Abstract: A method, system, and computer-readable storage medium containing instructions for controlling access to data stored on a plurality of storage devices associated with a first platform. The method includes authenticating a user to access the first platform, wherein the first platform includes first and second storage devices, chipset encryption hardware, and a memory. Data stored on the storage devices are encrypted, with first data on the first storage device being encrypted by the chipset encryption hardware and second data stored on the second storage device being encrypted by another encryption mechanism. The data are decrypted and the user is allowed to access the first data and the second data.

Abstract: Techniques for key distribution used with encrypted communications are provided. A shared secret associated with a principal is maintained securely and separately from the principal. If a principal is authenticated, then the shared secret is acquired from secure data store and used to encrypt a session key. An encrypted authentication token is also generated. The session key is used by the principal to encrypt communications with services and the authentication token vouches for an identity of the principal.

Abstract: A client apparatus transmits environmental information acquired from an environmental information acquisition device as well as a biometric authentication information matching result to a server apparatus. The server apparatus verifies the validity of the environmental information such as a luminance as well as the validity of the biometric authentication information matching result. If an environment is problematic, the server apparatus notifies the client apparatus that the environmental information is problematic. The client apparatus overcomes the problem of the environment such as the luminance based on the notification from the server apparatus and then retries a biometric authentication. The possibility of re-failure due to the environmental problem can be reduced during a retry of the biometric authentication.

Abstract: Disclosed is a system managing usage authorizations, comprising a central computer system, field devices and smart cards, wherein the system maintains databases containing all information relating to the users, user accounts, user smart cards, field devices and products, establishes and maintains at least at times communication with the field devices, issues instructions based on the available information and transmits to a plurality of field devices, with the field devices maintaining information relating to the smart cards and products so that communication between a field device and a smart card allows at least a portion of the smart card-related instructions to be processed from the instruction list and stored on the field device and to be transmitted to the computer system during the next communication, and wherein the smart cards carry to allow exchange of information with a field device and store instructions.

Abstract: A method is provided for controlling multiple access to a network service to prevent fraudulent use of the network service. The method includes identifying an account access counter for an account using identification information received from a user at a first device using a network, wherein the user is requesting access to a service provided at a second device, and further wherein the account access counter is the number of service access sessions active for the account; comparing the account access counter to a maximum account access number, wherein the maximum account access number defines a maximum number of service access sessions allowed for the account; and providing the user at the first device access to the service at the second device if the account access counter is less than the maximum account access number.

Abstract: An information processing system is supplied capable of holding a security; and transferring an output authority which is had by a transfer source portability terminal to a transfer destination portability terminal.

Abstract: There is provided a method for authenticating a mobile device user against an authenticating system connected to a client computer accessible to said user. The authenticating system uses a communication channel to send to the client computer a logon screen. This logon screen contains a 2D-code embedding, a URL of the authenticating system and a challenge generated by the authenticating system. With a 2D-code reader in the user's mobile device the URL and the challenge are decoded. The user then inputs a password and a response to the challenge is computed. The response is sent together with the user ID to the authenticating system. The authenticating system is able to ascertain that the response to the challenge necessarily comes from the user thereby verifying his identity. Once the user is authenticated, the authenticating system pushes to the client computer (identified by the challenge) a welcome screen.

Abstract: Aspects of the present invention include a method and system for generating a secure access code at a remote device in communication with a computer system having a secure storage device; conveying the secure access code to the system secure storage device; receiving the secure access code at the system secure storage device with unique data characteristics associated with remote device; and, securely providing content to the remote device.

Abstract: A biometrics authentication system using biometrics media simplifies the process, and reduces the costs, of issuing a portable communication terminal having biometrics functions. A biometrics application program is downloaded from a server to a portable communication terminal, an area for authenticated biometrics information is caused to be created, and biometrics information on an individual card of the user is stored in a common area of the portable communication terminal. Thus, the portable communication terminal has the functions of an individual card storing biometrics information, and the portable communication terminal can be used as an individual card for biometrics authentication.

Abstract: Provided are a digital rights management (DRM) method and apparatus, and more particularly, a DRM method and apparatus which can support different DRMs and use various digital content. The DRM method includes receiving a hello message request from a host device; comparing information included in the hello message request to information stored in advance; generating an error code when the hello message request contains unsupported information; and generating a hello message response that contains the error code.

Abstract: Strong authentication tokens for generating dynamic security values having an acoustical input interface for acoustically receiving input data are disclosed. The tokens may also include an optical interface for receiving input data and may have a selection mechanism to select either the acoustical or the optical input interface to receive data. A communication interface may be provided to communicate with a removable security device such as a smart card and the token may be adapted to generate dynamic security values in cooperation with the removable security device. The acoustic signal received by the token may be modulated using a frequency shift keying modulation scheme using a plurality of coding frequencies to code the acoustical signal where each coding frequency may be an integer multiple of a common base frequency.

Abstract: Methods and apparatus for encoding and decoding data transmitted acoustically and/or optically to strong authentication tokens to generate dynamic security values are disclosed. The tokens may also include a selection mechanism to select either an acoustical or an optical input interface to receive data. A communication interface may be provided to communicate with a removable security device such as a smart card and the token may be adapted to generate dynamic security values in cooperation with the removable security device.

Abstract: In various embodiments, techniques for flexible resource authentication are provided. A principal attempts to login to a target resource using first credentials. The target resource does not recognize the first credentials and in response thereto forwards the first credentials to an identity service. The identity service authenticates the principal via the first credentials and supplies second credentials to the target resource. The target resource recognizes and authenticates the second credentials and grants access to the principal.

Abstract: A method, system, and medium are provided for forcing a mobile device to request online content using a proxy server. In one embodiment, the mobile device sends a request to the content provider directly. The content provider may respond to the requesting browser with an instruction to request the content through a proxy server. The requesting mobile device may then send a second request for the content to the proxy server. The proxy server then sends a request to the content provider on behalf of the requesting mobile device.

Abstract: A method for controlling a digital television (DTV) includes receiving independent space identification information recorded in a storage area of a compact wireless device and a wired equivalent privacy (WEP) key value of an access point (AP) card, receiving the WEP key value corresponding to the AP card of the DTV from a management server, and comparing the WEP key value received from the compact wireless device with the WEP key value received from the management server. If the WEP key values are identical to each other, receiving first checklist information associated with the use of the independent space from the management server, displaying the received first checklist information, and transmitting second checklist information, in which one or more elements of the displayed first checklist information is marked, to the management server.

Abstract: Apparatus, systems, and methods may operate to invoke multiple authentication mechanisms, by a client node, to encrypt N split-keys using credentials associated with corresponding ones of the authentication mechanisms. Further activity may include transforming the split-keys to provide N encrypted split-keys, and storing each of the encrypted split-keys with an associated local user identity and an identity of corresponding ones of the authentication mechanisms. Additional apparatus, systems, and methods are disclosed.

Abstract: A method and apparatus of using a token comprises receiving an indication of a presence of a nearby short-range terminal and waking up the token in response to receiving the indication. The method further comprises performing authentication between the token and the terminal, without requiring a user to directly interact with the token.

Abstract: Systems and methods directed at enhancing the capability of a federated authentication system by configuring the system with extensibility points for adding new account stores and customizing claim transformations. The federated authentication system includes accounts stores, a security token service (STS), and custom claim transformation modules. The account stores are configured to maintain data associated with accounts and to provide security claims in an intermediate format. The STS is configured to retrieve the security claims provided by the account stores and includes built-in transformations for transforming each security claim from the intermediate format to formats associated with resource providers. The STS is further configured to provide extensibility points for custom claim transformations that are not available from the built-in transformations. The custom claim transformation modules are configured to perform at least one custom claim transformation.

Abstract: Methods and systems are provided for non-cryptographic capabilities of a token such as a smartcard to be used as an additional authentication factor when multi-factor authentication is required. Smartcards are configured to generate a transaction code each time a transaction is attempted by the smartcard. The transaction code is dynamic, changing with each transaction, and therefore is used as a one-time password. When a user attempts to access a service or application requiring at least two authentication factors, a secure processor is used to read transaction code from the smartcard. The secure processor establishes a secure communication with the remote computer hosting the service or application. The transaction code can then be encrypted prior to transmission over the public Internet, providing an additional layer of security.

Abstract: An authenticated apparatus generates scrambled data from key data and authentication data, such that another key data, which configures the product data, or authentication data is obtained through back-calculation of the product data by using the authentication data or key data, the scrambled data including the product data and the like generated by multiplying the authentication data indicative of the authenticated apparatus's or a user's authenticity by the key data. The authenticated apparatus generates verification data through an operation of the authentication data, key data, or scrambled data, and transmits the verification data and scrambled data to an authenticating apparatus. The authenticating apparatus then verifies authenticity of the authenticated apparatus based on the verification data and scrambled data received from the authenticated apparatus and each authenticated apparatus's or each user's authentication data stored in the authenticating apparatus.

Abstract: A mobile electronic security device may include a biometric sensor to measure a physical characteristic of a user, an interface component to operatively couple the electronic security device with another device, and a control circuit that are assembled as a single portable unit. Other components, such as a battery, a display, and a memory may be included in the security device. The security device authenticates the identity of a user using output data from the biometric sensor and, in some embodiments, using data from an environmental sensor. Once validated, an encrypted authentication certificate may be output to another device. The security device provides a trusted platform that enables a user to verify his or her identity, show proof of presence of the user, control access to data, etc., and may operate in a standalone manner and/or in conjunction with another device.

Abstract: Disclosed relates to an access control system and method based on hierarchical keys. The system comprises an access control server (ACS), a home gateway, and a plurality of sensor devices disposed on a home network. The ACS sets up user's access limits of authority and authorization verifier, and saves the related data of user's password and the user's access limits of authority. The gateway records the authority limits' level and the authority limits' key which are constructed based on a hierarchical key structure. When a user logs in the ACS to request access, an one-time communication key between the user and the home gateway is established by exchanging the ticket and the token that are issued by the ACS. This allows the user to access the information of the sensor devices.

Abstract: A method of establishing secure communications between a first computer, eg a client computer (20), and a second computer, eg a web server (70), whereby the client computer (20) receives one or more security policies (85) relating to the web server (70). A client application (10) examines the client computer (20) and preferably configures one or more aspects of the client computer (20) in order to make it comply with the security policies (85). Once the web server (70) receives the results of this examination and/or configuration process, it can determine whether the secure communications are to be established and whether any restrictions need to be placed on this communication and/or the activity conducted via the communication.

Abstract: A method and apparatus are provided for network security based on a security status of a device. A security update status of a device is evaluated; and one or more of a plurality of security policies are selected to apply to the device based on the security update status. The available security philosophies may include, for example, a “protect the good” philosophy, an “encourage the busy” philosophy and a “shut off the non-compliant” philosophy. The security update status can evaluate, for example, a version level of one or more security features installed on the device or can be based on a flag indicating whether the device satisfies predefined criteria for maintaining one or more computer security protection features up-to-date.

Abstract: A computerized device can implement a content player to access a content stream using a network interface, the content stream comprising encrypted content and an embedded license comprising a content key encrypted according to a global key accessible by the content player. The content player determines whether a token meeting an authorization condition is present and uses the global key to decrypt the content key only if such a token is present. The authorization condition may be evaluated at least in part based on data included in the content stream. The authorization condition can include presence of a token having a content ID matching a corresponding ID in the license; presence of a token with a correct device ID; presence of a token signed according to a digital signature identified in the licenses; and/or presence of a token that is unexpired, with expiration evaluated based on a time-to-live indicator in the token.

Abstract: An access authentication method includes pre-establishing a security channel between the authentication server of the access point and the authentication server of the user terminal and performing the authentication process at user terminal and access point. The authentication process includes 1) the access point sending the authentication_activating message; 2) the user terminal sending the authentication server of user terminal request message; 3) the authentication server of the user terminal sending to the user terminal response message; and 4) completing the authentication.

Abstract: A token representing encrypted data is used to initiate a call routing strategy based on receipt of the token. The call routing strategy is configured to initiate a query. Decrypted data associated with the encrypted data may be accessed to determine a data relationship based on the query.

Abstract: Techniques are provided for securely managing, using smart cards, the usage of a peripheral device. In one embodiment, both the peripheral device and the smart card have digital certificates and a means for authenticating each other. Each device requires authentication of the other device before access to the device's resources is granted. In one embodiment of the invention, the smart card executes a local Java application for managing usage data. The application provides quota and prior usage data to the peripheral device, and updates on the smart card usage data provided by the peripheral device. The usage data on the smart card is used to limit, audit, or track access to resources and operations on the peripheral device. In another embodiment, the authentication and usage management functions of the smart card is implemented on a remote server.

Abstract: The invention relates to a method for distribution of a set of credentials from a credential issuer to a credential user. The credential user is provided with a user device. A first channel and a second channel are provided for communication between the user device and the credential issuer. A shared key is distributed between the user device and the credential issuer by means of the second channel. A binary representation of the set of credentials with a predefined maximum level of deviation from a uniform distribution is generated. The binary representation of the set of credentials is encrypted by means of the shared key. The encrypted set of credentials is distributed via the first channel from the credential issuer to the user device. The encrypted set of credentials is decrypted by the user device by means of the shared key.

Abstract: A system for enforcing policy in a communication network includes a policy server which is operable to receive a request to invoke an application, receive a policy profile for a network user, and decide a proper allocation of network users based on the policy profile, the application, and available network resources. The policy server is further operable to communicate with a non-SIP application. The system also includes a network resource manager operably associated with the policy server and operable to monitor available network in the resources in the communication network. In addition, the network resource manager is functional to allocate network resource amongst a plurality of network users. The system also contains an application control point which is operably associated with the policy server and operable to communicate with a SIP application. The system is operable to use policy peering between the home and visited network to enable user-specific policies to be enforced while roaming.

Abstract: There is disclosed a method for verifying a first identity and a second identity of an entity, said method comprising: receiving a first and second identity of said entity at a checking entity; sending information relating to at least one of the first and second identities to a home subscriber entity; and verifying that said first and second identities both belong to the entity from which said first and second identities have been received.

Abstract: A method, device and system for controlling JTAG interface enablement within a communication device. The JTAG interface can be selectively enabled based on the receipt of an encrypted access token generated by an access token server. The access token server generates the access token in response to an end user providing appropriate device-specific information. The access token includes appropriate information that, upon appropriate authentication and decryption, can temporarily device bind the boot code image of the device in a manner that enables the JTAG interface. Alternatively, the access token includes appropriate information that instructs the general purpose processor to choose between JTAG interface enablement information and JTAG interface disablement information for use with the boot code image of the device. The access token can include expiration information that causes an enabled JTAG interface to revert back to its disabled status upon expiration of the access token.

Abstract: Mobile device assisted secure computer network communications embodiments are presented that employ a mobile device (e.g., a mobile phone, personal digital assistant (PDA), and the like) to assist in user authentication. In general, this is accomplished by having a user enter a password into a client computer which is in contact with a server associated with a secure Web site. This password is integrated with a secret value, which is generated in real time by the mobile device. The secret value is bound to both the mobile device's hardware and the secure Web site being accessed, such that it is unique to both. In this way, a different secret value is generated for each secure Web site accessed, and another user cannot impersonate the user and log into a secure Web site unless he or she knows the password and possesses the user's mobile device simultaneously.

Abstract: An anonymous secure messaging method, system and computer program product for implementation over a wireless connection. The invention allows the securely exchange of information between a security token enabled computer system and an intelligent remote device having an operatively coupled security token thereto over the wireless connection. The invention establishes an anonymous secure messaging channel between the security token and the security token enabled computer system, which allows the intelligent remote device to emulate a locally connected security token peripheral device without requiring a physical connection. A dedicated wireless communications channel is incorporated to prevent several concurrent wireless connections from being established with the security token and potentially compromising the security of the information being sent on concurrent wireless connections.

Abstract: A secure NFC apparatus includes a plug-in socket, an NFC unit, and a protocol matching unit. A security module is inserted in the plug-in socket. The NFC unit communicates with the outside via non-contact NFC using signals based on an S2C protocol. The protocol matching unit determines the type of chip in the inserted security module, generates a chip identification signal according to results of the identification, and matches the protocol of the signals based on the S2C protocol, which are input to and output from the NFC unit, with the protocol of the signals, which are input to and output from the security module, according to the chip identification signal.

Abstract: A system for providing program information has a user terminal, a recording medium capable of reading information therefrom and writing information thereto through a command issued by the user terminal, and a server connected to the user terminal via a network, and provides program information from the server to the recording medium. The recording medium has a first control unit that performs a first mutual authentication operation with a first storage unit capable of writing program information thereto and the user terminal, and that executes a command to write program information to the first storage unit only if the first mutual authentication operation is successful. The user terminal performs a second mutual authentication operation with the server, obtains program information transmitted from the server if the second mutual authentication operation is successful, and issues a command to write the program information to the first storage unit of the recording medium.

Abstract: A method of putting a first gateway device into service, the first gateway device having an application service module and a network module enabling communications between the first gateway device and the activation manager, the application service module residing on a user premises side of a network service provider demarcation. The method comprises identifying, at the first gateway device disposed at a user premises, an activation manager in communication with the first gateway device, transmitting, from the first gateway device, an activation certificate to the activation manager for verification and authentication, generating a service authentication key associated with the first gateway device, storing the service authentication key and an indication that the associated gateway device status is activated in a database, determining the services available to the first gateway device, and transmitting the service authentication key and an identification of the available services to the first gateway device.

Abstract: Accelerated computation of combinations of group operations in a finite field is provided by arranging for at least one of the operands to have a relatively small bit length. In a elliptic curve group, verification that a value representative of a point R corresponds the sum of two other points uG and vG is obtained by deriving integers w,z of reduced bit length and so that v=w/z. The verification equality R=uG+vQ may then be computed as ?zR+(uz mod n) G+wQ=O with z and w of reduced bit length. This is beneficial in digital signature verification where increased verification can be attained.

Abstract: A two-varying-password generator having two varying passwords of different digit lengths and different time intervals is disclosed. A two-varying-password generator has a printed circuit board where a processor is soldered onto, a battery, a display window and an on/off key and code key. The processor is loaded with two predetermined programs that can produce two passwords (or more than two passwords) of different digit length and different time interval. Meanwhile, the host computer also stores these two programs in the customer's account. As the clocks of both two-varying-password generator and host computer work in synchronously, both of them can produce two identical passwords of the same moment. Application of two-varying-password generator can counter phishing sites, fight credit card forgery and unauthorized transaction, tackle cloned ATM card.

Abstract: An intelligent remote device equipped with a security token operatively coupled thereto is processing communications with a security token enabled computer system over a wireless private network. The intelligent remote device is adapted to emulate a local security device peripheral connected to the computer system. Multiple computer systems may be authenticated to using the intelligent remote device. Additionally, various secure communications connections mechanisms are described which are intended to augment existing security protocols available using wireless network equipment. Authentication of a user supplied critical security parameter is performed by the security token. The critical security parameter may be provided locally via the intelligent remote device or received from the wireless network and routed to the security token. Aural, visual or vibratory feedback may be provided to the user to signal a successful authentication transaction.

Abstract: A method and a system for unlocking a storage device that has become locked or cannot be unlocked are disclosed. A hint is generated from a key by removing bits and adding bits. A position of removed bits, a position of added bits, the number of removed bits and the number of added bits are stored and known securely. When the key cannot unlock a storage device corresponding to the key, the position of removed bits, the position of added bits, the number of removed bits (N) and the number of added bits are retrieved. Then, the added bits are removed in the hint. Each possible N bits are placed in the hint at the position of removed bits to generate 2N possible keys. Then, each of 2N possible key are tried to unlock the storage device.

Abstract: Secure element authentication techniques are described. In implementations, a confirmation is received that an identity of a user has been physically verified using one or more physical documents. One or more credentials that are usable to authenticate the user are caused to be stored in a secure element of a mobile communication device of the user, the secure element implemented using tamper-resistant hardware.

Abstract: Techniques for deriving temporary identifiers (IDs) used to address specific user equipments (UEs) in a wireless communication network are described. At a network entity, a first ID assigned to a UE and additional information such as, e.g., a salt value and/or shared secret data for the UE, are transformed to obtain a second ID for the UE. The first ID and/or the shared secret data may be updated, e.g., whenever a signaling message is sent to the UE. A signaling message directed to the UE is generated based on the second ID and sent via a common channel. At the UE, a message is received via the common channel. The first ID and additional information such as, e.g., a salt value obtained from the received message and/or shared secret data for the UE, are transformed to obtain the second ID, which is used to determine whether the received message is intended for the UE.

Abstract: Methods and devices for allowing a wireless communication device (1301) initially unauthorized for communication with a network to obtain persistent soft network subscription credential information (1303) from a wireless communication device (1401) initially authorized for communication with the network are disclosed. In performing the persistent transfer of the soft network subscription credential information (1303), one of a token management module (1312), a session initiation protocol communication module (1408), or a electronic rights manager (1406) may be used to ensure that only one communication device is capable of communicating with a network at any one time.

Abstract: System and method for establishing a remote connection over a network with a personal security device connected to a local client without using a local APDU interface or local cryptography.

Abstract: A technique for providing message authenticity includes accepting transaction information, accepting a first data item used for authenticating an originating user, cryptographically processing the transaction information using only a second data item, wherein the entropy of the first data item is less than the entropy of the second data item, and authenticating the originating user using the first data item. The first data item can be a sequence of digits corresponding to those displayed on an external device, such as, for example, an RSA authorization token, credit card, etc. In general, the first data item will be a short alphanumeric string and the second data item will generally be much larger, e.g., a 128 bit sequence to be used principally for data authentication. According to another aspect of the present invention, consequential evidence of the transaction may be secured to provide after-the-fact evidence of the transaction.

Abstract: A communications protocol is used to provide data privacy, message integrity, message freshness, and user authentication to telemetric traffic, such as to and from implantable medical devices in a body area network. In certain embodiments, encryption, message integrity, and message freshness are provided through use of token-like nonces and ephemeral session-keys derived from device identification numbers and pseudorandom numbers.

Abstract: Described are techniques for providing a host identifier for a host. A first portion including a first identifier associated with a system for the host is received. A second portion including a second identifier generated in accordance with a hardware property of the host is received. The host identifier is formed using the first and second portions. The host identifier is used to uniquely identify the host in a storage area network.

Abstract: Communication across domains is described. In at least one implementation, a determination is made that an amount of data to be communicated via an Iframe exceeds a threshold amount. The data is divided into a plurality of portions that do not exceed the threshold amount. A plurality of messages is formed to communicate the divided data across domains.

Abstract: An information forming apparatus includes: a communication unit that carries out data communication with an authentication card inserted into a card slot; an authentication unit that authenticates that a user who attempts to operate the apparatus is an authorized user by sending entered authenticating information to the authentication card; a storing unit that stores the entered authenticating information; and a process execution unit that, when a process is invoked that requires input of authenticating information to the authentication card, executes the process using the authenticating information stored in the storing unit.