond, Andre Michel Boysen
  • Patent number: 8578454
    Abstract: Systems and methods for authenticating defined user actions over a computer network. An authentication service receives an authentication request from an authenticating service to perform an action on behalf of a user. The authentication service then sends a permission request to a mobile device associated with the user, asking the user whether or not the action should be allowed. The user sends a permission response via the mobile device to the authentication service, granting or denying the action. The user may automate future similar responses so long as at least one automation criterion is met (e.g., the physical location of the mobile device), eliminating the need to manually provide a response to future permission requests. Information necessary to determine whether the automation criterion is met is stored locally on the mobile device.
    Type: Grant
    Filed: October 25, 2012
    Date of Patent: November 5, 2013
    Assignee: Toopher, Inc.
    Inventor: Evan Tyler Grim
  • Patent number: 8577028
    Abstract: There are disclosed systems and methods for computing an exponentiated message. In one embodiment blinding is maintained during the application of a Chinese Remainder Theorem (CRT) algorithm and then removed subsequent to the completion of the CRT algorithm. In another embodiment, fault injection attacks, such as the gcd attack, can be inhibited by applying and retaining blinding during the application of the CRT algorithm to yield a blinded exponentiation value, and then subsequently removing the blinding in a manner that causes an error injected into the CRT computation to cascade into the exponent of the value used to unblind the blinded exponentiated value.
    Type: Grant
    Filed: February 18, 2010
    Date of Patent: November 5, 2013
    Assignee: Certicom Corp.
    Inventors: Nevine Maurice Nassif Ebeid, Robert John Lambert
  • Patent number: 8578458
    Abstract: In at least one implementation a method includes receiving an identifier associated with a device, entering the identifier into a network controller device, inviting the device associated with the identifier to join a network, admitting the device associated with the identifier to the network, sending the device associated with the identifier a name of the network, and confirming that the device has joined the network as a device recognized by the network controller device.
    Type: Grant
    Filed: March 3, 2011
    Date of Patent: November 5, 2013
    Assignee: Lantiq Deutschland GmbH
    Inventors: Vladimir Oksman, Pramod Pandey, Joon Bae Kim
  • Patent number: 8578463
    Abstract: A system and method for allowing for distributed interaction in a computing scenario is presented. The system is powered by SandTable software. First and second items are respectively displayed on interactive screens of first and second surface computers. A first token is configured to be placed on the interactive screen of one of the computers and that computer reads its credentials. The SandTable software determines a first access level of the first token based on the credentials of the first token when it is placed on the surface computer. The first surface computer displays an image of an add item symbol when the first token is authenticated as a valid token. The SandTable software is configured to detect when the add item symbol is selected and to generate a menu of new items. SandTable creates a new item based on the new item selected from the menu.
    Type: Grant
    Filed: September 29, 2011
    Date of Patent: November 5, 2013
    Assignee: BAE Systems Information Solutions Inc.
    Inventor: Howard Kee
  • Publication number: 20130290724
    Abstract: Systems, methods, and technologies for configuring a conventional smart card and client machine, and for performing a smart card authorization using the configured smart card and client. Further, the combination of methods provides for mutual authentication—authentication of the client to the user, and authentication of the user to the client. The authentication methods include presenting a specified token to the user sufficient to authenticate the client to the user and thus protect the user-provided PIN. Security is strengthened by using an integrity key based on approved client system configurations. Security is further strengthened by calculating a PIN′ value based on a user-specified PIN and a modifier and using the PIN′ value for unlocking the smart card.
    Type: Application
    Filed: June 27, 2013
    Publication date: October 31, 2013
    Inventors: Stefan Thom, Erik Lee Holt, Shivaram H. Mysore, Valerie Kathleen Bays, Carl M. Ellison
  • Patent number: 8572713
    Abstract: A universal authentication token is configured to securely acquire security credentials from other authentication tokens and/or devices. In this manner, a single universal authentication token can store the authentication credentials required to access a variety of resources, services and applications for a user. The universal authentication token includes a user interface, memory for storing a plurality of authentication records for a user, and a secure processor. The secure processor provides the required cryptographic operations to encrypt, decrypt, and/or authenticate data that is sent or received by the universal token. For example, the secure processor may be used to generate authentication data from seed information stored in memory.
    Type: Grant
    Filed: March 29, 2012
    Date of Patent: October 29, 2013
    Assignee: Broadcom Corporation
    Inventor: Mark Buer
  • Patent number: 8572710
    Abstract: A pluggable token provider model for message level authentication across multiple web services is provided. Web service and token provider implementations within a client application are separated from an actual component that operates the business logic to formulate and understand a web request. The web service components may request web services to be executed and supply the body for the web service message while a common framework maintains the web services metadata, which includes definitions associated with respective tokens. The framework may further maintain token provider implementations that actually fetch authentication tokens and perform the web requests.
    Type: Grant
    Filed: March 18, 2010
    Date of Patent: October 29, 2013
    Assignee: Microsoft Corporation
    Inventors: Ranjith Narayanan, Rui Liang, Srivatsa Srinivasan
  • Patent number: 8566461
    Abstract: Methods, apparatuses and systems directed to account-based access to media services are described. A media access controller server validates a voucher for an offer of network content and issues a token permitting access to the content. A media access manager server validates the token and invokes a playlist-generation step at a publishing point, and returns the content to a user's media player. A custom plug-in on the media access manager may enforce terms of service imposed by the publisher, such as a maximum number of simultaneous streams permitted by a single voucher, or a time window for use of the voucher. Streams whose voucher's end time has expired are terminated by the plug-in.
    Type: Grant
    Filed: June 8, 2005
    Date of Patent: October 22, 2013
    Assignee: Digital River, Inc.
    Inventors: Gyuchang Jun, Kurt Huang, Duane Kuroda
  • Patent number: 8566237
    Abstract: A system and method for facilitating payment for online purchases is disclosed. The system allows consumers/customers who shop online to select, at the time of checkout, direct payment from an account as the payment option. An electronic bill (ebill), independent of any confidential financial information pertaining to the consumer, is automatically displayed and emailed to the consumer. The consumer pays the ebill at their bank the same way they pay their utility bill, which then results in a payment confirmation sent from the bank to the payee. Payment information from the bank is sent to the system to update the purchase transactions. Once the payment information is processed, the consumer and merchant accounts are balanced and both receive automatic notification of the payment.
    Type: Grant
    Filed: January 18, 2008
    Date of Patent: October 22, 2013
    Assignee: Western Union Financial Services, Inc.
    Inventor: Marwan Forzley
  • Patent number: 8566907
    Abstract: A method is provided for controlling multiple access to a network service to prevent fraudulent use of the network service. The method includes identifying an account access counter for an account using identification information received from a user at a first device using a network, wherein the user is requesting access to a service provided at a second device, and further wherein the account access counter is the number of service access sessions active for the account; comparing the account access counter to a maximum account access number, wherein the maximum account access number defines a maximum number of service access sessions allowed for the account; and providing the user at the first device access to the service at the second device if the account access counter is less than the maximum account access number.
    Type: Grant
    Filed: August 24, 2012
    Date of Patent: October 22, 2013
    Assignee: MLB Advanced Media, L.P.
    Inventors: Joseph Francis Choti, Justin Alexander Shaffer, Christopher Sun, Elangovan Soundararajan, Shadeed S. Willis, Lincoln Hochberg, Sean Curtis
  • Patent number: 8566462
    Abstract: Methods, apparatuses and systems directed to methods of controlling access to one or more items of network content referenced within a structured document such as an RSS feed. Embodiments of the invention are particularly suited to podcasting, where the access control is based on monetary payment, presentation of coupons or other promotional devices, or other forms of web commerce; or may limit the duration of accessibility of the content, the number of times it can be downloaded, or other characteristics of access.
    Type: Grant
    Filed: May 10, 2006
    Date of Patent: October 22, 2013
    Assignee: Digital River, Inc.
    Inventors: Gyuchang Jun, Kurt Huang, Duane Kuroda
  • Patent number: 8566908
    Abstract: A method allows access to a set of secure databases and database applications over an untrusted network without replicating the secure database. The method involves authenticating a user using a first authentication application. When the user is verified, then the user's credentials are directed to a second authentication application associated with a secure database based on a first set of user settings retrieved for the user. The second authentication application, based on a second set of user settings, grants the user access to the secure database and database applications associated with the secure database.
    Type: Grant
    Filed: September 14, 2012
    Date of Patent: October 22, 2013
    Assignee: AT&T Intellectual Property II, L.P.
    Inventors: Roger Aboujaoude, Hossein Eslambolchi, John McCanuel, Michael Morris, Saeid Shariati
  • Patent number: 8560859
    Abstract: A storage controller and program product is provided for performing double authentication for controlling disruptive operations on storage resources generated by a system administrator. A first request is received from a first user for generation of a first key. A first key is generated, provided to the first user and associated with the storage resource. An input is received from the administrator, the input comprises a second key and a command for performing the disruptive operation. The second key and the first key are compared. It is verified that the administrator is authorized as an administrator of the storage resource. The disruptive operation is performed on the storage resource if the second key and the first key match and the administrator is authorized. Otherwise, the performance of the disruptive operation is denied.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: October 15, 2013
    Assignee: International Business Machines Corporation
    Inventors: Vincent Boucher, Sebastien Chabrolles, Benoit Granier, Arnaud Mante
  • Patent number: 8561206
    Abstract: A system, method, and computer program product are provided for allowing access to data based on a recipient identifier included with the data. In use, data is received at a device of a recipient. Additionally, it is determined whether an identifier of the recipient is included with the data. Further, access to the data by the device of the recipient is conditionally allowed based on the determination.
    Type: Grant
    Filed: July 1, 2008
    Date of Patent: October 15, 2013
    Assignee: McAfee, Inc.
    Inventors: Manabendra Paul, Abhilash Chandran
  • Patent number: 8560852
    Abstract: A secure portable electronic device for providing secure services when used in conjunction with a host computer having a central processing unit uses two hardware device protocols readily supported by computer operating systems. Other systems and methods are disclosed.
    Type: Grant
    Filed: February 1, 2008
    Date of Patent: October 15, 2013
    Assignee: Gemalto SA
    Inventors: Lu Karen HongQian, Stephane Durand, Laurent Castillo, Asad Ali, Ed Dolph
  • Patent number: 8561120
    Abstract: The present invention concerns a control device (1) provided for smart card readers (SCR), a smart card reading activation device (2) and associated products including a set-top box and a daisy chain. The control device comprises means for communicating (11) with at least two smart card reading devices (SCR3, SCR4, SCR5), means for processing (12) information received from those reading devices and means for activating (13) at least one of those reading devices for a current communication. The activating means are intended to send selection data (SD) towards all those reading devices, those selection data enabling each of the reading devices to determine if it is selected or not for the current communication.
    Type: Grant
    Filed: August 26, 2004
    Date of Patent: October 15, 2013
    Assignee: Thomson Licensing S.A.
    Inventors: Patrick Will, Olivier Horr
  • Patent number: 8560841
    Abstract: An authentication mechanism for use in network-based services generates an authentication token. The authentication token is provided to a client device as part of the code comprising a content page. The content page code is received and loaded by a browser application at the client device. When the content page code is received and loaded by the browser application, the authentication token is loaded by the browser as well. Upon receiving subsequent input, the browser application may send a content request to the server. The content request includes the authentication token maintained by the browser application in the content page. A server may validate the authentication token provided in the request using version information and one or more master authentication tokens.
    Type: Grant
    Filed: March 1, 2010
    Date of Patent: October 15, 2013
    Assignee: Microsoft Corporation
    Inventors: Andy Chin, Alina Vikutan, Johnny C. Liu
  • Patent number: 8555067
    Abstract: Methods and apparatus enabling programming of electronic identification information of a wireless apparatus. In one embodiment, a previously purchased or deployed wireless apparatus is activated by a cellular network. The wireless apparatus connects to the cellular network using an access module to download operating system components and/or access control client components. The described methods and apparatus enable updates, additions and replacement of various components including Electronic Subscriber Identity Module (eSIM) data and OS components. One exemplary implementation of the invention utilizes a trusted key exchange between the device and the cellular network to maintain security.
    Type: Grant
    Filed: May 19, 2011
    Date of Patent: October 8, 2013
    Assignee: Apple Inc.
    Inventors: Stephan V. Schell, Arun G. Mathias, Jerrold Von Hauck, David T. Haggerty, Kevin McLaughlin, Ben-Heng Juang, Li Li
  • Publication number: 20130262869
    Abstract: The invention enables a chip set of a receiver of a conditional access system to receive control words securely from a head-end system in the content delivery network. Hereto the chip set comprises means for processing an incoming message to obtain a virtual control word, and using the virtual control word to generate the control word used for descrambling content received from the content delivery network. The authenticity of incoming messages is verified, in the sense that content descrambling fails if an incoming message is not authentic.
    Type: Application
    Filed: November 30, 2011
    Publication date: October 3, 2013
    Applicant: IRDETO B.V.
    Inventor: Petrus Lambertus Adrianus Roelse
  • Patent number: 8549296
    Abstract: Methods and systems for using simple authenticated messages are disclosed for use with implementing (i) synchronization schemes, (ii) encoded control messaging schemes, and (iii) encrypted data communication schemes. Messages are authenticated by applying a secure hash function to one or more authentication tokens to produce hash results which are compared to stored trusted bit strings, wherein the stored trusted bit strings are replaced with the most-recently received authentication token whose corresponding hash result matched the stored bit string.
    Type: Grant
    Filed: November 21, 2008
    Date of Patent: October 1, 2013
    Assignee: Honeywell International Inc.
    Inventor: Kevin Raymond Driscoll
  • Patent number: 8549604
    Abstract: A user authentication method and system. A computing system receives from a user, a first request for accessing specified functions executed by a specified software application. The computing system enables a security manager software application and connects the specified software application to a computing apparatus. The computing system executes first security functions associated with the computing apparatus. The computing system executes second security functions associated with additional computing apparatuses. The computing system determines if the user may access the specified functions executed by the specified software application based on results of executing the first security functions and the second security functions. The computing system generates and stores a report indicating the results.
    Type: Grant
    Filed: March 23, 2009
    Date of Patent: October 1, 2013
    Assignee: International Business Machines Corporation
    Inventors: Sara H. Basson, Dimitri Kanevsky, Edward Emile Kelley, Irina Rish