Intelligent Token Patents (Class 713/172)
  • Patent number: 9009463
    Abstract: A system is configured to receive, by one or more servers, a request for a certificate from a user device. The request may include a first parameter, a second parameter, and a third parameter. The system is further configured to identify a key based on the first parameter, generate a fourth parameter based on the key and the third parameter, authenticate the user device based on the fourth parameter and the second parameter, generate the certificate based on authenticating the user device, store information associated with the certificate, and send the certificate to the user device. The user device may use the certificate to establish a session to interact with an application server.
    Type: Grant
    Filed: July 9, 2012
    Date of Patent: April 14, 2015
    Assignee: Verizon Patent and Licensing Inc.
    Inventor: Fenglin Yin
  • Patent number: 9003476
    Abstract: A method of establishing secure communications between a first computer, e.g. a client computer, and a second computer, e.g. a web server, whereby the client computer receives one or more security policies relating to the web server. A client application examines the client computer and preferably configures one or more aspects of the client computer in order to make it comply with the security policies. Once the web server receives the results of this examination and/or configuration process, it can determine whether the secure communications are to be established and whether any restrictions need to be placed on this communication and/or the activity conducted via the communication.
    Type: Grant
    Filed: June 26, 2012
    Date of Patent: April 7, 2015
    Assignee: Symbiotic Technologies Pty Ltd
    Inventor: Andreas Baumhof
  • Patent number: 9003541
    Abstract: A method, apparatus and computer program product relating to software license tokens is presented. A client system requests launching of a software application and retrieves a first software license token associated with the software application. The client system determines whether the license token associated with the software application is valid, wherein when the license token is valid, the client system launches the software application. When the license token is not valid then the client system requests a replacement license token. The client system receives the replacement license token and stores the replacement license token. The client system then retrieves the stored license token and determines whether the license token is valid. When the license token is valid, then the software application is launched, when the software license token is not valid then the client system refrains from launching of the software application.
    Type: Grant
    Filed: December 22, 2009
    Date of Patent: April 7, 2015
    Assignee: Adobe Systems Incorporated
    Inventor: Mansukh Patidar
  • Patent number: 9003186
    Abstract: Systems, methods and apparatus for a distributed security that provides authentication and authorization management. The system can include an epoch manager that is used to generate authentication and authorization data that remain valid only for an epoch. The epoch manager can generate an epoch key pair that can be used to encrypt and decrypt the authentication and authorization data during the epoch that the key is valid. The epoch manager can also associate the contents of the data with the epoch in which it was created, so that at decrypting the epoch that the data was generated in can be identified.
    Type: Grant
    Filed: July 24, 2008
    Date of Patent: April 7, 2015
    Assignee: Zscaler, Inc.
    Inventors: Kailash Kailash, Shashidhara Mysore Nanjundaswamy, Amarnath Mullick, Jose Raphel
  • Patent number: 8996873
    Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session with. The server transmits the encrypted premaster secret to the different server for decryption along with other information necessary to compute a master secret. The different server decrypts the encrypted premaster secret, generates the master secret, and transmits the master secret to the server. The server receives the master secret and continues with the handshake procedure including generating one or more session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server.
    Type: Grant
    Filed: April 8, 2014
    Date of Patent: March 31, 2015
    Assignee: Cloudflare, Inc.
    Inventors: Sébastien Andreas Henry Pahl, Matthieu Philippe François Tourne, Piotr Sikora, Ray Raymond Bejjani, Dane Orion Knecht, Matthew Browning Prince, John Graham-Cumming, Lee Hahn Holloway, Nicholas Thomas Sullivan, Albertus Strasheim
  • Patent number: 8996872
    Abstract: The invention discloses a contactless seed programming method, belonging to information security field. In the method, a seed programming device obtains a token ID of a dynamic token, obtains corresponding first seed data according to the token ID, communicates with the dynamic token contactlessly, obtains first seed data from the dynamic token, decrypts the first seed data so as to obtain second seed data, encrypts the second seed data with the first data so as to obtain third seed data and sends the third seed data to the dynamic token; and the dynamic token decrypts the seed and updates seed stored in itself. By the invention, programming operation is simplified and programming efficiency is improved by communicating with the dynamic token contactlessly and security is ensured by transferring the encrypted seed during communication between the programming device and the token.
    Type: Grant
    Filed: December 25, 2012
    Date of Patent: March 31, 2015
    Assignee: Feitian Technologies Co., Ltd.
    Inventors: Zhou Lu, Huazhang Yu
  • Patent number: 8997241
    Abstract: An information handling system analyzes secondary information captured with an image of a two-dimensional barcode to perform a function. For example, a mobile phone camera captures an image of a QR code at a product plus characters printed next to the QR code, uses optical code recognition to determine the characters, and applies information from the QR code and the characters to register the product. As another example, a security indicator is captured with an image of the QR code and applied to access information of the QR code, such as by using GPS position information, local network information, or telephone number information to encrypt and/or decrypt information stored in the QR code.
    Type: Grant
    Filed: October 18, 2012
    Date of Patent: March 31, 2015
    Assignee: Dell Products L.P.
    Inventors: Kevin D. Terwilliger, Orin M. Ozias, Scott C. Lauffer
  • Patent number: 8990890
    Abstract: In a first embodiment of the present invention, a method for operating a presence server in a home network is provided, the method comprising: receiving a request for presence information; sending an event notification to all subscribed control points informing them of the request for presence information; receiving an action from one of the subscribed control points accepting or rejecting the request for presence information; and if the action received from the one of the subscribed control points accepts the request for presence information, causing presence information regarding the one of the subscribed control points to be sent to the entity that sent the request for presence information.
    Type: Grant
    Filed: April 27, 2011
    Date of Patent: March 24, 2015
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Mahfuzur Rahman, Russell Berkoff
  • Patent number: 8990572
    Abstract: A method for conducting smart card transactions is provided that includes causing a computer to recognize communications from a mobile device as communications from a smart card reader containing a smart card, and conducting a smart card transaction in accordance with smart card security techniques with the mobile device.
    Type: Grant
    Filed: April 24, 2012
    Date of Patent: March 24, 2015
    Assignee: Daon Holdings Limited
    Inventors: Martin Patefield-Smith, James Ahern
  • Patent number: 8990557
    Abstract: Systems and methods for implementing an identity assertion framework to authenticate a user in a federation of security domains are provided. A first security token service (STS) is configured to receive a request for a first token from a consumer and to issue the first token to the consumer. The first STS is associated with a first security domain, and the first token is issued according to a first issuing policy of the first security domain. A service provider within a second security domain receives the first token and makes a determination whether the first token is invalid in the second security domain. A second STS receives the first token from the service provider, determines that the first token was issued by the first STS, and validates the first token according to a federation policy between the first security domain and the second security domain.
    Type: Grant
    Filed: February 17, 2011
    Date of Patent: March 24, 2015
    Assignee: eBay Inc.
    Inventors: Farhang Kassaei, Neeti Deshmukh, Peter Johnson, Franco Travostino, Sachin Khanna, Anand Bahety, Benoy Antony
  • Publication number: 20150082042
    Abstract: A digital programmable smart card terminal device and token collectively known as the token device is disclosed. The token device comprises a field programmable token device which accepts a user's smart card. The combination of token device and smart card may then be used for a variety of applications that include user authentication, secure access, encryption. One specific application is that of an electronic wallet. In one embodiment, an electronic smart card terminal includes a smart card reader adapted to receive and communicate with a smart card having smart card data stored thereon; token personality logic programmed based on the smart card data as a token personality subsequent to insertion of the smart card in the smart card reader; and a communications mechanism for communicating authentication data derived from the token personality. Since the smart card terminal only gains its token personality when a smart card is inserted, manufacture and distribution of the terminal on a wide scale is possible.
    Type: Application
    Filed: November 25, 2014
    Publication date: March 19, 2015
    Inventors: Frank Hoornaert, Mario Houthooft
  • Patent number: 8983072
    Abstract: Disclosed is a method for securely processing data in a portable data carrier. Said method is characterized by the following steps: a) the data to be processed is requested; b) the data to be processed is encoded; c) the encoded data is temporarily stored in a buffer storage zone of the data carrier; d) the temporarily stored, encoded data is decoded by means of a decoding key; and e) the decoded data is processed.
    Type: Grant
    Filed: May 11, 2006
    Date of Patent: March 17, 2015
    Assignee: Giesecke & Devrient GmbH
    Inventor: Michael Baldischweiler
  • Publication number: 20150074412
    Abstract: A method of configuring a controller of a portable-computer-readable-medium for performing a cryptographic function, and a portable-computer-readable-medium configured by same, are disclosed. The portable-computer-readable-medium has memory means in which at least first and second data files are stored, each file starting at a respective Logical Block Address (LBA) of the memory means. A first code, for instance a private key, is written in the first file. A password is associated with the second file. The controller of the portable-computer-readable-medium is configured to perform a hash function upon input data to be written to the second file with the first code, write the output hash to at least the second LBA, increment the first code and write the incremented first code to the first LBA.
    Type: Application
    Filed: September 12, 2014
    Publication date: March 12, 2015
    Inventor: Carl Beame
  • Patent number: 8977857
    Abstract: A client device has one or more processors and memory. An application running on the device obtains a client certificate from a system service running on the device. The certificate includes a public key for the device. The device is authenticated to a remote server using the certificate. The application receives encrypted application identification information and an encrypted access token from the server. The application is authenticated to the device by comparing the received application identification information with corresponding application identification information from the application. The application invokes the system service to unencrypt the access token using the private key corresponding to the public key. The application sends a request for protected information to the server. The request includes the unencrypted access token.
    Type: Grant
    Filed: February 8, 2013
    Date of Patent: March 10, 2015
    Assignee: Google Inc.
    Inventor: Oscar del Pozo Triscon
  • Patent number: 8978124
    Abstract: A system receives a request to store a document in a database, receives a user security token, analyzes the document to determine an adjudicated security level for the document, compares the user security token to the adjudicated security level, stores the document when the user security token is equal to the adjudicated security level, when the user security token is not equal to the adjudicated security level, queries the user as to whether the document should be stored with the adjudicated security level, receives a response to the query from the user, stores the document when the user agrees to store the document with the adjudicated security level, and when the user does not agree to store the document with the adjudicated security level, transmits a message to a security officer and quarantines the document.
    Type: Grant
    Filed: October 16, 2012
    Date of Patent: March 10, 2015
    Assignee: Raytheon Company
    Inventors: Charles B. Bradley, II, Thomas D. Farley, Jason S. Nadeau
  • Patent number: 8977844
    Abstract: An embodiment generally relates to a method of managing tokens. The method includes detecting a presence of a token at a client and determining a status of the token. The method also includes formatting the token at the client in response to the status of the token being unformatted.
    Type: Grant
    Filed: August 31, 2006
    Date of Patent: March 10, 2015
    Assignee: Red Hat, Inc.
    Inventors: Steven William Parkinson, Robert B. Lord
  • Patent number: 8971533
    Abstract: Systems and methods are described herein for supporting end users of a mobile device, such as a mobile phone, to reset a secure element associated with the communication device. The reset process may include clearing the secure element, associated memories, and storage devices of any user specific or personalized information associated with the user. The reset process may also include removing or resetting keys or other identifiers within the secure element that associate the mobile device with a particular secure service provider. According to various embodiments, a computer-implemented method for resetting a secure element within a network device may include receiving an encrypted reset request message at the secure element, decrypting the encrypted reset request message using a communication key, verifying authorization for the reset request message, and atomically clearing parameters associated with the secure element.
    Type: Grant
    Filed: April 22, 2013
    Date of Patent: March 3, 2015
    Assignee: Google Inc.
    Inventors: Jonathan Wall, Rob von Behren
  • Patent number: 8966269
    Abstract: Systems, methods, and technologies for configuring a conventional smart card and client machine, and for performing a smart card authorization using the configured smart card and client. Further, the combination of methods provides for mutual authentication—authentication of the client to the user, and authentication of the user to the client. The authentication methods include presenting a specified token to the user sufficient to authenticate the client to the user and thus protect the user-provided PIN. Security is strengthened by using an integrity key based on approved client system configurations. Security is further strengthened by calculating a PIN′ value based on a user-specified PIN and a modifier and using the PIN′ value for unlocking the smart card.
    Type: Grant
    Filed: June 27, 2013
    Date of Patent: February 24, 2015
    Assignee: Microsoft Corporation
    Inventors: Stefan Thom, Erik Lee Holt, Shivaram H. Mysore, Valerie Kathleen Bays, Carl M. Ellison
  • Patent number: 8966268
    Abstract: A handheld authentication device comprising a data processor and a display is adapted to: generate an input value; submit the input value to an asymmetric cryptographic operation; obtain the result of said asymmetric cryptographic operation; generate an authentication message substantially comprising the result of the asymmetric cryptographic operation; encode the authentication message into one or more images; and display these images on the display.
    Type: Grant
    Filed: December 27, 2012
    Date of Patent: February 24, 2015
    Assignee: Vasco Data Security, Inc.
    Inventor: Dirk Marien
  • Patent number: 8966599
    Abstract: Approaches are described for automatically generating new security credentials, such as security tokens, which can involve automatically re-authenticating a user (or client device) using a previous security token issued to that user (or device). The re-authentication can happen without any knowledge and/or action on the part of the user. The re-authentication mechanism can invalidate and/or keep track of the previous security token, such that when a subsequent request is received that includes the previous security token, the new security token can be invalidated, and the user caused to re-authenticate, as receiving more than one request with the previous security token can be indicative that the user's token might have been stolen.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: February 24, 2015
    Assignee: Amazon Technologies, Inc.
    Inventors: Maximilian Francis Barrows, Paul Francis Dean Ferraro, Jason George Mchugh, Abraham Martin Passaglia, Andrew Jay Roths, Eric Allan Shell
  • Patent number: 8966262
    Abstract: Methods and apparatus enabling programming of electronic identification information of a wireless apparatus. In one embodiment, a previously purchased or deployed wireless apparatus is activated by a cellular network. The wireless apparatus connects to the cellular network using an access module to download operating system components and/or access control client components. The described methods and apparatus enable updates, additions and replacement of various components including Electronic Subscriber Identity Module (eSIM) data, OS components. One exemplary implementation of the invention utilizes a trusted key exchange between the device and the cellular network to maintain security.
    Type: Grant
    Filed: October 8, 2013
    Date of Patent: February 24, 2015
    Inventors: Stephan V. Schell, Arun G. Mathias, Jerrold Von Hauck, David T. Haggerty, Kevin McLaughlin, Ben-Heng Juang, Li Li
  • Patent number: 8966592
    Abstract: A computer-implemented technique is presented. The technique can include selectively initiating, at a mobile computing device including one or more processors, communication between the mobile computing device and a public computing device. The technique can include transmitting, from the mobile computing device, authentication information to the public computing device. The authentication information can indicate access privileges to a private account associated with a user of the mobile computing device. The technique can include receiving, at the mobile computing device, an access inquiry from the public computing device. The access inquiry can indicate an inquiry as to whether the user wishes to login to the private account at the public computing device. The technique can also include transmitting, from the mobile computing device, an access response to the public computing device. The access response can cause the public computing device to provide the user with access to the private account.
    Type: Grant
    Filed: March 1, 2013
    Date of Patent: February 24, 2015
    Assignee: Google Inc.
    Inventors: Sheridan Kates, Arnaud Sahuguet, Amir Menachem Mané, Jeremy Brand Sussman, Aaron Baeten Brown, Travis Harrison Kroll Green
  • Patent number: 8959350
    Abstract: In general, the invention relates to a method for performing a command on a token. The method includes receiving a first command authentication message digest (CAMD), a command, and scrambled data from a sender, and making a first determination that the sender is allowed to send commands to the token. The method further includes, based on the first determination, generating a second CAMD on the token using the command, the scrambled data, and an Administrative Command Authentication Secret (ACAS), making a second determination that the first CAMD and the second CAMD match, and based on the second determination, performing the command by the token.
    Type: Grant
    Filed: March 25, 2010
    Date of Patent: February 17, 2015
    Assignee: PACid Technologies, LLC
    Inventor: Guy Fielder
  • Patent number: 8959356
    Abstract: A storage controller and program product is provided for performing double authentication for controlling disruptive operations on storage resources generated by a system administrator. A first request is received from a first user for generation of a first key. A first key is generated, provided to the first user and associated with the storage resource. An input is received from the administrator, the input comprises a second key and a command for performing the disruptive operation. The second key and the first key are compared. It is verified that the administrator is authorized as an administrator of the storage resource. The disruptive operation is performed on the storage resource if the second key and the first key match and the administrator is authorized. Otherwise, the performance of the disruptive operation is denied.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: February 17, 2015
    Assignee: International Business Machines Corporation
    Inventors: Vincent Boucher, Sebastien Chabrolles, Benoit Granier, Arnaud Mante
  • Patent number: 8955061
    Abstract: An information processing apparatus for executing authentication processing, characterized by comprising: storage means for storing, in association with each other, an image, region information indicating a region included in the image, and word information indicating an object linked with the region; determination means for determining an image to be used for the authentication processing among the images stored in the storage means; display means for displaying the image determined by the determination means; specification means for specifying, in a case where a user designates a position within the image displayed by the display means, word information associated with region information of a region including the position; and authentication means for executing authentication processing using the word information specified by the specification means.
    Type: Grant
    Filed: April 10, 2013
    Date of Patent: February 10, 2015
    Assignee: Canon Kabushiki Kaisha
    Inventor: Manami Hatano
  • Patent number: 8955044
    Abstract: A method of generating a time managed challenge-response test is presented. The method identifies a geometric shape having a volume and generates an entry object of the time managed challenge-response test. The entry object is overlaid onto the geometric shape, such that the entry object is distributed over a surface of the geometric shape, and a portion of the entry object is hidden at any point in time. The geometric shape is rotated, which reveals the portion of the entry object that is hidden. A display region on a display is identified for rendering the geometric shape and the geometric shape is presented in the display region of the display.
    Type: Grant
    Filed: October 4, 2010
    Date of Patent: February 10, 2015
    Assignee: Yahoo! Inc.
    Inventors: Kunal Punera, Shanmugasundaram Ravikumar, Anirban Dasgupta, Belle Tseng, Hung-Kuo (James) Chu
  • Patent number: 8954759
    Abstract: A magnetic memory device includes a main memory made of magnetic memory, and the main memory further includes a parameter area used to store parameters used to authenticate data. Further, the magnetic memory device has parameter memory that maintains a protected zone used to store protected zone parameters, and an authentication zone used to store authentication parameters, the protection zone parameters and the authentication parameters being associated with the data that requires authentication. Upon modification of any of the parameters stored in the parameter memory by a user, a corresponding location of the parameter area of the main memory is also modified.
    Type: Grant
    Filed: September 14, 2012
    Date of Patent: February 10, 2015
    Assignee: Avalanche Technology, Inc.
    Inventors: Siamack Nemazie, Ngon Van Le
  • Patent number: 8955039
    Abstract: Generally, this disclosure describes devices, methods and systems for securely providing context sensor data to mobile platform applications. The method may include configuring sensors to provide context data, the context data associated with a mobile device; providing an application programming interface (API) to a sensor driver, the sensor driver configured to control the sensors; providing a trusted execution environment (TEE) operating on the mobile device, the TEE configured to host the sensor driver and restrict control and data access to the sensor driver and to the sensors; generating a request for the context data through the API, the request generated by an application associated with the mobile device; receiving, by the application, the requested context data and a validity indicator through the API; verifying, by the application, the requested context data based on the validity indicator; and adjusting a policy associated with the application based on the verified context data.
    Type: Grant
    Filed: September 12, 2012
    Date of Patent: February 10, 2015
    Assignee: Intel Corporation
    Inventors: Gyan Prakash, Jesse Walker, Saurabh Dadu
  • Patent number: 8948394
    Abstract: Method and apparatus for distribution and synchronization of cryptographic context information is described. An aspect of the invention relates to synchronizing an encryptor and key management logic in a video distribution system. A request message is received from the encryptor. The request message includes authentication data and stream-dependent parameters associated with an internet protocol (IP) packet stream to be encrypted. Authenticity of the encryptor is verified using the authentication data. A cryptographic context for the IP packet stream is generated having the stream-dependent parameters and at least one encryption key. A reply message is sent to the encryptor having the at least one encryption key. Key stream messages having the cryptographic context are distributed towards user devices. The user devices are receiving an encrypted version of the IP packet stream generated by the encryptor.
    Type: Grant
    Filed: February 28, 2007
    Date of Patent: February 3, 2015
    Assignee: Google Technology Holdings LLC
    Inventor: Kuang M. Chen
  • Patent number: 8949607
    Abstract: A method for protecting a digital document and user data typed into a digital document is presented. The method comprises computation of an authentication tag when the document is sent from a server. A similar authentication tag is computed when the document is shown on a client. When another document referenced in the document is requested by the client from the server, the authentication tag computed by the client is attached to the request for that other document. The server receiving the request compares the authentication tag it computed with the one it received to verify if the request came from an authentic copy of the document. The method is suitable for protection of online banking, online investment, online shopping, and other electronic applications.
    Type: Grant
    Filed: May 8, 2013
    Date of Patent: February 3, 2015
    Assignee: Codesealer APS
    Inventor: Hans Martin Boesgaard Soerensen
  • Patent number: 8949608
    Abstract: The invention defines a digital programmable smart card terminal device and token collectively known as the token device. The token device comprises a field programmable token device which accepts a user's smart card. The combination of token device and smart card may then be used for a variety of applications that include user authentication, secure access, encryption. One specific application is that of an electronic wallet. The token device can be used both in connected and unconnected modes.
    Type: Grant
    Filed: February 20, 2001
    Date of Patent: February 3, 2015
    Assignee: Vasco Data Security, Inc.
    Inventors: Frank Hoornaert, Mario Houthooft
  • Patent number: 8948392
    Abstract: A method of providing an authenticable time-and-location indication using a radio-navigation signal receiver comprises receiving radio-navigation signals broadcast from a plurality of radio-navigation signal sources, at least some of the radio-navigation signals containing one or more cryptographic tokens protected by encryption, the cryptographic tokens being updated from time to time. The receiver retrieves, by decryption, the cryptographic tokens from the radio-navigation signals containing them. The receiver then determines positioning data, representing its geographical position and time, based on the radio-navigation signals received. The receiver generates a digital authentication code using a cryptographic function taking as inputs at least the positioning data and the retrieved cryptographic tokens, and produces a data package including a first part containing the positioning data and a second part containing the digital authentication code.
    Type: Grant
    Filed: May 31, 2011
    Date of Patent: February 3, 2015
    Assignee: The European Union, Represented by The European Commission
    Inventor: Olivier Chassagne
  • Patent number: 8948797
    Abstract: Registering a client computing device for online communication sessions. A registration server receives a message that has a push token that is unique to the client computing device and a phone number of the client computing device from an SMS (Short Message Service) transit device, which received an SMS message having the push token from the client computing device and determined the phone number of the client computing device from that SMS message. The registration server associates the push token and the phone number and stores it in a registration data store, which is used for inviting users for online communication sessions.
    Type: Grant
    Filed: April 10, 2013
    Date of Patent: February 3, 2015
    Assignee: Apple Inc.
    Inventors: Arun Mathias, Justin Santamaria, Justin Wood, Joe Abuan, Jeremy Brown, Patrick Gates, Matthew Klahn, Andrew H. Vyrros, Braden Thomas, Drew Yao
  • Patent number: 8949930
    Abstract: Systems and methods are described for enabling users to model security resources and user access keys as resources in a template language. The template can be used to create and update a stack of resources that will provide a network-accessible service. The security resources and access keys can be referred to in the template during both stack creation process and the stack update process. The security resources can include users, groups and policies. Additionally, users can refer to access keys in the template as dynamic parameters without any need to refer to the access keys in plaintext. The system securely stores access keys within the system and allows for templates to refer to them once defined. These key references can then be passed within a template to resources that need them as well as passing them on securely to resources like server instances through the use of the user-data field.
    Type: Grant
    Filed: March 19, 2012
    Date of Patent: February 3, 2015
    Assignee: Amazon Technologies, Inc.
    Inventors: Avinash Jaisinghani, Reto Kramer, Christopher Whitaker, Venkates P. Balakrishnan, Prashant Jayaraman, Richard C. Edwards, Jr.
  • Patent number: 8943561
    Abstract: Systems and methods for authenticating users are presented. A system can send a passkey to a user interface of a known device. A user can then send a messaging service message with the passkey from a second device to the system. After receiving the message from the user, the system can extract the passkey from the message, and compare the received passkey against the passkey originally sent to the user. The known device and the second device can each have separate and unique device identifiers.
    Type: Grant
    Filed: July 13, 2012
    Date of Patent: January 27, 2015
    Assignee: TextPower, Inc.
    Inventors: Robert Foster, Scott Goldman, Mark Nielsen
  • Patent number: 8943306
    Abstract: A content issuer entity designates a transport security level for each of a plurality of electronic certificates and provides the electronic certificates to a first wireless device. A second wireless device establishes a communications link to transfer electronic certificate data associated with one or more electronic certificates stored on the first wireless device to the second wireless device via a wireless transaction and determines, for each stored electronic certificate, a transport security level previously designated at the content issuer entity. At the first wireless device, a highest transport security level is determined from among the respective transport security levels associated with the stored electronic certificates. The electronic certificate data is transferred from the first wireless device to the second wireless device via the communications link in accordance with a security measure that corresponds to the highest determined transport security level.
    Type: Grant
    Filed: December 20, 2011
    Date of Patent: January 27, 2015
    Assignee: Mastercard International Incorporated
    Inventors: Philippe Martin, Mohammad Khan, Jean-Christophe Raynon
  • Patent number: 8935749
    Abstract: A method for wireless communications and a wireless transmit/receive unit are disclosed. At least one first wireless communication link with a base station for transmitting/receiving data packets is established, which at least one first wireless communication link complies with at least a first authentication mechanism. At least one second wireless communication link with at least one user device for transmitting/receiving data packets is established, which at least one second wireless communication link complies with at least a second authentication mechanism, wherein the at least one second wireless communication link comprises a peer-to-peer wireless communication link. The at least one first wireless communication link and the at least one second wireless communication link are concurrently maintained.
    Type: Grant
    Filed: May 23, 2011
    Date of Patent: January 13, 2015
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Alexandros Maniatopoulos
  • Patent number: 8930702
    Abstract: Strong authentication tokens for generating dynamic security values having an acoustical input interface for acoustically receiving input data are disclosed. The tokens may also include an optical interface for receiving input data and may have a selection mechanism to select either the acoustical or the optical input interface to receive data. A communication interface may be provided to communicate with a removable security device such as a smart card and the token may be adapted to generate dynamic security values in cooperation with the removable security device. The acoustic signal received by the token may be modulated using a frequency shift keying modulation scheme using a plurality of coding frequencies to code the acoustical signal where each coding frequency may be an integer multiple of a common base frequency.
    Type: Grant
    Filed: February 23, 2012
    Date of Patent: January 6, 2015
    Assignee: Vasco Data Security, Inc.
    Inventor: Dirk Marien
  • Patent number: 8930711
    Abstract: A storage device contains a smart-card device and a memory device, which is connected to a controller. The storage device may be used in the same manner as a conventional smart-card device, or it may be used to store a relatively large amount of data. The memory device may also be used to store data or instructions for use by the smart-card device. The controller includes a security engine that uses critical security parameters stored in, and received from, the smart-card device. The critical security parameters may be sent to the controller in a manner that protects them from being discovered. The critical security parameters may be encryption and/or decryption keys that may encrypt data written to the memory device and/or decrypt data read from the memory device, respectively. Data and instructions used by the smart-card device may therefore be stored in the memory device in encrypted form.
    Type: Grant
    Filed: April 2, 2012
    Date of Patent: January 6, 2015
    Assignee: Micron Technology, Inc.
    Inventors: Mehdi Asnaashari, Ruchirkumar D. Shah, Sylvain Prevost, Ksheerabdhi Krishna
  • Patent number: 8925046
    Abstract: A device includes a memory which stores a program, and a processor which executes, based on the program, a procedure comprising establishing a session with a request source when a request for a service, made to a second providing source, has been received from the request source, the second providing source providing the service based on data stored in a first providing source; and when an inquiry about whether to transmit the data to the second providing source has been received from the first providing source, notifying, so as to encrypt a mask range of the data, the first providing source of session information indicating the session established with the request source and notifying the request source of the session information so as to decrypt the encrypted mask range of data based on the session information.
    Type: Grant
    Filed: February 25, 2013
    Date of Patent: December 30, 2014
    Assignee: Fujitsu Limited
    Inventors: Takao Ogura, Fumihiko Kozakura
  • Patent number: 8924553
    Abstract: An apparatus and a method for validating requests to thwart cross-site attacks is described. A user identifier token, a request identifier token, and a timestamp, are generated at a web application of a server. A Message Authentication Code (MAC) value is formed based on the user identifier token, the request identifier token, and the timestamp using a secret key of the web application. The form is sent with the MAC value and the time stamp to a client. A completed form comprising a returned MAC value and a returned timestamp is received from the client. The completed form is validated at the server based on the returned MAC value and the returned timestamp.
    Type: Grant
    Filed: August 31, 2009
    Date of Patent: December 30, 2014
    Assignee: Red Hat, Inc.
    Inventor: James Paul Schneider
  • Patent number: 8918848
    Abstract: Methods and systems for third party client authentication of a client. A method includes displaying a user interface on a display of the client, the user interface including an option to select a supported credential type of a third party authentication server, receiving a command selecting the supported credential type, and sending credential information and the selected supported credential type to an authentication server for third party authentication by the third party authentication server. The third party authentication server may support a token-based authentication protocol for implementing single sign on (SSO).
    Type: Grant
    Filed: April 26, 2010
    Date of Patent: December 23, 2014
    Assignee: BlackBerry Limited
    Inventors: Girish Kumar Sharma, Lenny Kwok-Ming Hon, Joseph Daniel Burjoski, Kenneth Cyril Schneider
  • Patent number: 8918647
    Abstract: A device authentication system including one or more devices, child servers capable of communicating therewith, and a root server configured to enroll devices by: collecting device-specific tokens and creating a complete verification set (“CVS”) therefrom; creating a working verification set (“WVS”) by selecting a subset of the CVS; creating a limited verification set (“LVS”) by performing a derivation function on at least part of the WVS; and distributing part or all of the LVS to child servers. A device authentication system configured such that a PUF-containing device and a server communicating with the device can perform an extended BPV generation. A device authentication system that includes a device containing a PUF and is configured to perform error decoding on subsets of an authentication-related value multiple times.
    Type: Grant
    Filed: May 6, 2014
    Date of Patent: December 23, 2014
    Assignee: Sypris Electronics, LLC
    Inventor: John Ross Wallrabenstein
  • Patent number: 8914767
    Abstract: A computer-implemented method for facilitating access to shared resources within computer clusters may include identifying a quick response code captured by at least one computing system. The method may also include identifying information encoded in the quick response code captured by the computing system. The method may further include determining that the information encoded in the quick response code contains an activation key that facilitates activation of a software application. The method may additionally include applying, in response to this determination, the activation key to the software application in order to activate the software application without requiring a user of the software application to manually enter the activation key. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: March 12, 2012
    Date of Patent: December 16, 2014
    Assignee: Symantec Corporation
    Inventors: Anubhav Savant, Gaurav Chandna, Garret Polk
  • Patent number: 8908866
    Abstract: A method and apparatus to provide a cryptographic protocol for secure authentication, privacy, and anonymity. The protocol, in one embodiment, is designed to be implemented in a small number of logic gates, executed quickly on simple devices, and provide military grade security.
    Type: Grant
    Filed: April 13, 2012
    Date of Patent: December 9, 2014
    Assignee: Symantec Corporation
    Inventors: Joseph A. Adler, David M'Raihi
  • Patent number: 8904182
    Abstract: A method and system to generate fine granular integrity to huge volumes of data in real time at a very low computational cost. The invention proposes a scalable system that can receive different digital data from multiple sources and generates integrity streams associated to the original data. This invention provides full guarantees for data integrity: order of data logged cannot be altered and content cannot be modified, added, or deleted without detection.
    Type: Grant
    Filed: September 20, 2010
    Date of Patent: December 2, 2014
    Assignee: Kinamik Data Integrity, S.L.
    Inventors: Joan Miquel Bardera Bosch, Cevahir Demirkiran, Christophe Primault
  • Patent number: 8904484
    Abstract: System and method for setting up a data communication are disclosed. Method includes facilitating authenticating a module of a client computing device for the data communication. Method includes facilitating authenticating a module of a server for the data communication. Method includes authenticating an encoding for a network-based procedure call interface for the server. Method includes binding the network-based procedure call interface to a protocol for a gateway interface of the server. Method includes facilitating verifying that a message size of a message transmitted to a module of the client computing device or to a module of the server is within a message size range. Method includes facilitating creating a tunnel to a module of the server, wherein the tunnel is for the data communication. Method includes facilitating creating a channel within the tunnel, wherein the channel is for the data communication.
    Type: Grant
    Filed: June 1, 2012
    Date of Patent: December 2, 2014
    Assignee: Wyse Technology L.L.C.
    Inventor: Andrew T. Fausak
  • Patent number: 8904505
    Abstract: A method and apparatus for automatically establishing a wired protected setup between an enrollee requesting registration and a registrar granting registration are provided. The method includes: determining whether a power line communication (PLC) between the enrollee and the registrar is possible; and if it is determined that the PLC with the registrar is possible, receiving a personal identification number (PIN) from the registrar through the power line and transmitting an acknowledgement (ACK) message to the registrar through the power line as a response to the received PIN.
    Type: Grant
    Filed: April 27, 2011
    Date of Patent: December 2, 2014
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Seung-seop Shim, Yong-gu Kim, In-hwan Kim
  • Patent number: 8898806
    Abstract: A computer-implemented method for protecting services may include (1) identifying a service control manager, the service control manager having access to modify a configuration of at least one service, (2) identifying a request from a process for permission to access the configuration of the service, and, in response to the request, (3) authenticating the process based on at least one attribute of the process, (4) providing an authentication token to the process, (5) intercepting an attempt by the process to access the configuration of the service via the service control manager, the attempt including the authentication token, and, in response to the attempt, (6) validating the authentication token, and, in response to validating the authentication token, (7) allowing the process to access the configuration of the service. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: December 15, 2011
    Date of Patent: November 25, 2014
    Assignee: Symantec Corporation
    Inventor: Sarin Sumit Manmohan
  • Patent number: RE45416
    Abstract: A system and method for securing a Radio Frequency (RF) transaction using an RF identification device transaction device is provided. The invention uses the routing number and customer identifying information associated with a transaction account to secure an RF transaction. Specifically, the customer identifying information is included in an encrypted payload that is provided to a merchant point-of-sale device in an unused field of the RF data transmission. The routing number is provided in the ordinary field location of the data transmission typically reserved for the transaction account number. Additionally, the encrypted payload is provided in the unused field of the data transmission. The routing number is used to locate the corresponding encryption key for validating the RF transaction device, the transaction account and/or customer identifying information without the need for the reader to encrypt the customer identifying information before providing a transaction request to an account issuer.
    Type: Grant
    Filed: June 15, 2012
    Date of Patent: March 17, 2015
    Assignee: Xatra Fund MX, LLC
    Inventors: Fred Bishop, Peter D. Saunders