Authentication By Digital Signature Representation Or Digital Watermark Patents (Class 713/176)
  • Publication number: 20150006902
    Abstract: Exposure of sensitive information to users is controlled using a first security token containing user identity and user credentials to represent the user who requests services, and a second security token containing two other identities, one identifying the token issuer and the other identifying the owning process. When requesting services, the token-owning process sends a security token to indicate who is making the request, and uses its key to digitally sign the request. The token-owning process signs the request to indicate that it endorses the request.
    Type: Application
    Filed: September 13, 2014
    Publication date: January 1, 2015
    Inventors: John Y-C. Chang, Ching-Yun CHao, Bertrand Be-Chung Chiu, Ki Hong Park
  • Publication number: 20150006897
    Abstract: A host apparatus to obtain electronic authentication of a request associated with a group, the host apparatus including a processor to receive the request from an external device external to the group, to generate a digital document based on information associated with the request, to transmit the digital document to a trusted entity device for electronic authentication of the request, to receive the digital document from the trusted entity device, to determine whether the electronic authentication of the request was successful, and to process the request when it is determined that the electronic authentication of the request was successful.
    Type: Application
    Filed: June 28, 2013
    Publication date: January 1, 2015
    Inventors: Yasantha Rajakarunanayake, William Bunch, Jacob Mendel
  • Publication number: 20150006898
    Abstract: A binding verification scheme based on a proof of possession of the device-specific secret key associated with the reported IMEI is provided. The IMEI reported by user equipment (UE) is checked to make sure that it matches the IMEI configured into the UE by the manufacturer and has therefore not been modified by an attacker.
    Type: Application
    Filed: June 28, 2013
    Publication date: January 1, 2015
    Applicant: Alcatel-Lucent USA Inc.
    Inventor: Semyon B. Mizikovsky
  • Publication number: 20150006900
    Abstract: The present invention relates to data communication systems and protocols utilized in such systems.
    Type: Application
    Filed: June 24, 2014
    Publication date: January 1, 2015
    Inventors: Robert GALLANT, Herb LITTLE, Scott A. VANSTONE, Adrian ANTIPA
  • Patent number: 8924309
    Abstract: Electronic transactions employing prior art approaches of digital certificates and authentication are subject to attacks resulting in fraudulent transactions and abuse of identity information. Disclosed is a method of improving electronic security by establishing a secure trusted path between a user and an institution seeking an electronic signature to verify a transaction before any request for signature and completing electronic transaction activities occurs. The secure trusted path provides the user with a predetermined portion of the request from the institution for a signature upon a personalized device that cannot be intercepted or manipulated by malware to verify that the request as displayed upon the user's primary computing device is valid.
    Type: Grant
    Filed: August 6, 2008
    Date of Patent: December 30, 2014
    Assignee: Imation Corp.
    Inventors: Laurence Hamid, Darren Krahn
  • Patent number: 8923549
    Abstract: Disclosed are a method of generating a watermark, a method of generating a broadcast content including the same, and a watermarking system. The method of generating a watermark according to an exemplary embodiment of the present disclosure includes: determining a size of a target image to which a broadcast content is provided; determining the number of watermarks to be inserted into one frame of the target image; generating a watermark insert pattern by using the size of the target image and the number of watermarks; and scaling up the watermark insert pattern to a predetermined pattern for inserting the watermark insert pattern into an original image of the broadcast content.
    Type: Grant
    Filed: November 29, 2011
    Date of Patent: December 30, 2014
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Younhee Kim, Jeho Nam, Hyuntae Kim, Inje Cho, Kihyeok Bae, Jea-Seung Jeong
  • Patent number: 8924716
    Abstract: A communication device for performing communication by employing first and second communication units, includes: a reception unit for receiving a communication packet including a random number generated for every connection with another communication device, a certificate calculated with the random number, and authentication method information indicating whether or not an authentication method at the second communication unit is compatible with the public key system, through the first communication unit; and a method determining unit for determining whether or not an originator of the communication packet accepts public key encryption based on the authentication method information included in the communication packet; wherein in a case of the method determining unit determining that the originator of the communication packet does not accept the public key system, the random number included in the communication packet is replied to the originator as the identification information of the device itself.
    Type: Grant
    Filed: January 10, 2013
    Date of Patent: December 30, 2014
    Assignee: Sony Corporation
    Inventors: Naoki Miyabayashi, Yoshihiro Yoneda, Isao Soma, Seiji Kuroda, Yasuharu Ishikawa, Kazuo Takada, Masahiro Sueyoshi
  • Patent number: 8924727
    Abstract: Technologies for labeling diverse content are described. In some embodiments, a content creation device generates a data structure that may include encrypted diverse content and metadata including at least one rights management (RM) label applying to the diverse content. The RM label may attribute all or a portion of the diverse content to one or more authors. The metadata may also be signed using an independently verifiable electronic signature. A consumption device receiving such a data structure may verify the authenticity of the electronic signature and, if verification succeeds, decrypt the encrypted diverse content in the data structure. Because the metadata is encapsulated with the diverse content in the data structure, it may accompany the diverse content upon its transfer or incorporation into other diverse content.
    Type: Grant
    Filed: October 12, 2012
    Date of Patent: December 30, 2014
    Assignee: Intel Corporation
    Inventors: Ned M. Smith, Kenneth T. Layton, Michael M. Amirfathi
  • Patent number: 8924730
    Abstract: A system and method for embedding a watermark into a data file and communicating the data file to a particular node from a source component is described. The system includes a particular node, a source component, a node identifier request, a query, a watermark, a permutation key, an encrypted data file, and a node decryption key. The node identifier request is communicated from the source component to the particular node. The watermark is then embedded into the data file by the source component. The permutation key is configured to permute the watermark and the permutation key is changed so the location of the watermark changes. The encrypted data is decrypted at the particular node with the node decryption key that corresponds to the particular node. The particular node recovers the watermark from the data file with the permutation key.
    Type: Grant
    Filed: July 12, 2013
    Date of Patent: December 30, 2014
    Assignee: Xsette Technology, Inc.
    Inventors: Albert Carlson, Steven B. Cohen, Lawrence duBoef, H. Stan Johnson
  • Patent number: 8924731
    Abstract: A secure signing method, a secure authentication method, and an IPTV system are disclosed. The secure signing method includes preparing digital signature header fields and setting an attribute, calculating a hash digest of content using a hashing algorithm, storing the calculated hash value in a message digest field of the digital signature header, encrypting the message digest using a secret key and inserting the encrypted message digest in a signature field of the digital signature header, and associating the digital signature header with the content by prefixing the digital signature header to the content.
    Type: Grant
    Filed: September 11, 2008
    Date of Patent: December 30, 2014
    Assignee: LG Electronics Inc.
    Inventors: Il Gon Park, Sung Hyun Cho, Min Gyu Chung, Kumar K. Kiran, Man Soo Jeong, Koo Yong Pak
  • Patent number: 8925055
    Abstract: A DRM client on a device establishes trust with a DRM server for playback of digital content. The client executes in a secure execution environment, and the process includes (1) securely loading loader code from secure programmable memory and verifying it using a digital signature scheme and first key securely stored in the device; (2) by the verified loader code, loading DRM client code from the memory and verifying it using a digital signature scheme and second key included in the loader code; (3) by the verified DRM client code (a) obtaining a domain key from the memory; (b) encrypting the domain key with a device identifier using a DRM system key included in the DRM client code; and (c) sending the encrypted domain key and device identifier to the DRM server, whereby the device becomes registered to receive content licenses via secure communications encrypted using the domain key.
    Type: Grant
    Filed: December 7, 2012
    Date of Patent: December 30, 2014
    Assignee: Telefonaktiebolaget LM Ericsson (Publ)
    Inventors: Raj Nair, Mikhail Mikhailov, Kevin J. Ma
  • Patent number: 8924721
    Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for generating a nonce. In one aspect, a method includes generating, by a data processing apparatus, a source value, and hashing, by the data processing apparatus, the source value to generate the nonce.
    Type: Grant
    Filed: October 6, 2009
    Date of Patent: December 30, 2014
    Assignee: McAfee, Inc.
    Inventor: Srinivasan Narasimhan
  • Patent number: 8924729
    Abstract: A vendor system may allow a user to electronically sign documents. The vendor system may receive a package of biometric information from the user. In one embodiment, the vendor system may compare the received package of biometric information with a registered package of biometric information associated with the user. If the received package of biometric information matches the registered package of biometric information, the vendor system may sign a document with an electronic signature.
    Type: Grant
    Filed: May 8, 2007
    Date of Patent: December 30, 2014
    Assignee: United Services Automobile Association (USAA)
    Inventor: Charles Lee Oakes, III
  • Patent number: 8924728
    Abstract: A method and apparatus for establishing a secure session with a device without exposing privacy-sensitive information are described. In one embodiment, the method includes the authentication of a digitally signed message received from a hardware device. In one embodiment, a digital signature, created by a private signature key of the hardware device, is authenticated according to a public key of an issuer without disclosure of an identity of the hardware device. The digital signature is a signature of an ephemeral DH public key, which the verifier is now assured comes from a trusted device. An encrypted and authenticated session (“secure session”) is established with the authenticated hardware device according to a key exchange using this signed ephemeral DH public key. Other embodiments are described and claimed.
    Type: Grant
    Filed: November 30, 2004
    Date of Patent: December 30, 2014
    Assignee: Intel Corporation
    Inventor: Ernest F. Brickell
  • Patent number: 8924307
    Abstract: Embodiments of authenticating an electronic document are disclosed. A document authentication system is operatively connected with a professional system, a license management system and a certification authority system, for authenticating an electronic document of a client response to a request from a client system. An authentication unit included in the document authentication system receives the electronic document from the client system for review and seal thereof, transmits the electronic document to receive the electronic document with the electronic signature implemented and transmits the electronic signature to the license management system to verify license validity of the professional based on the electronic signature. Further, the authentication unit transmits the electronic document to the client system with the electronic signature including a seal imprint image of the professional if the license of the professional is valid.
    Type: Grant
    Filed: July 21, 2009
    Date of Patent: December 30, 2014
    Inventors: Shocky Han, Pon Chun Ku
  • Patent number: 8923512
    Abstract: Described herein is a technology facilitating circumvention of dynamic and robust detection of one or more embedded-signals (e.g., watermark, copyright notice, encoded data, etc.) in one or more input carrier signals (e.g., multimedia stream, video stream, audio stream, data, radio, etc.).
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: December 30, 2014
    Assignee: Microsoft Corporation
    Inventors: Theodore C. Tanner, Jr., Martin G. Puryear, Steven E. Swenson
  • Patent number: 8923546
    Abstract: The present disclosure relates generally to cell phones and cameras, and to digital watermarking involving such cell phones and cameras. One claim recites a method comprising: measuring distortion introduced by a cell phone camera; using a programmed electronic processor, quantifying the distortion; and providing quantified distortion as feedback to adjust a digital watermark embedding process in view of the distortion introduced by the cell phone camera. The act of quantifying distortion may include, e.g., quantifying a spatial frequency response (SFR) of the cell phone camera. Of course, other claims and combinations are provided too.
    Type: Grant
    Filed: July 5, 2011
    Date of Patent: December 30, 2014
    Assignee: Digimarc Corporation
    Inventor: Alastair M. Reed
  • Publication number: 20140380059
    Abstract: An originating email server is authenticated by a destination email server using a public key provided by the originating email server, thereby making it possible to detect an email with a forged origination address with no action required by a domain owner. A personal computer is authenticated using a reputation report associated with a unique number corresponding to the personal computer, enabling, in one embodiment, spam detection, and, in another embodiment, a decision that a valid user is requesting service registration at a website.
    Type: Application
    Filed: September 5, 2014
    Publication date: December 25, 2014
    Inventor: Michael Gregor Kaplan
  • Publication number: 20140380058
    Abstract: The techniques and systems described herein present various implementations of a model for authenticating processes for execution and specifying and enforcing permission restrictions on system resources for processes and users. In some implementations, a binary file for an application, program, or process may be augmented to include a digital signature encrypted with a key such that an operating system may subsequently authenticate the digital signature. Once the binary file has been authenticated, the operating system may create a process and tag the process with metadata indicating the type of permissions that are allowed for the process. The metadata may correspond to a particular access level for specifying resource permissions.
    Type: Application
    Filed: June 24, 2013
    Publication date: December 25, 2014
    Inventors: Vishal Agarwal, Sunil P. Gottumukkala, Arun U. Kishan, Dave M. McPherson, Jonathan M. Andes, Giridharan Sridharan, Kinshuman Kinshumann, Adam Damiano, Salahuddin J. Khan, Gopinathan Kannan
  • Patent number: 8918907
    Abstract: Techniques for determining whether firmware should trust an application sufficiently so as to provide a service to the application. Firmware, executing on a device, receives an indication that an application, also executing on the device, is requesting a service provided by the firmware. The firmware obtains (a) an operating system signature associated with the application and (b) a firmware signature associated with the application. The operating system signature is a signature that is used by the operating system, executing on the device, to authenticate the application, while the firmware signature is a signature that is used by the firmware to authenticate the application. If the firmware determines that the operating system signature matches the firmware signature, then the firmware stores trust data that permits the application to access the service provided by the firmware. The firmware need not calculate a signature based on the in-memory image of the application.
    Type: Grant
    Filed: April 13, 2011
    Date of Patent: December 23, 2014
    Assignee: Phoenix Technologies Ltd.
    Inventor: Timothy A. Lewis
  • Patent number: 8918648
    Abstract: A method is disclosed for performing key agreement to establish a shared key between correspondents and for generating a digital signature. The method comprises performing one of key agreement or signature generation, and using information generated in said one of key agreement or signature generation in the other of said key agreement or said signature generation. By doing this, computations and/or bandwidth can be saved.
    Type: Grant
    Filed: February 25, 2010
    Date of Patent: December 23, 2014
    Assignee: Certicom Corp.
    Inventors: Daniel Richard L. Brown, Marinus Struik
  • Patent number: 8918897
    Abstract: A method begins with a processing module issuing a retrieval request, receiving secret shares of a set of secret shares to produce received secret shares, and receiving encoded data slices of a set of encoded data slices. The method continues with the processing module decoding the received secret shares to recapture a message authentication key when a threshold number of the secret shares is received. The method continues with the processing module identifying a received encoded data slice of the received encoded data slices having an authentication code associated therewith when a threshold number of the encoded data slices is received. The method continues with the processing module verifying the authentication code based on the message authentication key and the received encoded data slice. The method continues with the processing module decoding the received encoded data slices to recapture a data segment when the authentication code is verified.
    Type: Grant
    Filed: August 25, 2010
    Date of Patent: December 23, 2014
    Assignee: Cleversafe, Inc.
    Inventor: Jason K. Resch
  • Patent number: 8918870
    Abstract: Systems and methods for identifying content in electronic messages are provided. An electronic message may include certain content. The content is detected and analyzed to identify any metadata. The metadata may include a numerical signature characterizing the content. A thumbprint is generated based on the numerical signature. The thumbprint may then be compared to thumbprints of previously received messages. The comparison allows for classification of the electronic message as spam or not spam.
    Type: Grant
    Filed: November 4, 2013
    Date of Patent: December 23, 2014
    Assignee: SonicWALL, Inc.
    Inventor: Sijie Yu
  • Patent number: 8917409
    Abstract: An image forming apparatus which can prohibit any users but a user who has made a deposit from operating the image forming apparatus for a chargeable process. A communication controller of the image forming apparatus obtains pieces of proper information of cell-phones. An ID management section issues IDs for the respective pieces of proper information, and the communication controller sends the IDs to the corresponding cell-phones. At an input section, a user of one of the cell-phones inputs the ID sent thereto. Thereafter, the communication controller receives an access from a cell-phone and receives proper information of the cell-phone. In this moment, it is judged whether the cell-phone which has made an access is identical with the cell-phone of which ID was inputted at the input section. Only when the communication controller identifies the cell-phone, the communication controller permits the image forming apparatus to communicate with the cell-phone.
    Type: Grant
    Filed: December 3, 2007
    Date of Patent: December 23, 2014
    Assignee: Konica Minolta Business Technologies, Inc.
    Inventor: Kazuo Matoba
  • Publication number: 20140372763
    Abstract: Systems and methods are described for applying digital rights management techniques to manage zones in electronic content. In one embodiment, zones are defined in a piece of electronic content, and a license is associated with the electronic content that indicates how the zones are to be accessed or otherwise used. A digital rights management engine governs access to or other use of the zoned content in accordance with the license.
    Type: Application
    Filed: July 9, 2014
    Publication date: December 18, 2014
    Inventor: Gilles BOCCON-GIBOD
  • Publication number: 20140372764
    Abstract: In one embodiment, an object in a database schema may be verified as having a valid digital signature associated with a trusted entity. An application may be permitted access to the object of the database schema only when the object of the database schema is verified to have a valid digital signature associated with the trusted entity. In another embodiment, an object in a database schema may be verified as having a digital signature associated with at least one trusted entity. An application may be permitted access to the object of the database schema only when the digital signature for the object is verified to be associated with the at least one trusted entity.
    Type: Application
    Filed: August 18, 2014
    Publication date: December 18, 2014
    Inventors: Tanmoy Dutta, Raul Garcia, Steven Richard Gott, Ruslan Pavlovich Ovechkin, Roger Lynn Wolter
  • Publication number: 20140372765
    Abstract: Methods, systems, and computer programs for producing hash values are disclosed. A prefix-free value is obtained based on input data. The prefix-free value can be based on an implicit certificate, a message to be signed, a message to be verified, or other suitable information. A hash value is obtained by applying a hash function to the prefix-free value. The hash value is used in a cryptographic scheme. In some instances, a public key or a private key is generated based on the hash value. In some instances, a digital signature is generated based on the hash value, or a digital signature is verified based on the hash value, as appropriate.
    Type: Application
    Filed: September 4, 2014
    Publication date: December 18, 2014
    Inventors: Gregory Marc Zaverucha, David William Kravitz
  • Patent number: 8914639
    Abstract: A computer implemented method and apparatus for one-step signature trust of digitally signed documents comprising determining whether a digital signature is otherwise valid except for a lack of trust in a digital certificate; offering a recipient an option to establish trust in the digital certificate; and adding the digital certificate to a list of the recipient's trusted digital certificates when the recipient opts to establish trust.
    Type: Grant
    Filed: April 27, 2012
    Date of Patent: December 16, 2014
    Assignee: Adobe Systems Incorporated
    Inventor: Kevin Ainslee Hogan
  • Patent number: 8914640
    Abstract: The invention relates to a system for exchanging data between at least one sender and one receiver, such as a central server, by means of a data transmission network of Internet type, this system comprising means for encrypting/decrypting the data exchanged. The senders and the receiver comprise generators of encryption/decryption keys, which generators are synchronized to generate new keys for message encryption/decryption with each dispatching of a new message from the sender to the receiver.
    Type: Grant
    Filed: September 27, 2011
    Date of Patent: December 16, 2014
    Inventors: Mouchi Haddad, Pierre Brejaud, Mikaël Haddad
  • Patent number: 8914860
    Abstract: A system and method for associating message addresses with certificates, in which one or more message addresses are identified and associated with a user-selected certificate that does not contain any e-mail addresses. In certain situations, a message may be encrypted using a certificate that does not contain an e-mail address that matches the e-mail address of the individual to which the message is to be sent, so long as the address to which the message is to be sent matches any of the message addresses associated with the certificate. The message addresses are saved in a data structure that resides in a secure data store on a computing device, such as a mobile device.
    Type: Grant
    Filed: February 13, 2013
    Date of Patent: December 16, 2014
    Assignee: BlackBerry Limited
    Inventors: Neil Patrick Adams, Michael Stephen Brown, Herbert Anthony Little
  • Patent number: 8914638
    Abstract: There is provided an electronic watermark generating apparatus including an appliance characterizing information generating unit that generates appliance characterizing information that characterizes an electronic appliance, by using physical data acquired by a sensor that measures characteristics of the electronic appliance, an electronic watermark generating unit that generates, in relation to the appliance characterizing information, electronic watermark information that is used for detecting whether information has been tampered with or not, an embedded position deciding unit that analyzes the appliance characterizing information, and decides an embedded position for the electronic watermark information in the appliance characterizing information, and an electronic watermark embedding unit that embeds the electronic watermark information generated by the electronic watermark generating unit in a position on the appliance characterizing information decided by the embedded position deciding unit.
    Type: Grant
    Filed: January 18, 2011
    Date of Patent: December 16, 2014
    Assignee: Sony Corporation
    Inventors: Yohei Kawamoto, Asami Yoshida, Tomoyuki Asano, Masakazu Ukita, Shiho Moriai, Masanobu Katagi, Yu Tanaka, Seiichi Matsuda
  • Publication number: 20140365779
    Abstract: Methods, systems, and computer programs for generating a digital signature are disclosed. In some aspects, a symmetric key is accessed. The symmetric key is based on an ephemeral public key. The ephemeral public key is associated with an ephemeral private key. A ciphertext is generated based on the symmetric key and a message. An input value is obtained based on the ciphertext independent of a hash function. A digital signature is generated from the ephemeral private key, the input value, and a long term private key.
    Type: Application
    Filed: December 28, 2011
    Publication date: December 11, 2014
    Applicant: CERTICOM CORP.
    Inventors: Daniel Richard L. Brown, Adrian Antipa
  • Patent number: 8908909
    Abstract: A method of digital watermark decoding in which watermark signal components, which are embedded with different levels of redundancy in a host content signal, are selectively accumulated. In the process of decoding embedded data, components embedded with more redundancy are weighted appropriately to improve recovery of embedded data. Components embedded with less redundancy may be more reliably recovered as well by leveraging knowledge of related components encoded more robustly. Missing, weak or error prone components may be recovered based on relationship with more reliable components, and in particular, based on relationship with components embedded with higher redundancy and decoded with higher reliability. These techniques are exploited through error correction coding schemes, including convolutional codes, and explicit and implicit weighted repetition coding schemes.
    Type: Grant
    Filed: July 16, 2013
    Date of Patent: December 9, 2014
    Assignee: Digimarc Corporation
    Inventor: Ravi K. Sharma
  • Patent number: 8910247
    Abstract: Embodiments relate to systems, methods, and computer storage media for suppressing cross-site scripting in a content delivery system. A request is received for content that includes a scripted item or scripted items. The scripted item is identified within the content. An identifier is associated with the scripted element when the scripted element is an intended scripted element to be associated with the content. The identifier may be a hash value based from a hash function and the scripted item. Prior to communicating the content to a user, the scripted item is identified again to determine if an identifier is associated with the scripted item. If an identifier is associated with the scripted item, the identifier is evaluated to determine if the identifier is appropriate. When the identifier is determined to not be appropriate, the scripted item is prevented from being communicated to a user.
    Type: Grant
    Filed: October 6, 2010
    Date of Patent: December 9, 2014
    Assignee: Microsoft Corporation
    Inventors: Michael Andrews, Sharat Shroff, Dennis Gursky, Melissa Lauren Benua
  • Patent number: 8908907
    Abstract: Methods and systems for video transmission and processing with customized watermarking delivery are disclosed and may include watermarking data at a communication device utilizing received global positioning (GPS) data and communicating the watermarked video data to a receiving communication device. The receiving communication device may verify the watermarked data, and may determine whether to render the received watermarked data based on the verification. The communication device may include an edge device, and may receive a feedback signal communicated from the receiving communication device. The watermarking of subsequently processed data may be adjusted based on the received feedback signal, which may include GPS data and/or device parameters corresponding to the receiving communication device. The watermarked video data communicated to the receiving communication device may be adjusted based on one or more device parameters corresponding to the receiving communication device and/or GPS information.
    Type: Grant
    Filed: December 18, 2012
    Date of Patent: December 9, 2014
    Assignee: Broadcom Corporation
    Inventors: Xuemin (Sherman) Chen, Michael Dove, Thomas J. Quigley, Stephen Elliott Gordon, Jeyhan Karaoguz
  • Patent number: 8910241
    Abstract: A method of packet management for restricting access to a resource of a computer system. The method includes identifying client parameters and network parameters, as a packet management information, used to determine access to the resource, negotiating a session key between client and server devices, generating a session ID based on at least the negotiated session key, inserting the packet management information and the session ID into each information packet sent from the client device to the server device, monitoring packet management information in each information packet from the client device, and filtering out respective information packets sent to the server device from the client device when the monitored packet management information indicates that access to the resource is restricted.
    Type: Grant
    Filed: June 27, 2008
    Date of Patent: December 9, 2014
    Assignee: Citrix Systems, Inc.
    Inventors: Dennis Vance Pollutro, Kiet Tuan Tran, Srinivas Kumar
  • Patent number: 8909927
    Abstract: A message processing device for processing messages has at least one reception buffer. A message includes at least one authentication element and one message content. The message is received and stored in the reception buffer. A characteristic variable of a priority for security checking of the message is determined as a function of the message content. A processing sequence for further message processing for the security checking, taking into account the at least one authentication element of the messages in the reception buffer, is defined and carried out as a function of the characteristic variable.
    Type: Grant
    Filed: November 10, 2008
    Date of Patent: December 9, 2014
    Assignee: Continental Automotive GmbH
    Inventors: Rainer Falk, Florian Kohlmayer
  • Patent number: 8909934
    Abstract: A certificate enrollment assistant module may be provided to inject a challenge password into a certificate signing request to be sent, to a Certificate Authority, from a computing device. The certificate enrollment assistant module, thereby, acts as a trusted proxy to assist the computing device in building a valid certificate signing request without the computing device having access to the challenge password.
    Type: Grant
    Filed: July 29, 2013
    Date of Patent: December 9, 2014
    Assignee: BlackBerry Limited
    Inventors: Alexander Sherkin, Michael Anthony Carrara, Alexander Truskovsky
  • Publication number: 20140359268
    Abstract: Disclosed are methods and apparatus for changing a security key on a computer chip that has a CPU, a first OTPROM (OTPROM1) storing a root key of the chip or derivative thereof (RKPUB1), and a second OTPROM (OTPROM2) on which the chip manufacturer stores nothing. A ROM of the chip stores a first software program (SW1). A device manufacturer can take that chip and interface it to a mass memory of a memory block of an electronic device, then execute a second software program (SW2) that is stored on the mass memory only if SW2 is authenticated by SW1 using the RKPUB1. Then a new root key of the chip or derivative thereof (RKPUB2) is provided (via SW2 or a USB connection for example) which is stored to the OTPROM2 via a security service portion of SW1. Thereafter RKPUB2 can be used to authenticate SW2.
    Type: Application
    Filed: May 30, 2014
    Publication date: December 4, 2014
    Applicant: Broadcom Corporation
    Inventors: Antti JAUHIAINEN, Vesa PELLIKKA, Arnaud BOSCHER, Kenichi ITO, Taina Maria ANTTILA
  • Publication number: 20140359298
    Abstract: A computing apparatus configured to verify a digital signature applied on a set of data received from a user device, including a user ID assigned by a partner system to uniquely identify a user of the user device among customers of the partner system, and a user device identifier identifying the user device. The digital signature is generated via applying a cryptographic one-way hash function on a combination of the set of data and a secret, shared between the computing apparatus and the partner system via a secure communication channel separate from a channel used to receive the set of data.
    Type: Application
    Filed: August 14, 2014
    Publication date: December 4, 2014
    Inventors: Mark Carlson, Michael Steven Bankston, Kalpana Jogi, Timothy Gallagher, Alesia Panagiotides
  • Publication number: 20140359297
    Abstract: Systems, methods, and devices are provided for intermediate authentication of a message transmitted through a switched-path network, such as an optical transport network (OTN). In one method, a message transmitted through communication nodes of a switched-path network may be authenticated, at least partially, by authentication logic of one or more of the communication nodes. The one or more communication nodes may identify whether a prior communication node has tampered with or corrupted the message or may generate an authentication tag to enable an authentication authority to authenticate the message.
    Type: Application
    Filed: December 20, 2013
    Publication date: December 4, 2014
    Applicant: ALTERA CORPORATION
    Inventors: Martin Langhammer, Shawn David Nicholl, Wally Haas
  • Publication number: 20140359296
    Abstract: Methods are provided for securely loading software objects into an electronic control unit. The methods include receiving a first software object comprising a second level public key certificate, a first encryption signature and a first set of software. Once the first software object is received, the first second level public key is validated with the embedded root public key, the first encryption signature with the first second level public key certificate, and the first set of software with the first encryption signature. When the first set of software is valid, then the first second level public key certificate and the first set of software are stored to non-volatile memory. Once stored, a consecutive software object is received comprising only a consecutive encryption signature and a consecutive set of software from the programming source.
    Type: Application
    Filed: May 29, 2013
    Publication date: December 4, 2014
    Inventors: ANSAF I. ALRABADY, J. DAVID ROSA
  • Patent number: 8904546
    Abstract: A DRM method and DRM-enabled portable device for controlling playback of DRM content on the basis of a content usage log is disclosed. A digital rights management method for a portable device of the present invention includes playing a content item, recording, when an abnormal playback stop event is detected, a stop time point in a playback session of the content item on a usage log, and controlling a next playback of the content item with reference to the recorded stop time point. The DRM method and DRM-enabled portable device of the present invention further manages the licenses issued for the DRM content stored in the portable device by updating the licenses even when the DRM content is abnormally closed during its playback session.
    Type: Grant
    Filed: April 15, 2008
    Date of Patent: December 2, 2014
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Tae Hwa Choi, Kyung Keun Lee
  • Patent number: 8904193
    Abstract: A method for operating a security device includes a microcontroller, a protected memory area, in which at least one item of protection-worthy information is stored, and a unit, the microcontroller being connected to the protected memory area via the unit, the at least one item of protection-worthy information being accessed by the microcontroller via the unit when the method is carried out.
    Type: Grant
    Filed: November 22, 2010
    Date of Patent: December 2, 2014
    Assignee: Robert Bosch GmbH
    Inventors: Markus Ihle, Robert Szerwinski, Oliver Bubeck, Jan Hayek, Jamshid Shokrollahi
  • Patent number: 8904170
    Abstract: A system and method for searching and retrieving certificates, which may be used in the processing of encoded messages. In one embodiment, a certificate synchronization application is programmed to perform certificate searches by querying one or more certificate servers for all of the certificates on those certificate servers. If all of the certificates on a certificate server cannot be successfully retrieved using a single search query, due to a search quota on the certificate server being exceeded for example, the search is re-performed through multiple queries, each corresponding to a narrower subsearch. Embodiments described herein enable large amounts of certificates to be automatically searched for and retrieved from certificate servers, thereby minimizing the need for users to manually search for individual certificates.
    Type: Grant
    Filed: September 13, 2012
    Date of Patent: December 2, 2014
    Assignee: BlackBerry Limited
    Inventors: Michael Stephen Brown, Neil Patrick Adams, David Francis Tapuska, Herbert Anthony Little
  • Patent number: 8904183
    Abstract: A computationally efficient message verification strategy that achieves non-repudiation and resilience to computational denial of service attacks in conjunction with a broadcast authentication protocol that authenticates messages using a combination of a digital signature and a TESLA MAC. When messages are received at a receiver, the verification strategy separates the messages into messages with the same sender identification. The strategy then determines whether the TESLA MAC authenticator is valid for each message and discards those messages that do not have a valid TESLA MAC. The strategy collects the messages that have a valid TESLA MAC for each sender identification and performs a batch verification process on the group of messages to determine if the messages in the group have a valid digital signature. This strategy verifies each message in the group of messages if the batch verification process shows that the group of messages has a valid digital signature.
    Type: Grant
    Filed: March 25, 2010
    Date of Patent: December 2, 2014
    Assignee: GM Global Technology Operations LLC
    Inventors: Bhargav R. Bellur, Aravind V. Iyer, Debojyoti Bhattacharya
  • Patent number: 8904496
    Abstract: There is disclosed a method and system for use in authenticating an entity in connection with a computerized resource. An authentication request is received from entity for access to computerized resource. An input signal is received from a communications device associated with entity. The input signal comprises current location of communications device. The current location of communications device is derived from input signal. A location history in connection with communications device is captured. The location history comprises a record of discrete locations visited by communications device over a period of time. An analysis is performed between current location of the communications device and location history in connection with communications device. An authentication result is generated based on analysis between current location of communications device and location history in connection with communications device. The authentication result can be used for authenticating entity.
    Type: Grant
    Filed: March 30, 2012
    Date of Patent: December 2, 2014
    Assignee: EMC Corporation
    Inventors: Daniel V. Bailey, Lawrence N. Friedman, Yedidya Dotan, Samuel Curry, Riaz Zolfonoon
  • Patent number: 8903094
    Abstract: The invention concerns a cryptographic key distribution system comprising a server node, a repeater network connected to the server node through a quantum channel, and a client node connected to the repeater network through a quantum channel; wherein in use: the repeater network and the client node cooperatively generate a transfer quantum key which is supplied to a system subscriber by the client node; the server node and the repeater network cooperatively generate a link quantum key; the repeater network encrypts the link quantum key based on the transfer quantum key and sends the encrypted link quantum key to the system subscriber through a public communication channel; the server node encrypts a traffic cryptographic key based on the link quantum key and a service authentication key and sends the encrypted traffic cryptographic key to the system subscriber through a public communication channel.
    Type: Grant
    Filed: August 3, 2012
    Date of Patent: December 2, 2014
    Assignee: Selex Sistemi Integrati S.p.A.
    Inventor: Fabio Antonio Bovino
  • Publication number: 20140351601
    Abstract: A system is provided for inside-to-outside or outside-to-inside cryptographic coding that facilitates product authentication along a distribution channel. An association of authenticated, secured codes is generated between inner items (e.g., pharmaceutical doses such as pills, capsules, tablets) and outer items (e.g., packaging containing inner items). For instance, an inner code associated with a first item is used to generate (at least partially) an outer code associated with a second item that contains one or more first items. This process may be repeated multiple times with codes for outer items being a function of codes for inner items. The sequence of items may be authenticated by the dependent relationship between their codes.
    Type: Application
    Filed: August 12, 2014
    Publication date: November 27, 2014
    Inventors: John JOZWIAK, Gregory Gordon ROSE, Alexander GANTMAN
  • Publication number: 20140351599
    Abstract: Systems and methods for processing encoded messages within a wireless communications system are disclosed. A server within the wireless communications system performs signature verification of an encoded message and provides, together with the message, an indication to the mobile device that the message has been verified. In addition, the server provides supplemental information, such as, for example, a hash of the certificate or certificate chain used to verify the message, to the device, to enable the device to perform additional checks on the certificate, such as, for example, validity checks, trust checks, strength checks, or the like.
    Type: Application
    Filed: August 7, 2014
    Publication date: November 27, 2014
    Inventors: Michael Kenneth Brown, Herbert Anthony Little, Michael Stephen Brown