Intelligent Token Patents (Class 713/172)
  • Patent number: 9378345
    Abstract: A system for authenticating a customer is disclosed. The customer may attempt to access protected resources located at an authentication server. The customer may log in to the authentication server's website, thereby submitting an authentication request. The authentication request may comprise attributes of the device the customer uses to log in. The authentication server may generate a device ID using the received device attributes and generate an authentication token that is signed with the device ID. The authentication server may transmit the authentication token to the client device. Subsequent requests to access protected resources from the client device may include the authentication token that is signed with the device ID.
    Type: Grant
    Filed: April 29, 2014
    Date of Patent: June 28, 2016
    Assignee: Bank of America Corporation
    Inventors: Xianhong Zhang, Andrew Keys, Kapil Pruthi
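The device-bound token scheme in the abstract above, as an added example that is not part of the patent or of any Bank of America code. It assumes a server-side HMAC key, a device ID derived as a SHA-256 over the canonicalised login attributes, and a hex-encoded `body.tag` token format; all of these are illustrative choices, not the patent's. The constructed `LAPTOP` and `PHONE` attribute sets stand in for the "device attributes" the client submits.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical server signing key (assumption; keep real keys in an HSM/KMS).
SERVER_KEY = b"example-server-signing-key-not-for-production"


def device_id_from_attributes(attrs: dict) -> str:
    """Derive a stable device ID from the attributes submitted at login.

    The attributes are canonicalised (sorted keys, no whitespace) before
    hashing so the same device yields the same ID regardless of field order.
    """
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def issue_token(user: str, attrs: dict, ttl_seconds: int = 900,
                now: Optional[int] = None) -> str:
    """Issue a token whose MAC covers the subject, the device ID and an expiry."""
    now = int(time.time()) if now is None else now
    payload = {"sub": user, "dev": device_id_from_attributes(attrs),
               "exp": now + ttl_seconds}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    # The device ID is part of the MAC input, so the token is only valid when
    # presented together with attributes that hash to the same ID.
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag


def verify_token(token: str, attrs: dict, now: Optional[int] = None) -> Optional[str]:
    """Return the subject if the token is valid for this device, else None."""
    now = int(time.time()) if now is None else now
    try:
        body_hex, tag = token.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # forged or tampered token
    payload = json.loads(body)
    if payload["exp"] < now:
        return None  # expired
    # Recompute the device ID from the attributes on *this* request and compare
    # it in constant time with the ID bound into the token at issue time.
    if not hmac.compare_digest(payload["dev"], device_id_from_attributes(attrs)):
        return None  # token presented from a different device
    return payload["sub"]


# Constructed sample attribute sets (not real fingerprints).
LAPTOP = {"ua": "Mozilla/5.0 (X11; Linux x86_64)", "screen": "1920x1080",
          "tz": "America/New_York", "lang": "en-US"}
PHONE = {"ua": "Mozilla/5.0 (Linux; Android 14)", "screen": "1080x2400",
         "tz": "America/New_York", "lang": "en-US"}
```

Two caveats a practitioner would want: the attributes are attacker-supplied, so an adversary who captures both the token and the attribute set can replay them, which makes device binding a defence-in-depth control rather than proof of device identity; and any attribute that legitimately changes (browser upgrade, screen rotation) invalidates the token, so choose the attribute set for stability as well as entropy.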
  • Patent number: 9369282
    Abstract: Systems and methods for strong user authentication for accessing protected applications by mobile computing devices. An example method may comprise: receiving, by a mobile computing device, a cryptographic nonce via a first communication interface; transmitting, via a second communication interface, an authentication request using the cryptographic nonce, to an authentication server via an HTTP proxy server; receiving a resource access token from the authentication server; and transmitting a computing resource access request using the resource access token.
    Type: Grant
    Filed: January 29, 2014
    Date of Patent: June 14, 2016
    Assignee: Red Hat, Inc.
    Inventor: Dmitri Pal
  • Patent number: 9351236
    Abstract: Devices, systems, and methods are disclosed which relate to provisioning a universal integrated circuit card (UICC) with multiple services. The UICC enables a wireless communication device to communicate through multiple carriers by using a unique virtual subscriber identity module (SIM) to register with each carrier. The unique virtual SIM is one of a plurality of virtual SIMs stored on and managed by the UICC. A carrier network includes a server for provisioning a new virtual SIM on a UICC over-the-air (OTA) when a new customer requests a service such as voice, data, or other type of service. These UICCs may also include logic to automatically select the best carrier for a voice call depending on the user settings.
    Type: Grant
    Filed: July 19, 2011
    Date of Patent: May 24, 2016
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: James Fan, David Fenglin Chen, Richard T. Kuo
  • Patent number: 9350729
    Abstract: Bifurcated authentication token techniques are described in which sign-on credentials are separated from corresponding privilege data for resources. During client authentication, a determination is made regarding whether a service provider is configured to support bifurcated authentication token techniques. If the techniques are supported, a lightweight token is issued to the client and corresponding privilege data is stored separately from the token in a centralized authentication database. If a service provider does not support bifurcated authentication token techniques, a traditional, combined authentication token that includes privilege data is issued to the client. The lightweight token contains identity information and a reference to the privilege data, but does not contain the actual privilege data. Therefore, the lightweight cookie token alone is not sufficient to gain access to corresponding resources.
    Type: Grant
    Filed: May 21, 2014
    Date of Patent: May 24, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: Mark F. Novak
  • Patent number: 9344896
    Abstract: A method and system for delivering a command to a mobile device is provided. A one-time password is generated using a token shared with a mobile device and one of a challenge and an input string. The one-time password and a command are transmitted, along with the challenge or the input string, to the mobile device for execution thereon.
    Type: Grant
    Filed: July 10, 2009
    Date of Patent: May 17, 2016
    Assignee: IMS HEALTH INC.
    Inventor: Salah E. Machani
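The challenge-based OTP for command delivery described in the abstract above, as an added example that is not taken from the patent or from any IMS Health or RSA code. The abstract says only that the OTP is generated from the shared token and a challenge or input string and is sent along with the command; this example additionally folds the command text into the MAC input (an assumption, not something the abstract states) so that a captured OTP cannot be reused to authorise a different command, and it records used challenges on the device as a replay guard. The HOTP-style dynamic truncation is borrowed from RFC 4226.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple


def generate_command_otp(shared_token: bytes, challenge: bytes, command: str,
                         digits: int = 8) -> str:
    """Derive a numeric one-time password from the shared token and challenge.

    Assumption: the command is included in the MAC input, binding the OTP to
    this specific command as well as to this challenge.
    """
    mac = hmac.new(shared_token, challenge + b"\x00" + command.encode(),
                   hashlib.sha256).digest()
    # Dynamic truncation as in RFC 4226: offset from the low nibble of the last
    # byte, take 4 bytes, clear the sign bit, reduce to the requested digits.
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def build_command_message(shared_token: bytes, command: str) -> Dict[str, object]:
    """Server side: pick a fresh random challenge and package command + OTP."""
    challenge = os.urandom(16)
    return {"challenge": challenge, "command": command,
            "otp": generate_command_otp(shared_token, challenge, command)}


class Device:
    """Mobile device holding the shared token; executes only authenticated commands."""

    def __init__(self, shared_token: bytes) -> None:
        self._token = shared_token
        self._seen_challenges = set()  # replay guard for already-executed challenges

    def handle(self, msg: Dict[str, object]) -> Tuple[bool, str]:
        challenge, command, otp = msg["challenge"], msg["command"], msg["otp"]
        if challenge in self._seen_challenges:
            return False, "replayed challenge"
        expected = generate_command_otp(self._token, challenge, command)
        if not hmac.compare_digest(expected, otp):
            return False, "bad otp"
        self._seen_challenges.add(challenge)
        return True, f"executed {command}"


# Constructed sample shared token (assumption; real tokens are provisioned secrets).
SAMPLE_TOKEN = b"\x01\x23\x45\x67\x89\xab\xcd\xef" * 4
```

Because the challenge is chosen by the sender and carried in the clear, the device's protection against replay rests entirely on remembering which challenges it has already honoured; a device that loses that state (reboot, storage reset) should treat all previously issued commands as suspect.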
  • Patent number: 9335953
    Abstract: According to one embodiment, a memory system, such as an SDIO card, includes a nonvolatile semiconductor memory device, a control section, a memory, an extended function section, and an extension register. The extended function section is controlled by the control section. A first command reads data from the extension register in units of given data lengths. A second command writes data to the extension register in units of given data lengths. An extension register includes a first area, and a second area different from the first area; information configured to specify a type of the extended function and controllable driver, and address information indicating a place to which the extended function is assigned, the place being on the extension register, are recorded in the first area, and the second area includes the extended function.
    Type: Grant
    Filed: July 13, 2015
    Date of Patent: May 10, 2016
    Assignee: KABUSHIKI KAISHA TOSHIBA
    Inventors: Akihisa Fujimoto, Hiroyuki Sakamoto
  • Patent number: 9319389
    Abstract: A controller is provided with a controller key and a first controller identification information unique to the controller. The controller generates a controller unique key unique to a respective controller based on the controller key and the first controller identification information, and a second controller identification information based on the first controller identification information. A decryptor decrypts the encrypted medium device key using the controller unique key to obtain a medium device key. An authentication/key exchange process unit performs authentication/key exchange process with the host device through an interface unit using the medium device key, the medium device key certificate and the second controller identification information to establish a secure channel.
    Type: Grant
    Filed: June 2, 2014
    Date of Patent: April 19, 2016
    Assignee: KABUSHIKI KAISHA TOSHIBA
    Inventors: Taku Kato, Yuji Nagai, Tatsuyuki Matsushita
  • Patent number: 9298922
    Abstract: A method, system, and program product for remotely attesting to a state of a computing system is provided. Specifically, the present invention allows a remote system to establish trust in the properties of the computer system. The properties to be trusted are expanded from the usual system software layers and related configuration files to novel types of data such as static data specific to the computer system, dynamic data determined at system startup, or dynamic data created as the computer system runs applications.
    Type: Grant
    Filed: July 10, 2008
    Date of Patent: March 29, 2016
    Assignee: International Business Machines Corporation
    Inventors: Stefan Berger, Kenneth Goldman, Trenton R. Jaeger, Ronald Perez, Reiner Sailer, Enriquillo Valdez
  • Patent number: 9276943
    Abstract: Program code generates on a first computer within a computer system a unique key for a computer software application, wherein the computer software application is on a second computer within the computer system. The program code generates on the first computer an authorization code that grants a designated end user access to implement a change to a configuration item on the second computer during a configurable time period. The program code verifies the authorization code inputted into the second computer to determine if the end user has authority to implement the change on the second computer, wherein the authorization code is separated into a first string and a second string each having a fixed number of bits. The program code grants access to the end user to implement the change to the configuration item on the second computer if the end user has the authority to implement the change.
    Type: Grant
    Filed: October 25, 2013
    Date of Patent: March 1, 2016
    Assignee: International Business Machines Corporation
    Inventors: Eric M. Anderson, Krishnamohan Dantam, Ravi K. Kosaraju
  • Patent number: 9268531
    Abstract: A nonvolatile memory device includes a data generating unit for generating a first reference value randomly or pseudo-randomly according to a first program request to program data in a memory cell, a seed selecting unit for selecting at least one of a plurality of seeds using the first reference value, and a randomizer for generating randomized data by using the selected seed. The data generating unit regenerates the first reference value as a second reference value different from the first reference value when a second program request is made, and the seed selecting unit selects another seed using the second reference value.
    Type: Grant
    Filed: May 27, 2015
    Date of Patent: February 23, 2016
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Seong-Hoon Woo, Hak-Sun Kim, Seong-Hyeog Choi, Jun-Jin Kong, Hong-Rak Son, Soon-Jae Won, Jung-Soo Chung
  • Patent number: 9253188
    Abstract: An end-to-end client server system and related method for use in conjunction with mobile terminals. A client application on a mobile terminal is configured to remotely access a backend server via a gateway system. The mobile terminal includes a client application configured to generate a one time password using secret information and a password library, both known only to the client application and a verification component of the gateway system. The one time password provides an additional level of security, which is user dependent and not network dependent.
    Type: Grant
    Filed: March 17, 2009
    Date of Patent: February 2, 2016
    Assignee: Vodafone Group PLC
    Inventors: Jyoti Bhasin, Greg Reeve
  • Patent number: 9213992
    Abstract: Techniques for conducting secure online transactions are provided. Some techniques utilize a trusted, secure device that is distributed to a human user, and which only the user can access, a device reader, and a one-time secret valid only to authenticate a single transaction to improve on the traditional transaction model by isolating elements of the transaction with the user on the user's trusted, secure device. Isolating elements of the transaction on the trusted, secure device facilitates a secure transaction on an untrusted machine and over an untrusted network.
    Type: Grant
    Filed: July 8, 2005
    Date of Patent: December 15, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: David J. Steeves
  • Patent number: 9203617
    Abstract: An integrated circuit is provisioned after the integrated circuit has been sold and integrated into a customer's product. During provisioning, the integrated circuit is booted in a secure manner using a security value, such as a cryptographic key, owned by a manufacturer of the integrated circuit, or by a purchaser of the integrated circuit, to establish a secure communications channel with a provisioning server. Once the secure communications channel is established, the integrated circuit can be provisioned with a security value that is owned by the purchaser of the integrated circuit and the manufacturer's security value is disabled.
    Type: Grant
    Filed: November 29, 2011
    Date of Patent: December 1, 2015
    Assignee: VIXS SYSTEMS, INC.
    Inventors: Paul D. Ducharme, Solmaz Ghaznavi
  • Patent number: 9191405
    Abstract: A canary value is used to validate a message from a non-web browser client application to a web server providing web services to mitigate cross-site forgery attacks. The canary value is generated by the server in part by applying a hash function to a user identifier and a time stamp. The server provides the canary value to the client application in response to receiving a message that does not have a canary or has an expired canary. The client application, upon receiving an error message containing a canary value, will resend the prior message with the canary value present. The client application caches the canary value for subsequent messages until a new canary value is received. The canary value allows the server to ignore messages generated by the client application under control of an attacker.
    Type: Grant
    Filed: January 30, 2012
    Date of Patent: November 17, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Thomas Patrick Gallagher, Venkataramann Renganathan, Brian Thomas Carver, Muhammed Serdar Soran, Matthew Michael Swann, Trace David Ferrier
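The issue-on-error, cache-and-resend canary exchange from the abstract above, as an added example that is not code from the patent or from Microsoft. Assumptions not stated in the abstract: the canary is an HMAC over `user_id|timestamp` with the timestamp carried in the clear so the server can recompute it, the validity window is one hour, and the server keys the HMAC with a secret the client never sees. The client and server are both modelled in-process so the round trips can be followed without a network.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Hypothetical server secret (assumption); the client must never learn it.
SERVER_SECRET = b"example-canary-secret-not-for-production"
CANARY_TTL_SECONDS = 3600


class CanaryServer:
    """Web service that refuses state-changing messages lacking a valid canary."""

    def make_canary(self, user_id: str, ts: int) -> str:
        # Canary = timestamp in the clear + HMAC(user id, timestamp), so the
        # server can recompute it without storing per-client state.
        tag = hmac.new(SERVER_SECRET, f"{user_id}|{ts}".encode(),
                       hashlib.sha256).hexdigest()[:32]
        return f"{ts}.{tag}"

    def canary_valid(self, user_id: str, canary: Optional[str], now: int) -> bool:
        if not canary:
            return False  # missing canary
        try:
            ts_str, _ = canary.split(".", 1)
            ts = int(ts_str)
        except ValueError:
            return False  # malformed
        if ts > now or now - ts > CANARY_TTL_SECONDS:
            return False  # from the future, or expired
        return hmac.compare_digest(self.make_canary(user_id, ts), canary)

    def handle(self, user_id: str, action: str, canary: Optional[str],
               now: int) -> Dict[str, object]:
        if not self.canary_valid(user_id, canary, now):
            # Error response carries a fresh canary the client should cache.
            return {"ok": False, "error": "missing or expired canary",
                    "canary": self.make_canary(user_id, now)}
        return {"ok": True, "result": f"performed {action}"}


class NonBrowserClient:
    """Native client that caches the last canary and retries once on error."""

    def __init__(self, server: CanaryServer, user_id: str) -> None:
        self.server = server
        self.user_id = user_id
        self.canary: Optional[str] = None  # nothing cached before first exchange
        self.round_trips = 0

    def send(self, action: str, now: int) -> Dict[str, object]:
        self.round_trips += 1
        resp = self.server.handle(self.user_id, action, self.canary, now)
        if not resp["ok"] and "canary" in resp:
            # Cache the canary from the error and resend the same message once.
            self.canary = resp["canary"]
            self.round_trips += 1
            resp = self.server.handle(self.user_id, action, self.canary, now)
        return resp
```

Binding the canary to the user identifier is what stops a canary issued to one session from validating a forged message for another user; the check is only as strong as the server's confidence in `user_id`, which must come from the authenticated session rather than from the message body.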
  • Patent number: 9183683
    Abstract: A system and method for accessing secured resources using a portable device. When a user with such a portable device is within close proximity to a locked door or other secured resource, a verification process can be automatically initiated on the device. The user verification could utilize all the input and sensor methods on the device. Once the identification process has successfully completed, an access code can be transmitted to the locked door or device via wired or wireless network. This allows for reduced electronics required at these locked doors and allows for more dynamic security measures.
    Type: Grant
    Filed: September 28, 2010
    Date of Patent: November 10, 2015
    Assignee: SONY COMPUTER ENTERTAINMENT INC.
    Inventors: Steven Osman, Jeffrey Roger Stafford, Yunpeng Zhu
  • Patent number: 9177161
    Abstract: Various embodiments of the invention provide a strong logical link between a SAM and a secure terminal to combat SAM counterfeiting and misuse. The link is based on mutual validation methods using firmware and cryptographic protocols. Once the SAM is removed from a terminal that it has been tied to, or the link is broken by a tampering attempt of a potential intruder, the SAM and/or the terminal are disabled.
    Type: Grant
    Filed: February 25, 2014
    Date of Patent: November 3, 2015
    Assignee: Maxim Integrated Products, Inc.
    Inventors: Yann Yves Rene Loisel, Bhartendu Mishra
  • Patent number: 9148448
    Abstract: Systems and methods for establishing a security-related mode of operation for computing devices. A policy data store contains security mode configuration data related to the computing devices. Security mode configuration data is used in establishing a security-related mode of operation for the computing devices.
    Type: Grant
    Filed: May 10, 2013
    Date of Patent: September 29, 2015
    Assignee: BlackBerry Limited
    Inventors: Neil Patrick Adams, Herbert Anthony Little, Michael Stephen Brown, Ian Robertson, Michael Grant Kirkup, Michael Kenneth Brown, David Victor MacFarlane
  • Patent number: 9137723
    Abstract: In one embodiment, a portable, networked, computing device comprises a processor, a plurality of radios, and a memory. The device may be operable to pair, by at least one of the radios, with a device associated with a user. The device may then monitor, by one of the radios, a signal for a connection established with a first network. When the device determines that the signal for the first network has dropped below a threshold level of quality, it may enable access point mode for at least one of the paired devices by turning on a radio to establish a connection with a second network and thereby providing connectivity to the second network for the at least one of the paired devices. If multiple networks are available, the device may select an optimal network based on an assessment of one or more factors.
    Type: Grant
    Filed: June 10, 2013
    Date of Patent: September 15, 2015
    Assignee: Facebook, Inc.
    Inventors: Yael G. Maguire, Giovanni Coglitore, Caitlin E. Kalinowski
  • Patent number: 9135620
    Abstract: The claimed subject matter provides systems and/or methods that effectuates and establishes mobile device security. The system can include devices that detect point of sale mechanisms or secure token devices and based at least in part on the detection of secure token devices the system effectuates release of electronic funds persisted on a mobile device in order to satisfy a debt accrued at the point of sale mechanism.
    Type: Grant
    Filed: February 8, 2008
    Date of Patent: September 15, 2015
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Yuqun Chen, Gideon Andreas Yuval, Michael Jack Sinclair
  • Patent number: 9131382
    Abstract: Implementations of the present disclosure include methods, systems, and computer-readable storage mediums for user confirmation of actions to be performed by a web application hosted on one or more servers. Actions can include receiving user input indicating a request directed to the web application, the user input being received through a mobile web browser, determining that the user input is requesting execution of an authorized action, and in response, providing data associated with the request for processing by a mobile authenticator application, providing a user interface generated by the mobile authenticator application based on the data, and receiving user confirmation of the authorized action through the user interface, and in response: providing a signed response by the mobile authenticator application, and transmitting the signed response to the one or more servers to initiate execution of the authorized action.
    Type: Grant
    Filed: May 30, 2014
    Date of Patent: September 8, 2015
    Assignee: SAP SE
    Inventor: Martin Johns
  • Patent number: 9128646
    Abstract: An information processing apparatus to be used in a printing system having a client apparatus connected to an image forming apparatus via a network, and a server apparatus that manages setting parameters of printing conditions that can be set up on said client apparatus, said information processing apparatus being able to serve as the client apparatus and comprising: a judgment unit for judging whether said information processing apparatus is a client apparatus or not, with reference to identification information concerning said image forming apparatus stored inside said information processing apparatus; and a setting screen control unit for providing a setting screen that allows a user to select said setting parameters if it is judged that said information processing apparatus is not a client apparatus, and for providing a setting screen that allows a user to modify setting values of said selected setting parameters and prevents the user from modifying setting values of the remaining setting parameters if it
    Type: Grant
    Filed: August 4, 2009
    Date of Patent: September 8, 2015
    Assignee: KONICA MINOLTA BUSINESS TECHNOLOGIES, INC.
    Inventors: Shinichiro Motokado, Chie Sueoka, Koji Sato, Masatoshi Sato
  • Patent number: 9124564
    Abstract: Techniques are presented for establishing context awareness during first negotiation of secure key exchange. These techniques may be embodied as a method, apparatus or instructions in a computer-readable storage media. At a first network device, a message is received from a second network device as part of an initial exchange of information of a secure key exchange, the message containing information indicating one or more secure key exchange policies acceptable to the second network device and defining one or more associated security parameters. The message further contains context-specific information identifying a context of the second network device. The first network device selects a secure key exchange policy for communicating with the second network device based upon the context-specific information and sends a response message to the second network device containing the selected secure key exchange policy. If the context was understood, the response message also includes context-specific information.
    Type: Grant
    Filed: August 22, 2013
    Date of Patent: September 1, 2015
    Assignee: Cisco Technology, Inc.
    Inventors: Thamilarasu Kandasamy, Ly Loi, Rajeshwar Singh Jenwar
  • Patent number: 9104539
    Abstract: According to one embodiment, a memory system, such as an SDIO card, includes a nonvolatile semiconductor memory device, a control section, a memory, an extended function section, and an extension register. The extended function section is controlled by the control section. A first command reads data from the extension register in units of given data lengths. A second command writes data to the extension register in units of given data lengths. An extension register includes a first area, and a second area different from the first area; information configured to specify a type of the extended function and controllable driver, and address information indicating a place to which the extended function is assigned, the place being on the extension register, are recorded in the first area, and the second area includes the extended function.
    Type: Grant
    Filed: August 1, 2013
    Date of Patent: August 11, 2015
    Assignee: KABUSHIKI KAISHA TOSHIBA
    Inventors: Akihisa Fujimoto, Hiroyuki Sakamoto
  • Patent number: 9106405
    Abstract: Secret information, such as seeds, codes, and keys, can be automatically renegotiated between at least one sender and at least one recipient. Various mechanisms, such as counters, events, or challenges, can be used to trigger automatic renegotiations through various requests or communications. These changes can cause the current secret information to diverge from older copies of the secret information that might have been obtained by unintended third parties. In some embodiments, a secret can be configured to “decay” over time, or have small changes periodically introduced that can be determined to be valid by an authorized party, but can reduce the effectiveness of prior versions of the secret information.
    Type: Grant
    Filed: June 25, 2012
    Date of Patent: August 11, 2015
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory B. Roth, Cristian M. Ilac
  • Patent number: 9100422
    Abstract: Different network segments can have overlapping address spaces. In one embodiment, the present invention includes a distributed agent of a security system receiving a security event from a network device monitored by the agent. In one embodiment, the agent normalizes the security event into an event schema including one or more zone fields. In one embodiment, the agent also determines one or more zones associated with the received security event, the one or more zones each describing a part of a network, and populates the one or more zone fields using the determined one or more zones.
    Type: Grant
    Filed: October 27, 2004
    Date of Patent: August 4, 2015
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Kenny Tidwell, Christian Beedgen
  • Patent number: 9098715
    Abstract: A system and method for enabling the sharing of content between secure applications and unsecure applications are described herein. Content requests can be received from secure applications and unsecure applications. In response to the content requests, listings of options can be returned that have the ability to satisfy the content requests from the requesting secure applications or the requesting unsecure applications. In addition, selections of the options of the listings of options can be received through the requesting secure applications or the requesting unsecure applications. Content locations that are to be returned to the secure applications can be selectively modified such that subsequent content requests that involve the modified content locations are identified as being associated with an unsecure option.
    Type: Grant
    Filed: October 28, 2014
    Date of Patent: August 4, 2015
    Assignee: OPENPEAK INC.
    Inventors: Stephen K. Spear, Jr., Andrew James Dobson
  • Patent number: 9098950
    Abstract: The invention relates to a method and system for the user-specific initialization of identification devices in the field, particularly on-board units in road toll systems, based on a central facility, whereby each identification device, when delivered, has a unique device identification to which, in the central facility, a unique user identification is assigned, and in the central facility, an initialization PIN is generated from the device identification and from the user identification and is transmitted to the identification device from which the identification device, based on its device identification, computes the user identification for the user-specific initialization.
    Type: Grant
    Filed: September 21, 2005
    Date of Patent: August 4, 2015
    Assignee: Kapsch TrafficCom AG
    Inventor: Bernd Eberstaller
  • Patent number: 9098726
    Abstract: An architecture for multi-core and many-core processor systems includes a set of resource managers having a hierarchy of at least one level. The resource managers act as trusted proxies for the operating system (OS) kernel to manage resources for applications. The application may include a trusted secure specification defining resource and access privileges of the associated application.
    Type: Grant
    Filed: October 9, 2012
    Date of Patent: August 4, 2015
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Daniel G. Waddington, Chen Tian
  • Patent number: 9094193
    Abstract: A controller is provided with a controller key and a first controller identification information unique to the controller. The controller generates a controller unique key unique to a respective controller based on the controller key and the first controller identification information, and a second controller identification information based on the first controller identification information. A decryptor decrypts the encrypted medium device key using the controller unique key to obtain a medium device key. An authentication/key exchange process unit performs authentication/key exchange process with the host device through an interface unit using the medium device key and the medium device key certificate to establish the secure channel.
    Type: Grant
    Filed: April 11, 2014
    Date of Patent: July 28, 2015
    Assignee: KABUSHIKI KAISHA TOSHIBA
    Inventors: Taku Kato, Yuji Nagai, Tatsuyuki Matsushita
  • Patent number: 9081715
    Abstract: A method begins by a computing device determining that data is stored in dispersed storage network (DSN) memory and sending a data retrieval request to a DSN access token module regarding the data. The method continues with the DSN access token module generating a plurality of sets of data slice read requests and sending the plurality of sets of data slices read requests to the computing device. The method continues with, for a set of data slices read requests, the computing device sending the set of data slices read requests to the DSN memory, receiving data slices from the DSN memory, and sending the data slices to the DSN access token module. The method continues with the DSN access token module decoding the data slices to produce a decoded data segment and sending the decoded data segment to the computing device.
    Type: Grant
    Filed: January 10, 2012
    Date of Patent: July 14, 2015
    Assignee: Cleversafe, Inc.
    Inventors: Gary W. Grube, Timothy W. Markison, Greg Dhuse, Jason K. Resch, Ilya Volvovski, Wesley Leggette
  • Patent number: 9077931
    Abstract: A memory device memorizes, in association, possessor identification information, which is recorded at recording mediums carried by authorized users of an image forming device, and inputter identification information corresponding to the possessor identification information. An information retention device memorizes image information and inputter identification information transmitted from an image formation instruction device. A reading device reads possessor identification information from a recording medium. If it is determined that this possessor identification information has been memorized at the memory device, an image formation section reads image information that is associated with inputter identification information that is associated with the possessor identification information, and implements image formation. If not, an output section outputs the possessor identification information.
    Type: Grant
    Filed: April 4, 2008
    Date of Patent: July 7, 2015
    Assignee: FUJI XEROX CO., LTD.
    Inventor: Kazuaki Ozawa
  • Patent number: 9071424
    Abstract: One embodiment is directed to a method performed by a computing device. The method includes (a) engaging in a handshake procedure with a remote second computing device to establish a secure channel, (b) generating a first encryption key using a first token having a secret seed, the first encryption key being the same as a second encryption key generated by the second computing device using a second token having the same secret seed, and (c) using the first encryption key to engage in encrypted communications with the second computing device. Other embodiments are directed to a computerized apparatus and a computer program product for performing a method similar to that described above.
    Type: Grant
    Filed: March 29, 2013
    Date of Patent: June 30, 2015
    Assignee: EMC Corporation
    Inventors: Piers Bowness, Paul A. Dennis
  • Patent number: 9071427
    Abstract: A system and method for generating a secret key to facilitate secure communications between users. A first and a second monoid, and a function between the two monoids, are selected, the function being a monoid homomorphism. A group and a group action of the group on the first monoid are selected. Each user is assigned a submonoid of the first monoid so that these submonoids satisfy a special symmetry property determined by the function, a structure of the first and second monoids, and the action of the group. A multiplication of an element in the second monoid and an element in the first monoid is obtained by combining the group action and the monoid homomorphism. First and second users choose private keys which are sequences of elements in their respective submonoids. A first result is obtained by multiplying an identity element by the first element of the sequence in a respective submonoid.
    Type: Grant
    Filed: January 30, 2014
    Date of Patent: June 30, 2015
    Assignee: SecureRF Corporation
    Inventors: Iris Anshel, Michael Anshel, Dorian Goldfeld
  • Patent number: 9049025
    Abstract: A server receives encrypted information for an intended recipient. The server determines, based on recipient information, whether the recipient's device is able to decrypt the encrypted information. If so, the encrypted information is provided to the device. Upon determining that the device is unable to decrypt the encrypted information, the server sends a notification message to the device. The notification message indicates that the encrypted message has been received. In response to the notification message, the server receives a response from the device. If the device is successfully authenticated, based on the response, the server decrypts the encrypted information and provides the decrypted information to the device for presentation to the recipient.
    Type: Grant
    Filed: June 20, 2011
    Date of Patent: June 2, 2015
    Assignee: Cellco Partnership
    Inventors: Ye Huang, Jerry Kupsh, Amir Mayblum
  • Publication number: 20150149782
    Abstract: Systems, methods, and technologies for configuring a conventional smart card and client machine, and for performing a smart card authorization using the configured smart card and client. Further, the combination of methods provides for mutual authentication: authentication of the client to the user, and authentication of the user to the client. The authentication methods include presenting a specified token to the user sufficient to authenticate the client to the user and thus protect the user-provided PIN. Security is strengthened by using an integrity key based on approved client system configurations. Security is further strengthened by calculating a PIN′ value based on a user-specified PIN and a modifier and using the PIN′ value for unlocking the smart card.
    Type: Application
    Filed: February 2, 2015
    Publication date: May 28, 2015
    Inventors: Stefan Thom, Erik Lee Holt, Shivaram H. Mysore, Valerie Kathleen Bays, Carl M. Ellison
  • Patent number: 9043600
    Abstract: Systems and/or methods are described relating to a security model that provides interoperability with foreign security domains while remaining scalable to small embedded devices. A security token service is provided, which is configured to issue, renew, and/or validate security tokens in response to a token request. A communication protocol, corresponding message structures, and the security tokens are defined in accordance with protocol buffer definitions.
    Type: Grant
    Filed: July 3, 2013
    Date of Patent: May 26, 2015
    Assignee: ROCKWELL AUTOMATION TECHNOLOGIES, INC.
    Inventors: Taryl J. Jasper, Michael B. Miller, Robert A. Brandt
  • Patent number: 9038192
    Abstract: A cryptanalysis method comprising: (A) Performing a ciphertext-only direct cryptanalysis of A5/1 and (B) Using results of Step (A) to facilitate the decryption and/or encryption of further communications that are consistent with encryption using the session key and/or decryption using the session key, wherein the cryptanalysis considers part of the bits of the session key to have a known fixed value, and wherein the cryptanalysis finds the session key. An efficient known plaintext attack on A5/2 comprises trying all the possible values for R4, and for each such value solving the linearized system of equations that describe the output; the solution of the equations gives the internal state of R1, R2, and R3; together with R4, this gives the full internal state which gives a suggestion for the key.
    Type: Grant
    Filed: September 20, 2012
    Date of Patent: May 19, 2015
    Inventors: Elad Barkan, Eli Biham
  • Publication number: 20150134965
    Abstract: In a method of provisioning a virtual machine (VM) to a computing network (401), a VM manager or provisioner (403, 408) encrypts a virtual machine using a key bound to at least one security profile indicative of one or more security requirements that a computing resource (402) of the computing network (401) must satisfy in order to be able to decrypt the VM. A key for use in decrypting the VM has previously been sealed into multiple (and preferably into all) computing resources (402) in the network into which the VM is to be provisioned, and has been sealed such that a computing resource can obtain the key only if it is in a state that satisfies the security profile, or at least one security profile, to which the key is bound. The VM manager or provisioner (403, 408) creates a VM launch package that includes the encrypted VM and that also includes a key that may be used in decrypting the encrypted VM.
    Type: Application
    Filed: May 24, 2012
    Publication date: May 14, 2015
    Applicant: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Fredric Morenius, Christian Gehrmann, András Méhes
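    The sealing flow in the abstract above, as an added example that is not part of the patent or the original page: a key is wrapped on each node under a key-encryption key derived from the node's own root secret and the state digest the security profile requires, so a node can rederive that KEK (and unwrap the key) only when its measured state equals the profile. The launch package then carries the encrypted VM plus the per-VM key wrapped under the profile key, as the abstract describes. All names here are hypothetical, the boot "measurements" are constructed sample strings, and the HMAC-SHA256 counter-mode cipher is a stand-in for AES-GCM so the example runs on the standard library alone.

```python
import hashlib
import hmac
import os


def _keystream(key, nonce, n):
    """Toy keystream (HMAC-SHA256 in counter mode); stands in for AES-GCM, not for production."""
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def encrypt(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Returns the plaintext, or None when the key is wrong (tag mismatch)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def measure(components):
    """PCR-style extend chain over the components a node booted with (constructed inputs)."""
    digest = bytes(32)
    for c in components:
        digest = hashlib.sha256(digest + hashlib.sha256(c).digest()).digest()
    return digest


class ComputeResource:
    """Hypothetical node (the abstract's computing resource 402) with a TPM-like root secret."""

    def __init__(self, booted_with):
        self._root = os.urandom(32)         # stands in for the TPM storage root key
        self.state = measure(booted_with)   # the state the node is actually in
        self._sealed = {}                   # profile id -> sealed profile key

    def _kek(self, state_digest):
        return hmac.new(self._root, b"seal|" + state_digest, hashlib.sha256).digest()

    def seal(self, profile_id, required_state, key):
        # Wrapped under a KEK derived from the REQUIRED state, not the current one:
        # only a node whose current state equals the profile can rederive it.
        self._sealed[profile_id] = encrypt(self._kek(required_state), key)

    def unseal(self, profile_id):
        blob = self._sealed.get(profile_id)
        return None if blob is None else decrypt(self._kek(self.state), blob)

    def launch(self, package):
        """Returns the decrypted VM image, or None if this node cannot obtain the key."""
        profile_key = self.unseal(package["profile"])
        if profile_key is None:
            return None
        vm_key = decrypt(profile_key, package["wrapped_vm_key"])
        return None if vm_key is None else decrypt(vm_key, package["encrypted_vm"])


def build_launch_package(profile_id, profile_key, vm_image):
    """VM manager side: fresh per-VM key, VM encrypted under it, key wrapped under the profile key."""
    vm_key = os.urandom(32)
    return {"profile": profile_id,
            "encrypted_vm": encrypt(vm_key, vm_image),
            "wrapped_vm_key": encrypt(profile_key, vm_key)}


def demo():
    """Two nodes in the approved state and one running a debug hypervisor; returns each launch result."""
    good = [b"measured-bootloader-v2", b"kernel-5.10-signed", b"hypervisor-hardened"]
    bad = [b"measured-bootloader-v2", b"kernel-5.10-signed", b"hypervisor-debug-build"]
    policy = measure(good)                  # the security profile, expressed as a required state
    profile_key = os.urandom(32)
    nodes = [ComputeResource(good), ComputeResource(good), ComputeResource(bad)]
    for node in nodes:                      # key sealed into every node ahead of time
        node.seal("prod-profile", policy, profile_key)
    package = build_launch_package("prod-profile", profile_key, b"constructed VM image bytes")
    return [node.launch(package) for node in nodes]


if __name__ == "__main__":
    print(demo())
```

    The point worth checking in a real deployment is the one the third node exercises: the node never compares its state against the policy itself, so there is no branch to patch out; a wrong state simply yields a wrong KEK and an authentication failure on unwrap.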
  • Patent number: 9032210
    Abstract: The invention relates to a method for configuring a mobile device capable of reproducing, for a user, multimedia content previously provided by a remote content server. The invention relates to using a client installed on said electronic device to relay authentication requests between a card, preferably complying with the provisions of the Mobile Commerce Extension standard, and an authentication server that is accessible via an access point.
    Type: Grant
    Filed: August 11, 2010
    Date of Patent: May 12, 2015
    Assignee: Gemalto SA
    Inventor: Olivier Guichard
  • Patent number: 9027110
    Abstract: The present invention relates to the field of information security. Disclosed are a system and method for communication between a dynamic token and a tool, the system comprising a tool part and a dynamic token part; the tool part comprises a control module and a tool radio frequency communication module; the dynamic token part comprises an MCU and liquid crystal module and an OTP radio frequency communication module. The method comprises: the tool part transmits a modulated wake-up command signal to the dynamic token part in the form of an electromagnetic wave; when a wake-up response command signal returned by the dynamic token part is correctly received, the tool part transmits the modulated command signal to the dynamic token part in the form of an electromagnetic wave; and the tool part detects the amplitude variation of the generated carrier signal, judges whether the response signal is correctly received, and operates correspondingly.
    Type: Grant
    Filed: August 28, 2012
    Date of Patent: May 5, 2015
    Assignee: Feitian Technologies Co., Ltd.
    Inventors: Zhou Lu, Huazhang Yu
  • Patent number: 9027102
    Abstract: A mobile access terminal providing access to data in a secure element of the mobile access terminal is provided. The mobile access terminal comprises the secure element; a web browser; a near field communications system; an over-the-air proxy; an application programming interface layer; and a web server residing on a secure storage area of the mobile access terminal, wherein the web browser is provided with exclusive access to the web server.
    Type: Grant
    Filed: May 11, 2012
    Date of Patent: May 5, 2015
    Assignee: Sprint Communications Company L.P.
    Inventors: Robin Dale Katzer, Lyle W. Paczkowski
  • Patent number: 9021566
    Abstract: A web server authenticates a user with a web client using a database user table and provides a list of new applications, suspended application sessions, and running application sessions. In response to a request for a new application session, a connection is made from an agent server to an application server hosting the requested application, and connection information including a unique session_ID is added to a database session table such that the client can send a user selection for a session_ID to the web server, which associates the requested session_ID to an existing suspended or running application session using the connection database. For additional security, the client is determined to be trusted or untrusted, and if untrusted, connections to the client are made through a forwarding host, which makes connections to the agent server, and the agent server maintains persistent connections from the agent server to the application server.
    Type: Grant
    Filed: October 19, 2012
    Date of Patent: April 28, 2015
    Assignee: Starnet Communications Corporation
    Inventors: Panagiotis Panayotopoulos, Martin Porcelli, Steven Schoch
  • Patent number: 9021557
    Abstract: A system and method for realizing specific security features for a mobile device that may store sensitive and private data by providing secured communications to a paired remote device. In this respect, both the mobile device (which may be a mobile phone, for example) and the paired remote device (which may be a keychain, for example) include a SIM card that may have identification data stored therein. Once paired, the two devices may communicate encrypted security messages back and forth in order to implement various security measures to protect data and wireless communications. Such messages may be generated from initial information known only to each respective device such as a randomly generated offset number and a common time reference.
    Type: Grant
    Filed: October 27, 2011
    Date of Patent: April 28, 2015
    Assignee: STMicroelectronics Pte Ltd
    Inventor: Olivier Leneel
  • Patent number: 9015476
    Abstract: Methods, apparatus and articles of manufacture for implementing cryptographic devices operable in a challenge-response mode are provided herein. A method includes storing a set of authentication information in a first cryptographic device associated with a user, receiving a challenge in the first cryptographic device in connection with a user authentication request responsive to a request from the user to access a protected resource, wherein the challenge comprises an index of at least one non-sequential portion of the authentication information stored in the first cryptographic device, and outputting a non-sequential portion of the authentication information from the set of authentication information stored in the first cryptographic device in response to the challenge for use in authenticating the user.
    Type: Grant
    Filed: December 7, 2012
    Date of Patent: April 21, 2015
    Assignee: EMC Corporation
    Inventors: Ari Juels, Guoying Luo, Kevin D. Bowers
  • Patent number: 9015820
    Abstract: Systems and methods for authenticating a request submitted from a client device through a third party content provider to an electronic entity are described. In one embodiment, a method includes providing a trusted script to the third party content provider, passing a trust token to the third party content provider and to the client device, and, in response to a request submitted from the client device through the third party content provider, validating the trust token associated with the request with the token passed to the client device, and processing the request. The trusted script is configured to create a trusted window on the third party Web page displayed on the client computing device, receive a trust token from the electronic entity through the trusted window, and associate the trust token with requests submitted from the client computing device through the third party content provider to the electronic entity.
    Type: Grant
    Filed: June 28, 2013
    Date of Patent: April 21, 2015
    Assignee: Amazon Technologies, Inc.
    Inventors: Amit Bhosle, Scott G. Carmack, Dhanvi Harsha Kapila, Shilpi Gupta, Mehul Jain, Sachin Purushottam Joglekar, Ashish Agrawal
  • Patent number: 9014680
    Abstract: An apparatus, and an associated method, for providing secured effectuation of a communication service at a substitute mobile station. A user desiring temporarily to use a substitute mobile station to carry out the communication service initiates a request at the mobile station for its use. The communication service is available to be performed at the substitute mobile station for a selected period. Upon termination of the selected period, the communication service session ends, and data associated with the communication service session is deleted from the substitute mobile station.
    Type: Grant
    Filed: August 12, 2010
    Date of Patent: April 21, 2015
    Assignee: BlackBerry Limited
    Inventors: Daryl Joseph Martin, James Andrew Godfrey, John Ferguson Wilson
  • Patent number: 9015856
    Abstract: In one embodiment, receiving a notice from a first user associated with a first mobile device indicating that the first user wishes to share information of the first user with one or more second users respectively associated with one or more second mobile devices; accessing information known about one or more users and one or more mobile devices respectively associated with the one or more users; identifying at least one candidate for the first user based on the information known about the one or more users and the one or more mobile devices; and confirming one or more of the at least one candidate as the one or more second users.
    Type: Grant
    Filed: August 8, 2011
    Date of Patent: April 21, 2015
    Assignee: Facebook, Inc.
    Inventor: Jonathan Arie Matus
  • Patent number: 9015821
    Abstract: A user authentication method and system. A computing system receives from a user, a first request for accessing specified functions executed by a specified software application. The computing system enables a security manager software application and connects the specified software application to a computing apparatus. The computing system executes first security functions associated with the computing apparatus. The computing system executes second security functions associated with additional computing apparatuses. The computing system determines if the user may access the specified functions executed by the specified software application based on results of executing the first security functions and the second security functions. The computing system generates and stores a report indicating the results.
    Type: Grant
    Filed: July 26, 2013
    Date of Patent: April 21, 2015
    Assignee: International Business Machines Corporation
    Inventors: Sara H. Basson, Dimitri Kanevsky, Edward E. Kelley, Irina Rish
  • Patent number: 9015817
    Abstract: A computer system receives a request to access a server. The request includes a first device tag set. When the first device tag set matches a previously assigned device tag set, the computer system allows access to the server without requesting full access credentials of a user. The computer system invalidates the first device tag set, and sends a second device tag set. When the first device tag set does not match the previously assigned device tag set, the computer system requests full access credentials from the user.
    Type: Grant
    Filed: April 3, 2013
    Date of Patent: April 21, 2015
    Assignee: Symantec Corporation
    Inventors: Mingliang Pei, Liyu Yi, Ajay Ramamurthy, Mark Chan, Salil Sane
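    The tag-rotation logic in the abstract above, as an added example that is not part of the patent or the original page: a device presenting the currently assigned tag is let in without full credentials, that tag is invalidated, and a fresh one is returned; any other tag forces a full login. The one addition beyond the abstract is the handling of a replayed, already-invalidated tag, which implies two parties hold the same tag, so the example also drops the device's current tag. Class and function names are hypothetical and the user table is a constructed sample.

```python
import hmac
import secrets

USERS = {"alice": "correct horse battery staple"}   # constructed sample credential table


def _eq(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())


class DeviceTagServer:
    """Hypothetical server keeping one live tag per device plus every retired tag."""

    def __init__(self):
        # device_id -> {"user": str, "tag": current tag or None, "retired": set of old tags}
        self._devices = {}

    @staticmethod
    def _verify_credentials(user, password):
        expected = USERS.get(user)
        return expected is not None and _eq(expected, password)

    def _rotate(self, device_id, user):
        """Invalidate the current tag (if any) and issue a new one."""
        rec = self._devices.setdefault(device_id, {"user": user, "tag": None, "retired": set()})
        rec["user"] = user
        if rec["tag"] is not None:
            rec["retired"].add(rec["tag"])
        rec["tag"] = secrets.token_hex(32)
        return rec["tag"]

    def access(self, device_id, tag=None, credentials=None):
        """Returns (status, new_tag); status is 'allowed', 'credentials_required' or 'denied'."""
        rec = self._devices.get(device_id)
        if rec and tag is not None and rec["tag"] is not None and _eq(tag, rec["tag"]):
            # Matching tag: no credentials needed; invalidate it and send the next one.
            return "allowed", self._rotate(device_id, rec["user"])
        if rec and tag in rec["retired"]:
            # Not in the abstract: a replayed retired tag means the tag was copied,
            # so the live tag is revoked too and the user must log in fully.
            if rec["tag"] is not None:
                rec["retired"].add(rec["tag"])
            rec["tag"] = None
        if credentials is None:
            return "credentials_required", None
        user, password = credentials
        if not self._verify_credentials(user, password):
            return "denied", None
        return "allowed", self._rotate(device_id, user)


if __name__ == "__main__":
    srv = DeviceTagServer()
    status, t1 = srv.access("dev1", credentials=("alice", "correct horse battery staple"))
    status, t2 = srv.access("dev1", t1)          # tag login, t1 now invalid
    print(srv.access("dev1", t1))                # replay -> credentials_required
```

    Because a tag is single-use, a client that loses the response carrying its new tag (a dropped connection) will also be sent back to full login; treat that as the expected cost of the scheme rather than a bug.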
  • Patent number: 9015495
    Abstract: A mobile terminal for use with a cellular or mobile telecommunications network includes a normal execution environment and a secure execution environment. The mobile terminal enables the software of the terminal in the secure execution environment to be updated. The terminal may be provided with minimal software initially in the secure execution environment, and is operable to subsequently update the software by over the air transmission of software. Also disclosed is a method for managing rights in respect of broadcast, multicast and/or unicast (downloaded) data. The method defines a service protection platform implemented on mobile terminals having both a normal execution environment and a secure execution environment. Service protection is provided by separating the operation of service protection application components into those that operate in the normal environment and those that are adapted to execute only in the secure execution environment.
    Type: Grant
    Filed: December 2, 2013
    Date of Patent: April 21, 2015
    Assignee: Vodafone IP Licensing Limited
    Inventors: Mark Priestley, Timothy Wright, Caroline Jessica Belrose, Nicholas Bone, James Irwin