Intelligent Token Patents (Class 713/172)
  • Patent number: 8819413
    Abstract: A method and apparatus for providing collaborative claim verification using an identification management (IDM) system. The IDM system collaborates with at least one trusted authority that provides information to a validity database within the IDM system. The database information collected from the at least one trusted authority is used to verify a user's entered identification information, i.e., a user's identity claim. Such validation through a plurality of trusted authorities can provide a statistical truth to the identity claims provided by a user.
    Type: Grant
    Filed: December 22, 2006
    Date of Patent: August 26, 2014
    Assignee: Symantec Corporation
    Inventors: Brian Hernacki, Sourabh Satish
  • Patent number: 8819422
    Abstract: System and methods for access control in a Universal Plug and Play (UPnP) network are based on a user identity. A control point has an identity assertion capability for identifying a user. The control point is configured to declare a value of an attribute associated with the identity assertion capability. A device is communicatively coupled to the control point via the UPnP network. The device has a first access control list and a trusted-to-identify access control list (TIA). The device is configured to permit the user to perform one or more actions based upon whether the user identity appears as a subject in the first access control list.
    Type: Grant
    Filed: April 22, 2008
    Date of Patent: August 26, 2014
    Assignee: Motorola Mobility LLC
    Inventors: Mahesh V. Tripunitara, Dean H. Vogler, Patrick Toomey
  • Patent number: 8819437
    Abstract: Binding a security artifact to a service provider. A method includes generating a pseudonym for a security artifact. The pseudonym is an identifier of the security artifact to the service provider that is unique to the service provider in that the pseudonym is not used to identify the security artifact to other service providers. Further, the pseudonym uniquely identifies the particular security artifact to the service provider even when a user has available a number of different security artifacts to authenticate to the same service provider to access a user account for the user. The method further includes providing the pseudonym for the security artifact to the service provider. The pseudonym for the security artifact is bound with a user account at the service provider for a user associated with the security artifact.
    Type: Grant
    Filed: September 30, 2010
    Date of Patent: August 26, 2014
    Assignee: Microsoft Corporation
    Inventors: Craig Henry Wittenberg, Christian Paquin, Rushmi U. Malaviarachchi
  • Patent number: 8819802
    Abstract: A method includes receiving user input including a user password while an authentication token is retained at a first position in an authentication token receiver of an authentication token reader by an insertion force applied to the authentication token by a user. The authentication token reader includes a bias member that applies an ejection force to the authentication token while the authentication token is at the first position. The method also includes reading authentication data from a memory of the authentication token while the authentication token is retained at the first position by the insertion force applied to the authentication token by the user. The method also includes authenticating the user based on the authentication data.
    Type: Grant
    Filed: April 10, 2012
    Date of Patent: August 26, 2014
    Assignee: The Boeing Company
    Inventor: Douglas D. Corlett
  • Publication number: 20140237250
    Abstract: In embodiments of registration and network access control, an initially unconfigured network interface device can be registered and configured as an interface to a public network for a client device. In another embodiment, a network interface device can receive a network access request from a client device to access a secure network utilizing extensible authentication protocol (EAP), and the request is communicated to an authentication service to authenticate a user of the client device based on user credentials. In another embodiment, a network interface device can receive a network access request from a client device to access a Web site in a public network utilizing a universal access method (UAM), and the request is redirected to the authentication service to authenticate a user of the client device based on user credentials.
    Type: Application
    Filed: April 25, 2014
    Publication date: August 21, 2014
    Inventors: Ryan S. Menezes, Taroon Mandhana, Shankar Seal, Dhiraj P. Gandhi, Aaron Wesley Cunningham
  • Publication number: 20140237249
    Abstract: According to one embodiment, an authentication method includes generating, by the memory, first authentication information by calculating secret identification information with a memory session key in one-way function operation, transmitting encrypted secret identification information, a family key block, and the first authentication information to a host, and generating, by the host, second authentication information by calculating the secret identification information generated by decrypting the encrypted secret identification information with the host session key in one-way function operation. The method further includes comparing, by the host, the first authentication information with the second authentication information.
    Type: Application
    Filed: February 15, 2013
    Publication date: August 21, 2014
    Applicant: KABUSHIKI KAISHA TOSHIBA
    Inventors: Yuji NAGAI, Taku KATO, Tatsuyuki MATSUSHITA, Toshihiro SUZUKI, Noboru SHIBATA
  • Patent number: 8812849
    Abstract: Systems, methods, and machine-readable media for controlling an upload of a block of data associated with an upload command are described. In certain aspects, an interface module may be configured to obtain a cryptographic checksum for the block of data associated with the upload command. A checksum module may be configured to compare the cryptographic checksum for the block of data associated with the upload command to a cryptographic checksum in an index storing cryptographic checksums identifying blocks of data previously uploaded to a server. If the cryptographic checksum for the block of data associated with the upload command matches the cryptographic checksum in the index, an upload module may be configured to cancel the upload of the block of data associated with the upload command.
    Type: Grant
    Filed: September 26, 2011
    Date of Patent: August 19, 2014
    Assignee: Google Inc.
    Inventor: Malte Ubl
  • Patent number: 8813237
    Abstract: Embodiments of the invention generally relate to thwarting fraud perpetrated with a computer by receiving a request from a computer to perform a transaction. Embodiments of the invention may include receiving the request together with transaction data and a cookie, where the transaction data are separate from the cookie; determining in accordance with predefined validation criteria whether the cookie includes a valid representation of the transaction data; and performing the transaction only if the cookie includes a valid representation of the transaction data.
    Type: Grant
    Filed: June 28, 2010
    Date of Patent: August 19, 2014
    Assignee: International Business Machines Corporation
    Inventors: Yair Amit, Roee Hay, Roi Saltzman, Adi Sharabani
  • Patent number: 8813248
    Abstract: According to an embodiment, a system is provided comprising a memory and a processor. The memory may be operable to store a master image associated with a user account. The master image may comprise an image of a physical, non-living object. The processor may be coupled to the memory and may be operable to receive a request to perform a transaction associated with the user account. The processor may be further operable to receive an image that is scanned in real-time in conjunction with the request to perform the transaction. The processor may be further operable to compare the scanned image with the master image associated with the user account and to perform the transaction if the scanned image is substantially similar to the master image.
    Type: Grant
    Filed: June 28, 2011
    Date of Patent: August 19, 2014
    Assignee: Bank of America Corporation
    Inventor: Chris Purvis
  • Patent number: 8806203
    Abstract: A security mechanism provided by a server protects files in data storage from untrusted clients. In one embodiment, the server generates a filename in response to a request from a client for creating a filename. The filename is associated with a file to be stored in the data storage managed by the server. The server manages a directory that contains the filename, and hides the directory contents from the client. The client is granted access to the file when the client provides the filename associated with the file.
    Type: Grant
    Filed: June 29, 2010
    Date of Patent: August 12, 2014
    Assignee: Red Hat Israel, Ltd.
    Inventor: Shahar Frank
  • Patent number: 8806217
    Abstract: A method, system and non-transitory computer-readable medium product are provided for functionality watermarking and management. In the context of a method, a method is provided that includes identifying a request to establish an association between a watermark template and a function of at least one user device and determining whether the request to establish the association between the watermark template and the function of the at least one user device is authorized. The method further includes authorizing the request to establish the association between the watermark template and the function of the at least one user device in response to a determination that the request to establish the association between the watermark template and the function of the at least one user device is authorized.
    Type: Grant
    Filed: August 6, 2013
    Date of Patent: August 12, 2014
    Inventors: John Marshall, Erich Stuntebeck
  • Patent number: 8806573
    Abstract: Techniques are provided for the controlled scheduling of the authentication of devices in a lossy network, such as a mesh network. An authenticator device that is configured to authenticate devices in a lossy network receives an authentication start message from a particular device to be authenticated. The authenticator device determines a schedule for engaging in an authentication procedure for the particular device based on an indication of current network utilization.
    Type: Grant
    Filed: August 9, 2011
    Date of Patent: August 12, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: Atul Mahamuni, Navindra Yadav, Jonathan Hui, Alec Woo, Wei Hong
  • Publication number: 20140223183
    Abstract: A security token includes a wireless interface to communicate with a secured device. A cryptographic module generates cryptographic information, encrypts messages to the secured device, decrypts messages from the secured device and coordinates the encryption and decryption of data on the secured device.
    Type: Application
    Filed: April 7, 2014
    Publication date: August 7, 2014
    Applicant: REDPORTE, INC.
    Inventors: Christophe Niglio, Karen Flannery
  • Patent number: 8799658
    Abstract: A sharing service receives a request to store a media item stored on an electronic book reader device for sharing with one or more other content rendering devices. In response, the sharing service associates a pass phrase with the request. The sharing service then provides the media item to those devices (e.g., eBook reader devices) that provide the pass phrase to the sharing service within a predetermined amount of time.
    Type: Grant
    Filed: March 2, 2010
    Date of Patent: August 5, 2014
    Assignee: Amazon Technologies, Inc.
    Inventors: Laurent E. Sellier, David Berbessou, Edward J. Gayles, Lawrence Arnold Lynch-Freshner, Sailesh Rachabathuni, Xuejin Zhou
  • Patent number: 8799984
    Abstract: A client-side user agent operates in conjunction with an identity selector to institute and exercise privacy control management over user identities managed by the identity selector. The user agent includes the combination of a privacy enforcement engine, a storage of rulesets expressing user privacy preferences, and a preference editor. The editor enables the user to direct the composition of privacy preferences relative to user identities. The preferences can be applied to individual cards and to categorized groups of attributes. The engine evaluates the proper rulesets against the privacy policy of a service provider. The privacy preferences used by the engine are determined on the basis of specifications in a security policy indicating the attribute requirements for claims that purport to satisfy the security policy.
    Type: Grant
    Filed: May 27, 2009
    Date of Patent: August 5, 2014
    Assignee: Open Invention Network, LLC
    Inventor: Gail-Joon Ahn
  • Patent number: 8799652
    Abstract: In a method for activating a destination network node (SN) to be woken up in a wireless network (1), in particular a sensor network, the destination network node (SN) is woken from a sleep operating mode if the destination network node verifies a received secret wake-up token (WUT) by a predefined test function and at least one stored wake-up token reference value (WUTRV). The method protects network nodes in a wireless network (1) from attacks which reduce the lifetime of the network nodes by preventing a sleep operating mode. The method is particularly suitable for sensor networks.
    Type: Grant
    Filed: December 2, 2009
    Date of Patent: August 5, 2014
    Assignee: Siemens Aktiengesellschaft
    Inventors: Rainer Falk, Hans-Joachim Hof
  • Patent number: 8799887
    Abstract: An apparatus saves first and second programs stored in a storage unit as saved information before the first and the second programs are updated. If the update of the first program is finished and then an error occurs while the second program is being updated, the information processing apparatus restores the second program which is being updated to the program yet to be updated based on the saved information and also restores the first program whose update is finished to the program yet to be updated based on the saved information.
    Type: Grant
    Filed: June 29, 2011
    Date of Patent: August 5, 2014
    Assignee: Canon Kabushiki Kaisha
    Inventor: Takeshi Suwabe
  • Patent number: 8800004
    Abstract: A computerized authorization system configured to authorize electronically-made requests to an electronic entity. The computerized authorization system comprises a store configured to store an indication of at least one predetermined electronic authorization device configured to authorize each electronically-made request. The computerized authorization system is further configured such that: in response to receiving an electronically-made request to the electronic entity, an indication of the request is output to the at least one predetermined electronic authorization device configured to authorize the request as indicated in the store; and in response to receiving an indication of authorization from the at least one predetermined electronic authorization device, an indication of authorization of the request is output to the electronic entity.
    Type: Grant
    Filed: March 21, 2012
    Date of Patent: August 5, 2014
    Inventor: Gary Martin Shannon
  • Publication number: 20140215218
    Abstract: According to an aspect of the invention, a security token for facilitating access to a remote computing service via a mobile device is conceived, said security token comprising an NFC interface, a smart card integrated circuit and a smart card applet stored in and executable by said smart card integrated circuit, wherein the smart card applet is arranged to support a cryptographic challenge-response protocol executable by the mobile device.
    Type: Application
    Filed: January 27, 2014
    Publication date: July 31, 2014
    Applicant: NXP B.V.
    Inventor: Jan René Brands
  • Patent number: 8793497
    Abstract: A puzzle-based protocol is provided that allows a token and verifier to agree on a secure symmetric key for authentication between the token and verifier. A token stores a secret key and one or more puzzle-generating algorithms. The verifier independently obtains a plurality of puzzles associated with the token, pseudorandomly selects at least one of the puzzles, and solves it to obtain a puzzle secret and a puzzle identifier. The verifier generates a verifier key based on the puzzle secret. The verifier sends the puzzle identifier and an encoded version of the verifier key to the token. The token regenerates the puzzle secret using its puzzle-generating algorithms and the puzzle identifier. The token sends an encoded response to the verifier indicating that it knows the verifier key. The token and verifier may use the verifier key as a symmetric key for subsequent authentications.
    Type: Grant
    Filed: May 9, 2008
    Date of Patent: July 29, 2014
    Assignee: QUALCOMM Incorporated
    Inventors: Gregory Gordon Rose, Alexander Gantman, Miriam Wiggers De Vries, Michael Paddon, Philip Michael Hawkes
  • Patent number: 8793508
    Abstract: Systems, methods, computer programs, and devices are disclosed herein for deploying a local trusted service manager within a secure element of a contactless smart card device. The secure element is a component of a contactless smart card incorporated into a contactless smart card device. An asymmetric cryptography algorithm is used to generate public-private key pairs. The private keys are stored in the secure element and are accessible by a trusted service manager (TSM) software application or a control software application in the secure element. A non-TSM computer with access to the public key encrypts and then transmits encrypted application data or software applications to the secure element, where the TSM software application decrypts and installs the software application to the secure element for transaction purposes.
    Type: Grant
    Filed: December 17, 2012
    Date of Patent: July 29, 2014
    Assignee: Google Inc.
    Inventors: Rob von Behren, Jonathan Wall, Ismail Cem Paya
  • Patent number: 8793496
    Abstract: Embodiments of the invention may provide for systems and methods for secure authentication. The systems and methods may include receiving, by a constrained device, a random string transmitted from a server; determining, by the constrained device, a responsive output by evaluating a first deterministic function based upon the received random string, a locally generated string and a first private key stored on the constrained device; and transmitting at least one portion of the responsive output and the locally generated string from the constrained device to a server.
    Type: Grant
    Filed: August 20, 2007
    Date of Patent: July 29, 2014
    Assignee: Florida State University
    Inventors: Mike Burmester, Breno de Medeiros, Tri Van Le, Christy Chatmon
  • Patent number: 8789146
    Abstract: The invention provides a low-cost access control device for identification and authentication in both the “digital” and “physical” worlds by contact-bound respectively contact-less interfaces and where individual users of the device can securely update access control credentials and cryptographic keys from a remote system without the need for any additional hardware or specialized software. The access control credentials and the at least one cryptographic key shall be readable by an access control system via the contact-less interface of the device, thereby enabling or denying the holder of the device access.
    Type: Grant
    Filed: April 16, 2012
    Date of Patent: July 22, 2014
    Assignee: Yubico Inc.
    Inventor: Jakob Ehrensvard
  • Patent number: 8782769
    Abstract: Described herein are systems and methods for providing software administration tools, for use in administering server configurations, such as in a traffic director or other type of server environment. In accordance with an embodiment, the system comprises a traffic director having one or more traffic director instances, which is configured to receive and communicate requests, from clients, to origin servers having one or more pools of servers. An administration server can be used to manage the traffic director, including a REpresentational State Transfer (REST) infrastructure and management service which maps REST calls to mbeans or other management components registered on the administration server, for use in managing the traffic director.
    Type: Grant
    Filed: September 26, 2012
    Date of Patent: July 15, 2014
    Assignee: Oracle International Corporation
    Inventors: Amit Gupta, Praveen Chandrasekharan
  • Patent number: 8782768
    Abstract: Methods, computer-readable storage medium, and systems described herein facilitate enabling access to a virtual desktop of a host computing device. An authentication system receives one of an authentication token and a reference to the authentication token, wherein the authentication token is indicative of whether a user successfully logged in to an authentication portal using a client computing device. The authentication system generates a private key, a digital certificate, and a personal identification number (PIN) for the user in response to receiving the one of the authentication token and the reference to the authentication token. The private key, the digital certificate, and the PIN are stored in a virtual smartcard, and the client computing device is authorized to log into a virtual desktop using the virtual smartcard.
    Type: Grant
    Filed: June 15, 2012
    Date of Patent: July 15, 2014
    Assignee: VMware, Inc.
    Inventor: Per Olov Larsson
  • Publication number: 20140195810
    Abstract: A management site (10) generates an encrypted message by a public-key symmetrical encryption algorithm, the algorithm and the key being selected by the management site among a memorized list. The message (DKE), which includes an identifier of the encryption algorithm and key used, is transmitted to a portable device (16), which stores it. For the use, the message is transmitted to a secured module (20) that decrypts it, checks its compliance with an internal reference, and generates a digital accreditation controlling the unlocking of a lock device (18). The decryption is operated with the algorithm and the key recognized based on the identifiers of the message, selected among a list memorized by the secured module.
    Type: Application
    Filed: October 10, 2013
    Publication date: July 10, 2014
    Applicant: OPENWAYS SAS
    Inventors: Pascal METIVIER, Aitor AGUEDA
  • Patent number: 8775818
    Abstract: An apparatus and a method for validating requests to thwart cross-site attacks is described. A user identifier token, a request identifier token, and a timestamp, are generated at a web application of a server. A Message Authentication Code (MAC) value is formed based on the user identifier token, the request identifier token, and the timestamp using a secret key of the web application. Names of the form elements are enciphered. Fake form elements can also be added to the dynamic form. The entire page also can be enciphered. The dynamic form is sent with the MAC value and the time stamp to a client. A completed form comprising a returned MAC value and a returned timestamp is received from the client. The completed form is validated at the server based on the returned MAC value and the returned timestamp.
    Type: Grant
    Filed: November 30, 2009
    Date of Patent: July 8, 2014
    Assignee: Red Hat, Inc.
    Inventor: James Paul Schneider
  • Patent number: 8774216
    Abstract: Responsibility can be established for specific copies or instances of copies of digitized multimedia content using digital watermarks. Management and distribution of digital watermark keys (e.g., private, semiprivate and public) and the extension of information associated with such keys is implemented to create a mechanism for the securitization of multimedia titles to which the keys apply. Bandwidth rights can be created to provide for a distributed model for digital distribution of content which combines the security of a digital watermark with efficient barter mechanisms for handling the actual delivery of digital goods. Distributed keys better define rights that are traded between transacting parties in exchanging information or content. More than one party can cooperate in adding distinguished watermarks at various stages of distribution without destroying watermarks previously placed in the content.
    Type: Grant
    Filed: September 28, 2010
    Date of Patent: July 8, 2014
    Assignee: Wistaria Trading, Inc.
    Inventor: Scott Moskowitz
  • Patent number: 8776204
    Abstract: In a communication network wherein a first computing device represents a resource owner and a second computing device represents a resource requestor, the resource owner detects an occurrence of an event, wherein the event occurrence represents a request to access one or more resources of the resource owner stored in a resource residence. The resource owner sends an authorization token to the resource requestor in response to the event occurrence, the authorization token serving as a proof of authorization delegated by the resource owner to be presented by the resource requestor to the resource residence so as to permit the resource requestor to access the one or more requested resources stored in the resource residence.
    Type: Grant
    Filed: March 12, 2010
    Date of Patent: July 8, 2014
    Assignee: Alcatel Lucent
    Inventors: Igor Faynberg, Hui-Lan Lu
  • Patent number: 8775809
    Abstract: A method and a device for verifying the validity of a digital signature based on biometric data. A verifier attains a first biometric template of the individual to be verified, for instance by having the individual provide her fingerprint via an appropriate sensor device. Then, the verifier receives a digital signature and a second biometric template. The verifier then verifies the digital signature by using either the first or the second biometric template as a public key. The attained (first) biometric template of the individual is compared with the received (second) biometric template associated with the signature and if a match occurs, the verifier can be confident that the digital signature and the associated (second) biometric template have not been manipulated by an attacker for impersonation purposes.
    Type: Grant
    Filed: November 12, 2007
    Date of Patent: July 8, 2014
    Assignee: Koninklijke Philips N.V.
    Inventors: Pim Theo Tuyls, Gregory Krimhild Rene Neven
  • Patent number: 8775806
    Abstract: A system and method for providing a unique encryption key including a receiver, at a Voice over Internet Protocol (VoIP) adapter, configured to receive a configuration file, a processor, at the VoIP adapter, configured to decrypt the configuration file using a default key stored in the VoIP adapter, update one or more profile parameters of the configuration file, and install an encryption key at the VoIP adapter using the configuration file, and a transmitter, at the VoIP adapter, configured to register, with a network element, for network service using the updated configuration file such that the receiver is configured to receive network service from the network element when the updated configuration file is authenticated by the network element.
    Type: Grant
    Filed: June 14, 2011
    Date of Patent: July 8, 2014
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Lakshmi N. Chakarapani, Elliot G. Eichen
  • Patent number: 8775804
    Abstract: A matching authentication method for wireless communication equipment comprises: a device at the transmitting end sends a matching request (S101) to a device at the receiving end; the device at the transmitting end receives the response messages fed back from the device at the receiving end, the response messages carrying feature codes (S102); the device at the transmitting end obtains the feature codes and takes the feature codes as the authentication and authorization codes for communicating with the receiving end. The invention also provides a corresponding wireless communication device with the function of matching authentication. The wireless communication device comprises a memory unit, a communication unit, an authentication and authorization unit, and a feature code updating unit. The invention also provides a corresponding wireless communication system with the function of matching authentication.
    Type: Grant
    Filed: June 23, 2009
    Date of Patent: July 8, 2014
    Assignee: Sany Heavy Industry Co., Ltd.
    Inventors: Xiaogang Yi, Yonghong Liu, Yaohui Ou, Jihui Zhou
  • Patent number: 8775815
    Abstract: A method, system and non-transitory computer-readable medium product are provided for enterprise-specific functionality watermarking and management. In the context of a method, a method is provided that includes identifying a request to perform at least one function of a user device associated with an enterprise and identifying at least one watermark template associated with an enterprise. The method further includes applying the at least one watermark template associated with the enterprise to at least one function of the user device associated with the enterprise and authorizing the request to perform the at least one function of the user device associated with the enterprise.
    Type: Grant
    Filed: July 3, 2013
    Date of Patent: July 8, 2014
    Inventor: John Marshall
  • Publication number: 20140189359
    Abstract: Authentication devices and methods for generating dynamic credentials are disclosed. The authentication devices include a communication interface for communicating with a security device such as a smart card.
    Type: Application
    Filed: December 27, 2013
    Publication date: July 3, 2014
    Applicant: VASCO DATA SECURITY, INC.
    Inventors: DIRK MARIEN, FRANK COULIER, FRANK HOORNAERT, FREDERIK MENNES
  • Patent number: 8769656
    Abstract: A method for providing fast and secure access to MIFARE applications installed in a MIFARE memory being configured as a MIFARE Classic card or an emulated MIFARE Classic memory, comprises: keeping a repository of MIFARE memories and user identifications assigned to said MIFARE memories as well as of all MIFARE applications installed in the MIFARE memories, wherein, when a new MIFARE application is to be installed in a MIFARE memory identified by a user identification the present memory allocation of said MIFARE memory is retrieved, an appropriate sector of said MIFARE memory is calculated, a key is calculated for said MIFARE application and the MIFARE application together with the assigned sector and key are linked to the user identification and are stored in the repository.
    Type: Grant
    Filed: May 14, 2009
    Date of Patent: July 1, 2014
    Assignee: NXP B.V.
    Inventors: Alexandre Corda, Ismaila Wane, Vincent Lemonnier
  • Patent number: 8769646
    Abstract: There is presented a system and method for associating a domain transcendent identification (ID) of a user and a domain specific ID of the user, the system comprising an ID association server accessible by a plurality of secure domains over a network. The system also includes an ID associator application that when executed by ID association server is configured to receive a domain specific ID that associates the user to the secure domain, enter the domain specific ID in a domain transcendent ID record created for the user, generate a unique data associated with the domain transcendent ID record and identify a network location for submission of the unique data, send the unique data and the network location to the user, and associate the domain transcendent ID and the domain specific ID.
    Type: Grant
    Filed: December 8, 2010
    Date of Patent: July 1, 2014
    Assignee: Disney Enterprises, Inc.
    Inventors: Arnaud Robert, Edward C. Drake
  • Patent number: 8769649
    Abstract: A full spectrum cyber identification determination process for accurately and reliably determining and reporting any identification determination from a full spectrum of possible cyber identification determinations.
    Type: Grant
    Filed: March 4, 2013
    Date of Patent: July 1, 2014
    Inventor: Jeffry David Aronson
  • Patent number: 8769290
    Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for providing confidential structured data. In one aspect, a method includes creating a first data structure instance according to a protocol for creating structured and extensible data structures. The first data structure instance is serialized. The serialized first data structure instance is encrypted. A second data structure instance is created according to the protocol. The second data structure instance contains the encrypted and serialized first data structure instance. The second data structure instance is serialized.
    Type: Grant
    Filed: February 28, 2011
    Date of Patent: July 1, 2014
    Assignee: Google Inc.
    Inventor: Aaron Jacobs
  • Patent number: 8762724
    Abstract: Embodiments of website authentication including receiving a request from a user to view a website within a graphical user interface (GUI); generating a one time password (OTP); storing the generated OTP in a database; displaying the generated OTP on the GUI; verifying an identity of the user by receiving an identification datum from a communication device; receiving an entered OTP from the user; comparing the entered OTP with the generated OTP; and communicating whether the website is authenticated.
    Type: Grant
    Filed: September 13, 2012
    Date of Patent: June 24, 2014
    Assignee: International Business Machines Corporation
    Inventors: Jose Bravo, Jeffrey L. Crume
  • Publication number: 20140172243
    Abstract: A method for detecting a smart key around a vehicle includes: searching a smart key around a vehicle by emitting a registration request message at each preset emission period; when a response message to the registration request message is received from the smart key, checking whether or not the reception of the response message is maintained during a predetermined time; when the reception of the response message is maintained during the predetermined time, emitting an authentication request message containing encryption information for authenticating the smart key; and when an authentication message to the authentication request message is received from the smart key, authenticating the smart key based on the authentication message.
    Type: Application
    Filed: December 16, 2013
    Publication date: June 19, 2014
    Applicant: Hyundai Autron Co., Ltd.
    Inventor: Dong Woo Koh
  • Patent number: 8756421
    Abstract: Provided are an authentication device using a true random number generating element or a pseudo-random number generating element, for example, a USB token, an authentication apparatus using the same, an authentication method, an authentication system and the like. In the authentication system, the authentication device is prepared on a user side, and one code generated in the authentication device is used to encrypt another code. The authentication apparatus registers the codes and decrypts the encrypted code sent from the authentication device by using the registered codes to perform an authentication.
    Type: Grant
    Filed: May 16, 2007
    Date of Patent: June 17, 2014
    Inventors: Osamu Kameda, Masakazu Sato
  • Patent number: 8756673
    Abstract: Techniques for sharing data between users in a manner that maintains anonymity of the users. Tokens are generated and provided to users for sharing data. A token comprises information encoding an identifier and an encryption key. A user may use a token to upload data that is to be shared. The data to be shared is encrypted using the encryption key associated with the token and the encrypted data is stored such that it can be accessed using the identifier associated with the token. A user may then use a token to access the shared data. The identifier associated with the token being used to access the shared data is used to access the data and the encryption key associated with the token is used to decrypt the data. Data is shared anonymously without revealing the identity of the users using the tokens.
    Type: Grant
    Filed: March 30, 2007
    Date of Patent: June 17, 2014
    Assignee: Ricoh Company, Ltd.
    Inventors: John W. Barrus, Tomohiko Sasaki, Jamey Graham, Sharon Kojima
  • Patent number: 8756426
    Abstract: A method, system and non-transitory computer-readable medium product are provided for functionality watermarking and management. In the context of a method, a method is provided that includes identifying a request to perform at least one function of a user device and identifying at least one watermark template. The method further includes applying the at least one watermark template to at least one function of the user device and authorizing the request to perform the at least one function of the user device.
    Type: Grant
    Filed: July 3, 2013
    Date of Patent: June 17, 2014
    Inventor: John Marshall
  • Patent number: 8756425
    Abstract: A multi-function memory card is disclosed including: a memory card interface for coupling with a memory card connection port of a terminal device; a storage module for storing one or more specific files transmitted from the terminal device; a protocol converter for retrieving the one or more specific files from the storage module and extracting data contained in the one or more specific files; and a smart card module for conducting an operation on extracted data from the protocol converter using a private key to generate one or more response data and transmitting the one or more response data to the protocol converter; wherein the protocol converter converts the one or more response data into one or more response files and writes the one or more response files into the storage module so that the one or more response files are accessible by the terminal device.
    Type: Grant
    Filed: July 23, 2012
    Date of Patent: June 17, 2014
    Assignee: Jrsys International Corp.
    Inventor: Jiann Dong Wu
  • Patent number: 8756674
    Abstract: A method of authenticating a network client to a relying party computer via a computer server comprises the computer server receiving a transaction code from a token manager via a first communications channel. The network client is configured to communicate with a token manager which is configured to communicate with a hardware token interfaced therewith. The network client is also configured to communicate with the relying party computer and the computer server. The computer server also receives a transaction pointer from the relying party computer via a second communications channel that is distinct from the first communications channel. Preferably, the transaction pointer is unpredictable by the computer server. The computer server transmits an authorization signal to the relying party computer in accordance with a correlation between the transaction code and the transaction pointer. The authorization signal facilitates authentication of the network client to the relying party computer.
    Type: Grant
    Filed: February 19, 2010
    Date of Patent: June 17, 2014
    Assignee: SecureKey Technologies Inc.
    Inventors: Troy Jacob Ronda, Pierre Antoine Roberge, Patrick Hans Engel, Rene McIver, Gregory Howard Wolfond, Andre Michel Boysen
  • Patent number: 8756666
    Abstract: Authentication codes associated with an entity are generated. A stored secret associated with an entity is retrieved. At a first point in time, a first dynamic value associated with a first time interval is determined. A first authentication code based on the first dynamic value is determined. At a second point in time, a second dynamic value associated with a second time interval is determined. A second authentication code based on the second dynamic value is determined. The first and second authentication codes are derived from the stored secret and the amount of time between the first and second points in time is different from the length of the first time interval.
    Type: Grant
    Filed: September 30, 2008
    Date of Patent: June 17, 2014
    Assignee: EMC Corporation
    Inventors: Eric A. Silva, William M. Duane
  • Patent number: 8752148
    Abstract: A processorless hardware token provides a one-time password for user authentication. The processorless hardware token contains a non-volatile memory upon which is stored a pre-produced sequence of one-time passwords. The processorless hardware token uses limited circuitry on a circuit board to read from the non-volatile memory and display a one-time password associated with a current interval. The displayed one-time password is then used for authentication by an authentication server that compares the one-time password displayed on the processorless hardware token with a one-time password retrieved from a copy of the pre-produced sequence of one-time passwords stored on the Authentication Server.
    Type: Grant
    Filed: June 25, 2012
    Date of Patent: June 10, 2014
    Assignee: EMC Corporation
    Inventors: Edward W. Vipond, Karl Ackerman
  • Patent number: 8751827
    Abstract: A method of securely operating a computerized system includes forming a connection to a user-removable physical security device (PSD) which is uniquely paired with the computerized system and which stores cryptographically secured data required for performing a protected function on the computerized system. The PSD may be realized as a USB or similar peripheral device containing security-related data and potentially security processing capability as well. The protected function could be decrypting of encrypted data encryption keys used to encrypt/decrypt user data for example. A user who has an established association with the PSD (e.g. by some preceding registration process) is authenticated, resulting in activation of the PSD on the computerized system. Upon such activation of the PSD, the computerized system engages in a security operation using the cryptographically secured data from the PSD to enable the protected function to be performed under control of the user on the computerized system.
    Type: Grant
    Filed: June 25, 2010
    Date of Patent: June 10, 2014
    Assignee: EMC Corporation
    Inventors: William M. Duane, Robert W. Griffin, John S. Harwood, Gregory W. Lazar, Thomas E. Linnell
  • Patent number: 8751815
    Abstract: Methods, apparatuses, and articles for receiving, by a server, a plurality of identifiers associated with a client device are described herein. The server may also encrypt a plurality of encoding values associated with the plurality of identifiers using a first key of a key pair of the server, and generate a token uniquely identifying the client device, a body of the token including the encrypted plurality of encoding values. In other embodiments, the server may receive a token along with the plurality of identifiers. In such embodiments, the server may further verify the validity of the received token, including attempting to decrypt a body of the received token with a key associated with a second server, the second server having generated the received token, and, if decryption succeeds, comparing ones of the plurality of identifiers with second identifiers found in the decrypted body to check for inconsistencies.
    Type: Grant
    Filed: October 24, 2007
    Date of Patent: June 10, 2014
    Assignee: iovation Inc.
    Inventors: Ron Lunde, Daniel Lulich, Greg Pierson
  • Patent number: 8751800
    Abstract: Embodiments are directed towards providing interoperability by establishing a trust relationship between a provider of a media player usable by a consumer and a content provider. A trust relationship is verified through using a public-private key certification authority. When a request for content is received from a consumer, the request might indicate what content protection mechanisms are available in the consumer's device. When a trust relationship is determined to exist between the content provider and the media player providers, the content provider encrypts a license separately for each of a plurality of different content protection mechanisms available at the consumer's device. The encrypted licenses are provided to the consumer's device, where the media player may be selected to play the content based on a self integrity check the media player may perform, and its ability to use a private key associated with a corresponding public key to decrypt the license.
    Type: Grant
    Filed: April 2, 2012
    Date of Patent: June 10, 2014
    Assignee: Google Inc.
    Inventor: David Kimbal Dorwin