Intelligent Token Patents (Class 713/172)
  • Patent number: 8185737
    Abstract: Communication across domains is described. In at least one implementation, a determination is made that an amount of data to be communicated via an Iframe exceeds a threshold amount. The data is divided into a plurality of portions that do not exceed the threshold amount. A plurality of messages is formed to communicate the divided data across domains.
    Type: Grant
    Filed: May 22, 2007
    Date of Patent: May 22, 2012
    Assignee: Microsoft Corporation
    Inventors: Scott Isaacs, George Moore, Danny Thorpe, Vasileios Zissimopoulos
  • Patent number: 8185950
    Abstract: An information forming apparatus includes: a communication unit that carries out data communication with an authentication card inserted into a card slot; an authentication unit that authenticates that a user who attempts to operate the apparatus is an authorized user by sending entered authenticating information to the authentication card; a storing unit that stores the entered authenticating information; and a process execution unit that, when a process is invoked that requires input of authenticating information to the authentication card, executes the process using the authenticating information stored in the storing unit.
    Type: Grant
    Filed: April 9, 2008
    Date of Patent: May 22, 2012
    Assignee: Fuji Xerox Co., Ltd.
    Inventor: Takanori Masui
  • Patent number: 8185936
    Abstract: A method and medium are provided for automatically updating user profiles based on authentication failures associated with network-access requests from mobile communications devices. A mobile communications device requests access to a mobile network and the access is rejected due to an authentication failure. Upon communicating a rejection message to the mobile communications device, the authentication server communicates a network-access rejection notification to a user-profile updating server that resets network-generated authentication credentials and provides updated profiles containing reset credentials to a provisioning server. Subsequent access requests from the mobile device are handled through a dedicated profile-provisioning home agent until the device is updated, at which time network access can be granted through a more conventional home agent.
    Type: Grant
    Filed: July 13, 2009
    Date of Patent: May 22, 2012
    Assignee: Sprint Communications Company L.P.
    Inventors: Raymond Emilio Reeves, Ryan Alan Wick, Wen Xue
  • Publication number: 20120124378
    Abstract: A method for personal identity authentication utilizing a personal cryptographic device initially provides a personal cryptographic device storing a client key from a host system and a device serial number. Next, the personal cryptographic device is connected to the host system. Thereafter, unique user information is inputted via the personal cryptographic device. Then, the unique user information and the device serial number are encrypted and sent to the host system for authentication and for requesting key information. The personal cryptographic device receives and decrypts encrypted key information with the client key, and changes the client key using the key information.
    Type: Application
    Filed: November 12, 2010
    Publication date: May 17, 2012
    Applicant: XAC AUTOMATION CORP.
    Inventor: YENG MING CHANG
  • Patent number: 8179227
    Abstract: The present invention advantageously provides a flexible system and method for a security system having a control panel with control information for performing security operations, and a token having its own control information, such that the panel reads control information from the token and determines if the token is authentic, and, if it is, the panel updates its control information in accordance with the token's control information and performs the security operations based on its updated control information, and the updated control information is copied from the panel to the token.
    Type: Grant
    Filed: November 8, 2007
    Date of Patent: May 15, 2012
    Assignee: Honeywell International Inc.
    Inventor: John A Dziadosz
  • Patent number: 8176326
    Abstract: A method, system and computer readable medium for protecting a communications device connected to a communications system against an unauthorized intrusion, including providing a variable identifier to the communications device and entities authorized access thereto. The variable identifier is provided to a user address book and assigned with a permanent identifier and the permanent identifier, but not the variable identifier, is available to a user. The presence or absence of the correct variable identifier is sensed during an attempt to access the communications device for granting or denying access to the communications device. A new variable identifier is periodically provided to the communications device and to the authorized entities and to the user address book and assigned with the permanent identifier, wherein the permanent identifier, but not the new variable identifier, is available to the user.
    Type: Grant
    Filed: January 14, 2010
    Date of Patent: May 8, 2012
    Assignee: Invicta Networks, Inc.
    Inventor: Victor I. Sheymov
  • Patent number: 8171456
    Abstract: A method is provided for auditing compliance of an electronic platform, referred to as the platform being tested, and/or a computer program being tested, which is present on the platform being tested. The method includes the following steps: transmitting the same data set, via an auditing device, to the platform being tested, on the one hand, and, on the other hand, to a compliant reference platform present in the auditing device; and deciding upon the compliance of the platform being tested and/or the computer program being tested, based on an analysis of the respective behaviors of the platform being tested and the reference platform. The auditing device then issues a compliance decision.
    Type: Grant
    Filed: December 21, 2007
    Date of Patent: May 1, 2012
    Assignee: Compagnie Industrielle et Financiere d'Ingenierie “Ingenico”
    Inventor: David Naccache
  • Patent number: 8171289
    Abstract: A method and apparatus to provide a cryptographic protocol for secure authentication, privacy, and anonymity. The protocol, in one embodiment, is designed to be implemented in a small number of logic gates, executed quickly on simple devices, and provide military grade security.
    Type: Grant
    Filed: June 11, 2007
    Date of Patent: May 1, 2012
    Assignee: Symantec Corporation
    Inventors: Joseph A. Adler, David M'Raihi
  • Patent number: 8171285
    Abstract: A cryptographically signed filesystem provides a central database resident on a server that contains database objects. The server creates startup software to be installed in a client system's read only memory. The startup software contains a hash value for a second stage loader. The server also creates software for a bootstrap loader object which typically contains the operating system for a client system and also the bootstrap loader's hash value and a digital signature that is unique to the server. The startup software and objects created by the server are initially installed on a client device at the time of manufacture. The server can update a client's bootstrap loader and root filesystem at any time through the transmission of slices.
    Type: Grant
    Filed: October 25, 2006
    Date of Patent: May 1, 2012
    Assignee: TiVo Inc.
    Inventor: David C. Platt
  • Patent number: 8171306
    Abstract: Program obfuscation is accomplished with a tamper proof token including an embedded oracle. A public obfuscation function can be applied to any program/circuit to produce a new obfuscated program/circuit that makes calls to the corresponding oracle to facilitate program execution. A universal circuit representation can be employed with respect to obfuscation to hide circuit wiring and allow the whole circuit to be public. Furthermore, the token or embedded oracle can be universal and stateless to enable a single token to be employed with respect to many programs.
    Type: Grant
    Filed: November 5, 2008
    Date of Patent: May 1, 2012
    Assignee: Microsoft Corporation
    Inventors: Ramarathnam Venkatesan, Vipul Goyal
  • Patent number: 8171531
    Abstract: A universal authentication token is configured to securely acquire security credentials from other authentication tokens and/or devices. In this manner, a single universal authentication token can store the authentication credentials required to access a variety of resources, services and applications for a user. The universal authentication token includes a user interface, memory for storing a plurality of authentication records for a user, and a secure processor. The secure processor provides the required cryptographic operations to encrypt, decrypt, and/or authenticate data that is sent or received by universal token. For example, secure processor may be used to generate authentication data from seed information stored in memory.
    Type: Grant
    Filed: November 15, 2006
    Date of Patent: May 1, 2012
    Assignee: Broadcom Corporation
    Inventor: Mark Buer
  • Publication number: 20120096271
    Abstract: An end user of an enterprise is enabled to receive secure remote presentation access to the assigned virtual machines in a hosted public cloud through the cloud provider's virtualization hosts and remote presentation gateway. Thus an enterprise administrator may purchase computing capacity from the cloud provider and further sub-divide the purchased computing capacity among enterprise end users. The cloud provider need not create shadow accounts for each end user of the enterprise. The cloud provider AD and the enterprise AD do not need to trust each other. The cloud provider also need not expose host information to the tenants. Authorization may be provided by using a combination of a custom authorization plug-in at the terminal services gateway and an indirection listener component at the virtualization host.
    Type: Application
    Filed: October 15, 2010
    Publication date: April 19, 2012
    Applicant: Microsoft Corporation
    Inventors: Aravind Ramarathinam, Srivatsan Parthasarathy, Michael Michael
  • Patent number: 8161420
    Abstract: A security management system of a home network is provided. The home network includes a home gateway and one or more user devices connected to the home gateway. The security management system further includes a security management server adapted to provide a security management service for the home network. Within the home network, a security management module is disposed to provide a security service for the user devices within the home network. The user devices and a device where the security management module locates have unique device identifications, and the home network has a unique network identification. By the home gateway, the security management server communicates with the security management module. With the network identification and the device identification, the security management server and the security management module achieve a security management for the home network through a registration of the home network and a registration of the user device.
    Type: Grant
    Filed: October 28, 2008
    Date of Patent: April 17, 2012
    Assignee: Huawei Technologies Co., Ltd.
    Inventor: Zhiming Ding
  • Patent number: 8156550
    Abstract: In one embodiment, a host entity may create a trusted connection with a guest entity. The host entity may encrypt a trusted connection invitation for an external guest entity using a proof of possession of a trusted token for the external guest entity. The host entity may transmit the encrypted trusted connection invitation to the external guest entity. A guest entity may decrypt the trusted token, and then use the proof of possession to decrypt the trusted connection invitation.
    Type: Grant
    Filed: June 20, 2008
    Date of Patent: April 10, 2012
    Assignee: Microsoft Corporation
    Inventors: Ladislau Conceicao, Vanessa Feliberti, Paul Tischhauser
  • Patent number: 8156347
    Abstract: An audio stream is divided into a plurality of audio object (AOB) files that are recorded having each been encrypted using a different encryption key. At least one piece of track management information (TKI) is provided corresponding to each track. Playlist information (PLI) assigns a playback position in a playback order to each track when a plurality of tracks are to be played back one after the other.
    Type: Grant
    Filed: August 12, 2009
    Date of Patent: April 10, 2012
    Assignee: Panasonic Corporation
    Inventors: Teruto Hirota, Kenji Tagawa, Hideki Matsushima, Tomokazu Ishikawa, Shinji Inoue, Masayuki Kozuka
  • Patent number: 8156536
    Abstract: In one embodiment, a method for establishing a session between a first party and a second party in a communication network comprises issuing a request to establish the session with the second party, the request containing a first security level associated with the first party. A response is received to the request from the second party, the response containing a second security level associated with the second party. A security level for the session is identified from the first security level and the second security level and the session established at the identified security level.
    Type: Grant
    Filed: December 1, 2006
    Date of Patent: April 10, 2012
    Assignee: Cisco Technology, Inc.
    Inventor: James M. Polk
  • Patent number: 8156322
    Abstract: A storage device contains a smart-card device and a memory device, which is connected to a controller. The storage device may be used in the same manner as a conventional smart-card device, or it may be used to store a relatively large amount of data. The memory device may also be used to store data or instructions for use by the smart-card device. The controller includes a security engine that uses critical security parameters stored in, and received from, the smart-card device. The critical security parameters may be sent to the controller in a manner that protects them from being discovered. The critical security parameters may be encryption and/or decryption keys that may encrypt data written to the memory device and/or decrypt data read from the memory device, respectively. Data and instructions used by the smart-card device may therefore be stored in the memory device in encrypted form.
    Type: Grant
    Filed: November 12, 2007
    Date of Patent: April 10, 2012
    Assignee: Micron Technology, Inc.
    Inventors: Medhi Asnaashari, Ruchirkumar D. Shah, Sylvain Prevost, Ksheerabdhi Krishna
  • Patent number: 8156543
    Abstract: One embodiment of the invention is directed to a method including receiving an alias identifier associated with an account associated with a presenter, determining an associated trusted party using the alias identifier, sending a verification request message to the trusted party after determining the associated trusted party, and receiving a verification response message.
    Type: Grant
    Filed: April 16, 2008
    Date of Patent: April 10, 2012
    Assignee: Visa U.S.A.
    Inventors: David Wentker, Michael Lindelsee, Olivier Brand, James Dimmick, Tribhuwan A. Singh Grewal
  • Patent number: 8156338
    Abstract: A token value is generated for a user to submit to an authentication service of an electronic system. The token value represents that the user is in possession of an electronic item known to the authentication service, where the electronic item is capable of two-way communications with the authentication service and has thereon an authenticator application transmitted from the authentication service to the electronic item. The authenticator application obtains a current time value from a clock of the electronic item or an authentication value from the authentication service, retrieves predetermined indicia of the electronic item from a location thereon, and combines the obtained value and the retrieved indicia of the electronic item to generate the token value. The authentication service essentially performs the same steps based on information already available at such authentication service to generate a verification token value, and compares the submitted token value to the verification token value.
    Type: Grant
    Filed: September 25, 2007
    Date of Patent: April 10, 2012
    Assignee: United Services Automobile Association
    Inventor: Michael Frank Morris
  • Publication number: 20120084565
    Abstract: Binding a security artifact to a service provider. A method includes generating a pseudonym for a security artifact. The pseudonym is an identifier of the security artifact to the service provider that is unique to the service provider in that the pseudonym is not used to identify the security artifact to other service providers. Further, the pseudonym uniquely identifies the particular security artifact to the service provider even when a user has available a number of different security artifacts to authenticate to the same service provider to access a user account for the user. The method further includes providing the pseudonym for the security artifact to the service provider. The pseudonym for the security artifact is bound with a user account at the service provider for a user associated with the security artifact.
    Type: Application
    Filed: September 30, 2010
    Publication date: April 5, 2012
    Applicant: Microsoft Corporation
    Inventors: Craig Henry Wittenberg, Christian Paquin, Rushmi U. Malaviarachchi
  • Patent number: 8151324
    Abstract: An accessor function interfaces among a client, a relying party, and an identity provider. The identity provider can “manage” personal (i.e., self-asserted) information cards on behalf of a user, making the personal information cards available on clients on which the personal information cards are not installed. The client can be an untrusted client, vulnerable to attacks such as key logging, screen capture, and memory interrogation. The accessor function can also act as a proxy for the relying party in terms of invoking and using the information cards system, for use with legacy relying parties.
    Type: Grant
    Filed: April 29, 2008
    Date of Patent: April 3, 2012
    Inventors: Lloyd Leon Burch, Daniel S. Sanders, Andrew A. Hodgkinson, Stephen R. Carter
  • Patent number: 8151344
    Abstract: One embodiment provides a system that uses an authenticated channel to authenticate a user. The system can register a user by storing an association between a username, a password, and a unique identifier. The system can then present a login screen to the user which includes a username field and a password field, wherein the username field is enabled and the password field is disabled. Next, the system can receive the username via the username field and receive the unique identifier over the authenticated channel. The system can then enable the password field in response to determining that the unique identifier is associated with the username. Next, the system can receive the password via the enabled password field. The system can then authenticate the user in response to determining that the password is associated with the username.
    Type: Grant
    Filed: January 29, 2009
    Date of Patent: April 3, 2012
    Assignee: Intuit Inc.
    Inventor: Girish Mallenahally Channakeshava
  • Patent number: 8141776
    Abstract: Method and system for implementing a virtual automated teller machine (“VATM”) system are described. In one embodiment, the system includes a VATM host connectable to each of a plurality of disbursement entities (“DEs”) via a secure connection. The system further includes an accessing computer connectable to the VATM host via a secure connection, the accessing computer comprising a device for acquiring user account information and having installed thereon VATM client software executable by the accessing computer to interact with the VATM host to validate the acquired user account information and an associated PIN provided by the user. Responsive to the validation, the user is presented with a list of DEs and prompted to select one DE from the list of DEs from which funds are to be disbursed to the user and specify an amount of funds to be disbursed. The VATM host sends a disbursement order to the selected DE indicating the specified amount of funds to be disbursed.
    Type: Grant
    Filed: January 26, 2011
    Date of Patent: March 27, 2012
    Assignee: Oracle International Corporation
    Inventor: Scott Isaacson
  • Patent number: 8140435
    Abstract: A method and apparatus of encouraging distribution, registration, and purchase of free copyable software and other digital information which is accessed on a User's System via a Programmer's Program. Software tools which can be incorporated into a Programmer's Program allow the User to access Advanced Features of the Programmer's Program only in the presence of a valid Password which is unique to a particular Target ID generated on an ID-Target such as the User's System. Advanced features will thus relock if the Password is copied to another ID-target. If a valid Password is not present, the User is invited to obtain one, and provided with the means of doing so, and of installing that Password in a place accessible to the User's System on subsequent occasions. The present invention also provides Programmers with means to invoke business operations as well as computational operations with their programs, and thus to automatically obtain payment from Users who elect to obtain passwords.
    Type: Grant
    Filed: November 4, 2004
    Date of Patent: March 20, 2012
    Assignee: SL Patent Holdings LLC
    Inventor: Jonathan Schull
  • Patent number: 8140851
    Abstract: Approaches are disclosed for switching transport protocol connection keys. A method of automatically changing a message authentication key at each of two endpoints of a connection in a telecommunications network comprises testing a date-time value received in each of a plurality of data segments on the connection; and selecting a next message authentication key, from among a plurality of stored message authentication keys, for use in authenticating subsequently received data segments, when the date-time value matches a specified characteristic.
    Type: Grant
    Filed: February 24, 2006
    Date of Patent: March 20, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Satish K. Mynam, Chandrashekhar Appanna, Martin Djernaes
  • Patent number: 8141137
    Abstract: Authentication of a subscriber identity module issued by IMT-2000 network operator is performed with no decrease in the confidentiality of calculation processing, even in cases such as when a roaming network is a GSM network. An HLR of an IMT-2000 mobile communication network comprises an algorithm information attachment unit for attaching, to a RAND field of an authentication vector used to authenticate a USIM, information specifying an algorithm to be used in the authentication calculation.
    Type: Grant
    Filed: June 28, 2005
    Date of Patent: March 20, 2012
    Assignee: NTT DoCoMo, Inc.
    Inventor: Hidetoshi Ishikawa
  • Patent number: 8135129
    Abstract: A method and a circuit for protecting a numerical quantity contained in an integrated circuit on a first number of bits, in a modular exponentiation computing of a data by the numerical quantity, including: selecting at least one second number included between the unit and said first number minus two; dividing the numerical quantity into at least two parts, a first part including, from the bit of rank null, a number of bits equal to the second number, a second part including the remaining bits; for each part of the quantity, computing a first modular exponentiation of said data by the part concerned and a second modular exponentiation of the result of the first by the figure 2 exponentiated to the power of the rank of the first bit of the part concerned; and computing the product of the results of the first and second modular exponentiations.
    Type: Grant
    Filed: June 14, 2006
    Date of Patent: March 13, 2012
    Assignee: STMicroelectronics S.A.
    Inventors: Yannick Teglia, Pierre-Yvan Liardet, Alain Pomet
  • Patent number: 8132244
    Abstract: In an authentication server, information representing a first part of a response to a challenge is received during the authentication preparation phase. The challenge and the first part of the response are stored for further use. The challenge is resent and information representing a second part of the response to the challenge is received during a modified authentication phase. The first and second parts of the response are checked against the challenge for authenticating the user. In a smartcard reader, the response received from the smartcard is sent to a computing device, when the smartcard reader received the challenge via an interface to the computing device during normal authentication. In response to the smartcard reader having received the challenge via the interface to the computing device during an authentication preparation phase, the smartcard reader sends the first part of the response to the computing device.
    Type: Grant
    Filed: November 26, 2008
    Date of Patent: March 6, 2012
    Assignee: International Business Machines Corporation
    Inventor: Boris Baltzer
  • Patent number: 8132014
    Abstract: An archiver system for tracking the exchange of personally identifiable information in document production systems includes a document production device and a media writer. When a document processing job is initiated, a digital image of the document is prepared, the document digital image is encrypted with a session key, and the encrypted document digital image and job data associated with the document processing job are stored in a job record of a database on a storage media by the media writer.
    Type: Grant
    Filed: August 29, 2006
    Date of Patent: March 6, 2012
    Assignee: Xerox Corporation
    Inventor: Larry A. Kovnat
  • Patent number: 8121291
    Abstract: An apparatus, system, method and computer program product configured to transmit data over a broadcast network. The data is encrypted and decoded using a decryption key available to terminals in combination with a digital rights object. A media guide is broadcast to the terminals. Information from the media guide is also stored by a request handling means in order to ensure that information, such as pricing information, broadcast to the terminals is synchronized with information used to register a terminal as a subscriber. A request is sent from a terminal to the broadcast network through a second network. Authentication information identifying the terminal may be included in the request without manual input from a user of the terminal. Authentication information is extracted from a component or added to the message by a component of the second network. The digital rights object is then sent to the terminal via the second network.
    Type: Grant
    Filed: July 20, 2009
    Date of Patent: February 21, 2012
    Assignee: Nokia Corporation
    Inventors: Karina Terekhova, Toni Paila, Larri Vermola
  • Patent number: 8122511
    Abstract: A method for providing attribute data. A request is received from a user device for a virtual ID token relating to attribute information pertaining to a subscriber associated with the user device. Responsive to the request for the virtual ID token, a data record is read from a database. The data record includes L attributes of the subscriber. L is at least 2. The data record is provided to the user device. A selection of M attributes of the L attributes is received from the user device. M is less than L. A virtual record including the M attributes selected from the data record is generated. The virtual record includes a virtual ID (VID) for identifying the virtual record. The generated virtual record is stored in the database. The virtual ID token is provided to the user device. The virtual ID token includes the VID.
    Type: Grant
    Filed: August 18, 2004
    Date of Patent: February 21, 2012
    Assignee: International Business Machines Corporation
    Inventors: Yoshinobu Ishigaki, Masayuki Numao, Madoka Yuriyama, Yuji Watanabe
  • Patent number: 8117453
    Abstract: A method and a system of customization and authentication of an electronic circuit for an application implementing an asymmetrical algorithm and using a certification authority, including use of an authentication channel of another application implementing the same asymmetrical algorithm and using another certification authority.
    Type: Grant
    Filed: November 21, 2006
    Date of Patent: February 14, 2012
    Assignee: Proton World International N.V.
    Inventor: Thierry Huque
  • Patent number: 8117449
    Abstract: A method for detecting a communication relay attack involves the steps of counting a number of clock cycles occurring in a clock signal between transmission of two predetermined elements of data with a data transmission device, counting a number of clock cycles occurring in the clock signal between receipt of the two predefined elements of data and comparing the number of clock cycles counted by the data transmission device with the number of clock cycles counted by the data receiving device.
    Type: Grant
    Filed: December 27, 2007
    Date of Patent: February 14, 2012
    Assignee: MasterCard International, Inc.
    Inventor: Simon Blythe
  • Patent number: 8117662
    Abstract: A programmable smartcard device (10) carries a file system (22, 24) and operating software enabling the on-device file system to interface with at least one off-device file and/or application. It also has a script engine (32) capable of running one or more Application Protocol Data Units ('APDUs') associated with a particular form of transaction so as to modify the structure and/or content of the file system, or the commands to be used for accessing the file system or any security conditions associated therewith. The smartcard device (10) is provided with comparator means (34) configurable by a security APDU run by the script engine (32) so that it operates in use to compare the commands carried out in implementing the transaction with one or more reference commands and to restrict or prevent further access or modifications to the on-device data, file system, commands or security conditions in dependence on the outcome of the comparison carried out by the comparator means (34).
    Type: Grant
    Filed: August 29, 2006
    Date of Patent: February 14, 2012
    Assignee: ECEBS Limited
    Inventor: Barry Sim Hochfield
  • Patent number: 8112793
    Abstract: An image forming system includes a client apparatus and an image forming apparatus. The client apparatus includes an authentication data storing area defining section that produces an authentication data storing area in an external storage medium; a writing section that writes authentication data into the authentication data storing area; and an image data storing section that stores image data into the external storage medium. The image forming apparatus includes a searching section, an input section, an authenticating section, and an image processing section. The searching section reads authentication data from the external storage medium. Identification information is received from a user through the input section. The authenticating section performs authentication based on the identification information and the authentication data. The image processing section processes the image data. When the authentication has been established, the searching section reads image data from the external storage medium.
    Type: Grant
    Filed: February 10, 2006
    Date of Patent: February 7, 2012
    Assignee: Oki Data Corporation
    Inventor: Nobuhiro Kuribara
  • Patent number: 8108677
    Abstract: The invention addresses the problem of authentication of the transport packet stream (which constitutes a flow within a session), which has been admitted into a managed packet network. Authentication and the subsequent policing of the flows supporting an identified client's authorized service prevent a large class of denial of service attacks described below. Specifically, the invention addresses two different matters: 1) key distribution and management, and 2) various forms of using a shared key for the authentication of transport packets on the user-to-network-interface (UNI).
    Type: Grant
    Filed: June 27, 2007
    Date of Patent: January 31, 2012
    Assignee: Alcatel Lucent
    Inventors: Thomas Wayne Anderson, Igor Faynberg, Hui Lan Lu, Zachary Zeltsan
  • Patent number: 8108941
    Abstract: A processor, connected to a non-volatile memory storing first memory authentication information for authentication of the non-volatile memory, the processor includes an operation unit configured to perform an operation utilizing information stored in the non-volatile memory; an authentication memory formed integrally with the operation unit, and storing second memory authentication information for authentication of the non-volatile memory; an authentication information acquiring unit configured to acquire the first memory authentication information from the non-volatile memory; a memory authenticating unit configured to compare the first memory authentication information and the second memory authentication information to authenticate the non-volatile memory; and a memory access controlling unit configured to permit an access to the non-volatile memory when the memory authenticating unit succeeds in authentication.
    Type: Grant
    Filed: February 10, 2006
    Date of Patent: January 31, 2012
    Assignee: Kabushiki Kaisha Toshiba
    Inventor: Tatsunori Kanai
  • Patent number: 8103001
    Abstract: A method of verification of rights is disclosed, contained in a security module associated to an apparatus processing broadcasted digital data. The apparatus is connected to a management center transmitting encrypted rights messages for accessing the digital data. The method includes reception and reading by the security module of all or part of a rights message including at least one right and means for verifying the right, decryption and verification of the rights message and updating of a rights memory, and storage of all or part of the rights message in a messages memory. During a further verification step, the method includes identification of at least one right present in the rights memory, search of the corresponding stored rights message and verification of the rights message, comparison of the right contained in the rights message with the corresponding right stored in the rights memory, and determination of a default state when the result of the comparison indicates a difference.
    Type: Grant
    Filed: October 6, 2006
    Date of Patent: January 24, 2012
    Assignee: Nagra France SAS
    Inventors: Dominique Le Floch, Michel Maillard
  • Publication number: 20120017089
    Abstract: Methods and apparatuses for increasing the leak-resistance of cryptographic systems are disclosed. A cryptographic token maintains secret key data based on a top-level key. The token can produce updated secret key data using an update process that makes partial information that might have previously leaked to attackers about the secret key data no longer usefully describe the new updated secret key data. By repeatedly applying the update process, information leaking during cryptographic operations that is collected by attackers rapidly becomes obsolete. Thus, such a system can remain secure against attacks involving analysis of measurements of the device's power consumption, electromagnetic characteristics, or other information leaked during transactions. Transactions with a server can be secured with the token.
    Type: Application
    Filed: September 26, 2011
    Publication date: January 19, 2012
    Inventor: PAUL C. KOCHER
  • Patent number: 8095805
    Abstract: The present invention discloses a security flash memory which includes a flash memory chip with a plurality of data transmission terminals, and a data encryption device. The data encryption device includes a verifier module with default pass code, a secret key module and a switching module. The verifier module compares a pass code with the default pass code for outputting a control signal. The secret key module is used for data encryption and data decryption. The switching module is connected to the verifier module, the data transmission terminals of the flash memory chip and the secret key module, and may connect or disconnect the data transmission terminals of the flash chip and the secret key module in response to the control signal.
    Type: Grant
    Filed: December 17, 2007
    Date of Patent: January 10, 2012
    Assignees: DDTIC Corporation Ltd., Chih-Wen Cheng
    Inventor: Chih-Wen Cheng
  • Patent number: 8091121
    Abstract: Techniques for supporting concurrent data services with different credentials are described. A wireless communication network authenticates a user/device whenever new credentials are used. An access terminal sends first credentials via a Point-to-Point Protocol (PPP) link to a Packet Data Serving Node (PDSN) and receives an indication of successful authentication for a first data service based on the first credentials. The access terminal may receive a request for a second data service and second credentials from an internal application or a terminal device coupled to the access terminal. The access terminal then sends the second credentials via the PPP link to the PDSN while the first data service is ongoing. The access terminal receives from the PDSN an indication of successful authentication for the second data service based on the second credentials.
    Type: Grant
    Filed: December 1, 2006
    Date of Patent: January 3, 2012
    Assignee: QUALCOMM Incorporated
    Inventor: Marcello Lioy
  • Patent number: 8090945
    Abstract: A multi-factor remote user authentication card-device has innovative features that enable this one card-device itself to function and accomplish a multi-factor remote user authentication of “what you know”, “what you have”, “where you are” and “what you are”, to a network. In one embodiment of the card-device, one card-device enables two-factor authentication of “what you have” and “what you are”. In another embodiment, one card-device enables two-factor authentication of “what you know” and “what you have”. In yet another embodiment, one card-device enables three-factor authentication of “what you know”, “what you have”, and “what you are”. In yet another embodiment, one card-device enables four-factor authentication of “what you know”, “what you have”, “where you are”, and “what you are”.
    Type: Grant
    Filed: September 13, 2006
    Date of Patent: January 3, 2012
    Inventor: Tara Chand Singhal
  • Patent number: 8086856
    Abstract: Apparatus and article of manufacture for disabling on-demand access to computerized resources on a computerized apparatus are disclosed. The method comprises receiving a disablement code; validating the disablement code; and disabling an on-demand resource if the validating is successful, thereby rendering the disabled on-demand resource unavailable for use by users of the computerized apparatus, wherein the disabled on-demand resource is a hardware resource of the computerized apparatus. Another embodiment includes receiving a disablement code comprising encrypted data, validating the disablement code, disabling at least one on-demand resource if the validating is successful.
    Type: Grant
    Filed: January 7, 2009
    Date of Patent: December 27, 2011
    Assignee: International Business Machines Corporation
    Inventors: David O. Lewis, Lynn A. McMahon, Terry L. Schardt
  • Patent number: 8087074
    Abstract: A token calculates a one time password by generating an HMAC-SHA-1 value based upon a key K and a counter value C, truncating the generated HMAC-SHA-1 value modulo 10^Digit, where Digit is the number of digits in the one time password. The one time password can be validated by a validation server that calculates its own version of the password using K and its own counter value C′. If there is an initial mismatch, the validation server compensates for a lack of synchronization between counters C and C′ within a look-ahead window, whose size can be set by a parameter s.
    Type: Grant
    Filed: October 17, 2005
    Date of Patent: December 27, 2011
    Assignee: Symantec Corporation
    Inventors: Nicolas Popp, David M'Raihi, Loren Hart
  • Publication number: 20110314288
    Abstract: Disclosed is a circuit, system, device and method for authentication and/or encryption, which is based on the characteristics and/or management of One Time Programming (OTP) Non Volatile Memory (NVM) that may prevent the ability to alter, modify, mimic or otherwise use an identification string/code for attaining false authentication and/or falsely decrypting encrypted data.
    Type: Application
    Filed: February 8, 2010
    Publication date: December 22, 2011
    Inventor: Yoav Yogev
  • Patent number: 8082445
    Abstract: Disclosed herein are a secure Near Field Communication (NFC) apparatus and method for supporting various security modules. The NFC apparatus includes an NFC unit, a protocol conversion unit and a security module. The NFC unit transmits information corresponding to a first signal based on a first protocol via non-contact NFC and generates a second signal based on the first protocol from information received via non-contact NFC. The protocol conversion unit converts a signal based on a second protocol into a first signal based on the first protocol and converts the second signal based on the first protocol into a signal based on the second protocol. The security module receives and outputs signals based on the second protocol.
    Type: Grant
    Filed: June 8, 2010
    Date of Patent: December 20, 2011
    Assignee: SK Telecom Co., Ltd.
    Inventors: Sung-Rock Cheon, Jae-Sic Jeon, O-Hyon Kwon, Joo-Sik Lee
  • Publication number: 20110307699
    Abstract: In general, the invention relates to a method for performing a command on a token. The method includes receiving a first command authentication message digest (CAMD), a command, and scrambled data from a sender, and making a first determination that the sender is allowed to send commands to the token. The method further includes, based on the first determination, generating a second CAMD on the token using the command, the scrambled data, and an Administrative Command Authentication Secret (ACAS), making a second determination that the first CAMD and the second CAMD match, and based on the second determination, performing the command by the token.
    Type: Application
    Filed: March 25, 2010
    Publication date: December 15, 2011
    Applicant: PACID TECHNOLOGIES, LLC
    Inventor: Guy Fielder
  • Patent number: 8073426
    Abstract: According to the present invention, a subscriber identity module in a wireless local area network is authenticated using an authentication vector with no decrease in the confidentiality of the calculation processing, even when a triplet is employed as the authentication vector. An HLR of a mobile communication network comprises an attachment unit for attaching to a RAND field of an authentication vector, which is used to authenticate an SIM in a wireless local area network, information specifying calculation information that is constituted by at least one of an algorithm and secret information for use in the authentication calculation.
    Type: Grant
    Filed: January 17, 2006
    Date of Patent: December 6, 2011
    Assignee: NTT DoCoMo, Inc.
    Inventor: Hidetoshi Ishikawa
  • Patent number: 8074081
    Abstract: A data storage device includes a plurality of data storage units, a physical random number generator with a noise source based on a physical noise process, for generating a random number, and a replacer for selecting a data storage unit wherein data is to be stored, depending on the random number. Selecting, on the basis of genuine random numbers, data storage units and/or lines to be replaced in the cache.
    Type: Grant
    Filed: October 15, 2004
    Date of Patent: December 6, 2011
    Assignee: Infineon Technologies AG
    Inventor: Berndt Gammel
  • Patent number: 8073783
    Abstract: A user engages in a transaction with a relying party. The relying party requests identity information from the user in a security policy and identifies transaction elements for an on-line business transaction. Typically, the security policy and transaction elements are transmitted together; the security policy can be as little as a request to conduct the on-line business transaction. The user identifies an information card that satisfies the security policy. The computer system requests a security token from the identity provider managing the information card, which can include requesting a transaction receipt for the transaction elements. The computer system then returns the security token (and the transaction receipt) to the relying party, to complete the transaction.
    Type: Grant
    Filed: August 22, 2007
    Date of Patent: December 6, 2011
    Inventors: Patrick R. Felsted, Thomas E. Doman, James G. Sermersheim, Daniel S. Sanders, Andrew A. Hodgkinson, Dale R. Olds