Abstract: This disclosure relates generally to methods and systems for determining when a file has changed. According to one aspect of the present disclosure, a method of determining if contents of a file have changed can include determining if a digital signature created as a function of contents of the file has changed, and when the digital signature has changed, overlaying the contents of the file with a first mark that indicates the contents have changed and blocks a view of the contents of the file.

Abstract: Various embodiments of a system and method for a single request-single response protocol with mutual replay attack protection are described. Embodiments include a system that receives multiple single request messages, each of which include a respective nonce, timestamp, and digital signature. The system may create a record of previously received nonces that, at any given time, may include multiple message nonces received within a valid period of time prior to that given time. To validate a given single request message, the system verifies the digital signature of the message, determines that the timestamp of the message indicates a time within the valid period of time prior to the current time, and determines that the nonce of the message is not present within the record of previously received nonces. The system sends a single response message that includes the same nonce as the validated message.

Abstract: A file protecting method and system and a memory controller and a memory storage apparatus using the same are provided. The file protecting method includes performing a file protection enabling procedure for a file to generate an entry value backup according to at least one entry value corresponding to at least one cluster storing the file, which is recorded in a file allocation document, store the entry value backup in a secure storage area and change the entry value corresponding to the cluster storing the file in the file allocation document, wherein the file cannot be read according to the changed entry value. Accordingly, the file stored in the memory storage apparatus the can be effectively protected from being accessed by an un-authorized person.

Abstract: Systems and methods for distributed electronic signature documents. A method for distributed electronic signature documents includes creating a signing template that contains information about how a signable document is to be signed. A signable document is created to be distributed to a signer for signing. The signable document is electronically transmitted to the signer. A message is sent using an activatable control in the signing document to a web signing server to invoke the signing process. A browser window is opened on a signer's computer in order to execute the signing process.

Abstract: Using geographical information in policy enforcement is disclosed. A request for a resource is received from a device. A policy to be applied to the request is determined based at least in part on geographical information associated with an IP address. The policy is enforced. The IP address may be either a source IP address or a destination IP address.

Abstract: A verification device 101 receives extracted and sanitized data 113 that has been sanitized to protect the privacy of person A. The verification device 101, extracts from among MCU-hash storage data 123 and for MCU1 and MCU2 among MCUs obtained by dividing the extracted and sanitized data 113, an MCU1 hash and an MCU2 hash. The verification device 101 generates an MCU3 hash to an MCU6 hash and from the MCU1 hash to the MCU6 hash, generates a JPEG frame hash 125. The verification device 101 then compares a JPEG hash 121 and the JPEG hash 125 to verify the authenticity of the extracted and sanitized data 113.

Abstract: Aspects of the present invention maintain data integrity of a monitored data object in a monitored storage repository. A first security value for the monitored data object is determined. The first security value is stored along with an authentic copy of the monitored data object in the secure repository. The second security value for the monitored data object is determined after a predetermined time interval. The first security value is compared with the second security value. An alert is generated in response to determining a difference between the second security value and the first security value.

Abstract: An image forming apparatus which can prohibit any users but a user who has made a deposit from operating the image forming apparatus for a chargeable process. A communication controller of the image forming apparatus obtains pieces of proper information of cell-phones. An ID management section issues IDs for the respective pieces of proper information, and the communication controller sends the IDs to the corresponding cell-phones. At an input section, a user of one of the cell-phones inputs the ID sent thereto. Thereafter, the communication controller receives an access from a cell-phone and receives proper information of the cell-phone. In this moment, it is judged whether the cell-phone which has made an access is identical with the cell-phone of which ID was inputted at the input section. Only when the communication controller identifies the cell-phone, the communication controller permits the image forming apparatus to communicate with the cell-phone.

Abstract: Method and system for determination of user's identity described herein, ensures a secure user authentication process using mobile device, e.g. a phone. Method can be used with any service provider resource site, not limited to a website on Internet accessed from the personal computer. The only technological pre-requisite for such a resource site, is capability to display a dynamically generated login/enrollment image. Method can be implemented for any operating system, browser or software API.

Abstract: In a method for detecting infringements of the authenticity of a system component an authentication request is sent from a controller to an authentication device of the system component. A first authentication code is calculated in the authentication device by applying a shared one-way function to an identification code, stored in the authentication device, for the system component. A second authentication code in the controller is calculated by applying the shared one-way function to an identification code, stored in the controller, for the system component, and an authentication response including the first authentication code is sent from the authentication device to the controller. The first authentication code is compared with the second authentication code in the controller for detecting infringements of the authenticity of the system component.

Abstract: Systems and methods are provided for electronic tracking and control of secure test documents. One aspect of the present subject matter is a method for management of a plurality of test documents. In one embodiment, precode data for a test-taker population is associated with secure document data for the plurality of test documents. The plurality of test documents is distributed to a test-taking center for administration to a plurality of test-takers. The plurality of test documents is received from the test-taking center after administration to the plurality of test-takers. The received plurality of test documents is verified against the distributed plurality of test documents and the precode data to account for the distributed plurality of test documents. The received plurality of test documents is processed to determine test results. The test results are reported. Other aspects are provided herein.

Abstract: Electronic data is input. The electronic data is divided into N (N is an integer satisfying N?2) segments. Examination data is generated by repeating, up to the Nth segment, the computation processing of using the computation result obtained by performing predetermined computation on the data of the Mth (M is an integer satisfying 1?M?N?1) segment as an input for predetermined computation of the data of the (M+1)th segment. Verification data for the electronic data is generated so as to contain, as intermediate data, the examination data and a computation result in the middle of generating the examination data.

Abstract: The invention relates to a method of controlling access to a processing device using an access token with a machine readable identity. The method comprises reading the identity of the access token at the location of the processing device and querying a database comprising valid identities of access tokens, wherein each identity is associated with an access permission level. If the identity is a valid identity, the method further comprises determining the associated level of access and allowing a level of access to the processing device according to the associated access permission level. In some embodiments, the processing device is an Automated Teller Machine (ATM).

Abstract: This disclosure describes a process for storing data on a central server with a plurality of users, each of them having their own user password used for creating a user key, being respectively assigned to some of these users, and some of the data, being divided into data blocks to be uploaded, and each data block being compared to data blocks on the server based on a unique data block ID value in order to determine whether a corresponding data block is already stored on the server and to upload to the server those data blocks which are not already present, a data block list to be uploaded being created and uploaded to the central server, so that in a data recovery step data stored on the central server which are requested by the user can be restored in their original form based on said list.

Abstract: In one aspect, systems and methods for three-factor authentication include receiving a user's identification and password transmitted from the user's mobile device, generating a One Time Password (OTP), encrypting the OTP, and encoding the encrypted OTP in a two-dimensional barcode. The two-dimensional barcode of the encrypted OTP is transmitted to a computing device of the user, and an image of the two-dimensional barcode of the encrypted OTP displayed on the user's computing device is captured using the user's mobile device. The two-dimensional barcode of the encrypted OTP is decoded using the user's mobile device to obtain the encrypted OTP. The encrypted OTP is decrypted using the user's mobile device and displayed. The OTP then is spoken by the user, and the user's voice and the OTP are recognized to authenticate the user.

Abstract: A secure remote-data-storage system stores encrypted data and both plaintext and encrypted keys at a server, where data at the server is inadequate to recover the plaintext of the encrypted data; and stores at least one encrypted key at a client system. To decrypt the data, the client must obtain a copy of the encrypted data from the server, and a key to decrypt its locally-stored encrypted key. Once decrypted, the locally-stored key can be used to decrypt the encrypted data, or to decrypt an encrypted key from the server, which may then be used decrypt the encrypted data.

Abstract: One embodiment is a computer program product for processing information to obtain an HMAC, comprising: by using a padding circuit, generating first key data by adding 0 with respect to secret key data, setting the secret key data as second key data, or generating third key data by adding 0 with respect to a first digest value, according to comparison result of a second key length and a block length of the hash function, and performing an exclusive OR operation with a second constant with respect to one of the first key data, the second key data, and the third key data to calculate first data; by using a hash calculation circuit, obtaining the first digest value, and obtaining a second digest value, by using a holding circuit, storing the secret key data or the first digest value; and by using a control unit, managing a processing state for calculating the HMAC.

Abstract: Various embodiments herein include at least one of systems, methods, and software to receive and process credential requests for remote support of computer applications. One embodiment includes receiving a credentials request in a first environment from a second environment in response to an incident in the first environment. This embodiment further includes processing the received credentials request within the first environment by approving the request, activating credentials, and sending the credentials to the second environment. This embodiment may further include receiving, within the first environment, a message indicating the incident is resolved and deactivating the credentials.

Abstract: A method, computer program product, and computing device for obtaining an uncompressed digital media data file. One or more default watermarks is inserted into the uncompressed digital media data file to form a watermarked uncompressed digital media data file. The watermarked uncompressed digital media data file is compressed to form a first watermarked compressed digital media data file. The first watermarked compressed media data file is stored on a storage device. The first watermarked compressed media data file is retrieved from the storage device. The first watermarked compressed digital media data file is modified to associate the first watermarked compressed digital media data file with a transaction identifier to form a second watermarked compressed digital media data file.

Abstract: A system (50) is used for identifying a content item. The system (50) receives a received first identifier (101) of the content item, the received first identifier being based on at least part of a baseband level representation of the content item; a received second identifier (102) of the content item, the received second identifier being based on at least part of an encoded representation (103) of the content item; and the at least part of the encoded representation (103) of the content item. The system comprises a second identifier generator (53) for generating a generated second identifier based on the at least part of the encoded representation (103) of the content item; and a validation unit (54) for validating the received first identifier as a valid first identifier of the content item if the generated second identifier matches the received second identifier.

Abstract: A system for secure transfer of encrypted data involves a sender client, a recipient client, a main server, and a key server. The sender client receives instructions from a first user identifying transfer data and a recipient identifier, creates a key, encodes the transfer data using the key, and communicates the key and the recipient identifier to a server. The server creates a secure package identifier and communicates such to the sender client. The recipient client receives and identifies the secure package identifier and the encoded transfer data, receives from a second user a user identifier, and communicates the user identifier and the secure package identifier to the server. The server communicates the key to the recipient client only if the secure package identifier received from the recipient client matches the secure package identifier created by the server and if the user identifier matches the recipient identifier.

Abstract: A method and system for identifying a source of a copied work that in one embodiment includes obtaining at least some portions of a reference work, collecting at least some portions of the suspect work, matching the suspect work with the reference work, wherein the matching includes temporally aligning one or more frames of the reference work and the suspect work, spatially aligning frames of the reference work and the suspect work, and detecting forensic marks in the suspect work by spatiotemporal matching with the reference work.

Abstract: The present invention relates to an agent apparatus and method for sharing anonymous identifier-based security information among security management domains. A plurality of security information sharing agent apparatuses respectively located in a plurality of security management domains and configured to collect security information and transmit collected security information to outside of the security management domains.

Abstract: A system and method for verifying ownership of an electronic receipt in a communication system providing a public key infrastructure, the verification arising out of a series of messages being sent and received between a first party and a verifying party, the method comprising the steps of receiving a proof message from the first party, the proof message being derived from at least a first public key based on a secret owned by the first party and wherein the secret is associated with at least the secret of a further public key of the first party and an electronic receipt that has been issued by electronically signing a request message with a second public key, determining whether or not the proof message was derived from the second public key.

Abstract: A server transmits a message and attachments from a sender to a recipient. A hash is provided of (a) the message, (b) an identification of the sender and (c) a hash of the attachments to form a data string. Instructions may be included for the recipient to send a hashed encryption of the string to a website at the server by registered electronic mail which provides options to obtain other electronic advantages. To authenticate the message, the recipient transmits the message, the attachments and the hashed encryption of the string to the server website. The server decrypts and detaches the hashed encryption of the string to provide a first string and hashes the message, the sender identification and the hashed attachments in the first string to form a second string. The server also detaches and hashes the attachments from the message received at the server website to form first hashed attachments and detaches the hashed attachments from the string to form second hashed attachments.

Abstract: A distributed hash table infrastructure is described that supports pluggable modules for various services. Transport providers, security providers, and other service providers may be swapped, providing flexibility in supporting various devices and networking configurations.

Abstract: A system and method for rights protection of a dataset that includes multiple trajectory objects includes determining an intensity power for embedding a watermarking key in a data trajectory. The data trajectory is modified to embed a watermarking key at the intensity power such that the intensity power guarantees an original pair-wise relationship between distance-based neighboring objects before and after embedding of the key such that a modified trajectory provides a watermarked version of the data trajectory.

Abstract: A secure protocol for transactions, such as electronic commerce transactions, is described that provides improved security through exploiting an independent (where this independence is logical and/or physical) communication path (e.g., between a customer and a back-end financial institution), ensuring that key financial information remains within the back-end financial institutions themselves. Hence, this protocol directly reduces cyber-crime risks through improvements to transaction security. In addition, various implementations of the secure protocol provide non-repudiation for one or more of the entities involved in the transaction.

Abstract: A method, programmed medium and system are provided for enabling a user to choose a user-preferred encryption type from among a plurality of encryption types listed in a user's Kerberos configuration file. During the ticket granting process in a Kerberos system, a user is requested to select a preferred encryption type to be used in the Kerberos communication from among encryption types contained in the user's Kerberos configuration file. The user-selected encryption type is then implemented for use in encrypting a session ticket (as well as generating the session key of user requested encryption type) for use by the user machine in communicating securely with an Kerberized application server when being communicated by that particular user. Thus, the system allows different users to simultaneously communicate with the same Kerberized application server using a supported encryption type of the user's own choice.

Abstract: A method for securing communications in a vehicle-to-vehicle (V2V) system including an on-board computer of a broadcasting vehicle predicting a value for a vehicle parameter, generating a heavyweight signature corresponding to the predicted value, and obtaining an actual value for the vehicle parameter. The method also includes the computer comparing the predicted value to the actual value to determine if the predicted value bears a first relationship to the actual value. If the computer determines that the predicted value bears the relationship to the actual value, the on-board computer generates a lightweight authenticating signature to correspond to the predicted value and broadcasts a data message having the predicted value with the corresponding heavyweight authenticating signature and the corresponding lightweight authenticating signature.

Abstract: A method of checking whether a content aggregator's content matches a content owner's content involves generating a fingerprint of the content and looking for a matching fingerprint from the content owner through a service provided by the content owner. In one aspect, the fingerprints are generated from an intermediate digest of the content instead of the original form.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for authorizing actions of a service provider. In one aspect, a method includes providing a user security key to a mobile device of a user. A request is received from a client device distinct from the mobile device to perform an action. A challenge token including a security signature matched to a service security key is generated, and the challenge token is provided to the mobile device. An approval value is received from the client device. The approval value is determined to be valid in reference to the challenge token and the user security key previously provided to the mobile device and to indicate approval to perform the action for the user. The action is performed in response to receiving the approval value.

Abstract: A device with a touch-sensitive display may be unlocked via gestures performed on the touch-sensitive display. The device is unlocked if contact with the display corresponds to a predefined gesture for unlocking the device. The device displays one or more unlock images with respect to which the predefined gesture is to be performed in order to unlock the device. The performance of the predefined gesture with respect to the unlock image may include moving the unlock image to a predefined location and/or moving the unlock image along a predefined path. The device may also display visual cues of the predefined gesture on the touch screen to remind a user of the gesture.

Abstract: Virtual account based digital cash protocols employ two pairs of private and public keys. Each public key is certified separately and the protocols do not use any blind signature schemes. As a result, the virtual account based digital cash protocols provide strong protection of the user privacy by using two certified public keys instead of a blind signature. One pair of certified keys consists of one master user private key and one master user public key. A second pair of certified keys consists of one pseudonym user private key and one pseudonym user public key. The use of a master key pair and a pseudonym key pair circumvents the need for blind signatures. As a result, the proposed protocols do not require blind signatures and do not add additional overhead and security requirements necessitated by conventional blind signature schemes.

Abstract: A system and method are provided for authenticating a person's identity to a business using a trusted entity with a secure repository to store and protect the person's identity information. The person accesses their account on the trusted entity's server using a user name and a password. Then, the trusted entity grants the person a unique code so the person can authenticate their identity to the business. The person delivers the unique code to the transactional entity. The business makes a request to verify the unique code with the trusted entity. The trusted entity verifies the unique code, which authenticates the person's identity to the business.

Abstract: A terminal device recording content onto a recording medium device, a permission to record the content onto the recording medium device being granted by a server device, the terminal device comprising: a generation unit generating a value calculated so as to represent subject content for which permission to record is requested; an information transmission unit requesting the permission from the server device by transmitting information indicating the value generated by the generation unit to the server device; a signature reception unit receiving subject content signature data from the server device, the subject content signature data being transmitted by the server device upon granting the permission; and a recording unit recording the subject content onto the recording medium device as one of plain-text data and encrypted data, as well as the subject content signature data received by the signature reception unit.

Abstract: A method of detecting a fault attack including generating a first signature of a first group of data values by performing a single commutative non-Boolean arithmetic operation between all the data values of the first group; generating a second set of data values by performing a permutation of the first set of data values; generating a second signature of the second group of data values by performing said single commutative non-Boolean arithmetic operation between all the data values of the second group; and comparing the first and second signatures to detect a fault attack.

Abstract: According to an embodiment, an information processing device offering various APIs stores, for every application program, a WSDL file which indicates definition information of an API which is permitted to be used by an application program, and developer information which specifies a developer of an application program. The information processing device releases to an application program a WSDL file corresponding to the application program, receives, through a web service, a request that is a request for use of a first API, determines whether or not the definition information of the first API is indicated in a first WSDL file corresponding to the first application program, and determines whether or not the first WSDL file is leaked, using developer information.

Abstract: Peer-to-peer authentication may be accomplished by sending a digital certificate to a responder, receiving a randomized codeword in response to the sending, creating a secure fingerprint based at least in part on the digital certificate and randomized codeword, creating a first bit sequence based at least in part on a first portion of the secure fingerprint and a second portion of the randomized codeword and indicating the first digital certificate is authenticated based upon whether the first bit sequence matches a second bit sequence received from the responder via an out-of-band communication in response to the sending. The size of the first bit sequence is less than the size of the secure fingerprint. According to another aspect, the first bit sequence is compared with a rendering of the second bit sequence, using an out-of-band communication, by associating the first bit sequence with one or more indices into an array of representations.

Abstract: Various methods and systems are provided for inserting a user-selected pattern below a main application display when sensitive information is being requested or to be communicated. The border of the main application layer may also be modified at this time, either with or without the underlying pattern. This visual change provides the user an assurance that the application or site is authentic and not a phishing attack. The user-selected patterns are stored in secure areas, such as a secure element on the user device or in a cloud accessible by the application or site.

Abstract: Digitally signing data for multiple encodings is disclosed. A first signature of the data is generated. A second signature of a second encoding of the data is generated. The first signature and the second signature are associated with the signed data.

Abstract: Techniques are disclosed for authenticating users to a computing application. A relying application transmits a login page to a user requesting access to the application. The login page may include a QR code (or other barcode) displayed to the user. The QR code may encode a nonce along with a URL address indicating where a response to the login challenge should be sent. In response, the user scans the barcode with an app on a mobile device (e.g., using a camera on a smart phone) to recover both the nonce and the URL address. The mobile device may also include a certificate store containing a private key named in a PKI certificate. The app signs the nonce using the private key and sends the signed nonce in to the URL in a response message.

Abstract: A method and apparatus for encrypting an electronic document involves a computer having a first monitor and a signature capture apparatus configured to capture a handwritten signature on a second monitor. A hash sum of the electronic document generated in the computer is transmitted to the signature capture apparatus. The electronic document and the first hash sum thereof are displayed on the first monitor. The first hash sum is also displayed on the second monitor. After electronically capturing the handwritten signature, the signature data are encrypted using the first hash sum. A digital signature image is generated in the signature capture apparatus and the first hash sum is embedded therein. The embedded first hash sum is then extracted in the computer. If the extracted hash sum is identical to the first hash sum generated in the computer apparatus, the encrypted signature data and the signed document are stored.

Abstract: A system and method for generating a non-repudiatable record of a communications data stream is provided, which is applicable to real-time and quasi-real-time data streams. A binary communication data stream is captured and segmented into defined frames. A key frame is generated for each of a number of data frames containing integrity and authentication information. The key frame is inserted into the data stream to provide an authenticated data stream.

Abstract: A system, method, and computer program product that may use a cache in the decompression of block compressed image data. Each data entry in the cache may represent decompressed image data corresponding to a compressed block of an image. The indices of the cache are keys, where each key is the output of a hash process that is performed on the corresponding compressed block. Decompression of a compressed block may be performed by hashing the compressed block to generate the key. The key may be used to access the cache. The decompressed data indexed by the key may be read and used as the decompressed version of the compressed block. If no data corresponds to the key, or if the cached data indexed by this key is otherwise invalid, then a conventional decompression process may be applied to the compressed block to yield the decompressed data. This decompressed data may then be written to the cache, at a location corresponding to the key.

Abstract: The invention concerns a method of detecting a fault attack including providing a plurality of blinding values; generating a first set of data elements including a first group of data elements and at least one additional data element generated by performing the exclusive OR between at least one data element in the first group and at least one of the blinding values; generating a second set of data elements corresponding to the exclusive OR between each data element of the first set and a selected one of the plurality of blinding values; generating a first signature by performing a commutative operation between each of the data elements of the first set; generating a second signature by performing the commutative operation between each of the data elements of the second set; and comparing the first and second signatures to detect a fault attack.

Abstract: At the first data access by a navigation unit to a recording medium that records updating right information necessary for updating map data in a rewritable data area in which map data are recorded, the updating right information is read from the data area and is deleted from the data area, and a map updating due date created based on the read updating right information is written in a memory of the navigation unit together with the medium identification information read from a non-rewritable management area.

Abstract: A system and method of authenticating data files is provided. The method includes providing a plurality of software part files and a manifest file associated with the software part files. The manifest file identifies each of the plurality of software part files. The method includes associating the manifest file with a manifest detached digital signature. The method also includes digitally signing the manifest file with the manifest detached digital signature. The manifest detached digital signature authenticates the manifest file. The method includes associating each of the plurality of software part files with one a plurality of unique detached digital signatures. The method includes digitally signing each of the plurality of software part files with one of the plurality of unique detached digital signatures. Each of the plurality of unique detached digital signatures authenticates one of the software part files.

Abstract: The present invention provides for an authenticity marker to be embedded within web page and/or email content which allows a user to validate that the content originates from the true source of the content and is not merely a copy. The method includes a user requesting content in the form of a web page and/or email from a server using a web browser or email client. The server receives the request, retrieves the content and forwards it to an authentication server. The authentication server inserts into the retrieved content a unique fractal icon and/or information only known between the owner of the content and the user.

Abstract: Representations of polynomials a, s, t, e—1 and e—2 can be provided. Values of coefficients of the polynomials can be limited, and can be computed using randomization techniques. A verification key can be generated to include representations of polynomials a, b, and c. Computation of b can include computing a product using a and s, and adding e—1. Computation of c can include computing a product using a and t, and adding e—2. A signing key can represent s and t. The signing key can be used to produce a message signature that can represent a sum of t and a product of s and m, with m being derived from a message to be signed. The verification key can be used to verify the signature by checking coefficient sizes of a polynomial represented by the signature, and of a checking polynomial derived from the verification key and the signature.