Pre-loaded With Certificate Patents (Class 713/173)
-
Publication number: 20150121077
Abstract: A method and an apparatus for controlling a lock state of an electronic device, and a system therefor are provided. The method includes signing a lock state update request by using a unique key loaded in a confidence region of the electronic device when a lock state change is requested, generating a lock state control request message including the lock state update request, the signed lock state update request, and a certificate of the electronic device, transmitting the generated lock state control request message to a service provider server, and authenticating a lock state update command in a communication processor of the electronic device and updating a state of the communication processor according to the lock state update command when the lock state update command is received from the service provider server.
Type: Application
Filed: October 24, 2014
Publication date: April 30, 2015
Inventors: Bumhan KIM, Chankyu HAN, Michael PARK
-
Patent number: 9021566
Abstract: A web server authenticates a user with a web client using a database user table and provides a list of new applications, suspended application sessions, and running application sessions. In response to a request for a new application session, a connection is made from an agent server to an application server hosting the requested application, and connection information including a unique session_ID is added to a database session table such that the client can send a user selection for a session_ID to the web server, which associates the requested session_ID to an existing suspended or running application session using the connection database. For additional security, the client is determined to be trusted or untrusted, and if untrusted, connections to the client are made through a forwarding host, which makes connections to the agent server, and the agent server maintains persistent connections from the agent server to the application server.
Type: Grant
Filed: October 19, 2012
Date of Patent: April 28, 2015
Assignee: Starnet Communications Corporation
Inventors: Panagiotis Panayotopoulos, Martin Porcelli, Steven Schoch
-
Patent number: 9021572
Abstract: A method of anonymous access to a service, comprising the allocation, by at least one certifying entity, of a plurality of certificates to a user entity, the certificates being calculated on the basis of at least one attribute associated with the user entity, the calculation, by the user entity, of an aggregated certificate on the basis of a plurality of certificates among the certificates allocated to the user entity, the calculation, by the user entity, of a proof of knowledge of the aggregated certificate and a verification, performed by a verifying entity, of at least one of these certificates by means of said proof of knowledge, the access to the service being provided by the verifying entity to the user entity as a function of the result of this verification.
Type: Grant
Filed: December 19, 2011
Date of Patent: April 28, 2015
Assignee: Orange
Inventors: Sébastien Canard, Roch Lescuyer
-
Patent number: 9015817
Abstract: A computer system receives a request to access a server. The request includes a first device tag set. When the first device tag set matches a previously assigned device tag set, the computer system allows access to the server without requesting full access credentials of a user. The computer system invalidates the first device tag set, and sends a second device tag set. When the first device tag set does not match the previously assigned device tag set, the computer system requests full access credentials from the user.
Type: Grant
Filed: April 3, 2013
Date of Patent: April 21, 2015
Assignee: Symantec Corporation
Inventors: Mingliang Pei, Liyu Yi, Ajay Ramamurthy, Mark Chan, Salil Sane
-
Patent number: 9015821
Abstract: A user authentication method and system. A computing system receives from a user, a first request for accessing specified functions executed by a specified software application. The computing system enables a security manager software application and connects the specified software application to a computing apparatus. The computing system executes first security functions associated with the computing apparatus. The computing system executes second security functions associated with additional computing apparatuses. The computing system determines if the user may access the specified functions executed by the specified software application based on results of executing the first security functions and the second security functions. The computing system generates and stores a report indicating the results.
Type: Grant
Filed: July 26, 2013
Date of Patent: April 21, 2015
Assignee: International Business Machines Corporation
Inventors: Sara H. Basson, Dimitri Kanevsky, Edward E. Kelley, Irina Rish
-
Patent number: 8997192
Abstract: A secure processor such as a TPM generates one-time-passwords used to authenticate a communication device to a service provider. In some embodiments the TPM maintains one-time-password data and performs the one-time-password algorithm within a secure boundary associated with the TPM. In some embodiments the TPM generates one-time-password data structures and associated parent keys and manages the parent keys in the same manner it manages standard TPM keys.
Type: Grant
Filed: May 17, 2013
Date of Patent: March 31, 2015
Assignee: Broadcom Corporation
Inventors: Mark Buer, Douglas Allen
-
Patent number: 8996873
Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session with. The server transmits the encrypted premaster secret to the different server for decryption along with other information necessary to compute a master secret. The different server decrypts the encrypted premaster secret, generates the master secret, and transmits the master secret to the server. The server receives the master secret and continues with the handshake procedure including generating one or more session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server.
Type: Grant
Filed: April 8, 2014
Date of Patent: March 31, 2015
Assignee: Cloudflare, Inc.
Inventors: Sébastien Andreas Henry Pahl, Matthieu Philippe François Tourne, Piotr Sikora, Ray Raymond Bejjani, Dane Orion Knecht, Matthew Browning Prince, John Graham-Cumming, Lee Hahn Holloway, Nicholas Thomas Sullivan, Albertus Strasheim
-
Patent number: 8997191
Abstract: Embodiments of the invention relate to collecting keystroke timing data of samples of a phrase input by a user on an input device during different user sessions, and creating a biometric user template based on the timing data collected during the different sessions. Once a sufficient number of samples are collected, the template may be used to authenticate the user.
Type: Grant
Filed: February 3, 2009
Date of Patent: March 31, 2015
Assignee: Servicesource International, Inc.
Inventors: Yvonne J. Stark, Mechthild Reginu Kellas-Dicks
-
Patent number: 8990890
Abstract: In a first embodiment of the present invention, a method for operating a presence server in a home network is provided, the method comprising: receiving a request for presence information; sending an event notification to all subscribed control points informing them of the request for presence information; receiving an action from one of the subscribed control points accepting or rejecting the request for presence information; and if the action received from the one of the subscribed control points accepts the request for presence information, causing presence information regarding the one of the subscribed control points to be sent to the entity that sent the request for presence information.
Type: Grant
Filed: April 27, 2011
Date of Patent: March 24, 2015
Assignee: Samsung Electronics Co., Ltd.
Inventors: Mahfuzur Rahman, Russell Berkoff
-
Patent number: 8990559
Abstract: Embodiments of the present invention provide for a method, system, and apparatus for creating a policy compliant environment on a computer. In an embodiment of the invention, an encrypted file can be loaded into memory of a computing device. The encrypted file can define a security policy for the computing device. The method can further include validating the encrypted file to ensure an authenticity of the encrypted file and updating the security policy of a target computing device in response to a successful validation of the encrypted file according to the validated encrypted file.
Type: Grant
Filed: February 7, 2013
Date of Patent: March 24, 2015
Assignee: SteelCloud, LLC
Inventors: Brian H. Hajost, Bao Nguyen
-
Patent number: 8977844
Abstract: An embodiment generally relates to a method of managing tokens. The method includes detecting a presence of a token at a client and determining a status of the token. The method also includes formatting the token at the client in response to the status of the token being unformatted.
Type: Grant
Filed: August 31, 2006
Date of Patent: March 10, 2015
Assignee: Red Hat, Inc.
Inventors: Steven William Parkinson, Robert B. Lord
-
Patent number: 8977857
Abstract: A client device has one or more processors and memory. An application running on the device obtains a client certificate from a system service running on the device. The certificate includes a public key for the device. The device is authenticated to a remote server using the certificate. The application receives encrypted application identification information and an encrypted access token from the server. The application is authenticated to the device by comparing the received application identification information with corresponding application identification information from the application. The application invokes the system service to unencrypt the access token using the private key corresponding to the public key. The application sends a request for protected information to the server. The request includes the unencrypted access token.
Type: Grant
Filed: February 8, 2013
Date of Patent: March 10, 2015
Assignee: Google Inc.
Inventor: Oscar del Pozo Triscon
-
Patent number: 8972591
Abstract: A method for downloading software from a host device to an electronic device through a communication line, which, even when the download is interrupted, can simplify the procedure to restart the download while maintaining security. In the method, a certificate of authenticity data, which the card reader has obtained from the HOST computer, is stored in the non volatile memory. The download of the software from the HOST computer to the card reader is executed. The verification of authenticity data is obtained by calculation with respect to the downloaded software. This verification of authenticity data is then compared with the certificate of authenticity data obtained from the HOST computer, and the downloaded software is run when the certificate of authenticity data matches the verification of authenticity data.
Type: Grant
Filed: January 11, 2011
Date of Patent: March 3, 2015
Assignee: Nidec Sankyo Corporation
Inventor: Tsutomu Baba
-
Patent number: 8973122
Abstract: A two-factor network authentication system uses “something you know” in the form of a password/PIN and “something you have” in the form of a key token. The password is encrypted in a secure area of the USB device and is protected from brute force attacks. The key token includes authentication credentials. Users cannot authenticate without the key token. Four distinct authentication elements must be present. The first element is a global unique identifier that is unique to each key. The second is a private credential generated from the online service provider that is stored in a secure area of the USB device. The third element is a connection profile that is generated from the online service provider. The fourth element is a credential that is securely stored with the online service provider. The first two elements create a unique user identity. The second two elements create mutual authentication.
Type: Grant
Filed: April 20, 2012
Date of Patent: March 3, 2015
Assignee: Directpointe, Inc.
Inventors: Justin M. Beck, Chad L Swensen
-
Patent number: 8966262
Abstract: Methods and apparatus enabling programming of electronic identification information of a wireless apparatus. In one embodiment, a previously purchased or deployed wireless apparatus is activated by a cellular network. The wireless apparatus connects to the cellular network using an access module to download operating system components and/or access control client components. The described methods and apparatus enable updates, additions and replacement of various components including Electronic Subscriber Identity Module (eSIM) data, OS components. One exemplary implementation of the invention utilizes a trusted key exchange between the device and the cellular network to maintain security.
Type: Grant
Filed: October 8, 2013
Date of Patent: February 24, 2015
Inventors: Stephan V. Schell, Arun G. Mathias, Jerrold Von Hauck, David T. Haggerty, Kevin McLaughlin, Ben-Heng Juang, Li Li
-
Patent number: 8959356
Abstract: A storage controller and program product is provided for performing double authentication for controlling disruptive operations on storage resources generated by a system administrator. A first request is received from a first user for generation of a first key. A first key is generated, provided to the first user and associated with the storage resource. An input is received from the administrator, the input comprises a second key and a command for performing the disruptive operation. The second key and the first key are compared. It is verified that the administrator is authorized as an administrator of the storage resource. The disruptive operation is performed on the storage resource if the second key and the first key match and the administrator is authorized. Otherwise, the performance of the disruptive operation is denied.
Type: Grant
Filed: March 15, 2013
Date of Patent: February 17, 2015
Assignee: International Business Machines Corporation
Inventors: Vincent Boucher, Sebastien Chabrolles, Benoit Granier, Arnaud Mante
-
Patent number: 8955039
Abstract: Generally, this disclosure describes devices, methods and systems for securely providing context sensor data to mobile platform applications. The method may include configuring sensors to provide context data, the context data associated with a mobile device; providing an application programming interface (API) to a sensor driver, the sensor driver configured to control the sensors; providing a trusted execution environment (TEE) operating on the mobile device, the TEE configured to host the sensor driver and restrict control and data access to the sensor driver and to the sensors; generating a request for the context data through the API, the request generated by an application associated with the mobile device; receiving, by the application, the requested context data and a validity indicator through the API; verifying, by the application, the requested context data based on the validity indicator; and adjusting a policy associated with the application based on the verified context data.
Type: Grant
Filed: September 12, 2012
Date of Patent: February 10, 2015
Assignee: Intel Corporation
Inventors: Gyan Prakash, Jesse Walker, Saurabh Dadu
-
Patent number: 8955061
Abstract: An information processing apparatus for executing authentication processing, characterized by comprising: storage means for storing, in association with each other, an image, region information indicating a region included in the image, and word information indicating an object linked with the region; determination means for determining an image to be used for the authentication processing among the images stored in the storage means; display means for displaying the image determined by the determination means; specification means for specifying, in a case where a user designates a position within the image displayed by the display means, word information associated with region information of a region including the position; and authentication means for executing authentication processing using the word information specified by the specification means.
Type: Grant
Filed: April 10, 2013
Date of Patent: February 10, 2015
Assignee: Canon Kabushiki Kaisha
Inventor: Manami Hatano
-
Patent number: 8954759
Abstract: A magnetic memory device includes a main memory made of magnetic memory, the main memory further including a parameter area used to store parameters used to authenticate data. Further, the magnetic memory device has parameter memory that maintains a protected zone used to store protected zone parameters, and an authentication zone used to store authentication parameters, the protection zone parameters and the authentication parameters being associated with the data that requires authentication. Upon modification of any of the parameters stored in the parameter memory by a user, a corresponding location of the parameter area of the main memory is also modified.
Type: Grant
Filed: September 14, 2012
Date of Patent: February 10, 2015
Assignee: Avalanche Technology, Inc.
Inventors: Siamack Nemazie, Ngon Van Le
-
Patent number: 8955044
Abstract: A method of generating a time managed challenge-response test is presented. The method identifies a geometric shape having a volume and generates an entry object of the time managed challenge-response test. The entry object is overlaid onto the geometric shape, such that the entry object is distributed over a surface of the geometric shape, and a portion of the entry object is hidden at any point in time. The geometric shape is rotated, which reveals the portion of the entry object that is hidden. A display region on a display is identified for rendering the geometric shape and the geometric shape is presented in the display region of the display.
Type: Grant
Filed: October 4, 2010
Date of Patent: February 10, 2015
Assignee: Yahoo! Inc.
Inventors: Kunal Punera, Shanmugasundaram Ravikumar, Anirban Dasgupta, Belle Tseng, Hung-Kuo (James) Chu
-
Patent number: 8925046
Abstract: A device includes a memory which stores a program, and a processor which executes, based on the program, a procedure comprising establishing a session with a request source when a request for a service, made to a second providing source, has been received from the request source, the second providing source providing the service based on data stored in a first providing source; and when an inquiry about whether to transmit the data to the second providing source has been received from the first providing source, notifying, so as to encrypt a mask range of the data, the first providing source of session information indicating the session established with the request source and notifying the request source of the session information so as to decrypt the encrypted mask range of data based on the session information.
Type: Grant
Filed: February 25, 2013
Date of Patent: December 30, 2014
Assignee: Fujitsu Limited
Inventors: Takao Ogura, Fumihiko Kozakura
-
Patent number: 8918848
Abstract: Methods and systems for third party client authentication of a client. A method includes displaying a user interface on a display of the client, the user interface including an option to select a supported credential type of a third party authentication server, receiving a command selecting the supported credential type, and sending credential information and the selected supported credential type to an authentication server for third party authentication by the third party authentication server. The third party authentication server may support a token-based authentication protocol for implementing single sign on (SSO).
Type: Grant
Filed: April 26, 2010
Date of Patent: December 23, 2014
Assignee: BlackBerry Limited
Inventors: Girish Kumar Sharma, Lenny Kwok-Ming Hon, Joseph Daniel Burjoski, Kenneth Cyril Schneider
-
Publication number: 20140372762
Abstract: A trusted device, such as a wristwatch 2, is provided with authentication circuitry 26, used to perform an authentication operation to switch the trusted device into an authenticated state. Retention monitoring circuitry 32 monitors the physical possession of the trusted device by the user following the authentication operation and switches the trusted device out of an authenticated state if the trusted device does not remain in the physical possession of the user. While the trusted device remains in the physical possession of the user, communication triggering circuitry 38 is used to detect a request to establish communication with a target device that is one of a plurality of different target devices and communication circuitry 40 is used to communicate with that target device using an authenticated identity of the user.
Type: Application
Filed: June 18, 2013
Publication date: December 18, 2014
Inventors: Krisztian FLAUTNER, Hugo John Martin Vincent, Amyas Edward Wykes Phillips, Robert George Taylor
-
Publication number: 20140359295
Abstract: A method is provided for transferring control of a security module from a first entity to a second entity. The security module has a first security domain controlled by the first entity by at least one first secret control key specific to the first entity, and a second security domain, the second domain containing a private key and a certificate of a public key of a controlling authority. The method includes: receiving a request to obtain the certificate; sending the certificate; receiving data encrypted by the public key of the certificate, the data including at least one second secret control key specific to the second entity; decrypting the data; verifying the data; and if the verification is positive, replacing the at least one first secret control key by the at least one second secret control key.
Type: Application
Filed: October 12, 2012
Publication date: December 4, 2014
Applicant: ORANGE
Inventors: Ahmad Saif, Bertrand Pladeau
-
Publication number: 20140359294
Abstract: Systems, software, and methods are provided for configurable, encrypted, secure QR code creation and use. Furthermore, these codes can be used by many entities to provide improved monitoring for a variety of systems.
Type: Application
Filed: May 23, 2014
Publication date: December 4, 2014
Applicant: Cartasite, Inc.
Inventor: David L. Armitage
-
Patent number: 8904193
Abstract: A method for operating a security device includes a microcontroller, a protected memory area, in which at least one item of protection-worthy information is stored, and a unit, the microcontroller being connected to the protected memory area via the unit, the at least one item of protection-worthy information being accessed by the microcontroller via the unit when the method is carried out.
Type: Grant
Filed: November 22, 2010
Date of Patent: December 2, 2014
Assignee: Robert Bosch GmbH
Inventors: Markus Ihle, Robert Szerwinski, Oliver Bubeck, Jan Hayek, Jamshid Shokrollahi
-
Patent number: 8904178
Abstract: A method and apparatus for directing a client to establish a secure connection with a server across a public network. The server and the client exchange a Server Authentication Public Key, a Client Authentication Public Key, and a Remote Service Unique Identifier (RSUID) during a registration process. In one embodiment, the method includes the client transmitting to the server a client information package having the RSUID and a client challenge information package encrypted with the Server Authentication Public Key, the client receiving from the server a server information package having the RSUID and a server challenge information package and a portion of the received client challenge information encrypted with the Client Authentication Public Key, the client decrypting and verifying the server challenge information package with the Client Authentication Private Key, and, the client transmitting to the server an encrypted portion of the received client challenge information.
Type: Grant
Filed: September 26, 2007
Date of Patent: December 2, 2014
Assignee: International Business Machines Corporation
Inventors: Mark F. Wilding, Randall W. Horman
-
Patent number: 8898458
Abstract: A method includes receiving at a first computer a new certificate which is to replace an old certificate associated with the first computer and associating by the first computer the new certificate with the first computer. In response to the first computer associating the new certificate with the first computer, the first computer accesses an email address book of the first computer having information identifying a second computer as having received the old certificate to determine from the information that the second computer is to associate the new certificate in place of the old certificate with the first computer. In turn, the first computer transmits the new certificate to the second computer for the second computer to associate the new certificate with the first computer.
Type: Grant
Filed: July 7, 2010
Date of Patent: November 25, 2014
Assignee: AT&T Intellectual Property I, L.P.
Inventors: Brian M. Novack, Daniel L. Madsen, Michael D. Cheaney, Timothy R. Thompson
-
Patent number: 8874918
Abstract: A method for conditionally allowing fruition of broadcast contents, broadcast by a contents broadcaster and received by a user by means of a receiving equipment, includes: performing, locally at the receiving equipment of the user, a first fruition entitlement check based on first fruition entitlement data available locally at the receiving equipment; having the receiving equipment provide to the contents broadcaster the first fruition entitlement data exploiting a return communications channel of the receiving equipment; having the contents broadcaster perform a second fruition entitlement check based on a comparison between the received first fruition entitlement data and second fruition entitlement data available locally to the contents broadcaster; and conditioned on a result of the second check, having the contents broadcaster provide to the receiving equipment, exploiting the return communications channel, a fruition entitlement confirmation notification; at the receiving equipment, conditioning the fru
Type: Grant
Filed: April 28, 2005
Date of Patent: October 28, 2014
Assignee: Telecom Italia S.p.A.
Inventor: Paolo Goria
-
Patent number: 8874938
Abstract: A program execution device capable of protecting a program against unauthorized analysis and alteration is provided. The program execution device includes an execution unit, a first protection unit, and a second protection unit. The execution unit executes a first program and a second program, and is connected with an external device that is capable of controlling the execution. The first protection unit disconnects the execution unit from the external device while the execution unit is executing the first program. The second protection unit protects the first program while the execution unit is executing the second program.
Type: Grant
Filed: July 26, 2013
Date of Patent: October 28, 2014
Assignee: Panasonic Intellectual Property Corporation of America
Inventors: Hideki Matsushima, Teruto Hirota, Yukie Shoda, Shunji Harada
-
Publication number: 20140304514
Abstract: The present invention includes a system for monitoring the transmission of digital files across a secured boundary of a private ecosystem. Because an application programming interface making calls to a web application platform controls the placement of security tokens, distinct programs on devices from which transmissions originate, or are bound, to place and update tokens is generally obviated.
Type: Application
Filed: April 7, 2014
Publication date: October 9, 2014
Applicant: MACH 1 DEVELOPMENT, INC.
Inventor: Paul Greene
-
Patent number: 8856514
Abstract: A renewed digital certificate is obtained within an asynchronous messaging environment from a certificate server of an issuer of an existing digital certificate to replace the existing digital certificate. The renewed digital certificate includes an extended attribute that stores a serial number value of the existing digital certificate. A message is received with a symmetric key that is encrypted using the existing digital certificate. The symmetric key is identified within the message by the serial number value of the existing digital certificate. The message is processed using the renewed digital certificate.
Type: Grant
Filed: March 12, 2012
Date of Patent: October 7, 2014
Assignee: International Business Machines Corporation
Inventors: Bret W. Dixon, Scot W. Dixon
-
Patent number: 8856531
Abstract: Methods, computer program products, and systems are provided for using a single shared secured connection among all servers in a cluster by efficiently establishing and securely disseminating a shared key between the servers. In particular, this is done by using a Diffie-Hellman key agreement scheme among the servers using an ordered list of servers generated on-the-fly.
Type: Grant
Filed: June 27, 2011
Date of Patent: October 7, 2014
Assignee: EMC Corporation
Inventors: Peter Alan Robinson, Kanchan Kaur, Sean Parkinson
-
Patent number: 8856904
Abstract: A mechanism is provided for enhancing password protection. A combination password that comprises dynamic text interspersed within a static user password is received from a user. A determination is made as to whether the combination password is to be verified without the dynamic text. Responsive to identifying that the combination password is to be verified without the dynamic text, the dynamic text is filtered from the combination password based on an identified dynamic suggestion issued to the user prior to the combination password being received thereby forming a filtered password. The filtered password is then authenticated using information stored for the user. Responsive to validating the filtered password, access is granted by the user to a secured system.
Type: Grant
Filed: February 22, 2013
Date of Patent: October 7, 2014
Assignee: International Business Machines Corporation
Inventors: Abdullah Q. Chougle, Vishal V. Chougule, Priyanka P. Jain
-
Patent number: 8848917
Abstract: A method for verifying the integrity of a key implemented in a symmetrical ciphering or deciphering algorithm, including the steps of complementing to one at least the key; and verifying the coherence between two executions of the algorithm, respectively with the key and with the key complemented to one.
Type: Grant
Filed: May 14, 2009
Date of Patent: September 30, 2014
Assignee: STMicroelectronics (Rousset) SAS
Inventors: Pierre-Yvan Liardet, Yannick Teglia
-
Patent number: 8848919
Abstract: Providing revocation status of at least one associated credential includes providing a primary credential that is at least initially independent of the associated credential, binding the at least one associated credential to the primary credential, and deeming the at least one associated credential to be revoked if the primary credential is revoked. Providing revocation status of at least one associated credential may also include deeming the at least one associated credential to be not revoked if the primary credential is not revoked. Binding may be independent of the contents of the credentials and may be independent of whether any of the credentials authenticate any other ones of the credentials. The at least one associated credential may be provided on an integrated circuit card (ICC). The ICC may be part of a mobile phone or a smart card.
Type: Grant
Filed: June 18, 2012
Date of Patent: September 30, 2014
Assignee: Assa Abloy AB
Inventors: Eric F. Le Saint, Robert S. Dulude
-
Publication number: 20140289516
Abstract: A portable digital vault and related methods are disclosed that can provide a digital equivalent to the physical act of lending copyrighted content (such as a book or CD) while also providing security to prevent copying of the content. The vault acts as a self-contained authority that contains permissions relating to actions that can be taken with respect to the vault and vault contents. Vault contents can be moved between vaults, vaults can be moved between computing devices, and a vault and its contents can be moved together as a single unit. A vault can store any type of content, such as digital books, audio and video. In some embodiments, the vault can be issued by a government authority and contain currency note information that allows the vault to be used as cash. A vault can also serve as a receipt of a digital legal contract.
Type: Application
Filed: February 19, 2014
Publication date: September 25, 2014
Applicant: INFOSYS LIMITED
Inventor: Pankaj Sahay
-
Publication number: 20140281553
Abstract: A secure communication kit is disclosed. The secure communication kit may include a plurality of tangible security tokens, each security token storing one or more cryptographic keys and a group identifier. A first cryptographic key stored on each security token may correspond to one of the cryptographic key(s) stored on every one of the other security tokens. The group identifier stored on each security token may correspond to each group identifier stored on every one of the other security tokens. A client device for securely communicating using the secure communication kit is also disclosed.
Type: Application
Filed: March 13, 2013
Publication date: September 18, 2014
Inventors: Brian Eli Berl Illion, Leslie-Ann Dominy Kirijian
-
Patent number: 8832800
Abstract: A method for producing an electro-biometric signature allowing legal interaction between and the identification of persons utilizing biometric features. The method includes inputting a user's biometric features in a pre-determined sequence and checking that no feature is entered repeatedly.
Type: Grant
Filed: August 24, 2010
Date of Patent: September 9, 2014
Assignee: Administradora de Proyectos y Sistemas Avanzados, S.C.
Inventors: Pedro Pablo Garcia Perez, Juan Luis Soto Decuir, Ciro Alfonso Herrera Ramirez
-
Patent number: 8806573
Abstract: Techniques are provided for the controlled scheduling of the authentication of devices in a lossy network, such as a mesh network. An authenticator device that is configured to authenticate devices in a lossy network receives an authentication start message from a particular device to be authenticated. The authenticator device determines a schedule for engaging in an authentication procedure for the particular device based on an indication of current network utilization.
Type: Grant
Filed: August 9, 2011
Date of Patent: August 12, 2014
Assignee: Cisco Technology, Inc.
Inventors: Atul Mahamuni, Navindra Yadav, Jonathan Hui, Alec Woo, Wei Hong
-
Patent number: 8804963
Abstract: A computer readable medium stores a program causing a computer to execute a key generating processing. The computer generates a signatory private key which is used in an electronic signature, a signatory public key, a signatory public key certificate, a certification public key which is used when recording the signatory private key in a PKI card and a certification private key, transmits the certification private key to the PKI card via a secure communication path, and transmits an encoded signatory key obtained by encoding the signatory public key certificate and the signatory private key using the certification public key to the PKI card via the secure communication path or a non-secure communication path.
Type: Grant
Filed: September 14, 2009
Date of Patent: August 12, 2014
Assignee: Fuji Xerox Co., Ltd.
Inventor: Masamichi Koike
-
Patent number: 8806198
Abstract: A method and system for communicating between a user network device and a server includes a first server and a user network device that requests an electronic token (eToken) from the first server. The first server communicates the eToken, a signature key, and a server time. The user network device determines a signature using the server time and signature key and communicates a request for data to a second server. The request for data includes a signature. The second server communicates data to a user network device.
Type: Grant
Filed: March 4, 2010
Date of Patent: August 12, 2014
Assignee: The DIRECTV Group, Inc.
Inventor: Kapil Chaudhry
-
Patent number: 8800004
Abstract: A computerized authorization system configured to authorize electronically-made requests to an electronic entity. The computerized authorization system comprises a store configured to store an indication of at least one predetermined electronic authorization device configured to authorize each electronically-made request. The computerized authorization system is further configured such that: in response to receiving an electronically-made request to the electronic entity, an indication of the request is output to the at least one predetermined electronic authorization device configured to authorize the request as indicated in the store; and in response to receiving an indication of authorization from the at least one predetermined electronic authorization device, an indication of authorization of the request is output to the electronic entity.
Type: Grant
Filed: March 21, 2012
Date of Patent: August 5, 2014
Inventor: Gary Martin Shannon
-
Patent number: 8800007
Abstract: In general, techniques are described for seamlessly migrating a secure session established between a first computing device and a secure access appliance to a second computing device. In one example, a client computing device establishes a secure session with a secure access appliance. The client computing device receives a request via a communication channel from a second client computing device for secure session data for the first secure session usable by the second client computing device to establish a second secure session with the secure access appliance. The client computing device generates a message that includes the secure session data for the first secure session and sends the message to the second client computing device. Responsive to receiving the message, the second client computing device establishes a new secure session with the secure access appliance.
Type: Grant
Filed: June 24, 2011
Date of Patent: August 5, 2014
Assignee: Juniper Networks, Inc.
Inventor: Chandrasekaran Rajagopalan
-
Patent number: 8793487
Abstract: A public key infrastructure comprising a participant that issues digital certificates. Each digital certificate can be relied upon in at least two different trust domains. The public key infrastructure does not employ policy mapping between or among the trust domains. Furthermore, the public key infrastructure does not link any pair of trust domains via cross-certificates. Just one trust domain is bound to the digital certificate at any given moment. The current trust domain that is to be bound to the digital certificate is elected by a relying party at the time of reliance, based upon a specific certificate validation methodology selected by the relying party.
Type: Grant
Filed: January 16, 2009
Date of Patent: July 29, 2014
Assignee: Identrust, Inc.
Inventors: William C. Epstein, Lawrence R. Miller
-
Patent number: 8788427
Abstract: The limiting of data exposure in authenticated multi-system transactions is disclosed. A client system authenticates and requests secured data and unsecured data with an initial system. The initial system transmits to an external system a token request that corresponds to the request for the secured data. A token is generated and passed to the initial system, which relays the same to the client system. The client system uses the token to access the secured data on the external system, while also retrieving the unsecured data on the initial system. The initial system thus does not have access to the secured data, while the request therefor is known.
Type: Grant
Filed: May 18, 2012
Date of Patent: July 22, 2014
Assignee: Active Network, LLC
Inventor: Doug Johnson
-
Patent number: 8788810
Abstract: In a method of temporarily registering a second device with a first device, in which the first device includes a temporary registration mode, the temporary registration mode in the first device is activated, a temporary registration operation in the first device is initiated from the second device, a determination as to whether the second device is authorized to register with the first device is made, and the second device is temporarily registered with the first device in response to a determination that the second device is authorized to register with the first device, in which the temporary registration requires that at least one of the second device and the first device delete information required for the temporary registration following at least one of a determination of a network connection between the first device and the second device and a powering off of at least one of the first device and the second device.
Type: Grant
Filed: December 29, 2009
Date of Patent: July 22, 2014
Assignee: Motorola Mobility LLC
Inventors: Jiang Zhang, Alexander Medvinsky, Paul Moroney, Petr Peterka
-
Patent number: 8788811
Abstract: A method and system for server-side key generation for non-token clients is described.
Type: Grant
Filed: May 28, 2010
Date of Patent: July 22, 2014
Assignee: Red Hat, Inc.
Inventors: Christina Fu, Andrew Wnuk
-
Patent number: 8782413
Abstract: Various embodiments for providing an update to at least one storage facility in a computing storage environment are provided. In one embodiment, media is received in one or more updatable elements of one or more components of the at least one storage facility, each of the one or more updatable elements including one or more unique update images and one or more unique update commands, a security verification is performed on the update via a certificate authentication mechanism to confirm a validity of the update, a safety verification is performed on the update to confirm a suitability of the update to the at least one storage facility, the update is installed in the at least one storage facility, and the update in the at least one storage facility is processed by traversing a fixed state machine for each updatable element.
Type: Grant
Filed: March 12, 2013
Date of Patent: July 15, 2014
Assignee: International Business Machines Corporation
Inventors: Franck Excoffier, Michael P. Groover, Xu Han, Andreas B. M. Koster, Edward H. Lin, Mario Sweeney
-
Patent number: 8775804
Abstract: A matching authentication method for wireless communication equipment comprises: a device at the transmitting end sends a matching request (S101) to a device at the receiving end; the device at the transmitting end receives the response messages fed back from the device at the receiving end, the response messages carrying feature codes (S102); the device at the transmitting end obtains the feature codes and takes the feature codes as the authentication and authorization codes for communicating with the receiving end. The invention also correspondingly provides a wireless communication device with the function of matching authentication. The wireless communication device comprises a memory unit, a communication unit, an authentication and authorization unit and a feature code updating unit. The invention also correspondingly provides a wireless communication system with the function of matching authentication.
Type: Grant
Filed: June 23, 2009
Date of Patent: July 8, 2014
Assignee: Sany Heavy Industry Co., Ltd.
Inventors: Xiaogang Yi, Yonghong Liu, Yaohui Ou, Jihui Zhou