Intelligent Token Patents (Class 713/172)
  • Patent number: 8543824
    Abstract: A cryptographic hash of content (e.g., applications, documents, widgets, software, music, videos, etc.) is created and made available for distribution over a network (or by other means) as part of a ticket file. The ticket file can be cryptographically signed to ensure its authenticity. The ticket file and content can be downloaded separately (e.g., from different websites) to a user system (e.g., a computer, mobile phone, media player/recorder, personal digital assistant (PDA), etc.). The user system verifies the signature of the ticket file and the content hash to ensure that the content has not been compromised. The ticket file can include information relating to downloading the content (e.g., a Uniform Resource Identifier (URI)) and other meta-data (e.g., hash type, content information, public key, size, version, etc.).
    Type: Grant
    Filed: April 20, 2006
    Date of Patent: September 24, 2013
    Assignee: Apple Inc.
    Inventors: John O. Louch, Aaron Sige, Maciej Stachowiak
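
As an added illustration of the ticket-file scheme in this abstract (example code written for this listing, not Apple's implementation): the publisher hashes the content, records the hash type, size and URI in a ticket, and signs the ticket; the user system verifies the ticket signature first and only then trusts the hash it carries. Assumption: the patent signs with a public-key signature, while this example uses HMAC-SHA256 under a shared key as a stand-in so it runs on the standard library alone; the key, URI and content bytes are constructed for the demo.

```python
import hashlib
import hmac
import json
from typing import Tuple

# Assumption: stand-in for the patent's public-key signature. A shared key
# demonstrates the verify-ticket-then-verify-content ordering; the key and
# the content used below are constructed for this demo.
TICKET_SIGNING_KEY = b"constructed-demo-ticket-signing-key"

SUPPORTED_HASHES = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}


def _canonical(body: dict) -> bytes:
    """Canonical JSON so signer and verifier MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_ticket(content: bytes, uri: str, hash_type: str = "sha256",
                version: str = "1.0") -> dict:
    """Publisher side: hash the content, record metadata, sign the ticket body."""
    digest = SUPPORTED_HASHES[hash_type](content).hexdigest()
    body = {
        "uri": uri,              # where the content itself can be fetched
        "hash_type": hash_type,
        "hash": digest,
        "size": len(content),
        "version": version,
    }
    signature = hmac.new(TICKET_SIGNING_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "signature": signature}


def verify_content(ticket: dict, content: bytes) -> Tuple[bool, str]:
    """User-system side: trust nothing in the ticket until its signature checks,
    then check that the separately downloaded content matches the ticket."""
    body = ticket.get("body", {})
    expected = hmac.new(TICKET_SIGNING_KEY, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(ticket.get("signature", ""))):
        return False, "ticket signature invalid"
    hash_type = body.get("hash_type")
    if hash_type not in SUPPORTED_HASHES:
        return False, "unsupported hash type"
    if len(content) != body.get("size"):
        return False, "content size mismatch"
    digest = SUPPORTED_HASHES[hash_type](content).hexdigest()
    if not hmac.compare_digest(digest, str(body.get("hash", ""))):
        return False, "content hash mismatch"
    return True, "ok"
```

The ordering matters: the hash type and size are read from the ticket, so they are only safe to act on after the signature over the ticket has been verified; otherwise an attacker who can alter the ticket could point the verifier at a weak hash or at a hash of substituted content.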
  • Patent number: 8543799
    Abstract: A secure mechanism for performing a network boot sequence and provisioning a remote device may use a private key of a public key/private key encryption mechanism to generate a command by a server and have the command executed by the device. The command may be used to verify the authenticity of the remote device, and may be used to establish ownership of the device. After authenticity and, in some cases ownership is established, bootable software may be downloaded and executed. The remote device may be provisioned with software applications. One mechanism for performing the initial encrypted commands is through a Trusted Platform Module. In many embodiments, the public key for the initial encrypted communication may be provided through a trusted second channel.
    Type: Grant
    Filed: May 2, 2008
    Date of Patent: September 24, 2013
    Assignee: Microsoft Corporation
    Inventors: Christopher McCarron, Varugis Kurien
  • Patent number: 8538011
    Abstract: The invention discloses a system for enhancing trust in transactions, most particularly in remote transactions between a plurality of transactional parties, for instance a seller and buyer(s) of goods and/or services over a public computer network such as the internet. Trust is disclosed to be a multivalent commodity, in that the trust that is to be enhanced relates to information about the subject matter of the transactions (e.g., the suitability of the goods and services sold), the bona fides of the supplier of the goods and services, the appropriateness of a pricing structure for a particular transaction or series of transactions, a quantum of additional transactional value that may be imparted to the transactional relationship, security of information exchange, etc.
    Type: Grant
    Filed: August 29, 2006
    Date of Patent: September 17, 2013
    Assignee: Blue Spike, Inc.
    Inventor: Scott A. Moskowitz
  • Patent number: 8539237
    Abstract: A scalable architecture is disclosed for delivery of real-time information over a communications network. Embedded into the architecture is a control mechanism that provides for the management and administration of users who are to receive the real-time information. In the preferred embodiment, the information being delivered is high-quality audio. However, it could also be video, graphics, text or any other type of information that can be transmitted over a digital network. Preferably, there are multiple channels of information available simultaneously to be delivered to users, each channel consisting of an independent stream of information. A user chooses to tune in or tune out a particular channel, but does not choose the time at which the channel distributes its information.
    Type: Grant
    Filed: August 22, 2006
    Date of Patent: September 17, 2013
    Assignee: Two-Way Media LLC
    Inventors: Antonio M Monteiro, James F Butterworth
  • Patent number: 8539238
    Abstract: A wireless device includes a nonvolatile memory that handles the task of securely performing integrity checks that do not expose the authentication private key externally. The system security architecture installs and associates private keys with the nonvolatile memory to create a secure execution environment resistant to virus attack. The nonvolatile memory provides integrity checks of nonvolatile memory data and generates signatures for data provided by the memory.
    Type: Grant
    Filed: May 9, 2007
    Date of Patent: September 17, 2013
    Assignee: Intel Corporation
    Inventor: John C. Rudelic
  • Patent number: 8533813
    Abstract: An image processing apparatus capable of managing easily secret information even with detachably attaching an external memorizing device, includes an ID (plug and play ID) retrieving unit for retrieving ID from the connected memory, a user information storing unit for storing user information, an active memory information storing unit for storing the retrieved ID with corresponding to the respective users, a memory use judging unit for judging as to whether the memory is usable based on the ID retrieved from the connected memory and on the ID stored in the active memory information storing unit, and a data writing controlling unit for writing data to the memory judged as usable.
    Type: Grant
    Filed: January 29, 2009
    Date of Patent: September 10, 2013
    Assignee: Oki Data Corporation
    Inventor: Kenichi Machiyama
  • Patent number: 8533796
    Abstract: In general, the subject matter described in this specification can be embodied in methods, systems, and program products for providing access to secured resources. A token providing system stores a primary authentication token that is used to obtain temporary authentication tokens. The token providing system provides, to application programs that are unable to access the primary authentication token, the temporary authentication tokens. The token providing system receives, from a first application program of the application programs, a first request to obtain a first temporary authentication token. The first request does not include the primary authentication token. The token providing system transmits a second request to obtain the first temporary authentication token. The second request includes the primary authentication token. The token providing system receives the first temporary authentication token.
    Type: Grant
    Filed: April 26, 2011
    Date of Patent: September 10, 2013
    Assignee: Google Inc.
    Inventors: Vittaldas Sachin Shenoy, Pankaj Risbood, Vivek Sahasranaman, Christoph Kern, Evan K. Anderson
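
The broker pattern in this abstract, as an added example written for this listing (not Google's code): a token provider holds the primary authentication token, applications ask it for temporary tokens without ever presenting the primary token, and the provider makes the second request, the one that does carry the primary token, to the token service. Assumptions: the token service is simulated in-process, temporary tokens are HMAC-tagged strings with a scope and expiry, the service key and lifetime are constructed values, and scopes contain no ':' character.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo values; in the patent the token service is a remote endpoint.
SERVICE_KEY = b"constructed-token-service-key"
TEMP_TOKEN_TTL = 300   # seconds a temporary token lives (assumed)


class TokenService:
    """Stand-in for the service that mints temporary tokens; it only honours
    requests that carry the primary authentication token."""

    def __init__(self, primary_token: str):
        self._primary = primary_token

    def issue_temporary(self, primary_token: str, scope: str, now: float) -> str:
        if not hmac.compare_digest(primary_token, self._primary):
            raise PermissionError("primary token rejected")
        # Token layout (assumed): scope:expiry:nonce:tag, scope must not contain ':'
        payload = f"{scope}:{int(now) + TEMP_TOKEN_TTL}:{secrets.token_hex(8)}"
        tag = hmac.new(SERVICE_KEY, payload.encode(), hashlib.sha256).hexdigest()[:32]
        return f"{payload}:{tag}"

    def validate(self, temp_token: str, scope: str, now: float) -> bool:
        parts = temp_token.split(":")
        if len(parts) != 4:
            return False
        tok_scope, expiry, nonce, tag = parts
        expected = hmac.new(SERVICE_KEY, f"{tok_scope}:{expiry}:{nonce}".encode(),
                            hashlib.sha256).hexdigest()[:32]
        return (hmac.compare_digest(expected, tag)
                and tok_scope == scope
                and expiry.isdigit() and now < int(expiry))


class TokenProvider:
    """Holds the primary token on behalf of applications that must never see it."""

    def __init__(self, primary_token: str, service: TokenService):
        self._primary = primary_token   # never returned to callers
        self._service = service

    def request_temporary(self, app_request: dict, now: float = None) -> str:
        now = time.time() if now is None else now
        # First request (application -> provider) must not carry the primary token.
        if "primary_token" in app_request:
            raise ValueError("applications must not present the primary token")
        # Second request (provider -> service) is the one that includes it.
        return self._service.issue_temporary(self._primary, app_request["scope"], now)
```

Scoping and expiring the temporary token bounds what an application (or anything that compromises it) can do with it; the primary token, which would grant everything, stays inside the provider.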
  • Patent number: 8526608
    Abstract: A printing system and printer with an electronic signature capability, and a method thereof are provided. To print security documents using an electronic signature stored in a portable memory, the printing system of the invention includes a portable memory for storing an electronic signature. A memory interface connects detachably to the portable memory. A printer receives the electronic signature from the memory interface, composes the received electronic signature with print data, and executes a print operation. Accordingly, a stamping or signature process on numerous documents can be facilitated, and excessive stamping or signature execution can be prevented. Moreover, the electronic signature of the invention can be executed on various types of forms or documents.
    Type: Grant
    Filed: March 9, 2011
    Date of Patent: September 3, 2013
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Eun-ah Song, Hyun-sun Jung, Yong-geun Kim
  • Patent number: 8527756
    Abstract: A method and system of securing content is described, the method including establishing communication between a secure module source and a content rendering device, loading a dynamically generated pseudo-unique secure module to the content rendering device from the secure module source, establishing communication between the secure module source and the dynamically generated pseudo-unique secure module, and transferring a decryption key from the secure module source to the dynamically generated pseudo-unique secure module, thereby enabling decryption of encrypted content, the encrypted content being encrypted according to the decryption key. Related methods and apparatus are also described.
    Type: Grant
    Filed: September 27, 2006
    Date of Patent: September 3, 2013
    Assignee: Cisco Technology, Inc.
    Inventors: Leonid Sandler, Yaron Sella, Erez Waisbard
  • Patent number: 8528067
    Abstract: Systems and method for producing, validating, and registering authentic verification tokens are disclosed. Such systems and methods include generating verification token specific key pairs. The key pairs can be signed by a verification token manufacturer master key or public key certificate for an additional level of authenticity. Related methods and systems for authenticating and registering authorized verification token manufacturers are also disclosed. Once a verification token manufacturer is authenticated, it can be assigned a manufacturer-specific key pair or certificate and in some cases, a predetermined set of serial numbers to assign to the verification tokens it produces. Each serial number can be used to generate a verification token specific key pair specific to the associated verification token. One component of the verification token key pair can be stored to the verification token.
    Type: Grant
    Filed: January 12, 2011
    Date of Patent: September 3, 2013
    Assignee: Visa International Service Association
    Inventors: Simon Hurry, Ayman Hammad
  • Patent number: 8522018
    Abstract: A method for implementing a mobile trusted platform module includes establishing a connection with a first remote host device via a remote interface. The method also includes authenticating the connection. The method further includes, upon authenticating the connection, allowing the first remote host device to access a securely stored first application within a mobile trusted platform module.
    Type: Grant
    Filed: August 17, 2007
    Date of Patent: August 27, 2013
    Assignee: Fujitsu Limited
    Inventors: Jesus Molina, Hou Cheng Lee, Jonathan R. Agre
  • Patent number: 8522317
    Abstract: A device for maintaining an address translation table, placed in series between a user terminal and a third-party entity of a telecommunications network, is disclosed. The device is adapted to verify the existence in the address translation table of an entry specific to the exchange of application signaling messages using said protocol between the terminal and the third-party entity and, if there is no entry specific to the exchange of application signaling messages using said protocol between the terminal and the third-party entity, to create a specific entry in the address translation table associating with a private address and a private port of the terminal in a private network connecting it to said device a public address and a public port of the terminal in the telecommunications network and an indication of the validity of the entry, this validity indication taking into account the first reception time.
    Type: Grant
    Filed: November 24, 2008
    Date of Patent: August 27, 2013
    Assignee: France Telecom
    Inventors: Jean-Claude Le Rouzic, Régis Savoure
  • Patent number: 8515072
    Abstract: A method and apparatus that enables secure communications from a wireless communication device is disclosed. The method may include receiving a signal to transmit data, wherein the data is at least one of voice, text, image, and video, applying a first layer of encryption to the data, applying a second layer of encryption to the data, applying a third layer of encryption to the data, and sending the encrypted data over a communications network.
    Type: Grant
    Filed: July 27, 2010
    Date of Patent: August 20, 2013
    Assignee: Lockheed Martin Corporation
    Inventor: Victor Spahic
  • Patent number: 8516564
    Abstract: A first virtualization layer is inserted between (i) an operating system of a computer system, and (ii) at least first and second hardware devices of the computer system. Data is communicated between the first hardware device and the second hardware device, via the first virtualization layer, without exposing the data to the operating system.
    Type: Grant
    Filed: July 18, 2008
    Date of Patent: August 20, 2013
    Assignee: International Business Machines Corporation
    Inventors: Bernhard Jansen, Matthias Schunter, Axel Tanner, Diego M. Zamboni
  • Patent number: 8516565
    Abstract: An IC chip, an information processing apparatus, system, method, and program are provided. An IC chip includes an authentication control unit configured to authenticate a request using authentication information. The request and/or the authentication information is received from outside the IC chip.
    Type: Grant
    Filed: October 7, 2010
    Date of Patent: August 20, 2013
    Assignee: FeliCa Networks, Inc.
    Inventors: Shinichi Kato, Naofumi Hanaki, Shuichi Sekiya, Itsuki Kamino
  • Patent number: 8510819
    Abstract: Systems and methods are provided for securing at least one mobile device. A server includes a controller and a non-transitory computer readable medium storing instructions executable by the controller. The executable instructions are configured to perform a method in which a secure communications session is established with a user and the user is allowed to input a list of a plurality of security actions to be performed at a mobile device associated with the user. A secure communications session is established with the mobile device, and the list of the plurality of security actions is provided to the mobile device simultaneously as a single instruction set.
    Type: Grant
    Filed: May 20, 2011
    Date of Patent: August 13, 2013
    Assignee: Neevo, LLC
    Inventors: Stuart James Saunders, Kenneth Alan Adair
  • Patent number: 8504838
    Abstract: Systems, methods, and technologies for configuring a conventional smart card and a client machine, and for performing a smart card authorization using the configured smart card and client. Further, the combination of methods provides for mutual authentication—authentication of the client to the user, and authentication of the user to the client. The authentication methods include presenting a specified token to the user sufficient to authenticate the client to the user and thus protect the user-provided PIN. Security is strengthened by using an integrity key based on approved client system configurations. Security is further strengthened by calculating a PIN′ value based on a user-specified PIN and a modifier and using the PIN′ value for unlocking the smart card.
    Type: Grant
    Filed: March 26, 2011
    Date of Patent: August 6, 2013
    Assignee: Microsoft Corporation
    Inventors: Stefan Thom, Erik Lee Holt, Shivaram H. Mysore, Valerie Kathleen Bays, Carl M. Ellison
  • Patent number: 8504837
    Abstract: Systems and/or methods are described relating to a security model that provides interoperability with foreign security domains while remaining scalable to small embedded devices. A security token service is provided, which is configured to issue, renew, and/or validate security tokens in response to a token request. A communication protocol, corresponding message structures, and the security tokens are defined in accordance with protocol buffer definitions.
    Type: Grant
    Filed: October 15, 2010
    Date of Patent: August 6, 2013
    Assignee: Rockwell Automation Technologies, Inc.
    Inventors: Taryl J. Jasper, Michael B. Miller, Robert A. Brandt
  • Publication number: 20130198519
    Abstract: A handheld authentication device comprising a data processor and a display is adapted to: generate an input value; submit the input value to an asymmetric cryptographic operation; obtain the result of said asymmetric cryptographic operation; generate an authentication message substantially comprising the result of the asymmetric cryptographic operation; encode the authentication message into one or more images; and display these images on the display.
    Type: Application
    Filed: December 27, 2012
    Publication date: August 1, 2013
    Applicant: Vasco Data Security, Inc.
    Inventor: Dirk Marien
  • Patent number: 8499156
    Abstract: The invention discloses a method for implementing encryption and transmission of information and system thereof. The method comprises the following steps when a sender sends information to a receiver: a client of the sender encrypts the information by using a unique identifier of a receiver identity as a public key; the sender sends the encrypted information to the receiver; the receiver receives the encrypted information, and a client of the receiver performs decryption by using a user private key; wherein the client of the receiver obtains the user private key by one-off registration and the user private key matches with the unique identifier of the receiver identity. The system comprises an information transmission platform, a sender and a receiver connected to each other by the information transmission platform, clients provided in the sender and the receiver, and a registration component.
    Type: Grant
    Filed: May 20, 2009
    Date of Patent: July 30, 2013
    Assignee: City University of Hong Kong
    Inventors: Shek Duncan Wong, Xiaokang Xiong
  • Patent number: 8498411
    Abstract: A method, integrated circuit chip, and computer program product for cryptographically processing an input value with Elliptic Curve Cryptography (ECC) using ECC scalar multiplication are provided. The ECC scalar multiplication is performed with the use of an enhanced acceleration table (EAT). The EAT uses multiple running totals with multiples above 2. The EAT, in some embodiments, uses reference values other than 0 and 2^window size.
    Type: Grant
    Filed: September 29, 2009
    Date of Patent: July 30, 2013
    Assignee: EMC Corporation
    Inventors: Sean Parkinson, Mark Hibberd, Peter Alan Robinson, David Paul Makepeace
  • Publication number: 20130191640
    Abstract: A method of reading a readable element, such as a two dimensional bar code or an RFID chip, that has encrypted information with a portable device, such as a digital media device or RFID reader, includes storing a decryption key in the portable device, and scanning the readable element with the portable device. The method further includes communicating with a remote server storing a decryption key database, validating the decryption key stored in the portable device, and decrypting information from the readable element using the portable device. The decrypted information may then be displayed.
    Type: Application
    Filed: January 23, 2012
    Publication date: July 25, 2013
    Inventor: Jeffrey Mitchell Bloomer
  • Patent number: 8495372
    Abstract: In one aspect, a first processing device, which may be an authentication token, establishes a shared key through a pairing protocol carried out between the first processing device and a second processing device. The pairing protocol also involves communication between the second processing device and an authentication server. As part of the pairing protocol, the first processing device sends identifying information to the second processing device, and the second processing device utilizes the identifying information to obtain the shared key from the authentication server. The first processing device encrypts authentication information utilizing the shared key, and transmits the encrypted authentication information from the first processing device to the second processing device. The second processing device utilizes the shared key to decrypt the encrypted authentication information.
    Type: Grant
    Filed: November 13, 2007
    Date of Patent: July 23, 2013
    Assignee: EMC Corporation
    Inventors: Daniel Vernon Bailey, John G. Brainard, Ari Juels, Burton S. Kaliski, Jr.
  • Patent number: 8495374
    Abstract: Systems, methods, and technologies for configuring a conventional smart card and a client machine, and for performing a smart card authorization using the configured smart card and client. Further, the combination of methods provides for mutual authentication—authentication of the client to the user, and authentication of the user to the client. The authentication methods include presenting a specified token to the user sufficient to authenticate the client to the user and thus protect the user-provided PIN. Security is strengthened by using an integrity key based on approved client system configurations. Security is further strengthened by calculating a PIN′ value based on a user-specified PIN and a modifier and using the PIN′ value for unlocking the smart card.
    Type: Grant
    Filed: March 26, 2011
    Date of Patent: July 23, 2013
    Assignee: Microsoft Corporation
    Inventors: Stefan Thom, Erik Lee Holt, Shivaram H. Mysore, Valerie Kathleen Bays, Carl M. Ellison
  • Patent number: 8494910
    Abstract: The present invention allows trading partners to be matched with each other based on the proximity of their locations and their capability to complete a desired transaction. Specifically, under the present invention a requestor will issue a transaction request seeking to exchange goods, services and/or information. A trading partner who can fulfill the transaction request will be identified based on a proximity of location of the trading partner to the requestor, as well as the capability of the trading partner to fulfill the transaction.
    Type: Grant
    Filed: December 2, 2002
    Date of Patent: July 23, 2013
    Assignee: International Business Machines Corporation
    Inventor: Thomas K. Short
  • Patent number: 8495381
    Abstract: This invention provides a simple and secure PIN unblock mechanism for use with a security token. A set of one or more passphrases are stored on a remote server during personalization. Likewise, the answers to the passphrases are hashed and stored inside the security token for future comparison. A local client program provides the user input and display dialogs and ensures a secure communications channel is provided before passphrases are retrieved from the remote server. Retrieval of passphrases and an administrative unblock secret from the remote server are accomplished using a unique identifier associated with the security token, typically the token's serial number. A PIN unblock applet provides the administrative mechanism to unblock the security token upon receipt of an administrative unblock shared secret. The remote server releases the administrative unblock shared secret only after a non-forgeable confirmatory message is received from the security token that the user has been properly authenticated.
    Type: Grant
    Filed: August 6, 2007
    Date of Patent: July 23, 2013
    Assignee: Activcard
    Inventor: Mark Herbert Priebatsch
  • Patent number: 8489894
    Abstract: A reference token service (RTS) is disclosed. Generally, the RTS receives sensitive data items from trusted source applications associated with particular merchants. Upon receipt of a particular sensitive data item from a particular merchant, the RTS identifies one or more reference token pools corresponding to the merchant. Each reference token pool includes a plurality of reference tokens comprising formats and data structures corresponding to sensitive data items and compatible with the merchant. The RTS receives a crypto token associated with the sensitive data item which may not conform to the merchant's formatting or data requirements. The RTS associates the crypto token with a reference token corresponding to the merchant, which is provided to the merchant for sharing and retrieval of the sensitive data item amongst the merchant's various applications.
    Type: Grant
    Filed: May 26, 2011
    Date of Patent: July 16, 2013
    Assignee: Paymetric, Inc.
    Inventors: Stewart Comrie, Eric Carpenter, Gary Epple
  • Patent number: 8489878
    Abstract: Communication across domains is described. In at least one implementation, a determination is made that an amount of data to be communicated via an Iframe exceeds a threshold amount. The data is divided into a plurality of portions that do not exceed the threshold amount. A plurality of messages is formed to communicate the divided data across domains.
    Type: Grant
    Filed: March 13, 2012
    Date of Patent: July 16, 2013
    Assignee: Microsoft Corporation
    Inventors: Scott Isaacs, George Moore, Danny Thorpe, Vasileios Zissimopoulos
  • Patent number: 8489886
    Abstract: A method, data processing system and program product is provided for performing double authentication for controlling disruptive operations on storage resources generated by a system administrator. A first request is received from a first user for generation of a first key. A first key is generated, provided to the first user and associated with the storage resource. An input is received from the administrator, the input comprises a second key and a command for performing the disruptive operation. The second key and the first key are compared. It is verified that the administrator is authorized as an administrator of the storage resource. The disruptive operation is performed on the storage resource if the second key and the first key match and the administrator is authorized. Otherwise, the performance of the disruptive operation is denied.
    Type: Grant
    Filed: September 26, 2008
    Date of Patent: July 16, 2013
    Assignee: International Business Machines Corporation
    Inventors: Vincent Boucher, Sebastien Chabrolles, Benoit Granier, Arnaud Mante
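
The double-authentication flow in this abstract, as an added example written for this listing (not IBM's code): a first user requests a key for a storage resource, and a disruptive command is executed only if the key the administrator presents matches that key and the administrator is authorised for the resource. Assumptions: keys are random URL-safe strings, the resource-to-administrators mapping is constructed demo data, and each issued key is consumed by one operation (the abstract does not say whether keys are single-use).

```python
import hmac
import secrets


class DisruptiveOperationGate:
    """First user obtains a key bound to a storage resource; the administrator
    must later present a matching key together with the disruptive command."""

    def __init__(self, resource_admins: dict):
        self._admins = resource_admins   # resource -> set of admin names (constructed)
        self._pending = {}               # resource -> (requesting user, first key)

    def request_key(self, first_user: str, resource: str) -> str:
        first_key = secrets.token_urlsafe(24)
        self._pending[resource] = (first_user, first_key)
        return first_key                 # handed to the first user only

    def perform(self, admin: str, resource: str, second_key: str, command: str) -> str:
        entry = self._pending.get(resource)
        if entry is None:
            return "denied: no key issued for resource"
        _first_user, first_key = entry
        # Compare the two keys in constant time, then check the administrator role.
        if not hmac.compare_digest(first_key, second_key):
            return "denied: key mismatch"
        if admin not in self._admins.get(resource, set()):
            return "denied: not an administrator of resource"
        del self._pending[resource]      # assumption: each key authorises one operation
        return f"executed {command} on {resource}"
```

Both conditions must hold: a correct key from someone who is not an administrator of that resource is refused, as is an administrator without the key.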
  • Patent number: 8490161
    Abstract: Provisioning VLAN services in a network patching system includes receiving a request to provide a VLAN service to an individual communication channel, determining whether a switch connector port connected to the individual communication channel via a patch cord is configured to provide the requested VLAN service, and initiating the requested VLAN service to the individual communication channel in response to determining that the switch connector port is configured to provide the requested VLAN service. Verification that a user associated with the individual communication channel is authorized to access the requested VLAN service may be performed prior to initiating the requested VLAN service. An administrator may be notified that a VLAN service has been requested and/or initiated. The user associated with the communication channel may be notified when the requested VLAN service has been initiated.
    Type: Grant
    Filed: January 7, 2008
    Date of Patent: July 16, 2013
    Assignee: CommScope Inc., of North Carolina
    Inventor: Daniel Warren Macauley
  • Patent number: 8484707
    Abstract: A method for granting secure network access comprising requesting, by a mobile device, access to a network via an access point; receiving a passcode from the access point; sending a message including the passcode and an indicia back to the access point; and generating, by the access point, a secure key based on the indicia, the secure key providing network access to the mobile device.
    Type: Grant
    Filed: June 9, 2011
    Date of Patent: July 9, 2013
    Assignee: Sprint Communications Company L.P.
    Inventors: Lyle T. Bertz, Robert H. Burcham, Jason R. Delker
  • Patent number: 8478266
    Abstract: A mobile node and its home system generate synchronized time-based codes at periodic time intervals. Each time-based code is valid for a predetermined time period. To facilitate anonymous operation when roaming, the mobile node identifies itself with a coded identifier instead of a public identifier. The coded identifier used at a given time includes the time-based code that is valid for that given time. To authenticate the mobile node, a serving system receives authentication information from the mobile node and forwards the authentication information to a home system. The authentication information includes the current time-based code and a timestamp. The home system identifies the mobile node from the current time-based code and the timestamp. The home system then uses the authentication information to authenticate the mobile node.
    Type: Grant
    Filed: March 7, 2006
    Date of Patent: July 2, 2013
    Assignee: Sprint Spectrum L.P.
    Inventors: Tong Zhou, George Jason Schnellbacher
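
The time-based coded identifier in this abstract, as an added example written for this listing (not Sprint's code): node and home system derive the same per-window code from a shared secret, the roaming node identifies itself with that code instead of its public identifier, and the home system maps code plus timestamp back to a subscriber before checking the rest of the authentication information. Assumptions: HMAC-SHA256 over a window counter as the code function, a 60-second window, one window of clock drift tolerated, a proof MAC over code, timestamp and nonce as the "authentication information", and the subscriber table is constructed demo data.

```python
import hashlib
import hmac
import struct
from typing import Optional

PERIOD = 60         # seconds a time-based code stays valid (assumed value)
DRIFT_PERIODS = 1   # neighbouring windows the home system tolerates (assumed)


def time_based_code(secret: bytes, timestamp: int) -> str:
    """Code for the window containing `timestamp`: truncated HMAC over the window counter."""
    counter = timestamp // PERIOD
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    return mac[:8].hex()


def coded_identifier(visited_realm: str, secret: bytes, timestamp: int) -> str:
    """Identifier the roaming node presents instead of its public identifier."""
    return f"{time_based_code(secret, timestamp)}@{visited_realm}"


def build_auth_info(secret: bytes, timestamp: int, nonce: bytes) -> dict:
    """Authentication information the node sends via the serving system (assumed layout)."""
    code = time_based_code(secret, timestamp)
    msg = code.encode() + struct.pack(">Q", timestamp) + nonce
    proof = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"code": code, "timestamp": timestamp, "nonce": nonce.hex(), "proof": proof}


class HomeSystem:
    def __init__(self, subscribers: dict):
        self._subscribers = subscribers   # public identifier -> shared secret (constructed)

    def identify(self, code: str, timestamp: int) -> Optional[str]:
        """Recover the public identifier from a code and the timestamp it was made at."""
        base = timestamp // PERIOD
        for public_id, secret in self._subscribers.items():
            for counter in range(base - DRIFT_PERIODS, base + DRIFT_PERIODS + 1):
                if hmac.compare_digest(time_based_code(secret, counter * PERIOD), code):
                    return public_id
        return None

    def authenticate(self, auth_info: dict, now: int) -> Optional[str]:
        """Identify the node, then verify its proof; returns the public id or None."""
        ts = int(auth_info["timestamp"])
        if abs(now - ts) > DRIFT_PERIODS * PERIOD:
            return None                         # stale or future-dated: replay guard
        public_id = self.identify(auth_info["code"], ts)
        if public_id is None:
            return None
        secret = self._subscribers[public_id]
        msg = (auth_info["code"].encode() + struct.pack(">Q", ts)
               + bytes.fromhex(auth_info["nonce"]))
        expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, auth_info["proof"]):
            return None
        return public_id
```

Identification is a search over subscribers and neighbouring windows, which is why the timestamp travels with the code: without it the home system would not know which window to recompute. An observer in the serving network sees only a code that changes every window, not the public identifier.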
  • Patent number: 8474026
    Abstract: A method, reader, and system are provided for performing group authentication processes. In particular, a group access decision can be made upon the analysis of a group rule. The group rule may contain a Boolean expression including one or more Boolean conditions. If an appropriate group of credentials are presented to a reader such that the Boolean expression is satisfied, then the group of credentials and the holders thereof are allowed access to a protected asset.
    Type: Grant
    Filed: March 15, 2010
    Date of Patent: June 25, 2013
    Assignee: Assa Abloy AB
    Inventor: Scott B. Guthery
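
The group rule in this abstract, as an added example written for this listing (not Assa Abloy's code): a Boolean expression over conditions is parsed once, and the group access decision is the expression evaluated against the credentials presented to the reader. Assumption: each Boolean condition is modelled as "a credential with this identifier was presented"; the grammar (OR, AND, NOT, parentheses) and the credential names are constructed for the demo. A small recursive-descent parser is used rather than eval(), so rule text can never execute code.

```python
import re

# Assumption: one Boolean condition = "a credential with this identifier was
# presented". Precedence, lowest to highest: OR, AND, NOT; parentheses group.
_TOKEN_RE = re.compile(r"\s*(\(|\)|AND\b|OR\b|NOT\b|[A-Za-z_][A-Za-z0-9_.-]*)")
_KEYWORDS = {"AND", "OR", "NOT", "(", ")"}


def tokenize(expr: str) -> list:
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"bad token at offset {pos}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class GroupRule:
    """Parses a group rule once; evaluate() is then a pure function of the
    credentials presented. Malformed rules are rejected at parse time."""

    def __init__(self, expr: str):
        self._tokens = tokenize(expr)
        self._pos = 0
        self._ast = self._parse_or()
        if self._pos != len(self._tokens):
            raise ValueError("unexpected trailing tokens")

    def _peek(self):
        return self._tokens[self._pos] if self._pos < len(self._tokens) else None

    def _take(self):
        tok = self._peek()
        self._pos += 1
        return tok

    def _parse_or(self):
        node = self._parse_and()
        while self._peek() == "OR":
            self._take()
            node = ("or", node, self._parse_and())
        return node

    def _parse_and(self):
        node = self._parse_not()
        while self._peek() == "AND":
            self._take()
            node = ("and", node, self._parse_not())
        return node

    def _parse_not(self):
        if self._peek() == "NOT":
            self._take()
            return ("not", self._parse_not())
        return self._parse_atom()

    def _parse_atom(self):
        tok = self._take()
        if tok == "(":
            node = self._parse_or()
            if self._take() != ")":
                raise ValueError("expected ')'")
            return node
        if tok is None or tok in _KEYWORDS:
            raise ValueError(f"expected credential identifier, got {tok!r}")
        return ("cred", tok)

    def evaluate(self, presented) -> bool:
        """Group access decision for the set of credential identifiers presented."""
        return self._eval(self._ast, frozenset(presented))

    def _eval(self, node, presented) -> bool:
        kind = node[0]
        if kind == "cred":
            return node[1] in presented
        if kind == "not":
            return not self._eval(node[1], presented)
        left, right = self._eval(node[1], presented), self._eval(node[2], presented)
        return (left and right) if kind == "and" else (left or right)
```

A rule such as "(manager AND guard) OR (director AND NOT contractor)" then admits a manager accompanied by a guard, or a director who is not also carrying a contractor credential, and refuses every other combination.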
  • Patent number: 8474031
    Abstract: A method of controlling access to computing resources, comprising providing a first computing device with access to a database containing data indicative of computing resources access to which is controlled by the first computing device and a minimum security capability that a second computing device must possess to access the respective resources, assigning the second computing device a security capability, providing the second computing device with data indicative of the security capability, configuring the first computing device to respond to data indicative of the security capability and data indicative of a desired access from the second computing device by ascertaining the minimum required security capability corresponding to the desired access and by comparing the minimum required security capability with the security capability of the second computing device, and providing the desired access if the security capability of the second computing device meets the minimum security capability for the desired
    Type: Grant
    Filed: June 28, 2005
    Date of Patent: June 25, 2013
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Ravigopal Vennelakanti, Savio Fernandes
  • Patent number: 8474028
    Abstract: A method for using multiple channels to access a resource, wherein a first user requests a resource that requires an indication of approval from a second user, a token value is transmitted to the first user on the first channel, and the second user transmits the token value and a second authentication parameter over a second channel. The token value is used to associate the first authentication parameter to the second authentication parameter, whereby the first user is allowed access to the resource on the first. The first and second user may be independently authenticated in some implementations and not independently authenticated in other implementations.
    Type: Grant
    Filed: May 22, 2007
    Date of Patent: June 25, 2013
    Assignee: FMR LLC
    Inventors: Rajandra Laxman Kulkarni, Adam Greenberg, Anthony M. Marotto, William A. Thornton, III
  • Publication number: 20130159716
    Abstract: An authentication token using a smart card that an organisation would issue to its customer, the smart card having a processor for executing a software application that is responsive to a user input to generate a one-time password as an output. The smart card co-operates with an interface device for inputting the user input and displaying the one-time password. The authentication token may be used in combination with a remote authentication server for validation of the password and hence authentication of the user.
    Type: Application
    Filed: February 12, 2013
    Publication date: June 20, 2013
    Applicant: PRISM TECHNOLOGIES LLC
    Inventor: Prism Technologies LLC
  • Patent number: 8468100
    Abstract: A method of issuing electronic vouchers (Vi) which a user (U) may submit to a merchant (M) in exchange for goods or services comprises the steps of: an issuer (I) receiving an electronic declaration (Di-1) from the user (U), the issuer verifying the electronic declaration (Di-1), and the issuer issuing a new electronic voucher (Vi) for use with the merchant (M) only if the electronic declaration comprises a signature (SM) of a merchant on a previous electronic voucher (Vi-1). The vouchers (Vi) and declarations (Di-1) are preferably blinded by the user such that the user remains anonymous. However, the electronic vouchers (Vi) may contain the identity (Q) of the user (U), which identity may be revealed when a voucher is submitted more than once.
    Type: Grant
    Filed: July 30, 2008
    Date of Patent: June 18, 2013
    Assignee: Nederlandse Organisatie voor Toegepast-Natuurwetenschappelijk Onderzoek TNO
    Inventors: Thijs Veugen, Luuk Danes
  • Patent number: 8467535
    Abstract: Accelerated computation of combinations of group operations in a finite field is provided by arranging for at least one of the operands to have a relatively small bit length. For example, a technique for verifying a signature of a message can include applying a first mathematical function to a combination of the first signature component and the second message portion to obtain an intermediate component, using the intermediate component to generate a first value and a second value, where a second mathematical function applied to the first value and the second value obtains the intermediate component, and determining the ephemeral public key based on the first value, the second value, the second signature component, the base point of the elliptic curve, and a long-term public key of the long-term private-public key pair. The technique can include verifying whether a representation of the first message portion satisfies a predetermined characteristic.
    Type: Grant
    Filed: March 7, 2011
    Date of Patent: June 18, 2013
    Assignee: Certicom Corp.
    Inventor: Marinus Struik
  • Patent number: 8468351
    Abstract: A method for protecting a digital document and user data typed into a digital document is presented. The method comprises computation of an authentication tag when the document is sent from a server. A similar authentication tag is computed when the document is shown on a client. When another document referenced in the document is requested by the client from the server, the authentication tag computed by the client is attached to the request for that other document. The server receiving the request compares the authentication tag it computed with the one it received to verify if the request came from an authentic copy of the document. The method is suitable for protection of online banking, online investment, online shopping, and other electronic applications.
    Type: Grant
    Filed: December 14, 2007
    Date of Patent: June 18, 2013
    Assignee: Codesealer APS
    Inventor: Hans Martin Boesgaard Sørensen
  • Patent number: 8464354
    Abstract: A system and method that regulates the various operations between computing stations and storage or content. Any operation that involves or may lead to the exchange or accessing of content (data) between storage or hosting content container and computing station may be regulated by means of a policy which comprise a set of rules. Rules may be defined according to specific criteria, including the type of storage, the type of content, the attributes of the content, and other attributes associated with the storage device and/or the content. The policy will be dynamically installed/updated upon a computing station for specific User(s) and will regulate the data operations that may take place between the computing stations and storage or content based on evaluation of the policy. Based on the evaluation of the policy, the requested operation is permitted, restricted in some areas, or denied.
    Type: Grant
    Filed: May 15, 2006
    Date of Patent: June 11, 2013
    Assignee: CryptoMill Inc.
    Inventors: Kha Sin Teow, Ernest Dainow, Leonid Nikolaev, Daniel Thanos
  • Patent number: 8458472
    Abstract: An authentication method authenticates between subscribers of a communications system using an asymmetric elliptic curve encryption algorithm. The method involves providing a first and at least one second subscriber having a first or second secret key known only to the respective subscriber and a public key; authenticating an inquiry transmitted by the first subscriber with respect to the validity of the first certificate contained therein and associated with the first subscriber; calculating the response of the second subscriber associated with the inquiry; randomized encryption of the calculated response and a second certificate associated with the second subscriber using the public key; decryption and authentication of the response transmitted by the second subscriber with respect to the validity of the second certificate contained therein.
    Type: Grant
    Filed: September 26, 2007
    Date of Patent: June 4, 2013
    Assignee: Siemens Aktiengesellschaft
    Inventors: Michael Braun, Erwin Hess, Anton Kargl, Bernd Meyer
  • Patent number: 8458781
    Abstract: According to one embodiment, an apparatus may store a plurality of tokens. The apparatus may receive a subject token indicating an attempt to authenticate a user. The apparatus may determine at least one token-based rule based at least in part upon a token in the plurality of tokens and the subject token. The at least one token-based rule may indicate a plurality of attributes required to access a resource. The apparatus may determine a second plurality of attributes represented by the plurality of tokens and the subject token. The apparatus may determine at least one missing attribute, which may be in the plurality of attributes but not in the second plurality of attributes. The apparatus may then request the at least one missing attribute, and in response, receive at least one token representing the at least one missing attribute.
    Type: Grant
    Filed: August 15, 2011
    Date of Patent: June 4, 2013
    Assignee: Bank of America Corporation
    Inventor: Rakesh Radhakrishnan
  • Patent number: 8452979
    Abstract: Portable telecommunications apparatus having one or more functionalities including providing user access to a telecommunications network, the portable telecommunications apparatus comprising integrated circuit card (ICC) reader circuitry, storage circuitry and processing circuitry, wherein the ICC reader circuitry is configured to communicate with one or more network-access ICCs; the storage circuitry is arranged to comprise a list of at least one network-access ICC authorised for use with the apparatus; and wherein the processing circuitry is arranged to undertake an authentication process on removable storage circuitry in communication with the apparatus to determine whether or not the security circuitry is authenticated for use with the apparatus; to allow the authorisation of network-access ICCs in the storage circuitry according to whether authenticated security circuitry is in communication with the apparatus; and to permit a user access to the one or more functionalities of the apparatus according to w
    Type: Grant
    Filed: May 22, 2007
    Date of Patent: May 28, 2013
    Assignee: Nokia Corporation
    Inventor: Jason Dai
  • Patent number: 8452965
    Abstract: A technique of protecting a datum within a set of sensitive data is presented. In this technique, the datum includes a first set of bits satisfying a first set of constraints, and a computer receives the set of sensitive data from an authorized client. The technique involves producing a token corresponding to the datum, the token including a second set of bits distinct from the first set of bits, the second set of bits satisfying a second set of constraints, the second set of constraints being a superset of the first set of constraints. The technique further involves storing the datum and the corresponding token. The technique further involves sending the token to the authorized client, the authorized client enabled to perform, using the second set of bits, a verification that the token satisfies the second set of constraints, the verification being performed apart from the database.
    Type: Grant
    Filed: June 29, 2010
    Date of Patent: May 28, 2013
    Assignee: EMC Corporation
    Inventors: Robert W. Griffin, Daniel V. Bailey, Joshua A. Rosenthol
  • Patent number: 8447983
    Abstract: A value is associated with a token within a trust zone. The token is used in place of the value in operations executed within the trust zone. A key is defined for an entity outside of the trust zone. A processor encrypts the token using the key to form an encrypted token that cannot be decrypted by entities outside of the trust zone. The encrypted token is provided to the entity outside of the trust zone.
    Type: Grant
    Filed: February 1, 2011
    Date of Patent: May 21, 2013
    Assignee: Target Brands, Inc.
    Inventors: Joshua James Beck, Daniel Mark Cundiff
  • Patent number: 8443448
    Abstract: A system and method for performing a security check may include using at least one processor to periodically check a status of a flag, generate and store a baseline representation of modules stored on the device where the flag is determined to be set to a first state, and, where the flag is determined to be set to a second state, generate an active representation of modules stored on the first device, compare the active representation of modules to the baseline representation of modules, and, responsive to a determination in the comparing step of a difference between the baseline and active representations of modules, output an alert. The flag status may depend on an association of the device with one of a plurality of authorization policies, each mapped to one of the two states. Results of the comparison may be appended to an activity log of the device.
    Type: Grant
    Filed: August 20, 2009
    Date of Patent: May 14, 2013
    Assignee: Federal Reserve Bank of New York
    Inventors: Danny Brando, Joonho Lee, Jia Ye
  • Patent number: 8443432
    Abstract: A method for calibrating a temperature float of a one time password token and a device thereof are provided in the invention relating to the information security field. The method includes steps: the one time password token measures a current ambient temperature at intervals of a first predetermined time, retrieves a data table for a characteristic value relating to the measured temperature, and calibrates a current time value inside the token according to the characteristic value at intervals of a second predetermined time. The one time password token includes a timer module, a measuring module, a retrieving module, a table storing module, a calibrating module, a triggering module, a generating module and a displaying module. The invention calibrates time differentiation of the one time password token caused by the temperature float.
    Type: Grant
    Filed: March 28, 2011
    Date of Patent: May 14, 2013
    Assignee: Feitian Technologies Co., Ltd.
    Inventors: Zhou Lu, Huazhang Yu
  • Patent number: 8438623
    Abstract: This invention provides a system, method and computer program product to allow a user to access administrative security features associated with the use of a security token. The administrative security features provide the user the ability to unlock a locked security token, diagnose a security token, activate and deactivate a security token, request a replacement security token or temporary password or report the loss of a security token. The invention comprises a client application which integrates into the standard user login dialog associated with an operating system. A portion of the user dialog is linked to a remote server to access the administrative services.
    Type: Grant
    Filed: October 18, 2011
    Date of Patent: May 7, 2013
    Assignee: ActivCard
    Inventor: Jamie Angus Band
  • Patent number: 8438621
    Abstract: A method, device and system for securely managing debugging processes within a communication device, such as a set top box or other multimedia processing device. For example, a security processor (SP) within the communication device manages the lifetime (LT) of any access token issued for use in activating debugging privileges within the communication device. The security processor authenticates an issued access token and securely delivers appropriate debug authorization information to the device controller. The security processor uses its secure, internal timer to count down the lifetime and update the remaining lifetime of the issued access token during the processing of each command by the security processor. In addition to securely managing the issuance of the access token and its remaining lifetime, the updating process reduces any impact on the normal communications within the device. The method overcomes the issue of the communication device not having a secure internal clock.
    Type: Grant
    Filed: December 21, 2007
    Date of Patent: May 7, 2013
    Assignee: General Instrument Corporation
    Inventors: Jiang Zhang, Peter Chen, Bill Franks, Alexander Medvinsky
  • Patent number: 8438388
    Abstract: A method and apparatus for distributing Certificate Revocation List (CRL) information in an ad hoc network are provided. Ad hoc nodes in an ad hoc network can each transmit one or more certificate revocation list advertisement message(s) (CRLAM(s)). Each CRLAM includes an issuer certification authority (CA) field that identifies a certification authority (CA) that issued a particular certificate revocation list (CRL), a certificate revocation list (CRL) sequence number field that specifies a number that specifies the version of the particular certificate revocation list (CRL) that was issued by the issuer certification authority (CA). Nodes that receive the CRLAMs can then use the CRL information provided in the CRLAM to determine whether to retrieve the particular certificate revocation list (CRL).
    Type: Grant
    Filed: March 31, 2008
    Date of Patent: May 7, 2013
    Assignee: Motorola Solutions, Inc.
    Inventors: Shanthi E. Thomas, Erwin Himawan, Ananth Ignaci, Anthony R. Metke