Pre-loaded With Certificate Patents (Class 713/173)
  • Patent number: 8321352
    Abstract: Various techniques for software license inventory and asset management are disclosed. A fingerprint may be generated and associated with various copies of software applications installed on a software licensee's computer systems. Upon generation, each fingerprint may be stored in a license information database system along with relevant license information for that copy of the software application. A software inventory tool may then be used to collect fingerprints on installed copies of software applications and provide these fingerprints to the license information database system to obtain the corresponding license information. The output of the software inventory tool may be used by a licensee to comply with software license agreements and/or efficiently allocate information technology resources. Methods and systems that provide and process secured, dynamic and persistent tagging of software deployments and usage are also disclosed.
    Type: Grant
    Filed: October 23, 2008
    Date of Patent: November 27, 2012
    Assignee: Symantec Corporation
    Inventors: Kannan Rameshkumar, David D. Wright
  • Patent number: 8321663
    Abstract: A method is provided for enhancing security of a communication session between first and second endpoints which employs a key management protocol. The method includes sending a first message to a first end point over a communications network requesting a secure communication session therewith. The message includes an identity of a second end point requesting the authenticated communication session. A digital certificate is received from the first endpoint over the communications network. The digital certificate is issued by a certifying source verifying information contained in the digital certificate. The digital certificate includes a plurality of fields, one or more of which are transformed in accordance with a transformation algorithm. A reverse transform is applied to the one or more transformed fields to obtain the one or more fields. The digital certificate is validated and a second message is sent to the first endpoint indicating that validation is complete.
    Type: Grant
    Filed: December 31, 2009
    Date of Patent: November 27, 2012
    Assignee: General Instrument Corporation
    Inventors: Alexander Medvinsky, Tat Keung Chan, Eric J. Sprunk
  • Patent number: 8321680
    Abstract: Embodiments describe a system and/or method for multiple party digital signatures. According to a first aspect a method comprises establishing a first validity range for a first key, establishing a first validity range for at least a second key, and determining if the validity range of the first key overlaps the first validity range of the at least a second key. A certificate is signed with the first validity range of the first key and the first validity range of the at least a second key if the validity ranges overlap. According to another embodiment, signage of the certificate is refused if the first validity range of the first key does not overlap with the first validity range of the at least a second key.
    Type: Grant
    Filed: December 9, 2010
    Date of Patent: November 27, 2012
    Assignee: QUALCOMM Incorporated
    Inventors: Alexander Gantman, Aram Perez, Gregory G. Rose, Laurence G. Lundblade, Matthew W. Hohfeld, Michael W. Paddon, Oliver Michaelis, Ricardo Jorge Lopez
  • Publication number: 20120297195
    Abstract: If a smart card is to be used for a particular purpose, and there is no certificate initialized on the smart card for this purpose, a computerized device enables a user to select one of the certificates already installed in the smart card for the particular purpose. The selected certificate may be imported into the computerized device.
    Type: Application
    Filed: July 25, 2012
    Publication date: November 22, 2012
    Applicant: RESEARCH IN MOTION LIMITED
    Inventors: Michael K. Brown, Neil Adams, Herbert Little
  • Patent number: 8307406
    Abstract: A method allows access to a set of secure databases and database applications over an untrusted network without replicating the secure database. The method involves authenticating a user using a first authentication application. When the user is verified, then the user's credentials are directed to a second authentication application associated with a secure database based on a first set of user settings retrieved for the user. The second authentication application, based on a second set of user settings, grants the user access to the secure database and database applications associated with the secure database.
    Type: Grant
    Filed: December 28, 2005
    Date of Patent: November 6, 2012
    Assignee: AT&T Intellectual Property II, L.P.
    Inventors: Roger Aboujaoude, Hossein Eslambolchi, John McCanuel, Michael Morris, Saeid Shariati
  • Patent number: 8307413
    Abstract: The invention relates to a personal token (10) for authentication in a network comprising a piece of software for initiating an SSL connection by generating a message authenticating said token to a remote server (30) characterized in that the piece of software controls the processing of the message so as to use data (12) which is prestored in the token (10) and which is specifically associated with the remote server (30) so that the message can be interpreted only by the specific remote server (30).
    Type: Grant
    Filed: August 24, 2005
    Date of Patent: November 6, 2012
    Assignee: Gemalto SA
    Inventors: Philippe Smadja, Jean-Daniel Aussel
  • Publication number: 20120278614
    Abstract: A user authorization system, a user authorization apparatus, a smart card, and a user authorization method for ubiquitous authorization management are disclosed.
    Type: Application
    Filed: September 30, 2010
    Publication date: November 1, 2012
    Inventor: Unho Choi
  • Patent number: 8302184
    Abstract: An information processing apparatus includes a user authentication unit that authenticates a user in a condition where an authentication medium used for authenticating the user is inserted, the authentication medium storing personal identification information of the user, a private key, and a software program for using the private key and including a processor for running the software program, to thereby establish a verified state in which the user is allowed to use the apparatus, a data processor that performs data processing including private key processing, a processing completion detector that detects completion of the private key processing performed by the data processor, and a verification state changing unit that changes the verified state of the user having been established as a result of authenticating the user to a user unverified state based on detection of the completion of the private key processing in the processing completion detector.
    Type: Grant
    Filed: March 25, 2008
    Date of Patent: October 30, 2012
    Assignee: Fuji Xerox Co., Ltd
    Inventor: Takanori Masui
  • Patent number: 8291225
    Abstract: An apparatus in a system which includes at least a high-level apparatus and a plurality of low-level apparatuses, said apparatus being one of the low-level apparatuses. The apparatus includes a storage unit configured to store an individual certificate set and a common certificate set and a communication unit configured to transmit own authentication information to the high level apparatus to allow the high level apparatus to perform decryption to authenticate the validity of the apparatus.
    Type: Grant
    Filed: December 3, 2009
    Date of Patent: October 16, 2012
    Assignee: Ricoh Company, Ltd.
    Inventor: Tatsuya Imai
  • Patent number: 8285991
    Abstract: An electronic signature device includes a processor, a memory, a user input device including a first biometric input device, and a device interface, all communicatively connected by at least one bus. A method of personalizing the electronic signature device to a user includes receiving a digitized biometric signature of the user via the first biometric input device. A cryptographic key is generated. A biometric electronic template is generated based on the digitized biometric signature. The cryptographic key and the biometric electronic template are stored in the memory.
    Type: Grant
    Filed: February 10, 2009
    Date of Patent: October 9, 2012
    Assignee: TecSec Inc.
    Inventor: Edward M. Scheidt
  • Patent number: 8280904
    Abstract: The invention described herein is generally directed to a method and apparatus for creating and retrieving audio data. In one implementation the invention comprises an annotation system configured to record, store, and retrieve media. The annotation system contains a set of client-processing devices configured to capture media for subsequent playback. Each client-processing device typically contains a record button to initiate the capture and is configured upon performing the capture operation to trigger an association of a unique ID with the media. The client-processing devices are further configured to upload the media and a unique ID to a server for purposes of storage. The server obtains the media and unique ID for subsequent retrieval and provides the media and the unique ID to at least one client-processing device from the set of client processing devices.
    Type: Grant
    Filed: June 16, 2011
    Date of Patent: October 2, 2012
    Assignee: Trio Systems, LLC
    Inventor: Alan Bartholomew
  • Patent number: 8276111
    Abstract: A method of providing access to a dataset in a type-safe manner includes storing a dataset including a plurality of data elements and a corresponding plurality of order keys for indicating an ordering of the data elements. Each order key is associated with one of the data elements. An interface to the dataset is generated that is parameterized by an element type parameter and a key type parameter. The interface is configured to provide access to the data elements and the order keys in the dataset in a type-safe manner.
    Type: Grant
    Filed: December 19, 2008
    Date of Patent: September 25, 2012
    Assignee: Microsoft Corporation
    Inventors: Igor Ostrovsky, John Duffy
  • Patent number: 8275992
    Abstract: An information processing apparatus not having an input device for receiving biometric information can access another information processing apparatus requiring the specific biometric information. A control method for controlling the information processing apparatus includes authenticating a user using biometric information, receiving an access request from an external apparatus, and requesting the external apparatus to send the biometric information in response to reception of the access request from the information processing apparatus. When the information processing apparatus does not have an inputting unit for inputting the requested biometric information, the requesting step includes requesting a predetermined substitute apparatus having the inputting unit to send the biometric information. The authenticating step includes authenticating the user based on the biometric information sent from the predetermined substitute apparatus in response to the request made at the requesting step.
    Type: Grant
    Filed: May 14, 2009
    Date of Patent: September 25, 2012
    Assignee: Canon Kabushiki Kaisha
    Inventor: Toru Ushiku
  • Publication number: 20120239934
    Abstract: A method for creating a digital certificate for a user issued by a reliant party, where the reliant party relies on an established cryptographic infrastructure by a registration or certificate authority is described. The registration authority, typically a large financial or credit institution, has already performed the initial overhead steps necessary for a digital authentication system using a chip card. These steps include minting and distributing the chip card, establishing that the key pair and card are given to the right person, and creating the certificate library. The reliant party leverages this cryptographic infrastructure to issue its own digital certificate and certificate chain to a user already having a chip card from the registration authority. Consequently, a user can have additional digital certificates issued to him and stored at a user-specific memory in a remote certificate library without having the chip card modified.
    Type: Application
    Filed: February 17, 2012
    Publication date: September 20, 2012
    Inventor: Terence V. Trench
  • Patent number: 8271804
    Abstract: An information processing device creates a hash value from an event log every time the event occurs. The information processing device generates a digital signature by encrypting the hash value with its own private key. The device transmits the signature-bound event log obtained by binding the digital signature with the event log to a log management apparatus. The log management apparatus decrypts the hash value from the event log of the received signature-bound log information using a device public key. The apparatus also generates a new hash value from the event log, verifies the coincidence of the decrypted hash value and the new hash value, and authenticates signature-bound event logs for which this coincidence has been verified. The apparatus stores signature-bound event logs that have been authenticated. Every time an event occurs, the device transmits an event log bound with a digital signature that is created using its private key.
    Type: Grant
    Filed: September 17, 2008
    Date of Patent: September 18, 2012
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventor: Yasuhiro Kudo
  • Patent number: 8271790
    Abstract: In a private network setting in which various computers can be attached, the confidential or sensitive data within the various devices on the private network is vulnerable. The ability to copy such confidential or sensitive data to a storage device communicatively coupled to a client computer on the network is governed and controlled. Only devices that include an authentic stamp or digital certificate can be accessed by client computers. If a device does not have a valid stamp or the stamp has been black listed, then the access to the device can be prevented or greatly limited.
    Type: Grant
    Filed: December 21, 2005
    Date of Patent: September 18, 2012
    Assignee: Safend Ltd.
    Inventors: Avner Rosenan, Zvi Gutterman, Hay Hazama, Orli Gan
  • Patent number: 8266447
    Abstract: The subject matter of the invention relates to a system (1) and to a method for securely processing information, particularly sensitive information by means of a signature and/or encryption principle, comprising at least the following: a mobile passive first storage unit (1) for retrievably storing first information, a processing device (3) which is adapted for interacting with the first storage unit (2) in order to process information, comprising: a decryption-protected second storage unit (6) for retrievably storing second information corresponding to the first information, a computer unit (5) for (cryptographically) processing information, an information transmission unit (4), for transmitting the information of the first and/or the second storage unit (2, 6) to the computer unit (5).
    Type: Grant
    Filed: February 27, 2007
    Date of Patent: September 11, 2012
    Assignee: Bayer Innovation GmbH
    Inventors: Stephan Völkening, Hardy Jüngermann, Torsten Hupe
  • Patent number: 8261061
    Abstract: Embodiments of the present invention enable a user to engage in secure communications using digital certificates and other cryptographic technologies in an easy way with a minimum of distracting interaction. In some embodiments of the present invention, webmail is enabled to allow users to obtain and use S/MIME certificates to secure his or her e-mails. Embodiments of the present invention can also be implemented to other forms of messaging, such as text messages, instant messages, etc.
    Type: Grant
    Filed: October 15, 2008
    Date of Patent: September 4, 2012
    Assignee: Penango, Inc.
    Inventor: Sean Joseph Leonard
  • Patent number: 8261072
    Abstract: Aspects of the present invention include a method and system for generating a secure access code at a remote device in communication with a computer system having a secure storage device; conveying the secure access code to the system secure storage device; receiving the secure access code at the system secure storage device with unique data characteristics associated with the remote device; and, securely providing content to the remote device.
    Type: Grant
    Filed: November 30, 2006
    Date of Patent: September 4, 2012
    Assignee: Atmel Corporation
    Inventors: Kerry D. Maletsky, Nathanael J. Bohlmann
  • Patent number: 8261336
    Abstract: A system and method authenticates a user if the user is associated with a certificate on a device the user is using to communicate, even if other users are also associated with the same certificate and/or the user is associated with other certificates on other devices.
    Type: Grant
    Filed: June 15, 2005
    Date of Patent: September 4, 2012
    Assignee: EMC Corporation
    Inventors: Louis A Gasparini, William H Harris
  • Patent number: 8261073
    Abstract: Provided are a digital rights management (DRM) method and apparatus, and more particularly, a DRM method and apparatus which can support different DRMs and use various digital content. The DRM method includes receiving a hello message request from a host device; comparing information included in the hello message request to information stored in advance; generating an error code when the hello message request contains unsupported information; and generating a hello message response that contains the error code.
    Type: Grant
    Filed: May 11, 2007
    Date of Patent: September 4, 2012
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Yun-sang Oh, Sang-gyoo Sim, Suk-bong Lee, Yeo-jin Kim, Kyung-im Jung, Ji-soo Kim
  • Patent number: 8256011
    Abstract: A media package storing program code, the media package comprising a medium storing a first part of the program code intended to be executed on a processor external to the media package, and a processing device storing a state and a second part of the program code, the first and the second parts of the program code being adapted to interact when executed so as to execute the program code. The processing device comprises a processor for verifying the state and for executing the second part of the program code if the verification of the state indicates that this is authorized; and a first interface for communication with the processor external to the media package. The processing device further comprises a second interface adapted to interact with a state change device in order to set the state from a first state not authorizing execution of second part of the program code to a second state authorizing execution of second part of the program code.
    Type: Grant
    Filed: April 18, 2008
    Date of Patent: August 28, 2012
    Assignee: Thomson Licensing
    Inventor: Eric Diehl
  • Patent number: 8254578
    Abstract: An electronic circuit includes a more-secure processor having hardware based security for storing data. A less-secure processor eventually utilizes the data. By a data transfer request-response arrangement between the more-secure processor and the less-secure processor, the more-secure processor confers greater security of the data on the less-secure processor. A manufacturing process makes a handheld device having a storage space, a less-secure processor for executing modem software and a more-secure processor having a protected application and a secure storage. A manufacturing process involves generating a per-device private key and public key pair, storing the private key in a secure storage where it can be accessed by the protected application, combining the public key with the modem software to produce a combined software, signing the combined software; and storing the signed combined software into the storage space.
    Type: Grant
    Filed: March 8, 2011
    Date of Patent: August 28, 2012
    Assignee: Texas Instruments Incorporated
    Inventors: Erdal Paksoy, Narendar Shankar, Sven-Inge Redin
  • Publication number: 20120216042
    Abstract: A method is provided for provisioning a device certificate. A device certificate request is transmitted from a communication device to a server in a communication network using an established communications channel between the communication device and the server. The device certificate request comprises at least a user identifier and a device identifier. The server provides to the communication device a device certificate that includes the user identifier and the device identifier and that is signed by a private key of a certificate authority.
    Type: Application
    Filed: May 1, 2012
    Publication date: August 23, 2012
    Applicant: Research In Motion Limited
    Inventors: Michael K. Brown, Michael S. Brown, Michael Kirkup
  • Patent number: 8239682
    Abstract: A method and system for transmission of digital content via e-mail with point of use digital rights management is disclosed. The secured access rights to the digital content may be customized for individual recipients by the sender, and may evolve over time. The access rights are enforced according to a time-dependent scheme. A key server is used to arbitrate session keys for the encrypted content, eliminating the requirement to exchange public keys prior to transmission of the digital content. During the entire process of transmitting and receiving e-mail messages and documents, the exchange of cryptographic keys remains totally transparent to the users of the system. Additionally, electronic documents may be digitally signed with authentication of the signature.
    Type: Grant
    Filed: September 28, 2005
    Date of Patent: August 7, 2012
    Assignee: NL Systems, LLC
    Inventors: Patrick Carson Meehan, Zachary Wisenbaker Price, Raymond Joseph Zambroski, Jr., William Henry Frenchu, Shawn Patrick Hickey, Jesse Lee White, Anthony Allen Mohr, Jeremy Wayne Gomsrud
  • Patent number: 8230223
    Abstract: Controlling access to disseminated messages includes implementing one or more key management policies that specify how various encryption keys are maintained and in particular, when encryption keys are made inaccessible. Deleting a particular key renders inaccessible all copies of messages, known or unknown, associated with the particular key, regardless of the location of the associated messages. A message may be directly or indirectly associated with a deleted key. Any number of levels of indirection are possible and either situation makes the message unrecoverable. The approach is applicable to any type of data in any format and the invention is not limited to any type of data or any type of data format.
    Type: Grant
    Filed: September 13, 2010
    Date of Patent: July 24, 2012
    Assignee: Check Point Software Technologies, Inc.
    Inventors: Dean Brettle, Yair Zadik
  • Patent number: 8230222
    Abstract: A software distribution method (300) with security add-on is proposed. Particularly, any software package to be deployed to selected target endpoints is encrypted (312-315) with a symmetric key (generated dynamically). The symmetric key is in turn encrypted (318-321) with a public key of each target endpoint. A multi-segment software package (embedding the encrypted software package and the encrypted symmetric keys) is then deployed (324-336, 360) to all the target endpoints. In this way, each target endpoint can decrypt (343-348) the encrypted symmetric key with a corresponding private key; it is then possible to decrypt (363-366) the encrypted software package with the symmetric key so obtained. As a result, the endpoint is able to apply (369) the decrypted software package. Therefore, the application of the software package can be restricted to the desired target endpoints only.
    Type: Grant
    Filed: August 21, 2006
    Date of Patent: July 24, 2012
    Assignee: International Business Machines Corporation
    Inventors: Massimiliano Celli, Luca Ferri, Luigi Pichetti, Marco Secchi, Marcello Velati
  • Patent number: 8218167
    Abstract: An image output system includes a computer and a complex machine connected to the computer. A password generating section of the complex machine, in a case where a user ID transmitted from a transmitting section of the computer is stored in a HDD, generates a password which is different from the user ID, and the transmitting section transmits the password generated by the password generating section. A controller, in a case where the password received by a password receiving section and the password transmitted from the password transmitting section to the computer, controls an image forming section to output image data which is not combined with electronic watermark information by an electronic watermark information combining section.
    Type: Grant
    Filed: February 18, 2009
    Date of Patent: July 10, 2012
    Assignee: Kyocera Mita Corporation
    Inventor: Kunihiko Tanaka
  • Patent number: 8209538
    Abstract: An email policy is applied in a policy manager, running on a mail server in a local area network, to determine whether an outgoing email message should be allowed to be transmitted to a destination address outside the local area network, for example over the internet. A digital signature is used in the policy manager, to determine if the sender is the sender indicated in the message itself. If so, a sender-dependent policy is applied.
    Type: Grant
    Filed: August 16, 2004
    Date of Patent: June 26, 2012
    Assignee: Clearswift Limited
    Inventor: Jim Craigie
  • Patent number: 8205083
    Abstract: A system for providing program information has a user terminal, a recording medium capable of reading information therefrom and writing information thereto through a command issued by the user terminal, and a server connected to the user terminal via a network, and provides program information from the server to the recording medium. The recording medium has a first control unit that performs a first mutual authentication operation with a first storage unit capable of writing program information thereto and the user terminal, and that executes a command to write program information to the first storage unit only if the first mutual authentication operation is successful. The user terminal performs a second mutual authentication operation with the server, obtains program information transmitted from the server if the second mutual authentication operation is successful, and issues a command to write the program information to the first storage unit of the recording medium.
    Type: Grant
    Filed: April 16, 2008
    Date of Patent: June 19, 2012
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Hiroshi Suu, Akira Miura, Akihiro Kasahara
  • Patent number: 8195233
    Abstract: Methods and devices for allowing a wireless communication device (1301) initially unauthorized for communication with a network to obtain persistent soft network subscription credential information (1303) from a wireless communication device (1401) initially authorized for communication with the network are disclosed. In performing the persistent transfer of the soft network subscription credential information (1303), one of a token management module (1312), a session initiation protocol communication module (1408), or an electronic rights manager (1406) may be used to ensure that only one communication device is capable of communicating with a network at any one time.
    Type: Grant
    Filed: July 30, 2007
    Date of Patent: June 5, 2012
    Assignee: Motorola Mobility, Inc.
    Inventors: James J. Morikuni, Bashar Jano
  • Patent number: 8185639
    Abstract: Described are techniques for providing a host identifier for a host. A first portion including a first identifier associated with a system for the host is received. A second portion including a second identifier generated in accordance with a hardware property of the host is received. The host identifier is formed using the first and second portions. The host identifier is used to uniquely identify the host in a storage area network.
    Type: Grant
    Filed: January 3, 2006
    Date of Patent: May 22, 2012
    Assignee: EMC Corporation
    Inventors: Sriram Krishnan, Andreas L. Bauer, Russell R. Laporte, Gregory W. Lazar
  • Patent number: 8185945
    Abstract: An exemplary method involves an SSL server receiving an SSL session request from an SSL client. It is determined whether the SSL client is going to use certificate-based authentication. This may involve identifying a port at which the SSL session request was received. Alternatively, this may involve identifying an IP address at which the SSL session request was received. Alternatively still, this may involve examining authentication information in the SSL session request. If the SSL client is going to use certificate-based authentication, a certificate is requested from the SSL client. If the SSL client is not going to use certificate-based authentication, the certificate is not requested from the SSL client.
    Type: Grant
    Filed: March 2, 2005
    Date of Patent: May 22, 2012
    Assignee: Crimson Corporation
    Inventors: David A. Eatough, Alan B. Butt
  • Patent number: 8181019
    Abstract: The present invention is directed towards systems and methods for maintaining Certificate Revocation Lists (CRLs) for client access in a multi-core system. A first core may generate a secondary CRL corresponding to a master CRL maintained by the first core. The CRLs may identify certificates to revoke. The first core can store the secondary CRL to a memory element accessible by the cores. A second core may receive a request to validate a certificate. The second core can provisionally determine, via access to the secondary CRL, whether the certificate is revoked. The second core may also determine not to revoke the certificate. Responsive to the determination, the second core may request the first core to validate the certificate. The first core can determine whether to revoke the certificate based on the master CRL. The first core may send a message to the second core based on the determination.
    Type: Grant
    Filed: June 22, 2009
    Date of Patent: May 15, 2012
    Assignee: Citrix Systems, Inc.
    Inventors: Ashoke Saha, Christofer Edstrom, Tushar Kanekar
  • Patent number: 8176328
    Abstract: A method for authenticating an operator of an AP includes: registering the operator's identity with a CA, by providing the operator's identification information and public key; creating a certificate including the foregoing; signing the certificate with the CA's private key; provisioning the AP with the signed certificate; provisioning a client with the CA's public key; sending a request from the client to the AP; generating a signature with the operator's private key; returning a reply to the client, including the AP provisioned certificate signed with the generated signature; using the client provisioned CA's public key to obtain the operator's public key from the certificate received in the reply; and, using the operator's public key obtained from the certificate received in the reply to verify the signature generated with the operator's private key and used by the AP to sign the certificate received in the reply.
    Type: Grant
    Filed: September 17, 2008
    Date of Patent: May 8, 2012
    Assignee: Alcatel Lucent
    Inventors: Shu-Lin Chen, Stanley Chow, Christophe Gustave
  • Patent number: 8176534
    Abstract: A method and apparatus are provided for enabling a Universal Plug and Play (UPnP) device to be automatically provisioned to access services without the need for manual interaction. In accordance with the invention, when a UPnP device needs to be provisioned, it automatically obtains pre-provisioning information from a provisioning device on the home network, and uses the pre-provisioning information to interact with the provisioning device to cause the UPnP device to be provisioned. The provisioning enables the UPnP device to access services, including digital rights management (DRM) services, over a network.
    Type: Grant
    Filed: December 30, 2005
    Date of Patent: May 8, 2012
    Assignee: General Instrument Corporation
    Inventors: Geetha Mangalore, Petr Peterka
  • Patent number: 8175269
    Abstract: A system and method for enterprise security including symmetric key protection. In accordance with an embodiment, the system provides a higher level of protection against unauthorized key disclosure by encrypting randomly generated seed data used for key generation, and using digital signatures and asymmetric encryption.
    Type: Grant
    Filed: July 5, 2006
    Date of Patent: May 8, 2012
    Assignee: Oracle International Corporation
    Inventor: Denis Pilipchuk
  • Patent number: 8171280
    Abstract: Two or more distinct operating systems (OSs) are loaded simultaneously and run on an x86 computer system. Each OS is booted serially and in such a way that the OS resides in a separate memory footprint than the other OSs by partitioning the memory map. The partition of the memory map includes a low memory region, dedicated memory partitions for storing each OS, and dedicated regions for storing shadows of the low memory region and the ACPI for each OS. Switching between the two or more resident OSs is performed by sleeping the current OS and then resuming the desired OS using the shadow previously stored for the desired OS. None of the resident OSs require any modification in order to run in this fashion.
    Type: Grant
    Filed: August 21, 2009
    Date of Patent: May 1, 2012
    Inventor: Matthew Laue
  • Patent number: 8171293
    Abstract: Techniques for assuring a receiver's non-repudiation of a communication are provided via cooperation with a secure device. A secure device operates within a local environment of a receiver and exchanges certificates with a sender via the receiver. The sender encrypts data in a communication with the receiver. Separately, the sender sends an encrypted version of a decryption key to the receiver. The receiver presents the encrypted version of the key to the secure device and the secure device supplies the decryption key for use by the receiver to decrypt the previously sent encrypted data.
    Type: Grant
    Filed: May 9, 2006
    Date of Patent: May 1, 2012
    Assignee: Apple Inc.
    Inventor: Gosukonda Naga Venkata Satya Sudhakar
  • Patent number: 8171526
    Abstract: A service providing system is disclosed. The service providing system includes an information processing apparatus and a service providing server, each having an authentication mechanism, that are connected via a network, wherein the information processing apparatus and the service providing server provide a service in response to a request by an authenticated user. The information processing apparatus includes: an information obtaining part for obtaining authentication information for performing authentication in the service providing server wherein the authentication information is associated with a user authenticated in the information processing apparatus; and a process request part for sending a process request including the authentication information to the service providing server.
    Type: Grant
    Filed: October 3, 2005
    Date of Patent: May 1, 2012
    Assignee: Ricoh Company, Ltd.
    Inventors: Sachiko Takeuchi, Toru Matsuda
  • Patent number: 8161546
    Abstract: In one embodiment, an apparatus and method for partitioning data on a smartcard dependent on an entered password are disclosed. In one embodiment, the method includes maintaining multiple containers in a smartcard, associating a different personal identification number (PIN) with each of the multiple containers, and accessing contents of a container when an associated PIN for the container is provided by a user of the smartcard. Other embodiments are also described.
    Type: Grant
    Filed: February 28, 2007
    Date of Patent: April 17, 2012
    Assignee: Red Hat, Inc.
    Inventors: Steven W. Parkinson, Robert Lord
  • Patent number: 8122172
    Abstract: The invention discloses a portable information security device in the security field. In order to solve the problem that the USB Key transfers data at low speed and may occupy more CPU resources with USB master/slave protocol, and to meet the demand on development of the next generation of interface technology, the invention provides a portable security device, based on serial ATA protocol, comprising an eSATA interface unit, a memory unit, a privilege management unit, an algorithm unit and a control unit.
    Type: Grant
    Filed: December 21, 2007
    Date of Patent: February 21, 2012
    Assignee: Feitian Technologies Co., Ltd.
    Inventors: Zhou Lu, Huazhang Yu
  • Patent number: 8122511
    Abstract: A method for providing attribute data. A request is received from a user device for a virtual ID token relating to attribute information pertaining to a subscriber associated with the user device. Responsive to the request for the virtual ID token, a data record is read from a database. The data record includes L attributes of the subscriber. L is at least 2. The data record is provided to the user device. A selection of M attributes of the L attributes is received from the user device. M is less than L. A virtual record including the M attributes selected from the data record is generated. The virtual record includes a virtual ID (VID) for identifying the virtual record. The generated virtual record is stored in the database. The virtual ID token is provided to the user device. The virtual ID token includes the VID.
    Type: Grant
    Filed: August 18, 2004
    Date of Patent: February 21, 2012
    Assignee: International Business Machines Corporation
    Inventors: Yoshinobu Ishigaki, Masayuki Numao, Madoka Yuriyama, Yuji Watanabe
  • Patent number: 8112793
    Abstract: An image forming system includes a client apparatus and an image forming apparatus. The client apparatus includes an authentication data storing area defining section that produces an authentication data storing area in an external storage medium; a writing section that writes authentication data into the authentication data storing area; and an image data storing section that stores image data into the external storage medium. The image forming apparatus includes a searching section, an input section, an authenticating section, and an image processing section. The searching section reads authentication data from the external storage medium. Identification information is received from a user through the input section. The authenticating section performs authentication based on the identification information and the authentication data. The image processing section processes the image data. When the authentication has been established, the searching section reads image data from the external storage medium.
    Type: Grant
    Filed: February 10, 2006
    Date of Patent: February 7, 2012
    Assignee: Oki Data Corporation
    Inventor: Nobuhiro Kuribara
  • Patent number: 8108671
    Abstract: A method of controlling presentation of content on a media storage device is described. The method is comprised of verifying the presence of a media presentation mechanism and a usage compliance mechanism on a computer system operated by a recipient to whom the media storage device is distributed. The usage compliance mechanism includes a file system filter driver for controlling data reads associated with the computer readable media. The media presentation mechanism is communicatively coupled with the usage compliance mechanism. The present method further includes the file system driver performing a first decryption of the computer readable media. The present method further includes the media presentation mechanism performing a second decrypting of the computer readable media concurrent with presenting the computer readable media to the recipient.
    Type: Grant
    Filed: August 23, 2010
    Date of Patent: January 31, 2012
    Assignee: Music Public Broadcasting, Inc.
    Inventors: Hank Risan, Edward Vincent Fitzgerald
  • Patent number: 8108941
    Abstract: A processor, connected to a non-volatile memory storing first memory authentication information for authentication of the non-volatile memory, the processor includes an operation unit configured to perform an operation utilizing information stored in the non-volatile memory; an authentication memory formed integrally with the operation unit, and storing second memory authentication information for authentication of the non-volatile memory; an authentication information acquiring unit configured to acquire the first memory authentication information from the non-volatile memory; a memory authenticating unit configured to compare the first memory authentication information and the second memory authentication information to authenticate the non-volatile memory; and a memory access controlling unit configured to permit an access to the non-volatile memory when the memory authenticating unit succeeds in authentication.
    Type: Grant
    Filed: February 10, 2006
    Date of Patent: January 31, 2012
    Assignee: Kabushiki Kaisha Toshiba
    Inventor: Tatsunori Kanai
  • Patent number: 8099593
    Abstract: A system and method for searching and retrieving certificates, which may be used in the processing of encoded messages. In one embodiment, a certificate synchronization application is programmed to perform certificate searches by querying one or more certificate servers for all certificate authority (CA) certificates and cross-certificates on the certificate servers. In another embodiment, all certificates related to an identified certificate are retrieved from the certificate servers automatically by the certificate synchronization application, where the related certificates comprise at least one of one or more CA certificates and one or more cross-certificates. Embodiments of the invention facilitate at least partial automation of the downloading and establishment of certificate chains, thereby minimizing the need for users to manually search for individual certificates.
    Type: Grant
    Filed: December 7, 2009
    Date of Patent: January 17, 2012
    Assignee: Research In Motion Limited
    Inventors: Michael S. Brown, Michael K. Brown, Herbert A. Little, Neil P. Adams, Michael G. Kirkup
  • Patent number: 8095794
    Abstract: A system and method of generating a watermarked signal are disclosed. The system segments the signal into overlapping blocks using a window function and processes the overlapping blocks according to whether each block is odd- or even-numbered. The system windows the odd-numbered blocks, modulates the phase of each block in the frequency domain, transforms each modulated block in the time domain, windows each block transformed into the time domain and overlap-adds each odd-numbered block with each even-numbered block to generate the watermarked signal.
    Type: Grant
    Filed: November 12, 2008
    Date of Patent: January 10, 2012
    Assignee: AT&T Intellectual Property II, L.P.
    Inventors: James David Johnston, Shyh-Shiaw Kuo, Schuyler Reynier Quackenbush, William Turin
  • Patent number: 8091121
    Abstract: Techniques for supporting concurrent data services with different credentials are described. A wireless communication network authenticates a user/device whenever new credentials are used. An access terminal sends first credentials via a Point-to-Point Protocol (PPP) link to a Packet Data Serving Node (PDSN) and receives an indication of successful authentication for a first data service based on the first credentials. The access terminal may receive a request for a second data service and second credentials from an internal application or a terminal device coupled to the access terminal. The access terminal then sends the second credentials via the PPP link to the PDSN while the first data service is ongoing. The access terminal receives from the PDSN an indication of successful authentication for the second data service based on the second credentials.
    Type: Grant
    Filed: December 1, 2006
    Date of Patent: January 3, 2012
    Assignee: QUALCOMM Incorporated
    Inventor: Marcello Lioy
  • Patent number: 8079069
    Abstract: Before a relying party grants a client access to a resource, the last use of the security token by the client to access the resource of the relying party can be verified. Verification can be accomplished by comparing the last time the client sent the security token to the relying party with the last time the relying party received the security token from the client. If the last use of the security token is not verified, the possibility exists that the security token has been fraudulently used by a third party.
    Type: Grant
    Filed: March 24, 2008
    Date of Patent: December 13, 2011
    Assignee: Oracle International Corporation
    Inventors: Lloyd Leon Burch, Srinivas Vedula