Abstract: An improved technique involves dynamic generation of at least a portion of an acceleration table for use in elliptic curve cryptography. Such dynamic generation is capable of providing savings with regard to carrying out elliptic curve cryptography without an acceleration table. Furthermore, once the portion of the acceleration table is dynamically generated and stored (e.g., in a high speed cache), the portion of the acceleration table is capable of being used on subsequent elliptic curve cryptography operations as well thus enabling the cost of dynamically generating the acceleration table to be amortized across multiple elliptic curve cryptography operations.

Abstract: A home domain building method and system that allow devices to join a home domain using smart cards. In the method, a master device reads device information from a smart card having a device ID and a device key as the device information of a guest device authenticated as a legal device and transmits a challenge request signal to the guest device, the guest device randomly generates a challenge value in response to the challenge request signal, the master device encrypts the challenge value using the device key of the guest device and transmits the encrypted challenge value to the guest device, the guest device decrypts the encrypted challenge value, and if the decrypted challenge value is the same as the challenge value generated in response to the challenge request signal, the guest device allows the master device to join the guest device in the home domain.

Abstract: If a smart card is to be used for a particular purpose, and there is no certificate initialized on the smart card for this purpose, a computerized device enables a user to select one of the certificates already installed in the smart card for the particular purpose. The selected certificate may be imported into the computerized device.

Abstract: An IC card is recognized by an IC card reader. Data is obtained from the recognized IC card. Card ID included in the obtained data is compared with card ID stored in a user registration information DB. If it is determined that the same card ID exists, an IC card issue count included in the obtained data is compared with an IC card issue count stored in the user registration information DB, and it is determined whether the counts are the same. If it is determined that the issue counts are not the same, a PIN code entry window appears so that the entered PIN code is compared with a PIN code in the user registration information DB. If it is determined that the PIN codes are the same, authentication success is displayed.

Abstract: A system and method for providing an indication of randomness quality of random number data generated by a random data service. The random data service may provide random number data to one or more applications adapted to generate key pairs used in code signing applications, for example. In one aspect, the method comprises the steps of: retrieving random number data from the random data service; applying one or more randomness tests to the retrieved random number data to compute at least one indicator of the randomness quality of the random number data; associating the at least one indicator with at least one state represented by a color; and displaying the color associated with the at least one indicator to a user. The color may be displayed in a traffic light icon, for example.

Abstract: A security token includes (a) a personal data memory configured to store digital identity credentials related to personal data of a user; (b) an input appliance configured to check said personal data; (c) a key record data memory configured to store at least one identity credential of an authentication server or of an application operator; (d) a transmitter and receiver unit configured to create a secure channel directly or indirectly to said authentication server or application operator to handle said key record relating to said authentication server or application operator, respectively; (e) a control unit configured to control the transmitter and receiver unit and the key record data memory in view of said handling, wherein the control unit is configured to perform one of: interpreting, deciphering, creating, checking, renewing, withdrawing and further key record handling actions. A method for authentication of a user using the security token is also disclosed.

Abstract: A first device receives, from a second device, a first request to set up an account, where the first request includes a shared key and information associated with the second device, where the shared key is calculated based on a private key, of a private key/public key pair, and information regarding an identity selection, from user identity information, associated with a user of the second device; and store the shared key in a memory.

Abstract: Data security devices are provided which store user data and interact with terminal devices to provide information about the stored user data. Security device has memory for storing user data, an interface for transmission of data communications connectable to a data communications network, and a controller. The controller processes a request from the terminal device for information about said user data by first generating a message. The message is generated to permit verification, using secret data, that the message was generated by the controller. The controller sends the message to the terminal device for communication to a publication entity for publication of the message. The controller then receives from the terminal device a cryptographic construction. The controller checks validity of the cryptographic construction for said message, and subsequent supply of the information requested about the user data to the terminal device is then dependent on said cryptographic construction.

Abstract: A dynamic multimedia fingerprinting system is provided. A user requests multimedia content from a Web cache server that verifies that the user is authorized to download the content. A custom fingerprint specific to the user is generated and dynamically inserted into the content as the content is delivered to the user. The custom fingerprint can be generated on the Web cache server or at the content provider's server. The system allows a content provider to specify where the custom fingerprint is inserted into the content or where the fingerprint is to replace a placeholder within the content.

Abstract: An architecture, system and method for operating on encrypted and/or hidden information (e.g., code and/or data). The invention enables creators, owners and/or distributors of proprietary code to keep such code inaccessible to users and user-controlled software programs. A memory architecture includes first and second protected memory spaces, respectively storing operating system instructions and a decrypted version of the encrypted information. The first protected memory space may further store a table linking the locations of the encrypted and/or hidden, decrypted information with a decryption and/or authorization key. The system includes the memory architecture and a processor for executing instructions, and the method loads, stores and operates on the encrypted and/or hidden information according to the memory architecture functionality and/or constraints.

Abstract: A computer-implemented method for using reputation data to detect packed malware may include: 1) identifying a file downloaded from a portal, 2) determining that the file has been packed, 3) obtaining community-based reputation data for the file, 4) determining, by analyzing the reputation data, that instances of the file have been encountered infrequently (or have never been encountered) within the community, and then 5) performing a security operation on the file (by, for example, quarantining or deleting the file).

Abstract: Access to secured services may be controlled based on the proximity of a wireless token to a computing device through which access to the secured services is obtained. An authorized user may be provided access to a service only when a wireless token assigned to the user is in the proximity of the computing device. A user's credential may be stored on an RFID token and an RFID reader may be implemented within a security boundary on the computing device. Thus, the credential may be passed to the security boundary without passing through the computing device via software messages or applications. The security boundary may be provided, in part, by incorporating the RFID reader onto the same chip as a cryptographic processing component. Once the information is received by the RFID reader it may be encrypted within the chip. As a result, the information may never be presented in the clear outside of the chip.

Abstract: Systems, methods, computer programs, and devices are disclosed herein for deploying a local trusted service manager within a secure element of a contactless smart card device. The secure element is a component of a contactless smart card incorporated into a contactless smart card device. An asymmetric cryptography algorithm is used to generate public-private key pairs. The private keys are stored in the secure element and are accessible by a trusted service manager (TSM) software application or a control software application in the secure element. A non-TSM computer with access to the public key encrypts and then transmits encrypted application data or software applications to the secure element, where the TSM software application decrypts and installs the software application to the secure element for transaction purposes.

Abstract: A web server that can be flexibly changed may include storage for a session state; a reception unit for receiving the session state while associating it with a primary HTTP request, from a terminal; storage for the received session state which is accessed as an HTTP session object by a processing program for responsive to the received primary HTTP request; a unit for accessing the stored session state responsive to executing an access instruction contained in the processing program; and a return unit for reading the session state from the storage unit responsive to executing an instruction generating an HTTP response contained in the processing program, setting the session state to the primary HTTP response as a parameter to be transmitted by the terminal in association with a secondary HTTP request, and returning the set primary HTTP response to the terminal.

Abstract: A method and apparatus for repeated communication sessions between a sender (e.g., RFID tag) and a receiver (RFID reader) that employs a proactive information security scheme is based on the assumption that the information exchanged during at least one of every n successive communication sessions is not exposed to an adversary. The sender and the receiver maintain a vector of n entries that is repeatedly refreshed by pairwise XORING entries, with a new vector of n entries that is randomly chosen by the sender and sent to the receiver as a part of each communication session. Also, a computational secure scheme based on the information secure scheme is employed to ensure that even in the case that the adversary listens to all the information exchanges, the communication between the sender and the receiver is secure. In particular, the scheme can be used in the domain of remote controls (e.g., for cars).

Abstract: Disclosure is a method and system for delivering a reusable framework. The disclosure invokes an interface to define an information service within the reusable framework. The defined information service is stored in a repository. The method further includes outputting a service request as an address for invoking the defined information service and establishing a data connection after receiving the service request wherein the defined information service can be invoked.

Abstract: A method and communications system for generating and using compact digital certificates for secure wireless communication. Each compact certificate includes a digital signature and only a portion of the data used in generating the signature. The remaining certificate data is pre-stored on one or more wireless devices for which secure communication is desired. Upon receiving a compact certificate, the wireless device authenticates the certificate using its digital signature along with both the data contained in the certificate and the data pre-stored on the wireless device. This approach permits secure connections to be established between wireless devices using relatively small digital certificates.

Abstract: System and method for transparent single sign-on authentication on computers in a networked environment. A preferred embodiment comprises receiving an authentication request from an operating system of a first computer, requesting credentials of an application making the authentication request, authenticating the credentials, storing the credentials if the authentication is successful, and transmitting the credentials to a second computer. On subsequent access requests made by the user on the second computer, the credentials can be retrieved from the secure store, eliminating the need to prompt the user to re-enter authentication information.

Abstract: A system, method and program product for checking the revocation status of a biometric reference template. The method includes creating a revocation object for a reference template generated for an individual, where the revocation object contains first plaintext data providing a location for checking revocation status of the reference template and containing ciphertext data identifying the unique reference template identifier and a hash of the reference template. The method further includes providing the revocation object to a relying party requesting revocation status and sending a request to an issuer of the reference template for checking the revocation status of the reference template, without revealing identity of the individual. The method further includes returning results of the revocation status check to the relying party. In an embodiment, a random value is added to the ciphertext data for preserving privacy of the reference template holder.

Abstract: A countermeasure for differential power analysis attacks on computing devices. The countermeasure includes the definition of a set of split mask values. The split mask values are applied to a key value used in conjunction with a masked table defined with reference to a table mask value. The set of n split mask values are defined by randomly generating n?1 split mask values and defining an nth split mask value by exclusive or'ing the table mask value with the n?1 randomly generated split mask values.

Abstract: An image forming system includes a terminal apparatus and an image forming apparatus executing a process in response to a request from the terminal apparatus. The terminal apparatus sends user identification information to the image forming apparatus, receives from the image forming apparatus a token issued to a user logging into the image forming apparatus, and sends a service request associated with the token to the image forming apparatus. The image forming apparatus includes a network processing unit that communicates data using a predetermined protocol with the terminal apparatus; a login processing unit that permits the user to log in when the user identification information is valid and sends the token to the terminal apparatus; a determination unit that determines whether the token is valid upon receipt of the service request; and a service providing unit that executes a process designated by the service request when the token is valid.

Abstract: The present invention provides a method for protecting software based on network, which combines a client program that communicates with a server in C/S (or B/S) architecture with a key device, the client program authenticates a user using the key device for protecting software, the method includes the steps of: running the client program; authenticating the user using the key device by the client program; and continuing to run the client program with a server if the user has passed the authentication. In the prior art, the username and password are easy to intercept in transmission as plain text over network. In the method, the client program is combined with a key device. In addition, the complete client program cannot be executed without involving the server. Therefore, the strength of software protection is increased.

Abstract: The invention is a method and apparatus for managing the secure acquisition, storage and disclosure of confidential information using biometric keys to lock data storage devices, a secure data input/output device and authorization procedures to facilitate identity rights management; and/or data querying techniques to preserve the anonymity of disclosed personal data.

Abstract: Secure information is managed for each host or machine in an electronic environment using a series of key identifiers that each represent one or more secure keys, passwords, or other secure information. Applications and services needing access to the secure information can specify the key identifier, for example, and the secure information currently associated with that identifier can be determined without any change to the code or manual input or exposure of the secure information on the respective device. Functionality such as encryption key management and rotation are inaccessible and transparent to the user. In a networked or distributed environment, the key identifiers can be associated with host classes such that at startup any host in a class can obtain the necessary secure information. Updates and key rotation can be performed in a similar fashion by pushing updates to host classes transparent to a user, application, or service.

Abstract: Embodiments describe a system and/or method for multiple party digital signatures. According to a first aspect a method comprises establishing a first validity range for a first key, establishing a first validity range for at least a second key, and determining if the validity range of the first key overlaps the first validity range of the at least a second key. A certificate is signed with the first validity range of the first key and the first validity range of the at least a second key if the validity ranges overlap. According to another embodiment, signage of the certificate is refused if the first validity range of the first key does not overlap with the first validity range of the at least a second key.

Abstract: A method of and system for securely executing an application on a computer system such that a user of the computer system cannot access or view unauthorized content available on the computer system or accessible using the computer system. To securely execute an such method and system may terminate any unauthorized processes executing (i.e., running) on the computer system application prior to execution of the application, and may configure the application such that unauthorized content cannot be accessed, including configuring the application such that unauthorized processes cannot be initiated (i.e., launched) by the application. Further, such system and method may terminate any unauthorized processes detected during execution of the application, and may disable any functions of the computer system that are capable of accessing unauthorized content, including disabling any functions capable of initiating processes on the computer system.

Abstract: The invention relates to an authentication and/or rights containing retrievable token such as an IC card comprising at least one physical channel of communication to at least one apparatus and at least two logical channels of communication with said at least one apparatus wherein each logical channel of communication is associated with a different execution environment.

Abstract: A secure communication system wherein message decryption may be performed while off-line, or optionally while on-line. A sender encrypts a message based on the message key and sends it to the recipient. An envelope containing a message key is created by encrypting the message key based on a verifier, where the verifier is based on a secret of the recipient. The recipient is provided the envelope, along with the message or separately, from the sender or from another party, contemporaneous with receipt of the message or otherwise. The recipient can then open the envelope while off-line, based on their secret, and retrieve the message key from the envelope to decrypt the message. In the event the recipient cannot open the envelope, optional on-line access permits obtaining assistance that may include obtaining an alternate envelope that the recipient can open.

Abstract: The invention provides an external in-line device (“Subnet Box”) placed between a network and an access point to achieve secure Wi-Fi communications without needing to modify the access point. The Subnet Box comprises an embedded token and will authenticate users based on pre-stored access rights. In at least one embodiment of the invention, the Subnet Box comprises: a first communications port for intercepting data packets communicated to and from a wired communications network; a second communications port for intercepting data packets communicated to and from a wireless access point, wherein the wireless access point is an edge device of the wired communications network; a database comprising a number of serial numbers each associated with a client token and a secret cryptographic key; and a processor for determining whether a computing device having a client token can access the wired communications network via the wireless access point.

Abstract: A method and a system for personalizing electronic elements, by replacing, in a non-volatile memory of each of the electronic elements a first secret key with a second secret key, by a secure authentication module automatically generating the second key after having restored the first one from an identifier of the element being personalized, including conditioning, on the authentication module side, the provision of the second key to a current element to the reception of a message confirming the key replacement of at least one preceding element.

Abstract: A profile management method and system. The method includes retrieving by a computer processor from a user of social network, a user request for generating a profile. The computer processor retrieves user data and an encrypted master security token comprising an identifier associated with the user. The computer processor generates the profile with the user data and associates the profile with the encrypted master security token. The computer processor receives from the social network a request associated with a membership to the social network. The computer system adds communication data to the encrypted master security token and enables access to the profile based on the encrypted master security token. The computer processor transmits to said first social network, a copy of the profile.

Abstract: A biometric user authentication method, includes enrolling a user based on user's biometric samples to generate user's reference data; and authenticating the user based on a user's live biometric sample and the user's reference data; wherein enrolling a user includes acquiring the user's biometric samples; extracting an enrollment feature vector from each user's biometric sample; computing a biometric reference template vector as a mean vector based on the enrollment feature vectors; computing a variation vector based on the enrollment feature vectors and the mean vector; randomly generating an enrollment secret vector; computing an enrollment code vector based on the enrollment secret vector and the variation vector; computing a difference vector as a wrap-around difference between the enrollment code vector and the mean vector; computing an error correction vector based on the enrollment secret vector to enable error correction during the user authentication phase according to a given error tolerance level,

Abstract: A handheld wireless communication device includes features to send and receive text messages. The handheld wireless communication device is further equipped with a microprocessor configured to run software programs on the device such as text message management program. The text message management program displays a listing of a plurality of received text messages on a display screen and differentiates at least a portion of the display-listed plurality of received text messages using an icon associated with at least one text message and wherein said icon corresponds to a domain address of the associated text message.

Abstract: Described herein are methods and devices of securing data. For example, a method of securing data comprises receiving, by a secure storage device, unsecure data from a source. The secure storage device is removably attached to the source. The method further comprises securing the unsecure data within the secure storage device by performing digital processing related to the unsecure data to create secure data. The secure storage device is responsive to the same protocol as an unsecure storage device and as a result the secure storage device is transparent to the source. The source responds to the secure storage device as if it were an unsecure storage device.

Abstract: A network reputation system and its controlling method are provided. A credential and exchange component permits a user to generate credentials and exchange matching items with those persons having a social relationship with the user. A reputation evaluation component enables other users to make evaluations about an estimatee via the sharing of social network information. A query and response component receives a query from a person having a social relationship with the user for requesting an evaluation about the estimatee, and responds with an associated evaluation result to the person having a social relationship with the user, via the sharing of social network information and the evaluations made by the other users about the estimatee.

Abstract: The invention relates to a personal token (10) for authentication in a network comprising a piece of software for initiating an SSL connection by generating a message authenticating said token to a remote server (30) characterized in that the piece of software controls the processing of the message so as to use of a data (12) which is prestored in the token (10) and which is specifically associated with the remote server (30) so that the message can be interpreted only by the specific remote server (30).

Abstract: A method for validating a cryptographic token includes (a) operating the cryptographic token to generate a pseudo-random number for authentication purposes by using a cryptographic seed uniquely associated with the cryptographic token, the cryptographic seed having been cryptographically generated using a precursor value, (b) receiving a first value from the cryptographic token, the first value being the pseudo-random number generated by the cryptographic token, (c) inputting the first value and the precursor value into a trusted computing platform, and (d) operating the trusted computing platform to generate a validation signal if the first value can be derived using a specified algorithm from the precursor value, but to generate a failure signal if the first value cannot be derived using the specified algorithm from the precursor value. Accompanying methods and apparatus are also provided.

Abstract: A method allows access to a set of secure databases and database applications over an untrusted network without replicating the secure database. The method involves authenticating a user using a first authentication application. When the user is verified, then the user's credentials are directed to a second authentication application associated with a secure database based on a first set of user settings retrieved for the user. The second authentication application, based on a second set of user settings, grants the user access to the secure database and database applications associated with the secure database.

Abstract: A method and apparatus for compressing signal samples uses block floating point representations where the number of bits per mantissa is determined by the maximum magnitude sample in the group. The compressor defines groups of signal samples having a fixed number of samples per group. The maximum magnitude sample in the group determines an exponent value corresponding to the number of bits for representing the maximum sample value. The exponent values are encoded to form exponent tokens. Exponent differences between consecutive exponent values may be encoded individually or jointly. The samples in the group are mapped to corresponding mantissas, each mantissa having a number of bits based on the exponent value. Removing LSBs depending on the exponent value produces mantissas having fewer bits. Feedback control monitors the compressed bit rate and/or a quality metric. This abstract does not limit the scope of the invention as described in the claims.

Abstract: An information processing apparatus includes a user authentication unit that authenticates a user in a condition where an authentication medium used for authenticating the user is inserted, the authentication medium storing personal identification information of the user, a private key, and a software program for using the private key and including a processor for running the software program, to thereby establish a verified state in which the user is allowed to use the apparatus, a data processor that performs data processing including private key processing, a processing completion detector that detects completion of the private key processing performed by the data processor, and a verification state changing unit that changes, the verified state of the user having been established as a result of authenticating the user to a user unverified state based on detection of the completion of the private key processing in the processing completion detector.

Abstract: A method of processing programming instructions may include identifying an instruction to be fetched; determining if the identified instruction is protected; if the identified instruction is protected, selecting an alternate instruction from a plurality of alternate instructions corresponding to the identified protected instruction, and fetching the selected alternate instruction; and if the identified instruction is not protected, fetching the identified instruction. Identifying the instruction to be fetched may include identifying an address stored in a program address pointer. Determining if the identified instruction is protected may include comparing the address stored in the program address pointer to one or more addresses stored in a first memory portion, and determining if there is a correspondence.

Abstract: The invention provides a secure Wi-Fi communications method and system. In an embodiment of the invention, unique physical keys, or tokens, are installed at an access point and each client device of the network. Each key comprises a unique serial number and a common network send cryptographic key and a common network receive cryptographic key used only during the authentication phase by all components on the LAN. Each client key further includes a secret cryptographic key unique to each client device. During authentication, two random numbers are generated per communications session and are known by both sides of the wireless channel. Only the random numbers are sent across the wireless channel and in each case these numbers are encrypted. A transposed cryptographic key is derived from the unique secret cryptographic key using the random numbers generated during authentication. Thus, both sides of the wireless channel know the transposed cryptographic key without it ever being transmitted between the two.

Abstract: A cryptanalysis method comprising: (A) Performing a ciphertext-only direct cryptanalysis of A5/1 and (B) Using results of Step (A) to facilitate the decryption and/or encryption of further communications that are consistent with encryption using the session key and/or decryption using the session key, wherein the cryptanalysis considers part of the bits of the session key to have a known fixed value, and wherein the cryptanalysis finds the session key. An efficient known plaintext attack on AS/2 comprises trying all the possible values for R4, and for each such value solving the linearized system of equations that describe the output; The solution of the equations gives the internal state of RI, R2, and R3; Together with R4, this gives the full internal state which gives a suggestion for the key.

Abstract: Interoperability of protected content items between computing devices is facilitated by providing content items having a standard representation, and media players having support for the content item representations. The representation of the content item may be limited by a profile as to the elements it contains. The elements allowed in the content item may also be limited.

Abstract: To provide external access to a specification file stored in at least one memory unit, which is associated with at least one electronic control unit which may be in a vehicle, a computer is connected to a first communication bus in the vehicle. A first module in the computer is adapted to communicate with the at least one electronic control unit over the first communication bus. Provided that a user-unique key is connected to a port of the computer and a software component of this key is set to an active authorization state, the computer is enabled to communicate with the at least one electronic control unit. Thus, the computer may read out the specification file as well as update the specification file.

Abstract: An arithmetic circuit capable of Montgomery multiplication using only a one-port RAM is disclosed. In a first read process, b[i] is read from a memory M2 of a sync one-port RAM for storing a[s?1: 0] and b[s?1: 0] and stored in a register R1. In a second read process, a[j] is read from the memory M2, t[j] from a memory M1 of a sync one-port RAM for storing t[s?1: 0], b[i] from the register R1, and a value RC from a register R2, and input to a sum-of-products calculation circuit for calculating t[j]+a[j]*b[i]+RC. In a write process, the calculation result data FH is written in the register R2, and the calculation result data FL in the memory M1 as t[j]. A first subloop process for repeating the second read process, the sum-of-products calculation process and the write process is executed after the first read process.

Abstract: A system and method for processing certificates located in a certificate search. Certificates located in a certificate search are processed at a data server (e.g. a mobile data server) coupled to a computing device (e.g. a mobile device) to determine status data that can be used to indicate the status of those certificates to a user of the computing device, without having to download those certificates to the computing device in their entirety. The data server is further adapted to transmit the status data to the computing device. In one embodiment, at least one status property of the certificates is verified at the data server in determining the status data. In another embodiment, additional certificate data is determined and transmitted to the computing device, which can be used by the computing device to verify, at the computing device, at least one other status property of the certificates.

Abstract: Security is optimized in the context of a credential transformation service (CTS) by utilizing a web services client runtime to gather information for determining whether or not a target web service is hosted in a security domain used by a client application and for determining whether or not the target web service uses an authentication mechanism substantially identical to that used by the client application. The gathered information is carried in an endpoint reference (EPR) of the target web service. In response to the client receiving the EPR, the client applies an optimization process to eliminate a possible unnecessary invocation of the CTS, wherein the target web service is an authoritative manageable resource having minimal or no responsibility for providing its identity, and having minimal or no responsibility for advertising any creation and destruction lifecycle related events.

Abstract: Methods, systems, and computer program products are provided for token-based content subscription. Embodiments include receiving a request for content subscription; receiving from a user a subscription token; and delivering content to a device associated with the subscription token.

Abstract: An authentication program on a network authenticator establishes a secure communication channel with an embedded device. The authentication program receives security credentials from an embedded device. The authentication program receives from the embedded device via the secure communication channel either a secret for the embedded device or a request to generate the secret for the embedded device. The authentication program registers the secret for the embedded device.