System Access Control Based On User Identification By Cryptography Patents (Class 713/182)
-
Patent number: 9015827
Abstract: Aspects of this disclosure are directed to outputting, for display at a presence-sensitive display, a first set of two or more selectable objects in a first arrangement of locations, the computing device operating in a first instance of a limited access state. At least one of the selectable objects includes an element of a predetermined passcode. The computing device may receive an indication of a first gesture to select one of the selectable objects and an indication of a second gesture to designate the selected object as an element of a candidate passcode. The computing device may transition to an access state based at least in part on a comparison between the candidate passcode and the predetermined passcode. The computing device may transition to a second instance of the limited access state, and may output a second set of two or more selectable objects in a second, different arrangement.
Type: Grant
Filed: February 5, 2014
Date of Patent: April 21, 2015
Assignee: Google Inc.
Inventors: Florian Rohrweck, Zhen Elizabeth Fong-Jones
-
Patent number: 9015858
Abstract: Seamless, secure, private, collaborative file synchronization across trust boundaries, typically as a companion to a store and sync file service. Information needed to recover a file is stored within the file itself, without giving away secret data. User specific personal keys are preferably only stored on the users' device(s). A unique ID is also created for each protected file; a password is generated that depends on (a) a key value that can either be (i) the user's personal key in the case of a file that is to be private or (ii) a shared key in the case of a file that is to be shared with other users, and (b) the unique file ID. The password is then encrypted using a recovery key and also stored in the file itself. The file is secured using a format that supports password-based content encryption.
Type: Grant
Filed: September 16, 2013
Date of Patent: April 21, 2015
Assignee: nCrypted Cloud LLC
Inventors: Nicholas Stamos, Igor Odnovorov
-
Patent number: 9015803
Abstract: In a server-computer implemented system for online document collaboration, a document stored online in a first account may be modified by one or more of an authorized first group of users, which modifications are received and applied to the document. Electronic notification that the document is modified is sent to one or more of an authorized second group of users, who can thereafter further modify the document, or indicate their approval or disapproval of the modifications made by the one or more of the authorized first group of users. The one or more of the authorized first group of users is authorized to make specific permitted changes to the document, and if an attempt is made to change the document in a manner not permitted, then an alarm condition is generated.
Type: Grant
Filed: November 9, 2013
Date of Patent: April 21, 2015
Assignee: Pennar Software Corporation
Inventors: Naren Chaganti, Sitapathi Rao Chaganti, Damayanti Chaganti
-
Patent number: 9015482
Abstract: A system, apparatus, method, and machine readable medium are described for multi-device operations within an authentication framework. For example, one embodiment of a method comprises: detecting N authentication devices on a client, wherein N>1; generating N cryptographic entities, one for each of the N authentication devices; transmitting a command to the client to register each of the N cryptographic entities into each of the N authentication devices; executing the command on the client and responsively registering each of the N cryptographic entities into each of the respective N authentication devices; and subsequently using at least one of the authentication devices and its associated cryptographic entity for authenticating a user of the client over a network.
Type: Grant
Filed: December 28, 2012
Date of Patent: April 21, 2015
Assignee: Nok Nok Labs, Inc.
Inventors: Davit Baghdasaryan, Matt Lourie, Brendon J. Wilson, Rajiv Dholakia
-
Patent number: 9015489
Abstract: Described herein are various technologies pertaining to constructions of a password-based authentication protocol that are configured to allow a user to register with and authenticate to an online service without the online service receiving a password or a deterministic function of the password of the user. When registering with an online service, a client computing device establishes a cryptographically strong random secret and stores an encryption of such secret with a data storage device. The storage device also never receives the password or a deterministic function of the password. When the user wishes to authenticate to the online service, the user employs her password to retrieve the encrypted secret from the storage device, decrypts such secret, and utilizes the decrypted secret to answer a cryptographically strong challenge provided to the user by the online service upon the online service receiving a username pertaining to such user.
Type: Grant
Filed: April 7, 2010
Date of Patent: April 21, 2015
Assignee: Microsoft Technology Licensing, LLC
Inventors: Mira Belenkiy, Tolga Acar, Henry Nelson Jerez Morales, Alptekin Kupcu
-
Patent number: 9015490
Abstract: Computing devices utilizing trusted execution environments as virtual smart cards are designed to support expected credential recovery operations when a user credential, e.g., personal identification number (PIN), password, etc. has been forgotten or is unknown. A computing device generates a cryptographic key that is protected with a PIN unlock key (PUK) provided by an administrative entity. If the user PIN cannot be input to the computing device the PUK can be input to unlock the locked cryptographic key and thereby provide access to protected data. A computing device can also, or alternatively, generate a group of challenges and formulate responses thereto. The formulated responses are each used to secure a computing device cryptographic key. If the user PIN cannot be input to the computing device an entity may request a challenge. The computing device issues a challenge from the set of generated challenges.
Type: Grant
Filed: December 12, 2013
Date of Patent: April 21, 2015
Assignee: Microsoft Technology Licensing, LLC
Inventors: Stefan Thom, Robert K. Spiger, Magnus Nyström, Himanshu Soni, Marc R. Barbour, Nick Voicu, Xintong Zhou, Kirk Shoop
-
Patent number: 9009299
Abstract: A peer-to-peer (P2P) bot(s) in a network is identified using an already identified P2P bot. More specifically, such embodiments may facilitate determining a candidate set of computers, which may be potential P2P bots, by identifying computers in a network that have a private mutual contact with a seed bot, which is a computer identified as a P2P bot, and identifying additional computers that have private mutual contacts with the identified computers. Further, a confidence level indicative of a certainty of a membership of each of the candidate computers in the P2P botnet is determined and responsive to a determination that the confidence level of the candidate computer exceeds a determined threshold confidence level, the candidate computer is identified as a P2P bot.
Type: Grant
Filed: January 7, 2011
Date of Patent: April 14, 2015
Assignee: Polytechnic Institute of New York University
Inventors: Nasir Memon, Baris Coskun
-
Patent number: 9009486
Abstract: An authentication processing device receives biometric data to be checked from a biometric measuring device; transforms the biometric data that is input from the biometric measuring device by using a checking transformation parameter that is different from a registration transformation parameter; and creates checking biometric data. Then, the authentication processing device performs a differential transformation process on the created checking biometric data by using a differential parameter by which a transformation state transformed by the checking transformation parameter and a transformation state transformed by the registration transformation parameter have the same state. Thereafter, the authentication processing device checks the transformed checking biometric data against the registration biometric data stored in a transformation registration data DB and performs authentication.
Type: Grant
Filed: September 23, 2011
Date of Patent: April 14, 2015
Assignee: Fujitsu Limited
Inventors: Hironori Yokoi, Toshio Endoh
-
Patent number: 9009793
Abstract: The present invention provides a cost efficient two way authentication method in which the authentication module can be provided as a Plug and Play (PnP) architecture enabling dual layer security with reduced cost where the actions are initiated by a server and user input is received through an audio session for added security. The second level authentication can be carried out with a mobile as the client device making it cost efficient. The invention can be hosted as an independent service or can be integrated with existing authentication mechanisms, making it elegant for usage.
Type: Grant
Filed: July 11, 2011
Date of Patent: April 14, 2015
Assignee: Infosys Limited
Inventors: Sachin Prakash Sancheti, Sidharth Subhash Ghag
-
Patent number: 9009464
Abstract: A uniform certificate revocation list managing apparatus is provided for managing canceled register information of all believable groups in a believable anonymous register system. Canceled register information includes canceled member information of each believable group, list information of unbelievable groups, and list information of unbelievable register service institutions. The uniform certificate revocation list managing apparatus interacts with each believable group and each register system, so as to update a certificate revocation list of each believable group in real time.
Type: Grant
Filed: April 15, 2010
Date of Patent: April 14, 2015
Assignee: Sony Corporation
Inventors: Zhihui Zhang, Mingshu Hu
-
Patent number: 9009485
Abstract: According to one embodiment, an electronic apparatus comprises a communication module and a connection control module. The communication module is configured to execute close proximity wireless transfer. The connection control module is configured to start an operation of establishing a connection between the communication module and an external device which is in close proximity to the communication module if an identifier of the external device wirelessly transmitted from the external device is included in a connection permission list. The connection control module is configured to display a password entry screen if the identifier is not included in the connection permission list, and to add, if a password entered on the password entry screen matches with a registered password, the identifier to the connection permission list and start the operation of establishing the connection between the communication module and the external device.
Type: Grant
Filed: June 11, 2014
Date of Patent: April 14, 2015
Assignee: Kabushiki Kaisha Toshiba
Inventor: Kotaro Fukui
-
Patent number: 9009834
Abstract: In a computer-implemented method, a digital content item to be tested is received. A display of a visual representation of the digital content item is simulated, where the visual representation is selectable and the digital content item is associated with a code snippet that is executed when the visual representation is selected. A simulated user click on the visual representation is received and the code snippet is executed in response. Processing actions of the code snippet are monitored, and it is determined whether the processing actions violate one or more predetermined system policies indicative of a content item unsuitable for service. A score for the code snippet is calculated based on one or more violations of the one or more predetermined system policies. The digital content item is suspended to prevent service of the digital content item if the score exceeds a predetermined threshold score, and validated for service otherwise.
Type: Grant
Filed: September 24, 2009
Date of Patent: April 14, 2015
Assignee: Google Inc.
Inventors: Jie Ren, Niels Provos, Sean Harvey, Oliver G. Fisher, Navdeep S. Jagpal, Qi Sun
-
Patent number: 9001276
Abstract: A method and system for multiplexing of multiple channels of video data through a single analog broadcasting channel is disclosed. The method enables a spatial and temporal multiplexing of videos of each of the multiple channels. The multiplexed content is created as a result of multiplexing that is encoded to generate a digital transport stream that is transmitted through an analog medium. The system enables a STB receiver to decode each of the videos from the stream. At least one video from the multiple videos is played on the television based on user selection.
Type: Grant
Filed: June 26, 2012
Date of Patent: April 7, 2015
Assignee: Tata Consultancy Services Limited
Inventors: Arpan Pal, Aniruddha Sinha, Arindam Saha, Hiranmay Ghosh, Gautam Shroff
-
Patent number: 9003493
Abstract: Automatic authorization of users and configuration of a software development environment can include selecting a task defined within a project plan of a software system under development, wherein the task specifies a development tool and a user, and automatically authorizing, using a centralized data processing system, the user to access the development tool.
Type: Grant
Filed: June 26, 2012
Date of Patent: April 7, 2015
Assignee: International Business Machines Corporation
Inventors: Matthew G. Marum, Samuel G. Padgett, Steven K. Speicher, Michael J. Tabb
-
Patent number: 9003494
Abstract: Automatic authorization of users and configuration of a software development environment can include selecting a task defined within a project plan of a software system under development, wherein the task specifies a development tool and a user, and automatically authorizing, using a centralized data processing system, the user to access the development tool.
Type: Grant
Filed: June 27, 2012
Date of Patent: April 7, 2015
Assignee: International Business Machines Corporation
Inventors: Matthew G. Marum, Samuel G. Padgett, Steven K. Speicher, Michael J. Tabb
-
Patent number: 9003549
Abstract: A third party provides an analysis of an analog signal property derived from an electronic device. A data set describing an analog signal property is obtained. The data set is derived from at least one measurement on the signal. A permission set based on data received from a supplier entity is maintained. A consumer entity having permissions is permitted access to information computed from the data set. A consumer input from the consumer entity is received. The consumer input represents a request for the analysis result. A determination is made based on permissions that the consumer entity is permitted access to the computed information. An analysis result from the data set is computed after receiving the consumer input. The analysis result is provided to the consumer entity. This abstract is not to be considered limiting, since other embodiments may deviate from the features described in this abstract.
Type: Grant
Filed: August 8, 2011
Date of Patent: April 7, 2015
Inventor: Gary K. Giust
-
Patent number: 8995653
Abstract: Embodiments of the present invention address deficiencies of the art in respect to symmetric key generation and provide a method, system and computer program product for symmetric key generation using an asymmetric private key. In one embodiment, a symmetric key generation data processing system can include a symmetric key generator configured with a programmatic interface including an input parameter for a seed, an input parameter for an asymmetric private key, and an output parameter for a symmetric key. The symmetric key generator can include program code enabled to generate the symmetric key by encrypting the seed with the asymmetric private key.
Type: Grant
Filed: July 12, 2005
Date of Patent: March 31, 2015
Assignee: International Business Machines Corporation
Inventors: Alan D. Eldridge, David S. Kern
-
Patent number: 8997192
Abstract: A secure processor such as a TPM generates one-time-passwords used to authenticate a communication device to a service provider. In some embodiments the TPM maintains one-time-password data and performs the one-time-password algorithm within a secure boundary associated with the TPM. In some embodiments the TPM generates one-time-password data structures and associated parent keys and manages the parent keys in the same manner it manages standard TPM keys.
Type: Grant
Filed: May 17, 2013
Date of Patent: March 31, 2015
Assignee: Broadcom Corporation
Inventors: Mark Buer, Douglas Allen
-
Patent number: 8997240
Abstract: A system and method for generating user authentication challenges based at least in part on an account owner's social network activity information. A login request including an account owner's correct username and password as well as additional login information is received from a user. The login attempt is detected as potentially fraudulent based on the additional login information from the user. The account owner's social network activity information is analyzed. An authentication challenge based at least in part on the account owner's social network activity information is generated and sent for display. The login request is allowed or denied based on the completion of the authentication challenge.
Type: Grant
Filed: October 31, 2011
Date of Patent: March 31, 2015
Assignee: Google Inc.
Inventors: Javier Kohen, Jessica Staddon, Andrew M. Archer, Madukar Narayan Thakur, Michael Christopher Hearn
-
Patent number: 8997189
Abstract: Embodiments of multi-user web service sign-in client side components are presented herein. In an implementation, the currently authenticated user account of a first application of a client is transferred to another application of a client. In another implementation, a common credential store is used to share data for a plurality of user accounts associated with a client between a plurality of applications of the client, and for the applications to output multi-user interfaces having portions corresponding to the plurality of accounts.
Type: Grant
Filed: May 31, 2013
Date of Patent: March 31, 2015
Assignee: Microsoft Technology Licensing, LLC
Inventors: Erren Dusan Lester, Kok Wai Chan, Lynn C. Ayres, Naresh Jain, Rui Chen, Trevin M. Chow
-
Patent number: 8990959
Abstract: A manipulable human interactive proof (HIP) displays at most a portion of verification information. A user performs at least one manipulation on the HIP display to obtain full verification information.
Type: Grant
Filed: May 28, 2010
Date of Patent: March 24, 2015
Assignee: Microsoft Corporation
Inventors: Bin Benjamin Zhu, Lin Xu
-
Patent number: 8990562
Abstract: An invention is described for securely deploying a provable identity for virtual machines (VMs) in a dynamic environment. In an embodiment, a fabric controller instructs a VM host to create a VM and sends that VM a secret. The fabric controller sends that same secret (or a second secret, such as the private key of a public/private key pair) to the security token service along with an instruction to make an account for the VM. The VM presents proof that it possesses the secret to the security token service and in return receives a full token. When a client connects to the deployment, it receives the public key from the security token service, which it trusts, and the full token from the VM. It validates the full token with the public key to determine that the VM has the identity that it purports to have.
Type: Grant
Filed: October 8, 2010
Date of Patent: March 24, 2015
Assignee: Microsoft Technology Licensing, LLC
Inventors: Ian Jirka, Kahren Tevosyan, Corey Sanders, George M. Moore, Mohit Srivastava, Mark Eugene Russinovich
-
Patent number: 8990902
Abstract: A secure mechanism for performing a network boot sequence and provisioning a remote device may use a private key of a public key/private key encryption mechanism to generate a command by a server and have the command executed by the device. The command may be used to verify the authenticity of the remote device, and may be used to establish ownership of the device. After authenticity and, in some cases ownership is established, bootable software may be downloaded and executed. The remote device may be provisioned with software applications. One mechanism for performing the initial encrypted commands is through a Trusted Platform Module. In many embodiments, the public key for the initial encrypted communication may be provided through a trusted second channel.
Type: Grant
Filed: September 23, 2013
Date of Patent: March 24, 2015
Assignee: Microsoft Technology Licensing, LLC
Inventors: Christopher McCarron, Varugis Kurien
-
Patent number: 8990956
Abstract: Systems and methods for exchanging information for access to a computing resource are provided herein. Methods may include receiving a request to access a computing resource, the computing resource being selectively unavailable to the information provider, responsive to receiving the request, providing the information provider a problem that is to be solved by the information provider prior to making the computing resource selectively available to the information provider, wherein solving the problem elicits desired information from the information provider, and responsive to receiving the desired information, selectively making the computing resource available to the information provider.
Type: Grant
Filed: August 6, 2012
Date of Patent: March 24, 2015
Assignee: Hurricane Electric
Inventor: Mike Leber
-
Patent number: 8990478
Abstract: Aspects of the invention provide for masking a current profile of a one-time programmable (OTP) memory. In one embodiment, a circuit includes: a first one-time programmable (OTP) memory configured to receive a data input for a plurality of address fields; and a second OTP memory configured to receive an inverse of the data input for a plurality of address fields, wherein a current profile for a programming supply for the first OTP memory and the second OTP memory is masked, such that the data input for the first OTP memory is undetectable.
Type: Grant
Filed: July 23, 2012
Date of Patent: March 24, 2015
Assignee: International Business Machines Corporation
Inventors: John A. Fifield, Gerald P. Pomichter, Jr., Jeffrey S. Zimmerman
-
Patent number: 8990584
Abstract: A client hosted virtualization system includes a task oriented device, a processor, and non-volatile memory with BIOS code and virtualization manager code. The virtualization manager initializes the client hosted virtualization system, authenticates a virtual machine image, launches the virtual machine based on the image, receives a transaction targeted to the task oriented device, prioritizes the transaction, sends the transaction to the task oriented device, receives a response from the task oriented device, and sends the response to the virtual machine. The client hosted virtualization system is configurable to execute the BIOS or the virtualization manager.
Type: Grant
Filed: May 28, 2010
Date of Patent: March 24, 2015
Assignee: Dell Products, LP
Inventors: David Konetski, Kenneth W. Stufflebeam, Shree Dandekar
-
Patent number: 8990908
Abstract: A method, a computer readable medium and a system of multi-domain login and messaging are provided. The method for multi-domain login comprises inputting a local password by an agent, accessing a password vault with the local password, and retrieving at least one hidden password from the password vault, and logging the agent into at least one agent application using the at least one hidden password. The method for multi-domain messaging comprises retrieving information of an agent from a database, retrieving at least one skill group to which the agent belongs from the information, retrieving a message linked to the at least one skill group, and sending the message to the agent.
Type: Grant
Filed: November 19, 2013
Date of Patent: March 24, 2015
Assignee: West Corporation
Inventors: Jeffrey William Cordell, Larry Trent Larson, Michael S. Fecci, Raymond Onslow Morris, Kevin Peter Pierson
-
Patent number: 8990567
Abstract: A digital signature of a message originator of a message is validated by a processor on message retrieval by a message recipient as a first-tier validation of the message. In response to a successful first-tier validation of the digital signature of the message originator, a transaction token and a message originator identifier are extracted from a message payload of the message. Communication is initiated with a verification service within a secure messaging environment of the message originator as a second-tier validation of the message using the extracted transaction token and the extracted message originator identifier to confirm whether the secure messaging environment of the message originator generated the transaction token and inserted the transaction token into the message payload. Results of the second-tier validation of the message with the verification service within the secure messaging environment of the message originator are determined.
Type: Grant
Filed: June 7, 2013
Date of Patent: March 24, 2015
Assignee: International Business Machines Corporation
Inventors: Bret W. Dixon, Scot W. Dixon
-
Patent number: 8990932
Abstract: The present invention relates to data encryption and more particularly to data encryption for prevention of malware attacks designed to access user data. The present invention protects user data against regular malware and advanced malware like rootkit attacks, zero day attacks and anti-malware disabler attacks. In one embodiment, the present invention uses encryption, application whitelisting, and application binding to prevent malware from accessing a victim's data files. In another embodiment, the present invention uses application path binding to further contain the malware from accessing the victim's data.
Type: Grant
Filed: June 28, 2012
Date of Patent: March 24, 2015
Assignee: SecureAge Technology, Inc.
Inventor: Teow Hin Ngair
-
Patent number: 8984616
Abstract: Efficient routing for a client-server session or connection is provided in an application layer of multi-layered systems interconnect stack by caching a plurality of application-specific information at an intermediary network point; using the application specific information to route messages for an application connection; and indexing the application-specific information with a key provided by the application. Optionally, a second key may be used to retrieve the application-specific information if the first key is not provided in an application connection request, where the second key is optionally opaque to the application program. The intermediary network point may be an edge of network Internet Protocol (IP) switch, and the application layer in which the routing is performed may be layer seven of the Open Systems Interconnection model.
Type: Grant
Filed: December 8, 2010
Date of Patent: March 17, 2015
Assignee: International Business Machines Corporation
Inventors: Daniel M Jamrog, David Scott Kern, Jason Dana LaVoie, Chester E Ryder, III
-
Patent number: 8984291
Abstract: A method for managing access to a computing environment by a computing device includes providing at least one credential that identifies both the computing device and a user of the computing device, storing data at the computing environment relating to the computing device and the user in association with the credential, and selectively granting an access request received from the computing device using the credential in accordance with the data stored at the computing environment.
Type: Grant
Filed: March 23, 2006
Date of Patent: March 17, 2015
Assignee: Hewlett-Packard Development Company, L.P.
Inventors: David Plaquin, Marco Ricca, Boris Balacheff
-
Patent number: 8984286
Abstract: A digital signature of a message originator of a message is validated by a processor on message retrieval by a message recipient as a first-tier validation of the message. In response to a successful first-tier validation of the digital signature of the message originator, a transaction token and a message originator identifier are extracted from a message payload of the message. Communication is initiated with a verification service within a secure messaging environment of the message originator as a second-tier validation of the message using the extracted transaction token and the extracted message originator identifier to confirm whether the secure messaging environment of the message originator generated the transaction token and inserted the transaction token into the message payload. Results of the second-tier validation of the message with the verification service within the secure messaging environment of the message originator are determined.
Type: Grant
Filed: June 28, 2012
Date of Patent: March 17, 2015
Assignee: International Business Machines Corporation
Inventors: Bret W. Dixon, Scot W. Dixon
-
Patent number: 8984155
Abstract: Resources may be managed in a topology for audio/video streaming. DisplayPort is a digital audio/video interconnect standard of the Video Electronics Standards Association (VESA). It allows video and audio to be coupled from a computer to a video display or an audio playback system. The topology includes audio/video sources and sinks and intervening branch devices. Messages between these sources, sinks, and branch devices may be used for resource management.
Type: Grant
Filed: May 18, 2010
Date of Patent: March 17, 2015
Assignee: Intel Corporation
Inventor: Srikanth Kambhatla
-
Patent number: 8984294
Abstract: According to one embodiment, an authentication method includes generating, by the memory, first authentication information by calculating secret identification information with a memory session key in one-way function operation, transmitting encrypted secret identification information, a family key block, and the first authentication information to a host, and generating, by the host, second authentication information by calculating the secret identification information generated by decrypting the encrypted secret identification information with the host session key in one-way function operation. The method further includes comparing, by the host, the first authentication information with the second authentication information.
Type: Grant
Filed: February 15, 2013
Date of Patent: March 17, 2015
Assignee: Kabushiki Kaisha Toshiba
Inventors: Yuji Nagai, Taku Kato, Tatsuyuki Matsushita, Toshihiro Suzuki, Noboru Shibata
-
Patent number: 8984293
Abstract: Systems, methods, and apparatus for generating and validating product keys. In some embodiments, a product key includes security information and identification information identifying at least one copy of a software product. The identifying information may be used to access validation information from at least one source other than the product key, and the validation information may be used to process the identification information and the security information to determine whether the product key is valid. In some further embodiments, the security information includes a first portion to be processed by a first validation authority using first validation information and a second portion to be processed by a second validation authority using second validation information, wherein the second validation information is stored separately from the first validation information.
Type: Grant
Filed: November 19, 2010
Date of Patent: March 17, 2015
Assignee: Microsoft Corporation
Inventors: Thomas J. Layson, Caglar Gunyakti, Tarik Soulami, Kalin Georgiev Toshev, Jeffrey Paul Harker, Josh D. Benaloh
-
Patent number: 8984292
Abstract: A human interactive puzzle (HIP) authorization architecture where keyed and animated puzzles are executed by HIP players which are distinct and obfuscated to the point where breaking a single player is a relatively costly operation. A key is created in response to a request for a service, a HIP player is created based on the key, and a small installation executable is created that expands during installation to produce a computationally expensive data structure on the client relative to verification of the solution at the server. Thus, copying of the player or relay of the puzzle to a third system requires more time than allowed to receive the solution at the server.
Type: Grant
Filed: June 24, 2010
Date of Patent: March 17, 2015
Assignee: Microsoft Corporation
Inventors: Jesper B. Lind, Darko Kirovski, Christopher A. Meek
-
Patent number: 8984587
Abstract: A system and method for managing communication. The system and method applying to but not limited to settop boxes (STBs) and other devices used to interface services. The management including any number of features and processes associated with achieving Quality of Service (QoS) across different domains and according to network limitations associated with the same.
Type: Grant
Filed: February 12, 2013
Date of Patent: March 17, 2015
Assignee: Comcast Cable Holdings, LLC
Inventor: Mark D. Francisco
-
Patent number: 8984599
Abstract: A method and apparatus for generating a password in real time by creating at least one password map during creation of an account associated with a user, and generating and providing a random password hint sequence grid to the user in real time, authenticating the user for accessing the account using a password created by the user, where the password is created by the user using the random password hint sequence grid and the at least one password map.
Type: Grant
Filed: January 27, 2012
Date of Patent: March 17, 2015
Assignee: Samsung Electronics Co., Ltd.
Inventor: Vikram Bodavula
-
Patent number: 8978098
Abstract: An identification module receives a password request for a specified user and communicates an encrypted password field in response thereto, wherein the encrypted password field references a directory object corresponding to the specified user. The present invention also teaches an authentication module that communicates the password request to the identification module and receives the encrypted password field therefrom. Upon receiving the encrypted password field, the authentication module authenticates the specified user against the referenced directory object. In some embodiments, the encrypted password field is stored in an identification data store of an identification server and the directory object is stored in an authentication data store of an authentication server.
Type: Grant
Filed: April 17, 2013
Date of Patent: March 10, 2015
Assignee: Dell Software, Inc.
Inventors: Kyle Lane Robinson, John Joseph Bowers
-
Patent number: 8977686
Abstract: Application programming interface (API) for starting and accessing distributed routing table (DRT) functionality. The API facilitates bootstrapping into the DRT by one or more devices of a group of devices (a mesh) seeking to collaborate over a serverless connection, establishing a node of the DRT, where each node is an instance of an application that is participating in the mesh, and node participation by allowing the application to search for keys published by other nodes in the mesh, or by becoming part of the mesh by publishing a key. The API facilitates optimization of the routing table for quickly finding a root of a specific key in the mesh by finding the key directly in a cache or by asking a root node of the key that is in the local routing table that is closest numerically to the key being searched.
Type: Grant
Filed: April 3, 2012
Date of Patent: March 10, 2015
Assignee: Microsoft Corporation
Inventors: Todd R. Manion, Kevin C. Ransom, Jeremy L. Dewey, Scott A. Senkeresty, Travis C. Luke, Upshur W. Parks, Brian R. Lieuallen, Pritam De, Pallavi Choudhury
-
Patent number: 8977844
Abstract: An embodiment generally relates to a method of managing tokens. The method includes detecting a presence of a token at a client and determining a status of the token. The method also includes formatting the token at the client in response to the status of the token being unformatted.
Type: Grant
Filed: August 31, 2006
Date of Patent: March 10, 2015
Assignee: Red Hat, Inc.
Inventors: Steven William Parkinson, Robert B. Lord
-
Patent number: 8978104
Abstract: Methods and systems are disclosed for providing indirect and temporary access to a company's IT infrastructure and business applications. The methods/systems involve establishing an access control center (ACC) to control the access that technical support personnel may have to the company's IT infrastructure and business applications. Thin client terminals with limited functionality may then be set up in the ACC for use by the technical support personnel. The thin client terminals connect the technical support personnel to workstations outside the ACC that operate as virtual desktops. The virtual desktops in turn connect the technical support personnel to the IT infrastructure and business applications. An ACC application may be used to control the connection between the thin client terminals and the virtual desktops and the virtual desktops and the IT infrastructure and business applications.
Type: Grant
Filed: July 23, 2008
Date of Patent: March 10, 2015
Assignee: United Services Automobile Association (USAA)
Inventors: Christopher Thomas Wilkinson, Edward Allen Francovich
-
Patent number: 8977235
Abstract: An exemplary method and apparatus are provided for establishing a communication between a first communication terminal and a second communication terminal over a network. A server dynamically generates a first single-use key and a second single-use key respectively associated with the first and second communication terminals as a function of time data related to at least one previous communication between the first communication terminal and the second communication terminal, during a request to establish a call from the first communication terminal to the second communication terminal. The server compares the first and second keys that were generated, and authorizes the establishment of the communication if the compared keys are identical.
Type: Grant
Filed: August 30, 2010
Date of Patent: March 10, 2015
Assignee: Alcatel Lucent
Inventors: Daniel Ferrero, Yann Pitiot
-
Patent number: 8972740
Abstract: The systems and methods described herein relate to secure extranets which utilize certificate authentication to mediate access, transactions, and user tracking. Such extranets may be employed to provide an interface accessible over a network, such as the Internet, capable of authenticating and recording transactions for business, medical, or other purposes.
Type: Grant
Filed: October 8, 2012
Date of Patent: March 3, 2015
Assignee: Verizon Patent and Licensing Inc.
Inventors: Sharyn Marie Garrity, Ronald Lewis Scott, Aaron Mark Helsinger
-
Patent number: 8973155
Abstract: A license management system is connected to an authentication database holding information about license and user and manages a plurality of licenses. The system comprises a data receiving section, a data reading section and a license confirmation section. The data receiving section receives a user ID which is a code to identify a user. The data reading section reads out from the authentication database a user-type ID which is associated with the received user ID and is a code to identify the type of the user, and reads out from the authentication database a license ID which is associated with the user-type ID and is a code to identify the license. The license confirmation section confirms the content of a license which is associated with the read-out license ID and whether the license is correct on the basis of the confirmed content, and allows login by the user only when the license is correct.
Type: Grant
Filed: March 1, 2010
Date of Patent: March 3, 2015
Assignee: NEC Corporation
Inventor: Kanako Iwai
-
Patent number: 8972739
Abstract: Systems and methods for securely entering pass-sets in input/output (I/O) devices. An exemplary I/O device includes an authentication application, an output interface and a user-controls interface. The authentication application is configured to generate aural, visual, audiovisual or tactile messages containing one or more pass-set entry menus, in response to a request to access a pass-set protected resource by a user of the I/O device. The output interface is configured to securely present the generated messages for the user. For example, the headphone of a headset can securely present an aural message to a wearer. The user-controls interface is configured to assist the user in making a selection from the menus or choices presented to the user. For example, a variety of controls, switches and buttons on a headset can facilitate user input. The user selection is then assembled into a user entered pass-set for authenticating the user's identity by an authenticator.
Type: Grant
Filed: June 1, 2007
Date of Patent: March 3, 2015
Assignee: Plantronics, Inc.
Inventor: Douglas K Rosener
-
Patent number: 8966275
Abstract: A method for authenticating a portable data carrier (10) to a terminal device by the following steps: In the data carrier (10) a public session key (PKSession) is derived (S5) from a public key individual to the data carrier (PKi) which has in its turn been derived (TS32; S1) from a public group key (PK). Further, a secret session key (SKSession) is derived (S4) from a secret key individual to the data carrier (SKi) which has in turn been derived (TS31) from a secret group key (SK). Subsequently, a secret communication key (KK) is agreed on (S7) between the data carrier (10) and the terminal device. Finally, the terminal verifies (S8) the public session key (PKSession) of the data carrier (10).
Type: Grant
Filed: March 7, 2011
Date of Patent: February 24, 2015
Assignee: Giesecke & Devrient GmbH
Inventors: Jan Eichholz, Gisela Meister
-
Patent number: 8966571
Abstract: Systems and methods modifying a presentation of media content in response to a detected violation are provided. In particular, media content such as a media stream broadcasted by a user to other users can be monitored. The broadcasted media stream can be fingerprinted and compared to a fingerprint repository that includes entries associated with media content that is copyrighted or otherwise considered a violation. If the fingerprint matches entries included in the fingerprint repository, then the media stream can be modified such as modified to terminate.
Type: Grant
Filed: April 3, 2012
Date of Patent: February 24, 2015
Assignee: Google Inc.
Inventor: Johan Georg Granström
-
Patent number: 8966254
Abstract: A confidential information exchange between a sender and a receiver may be conducted without the use of encryption keys. The information is coded with a Challenge-Response Table that is shared between the sender and the receiver. Rather than sending a challenge and then waiting for a response, the challenge and response are both sent by the sender of the information. The information sent comprises an index with a challenge and a response from the Challenge-Response Table. Upon receiving the coded information, the receiver uses the Challenge-Response Table to decode the information by using the index to locate the challenge and its valid response. Upon determining that the challenge and the response are correct, a first decoded answer is determined. Upon determining that either the challenge or the response, or both, are incorrect, a second decoded answer is determined.
Type: Grant
Filed: October 11, 2010
Date of Patent: February 24, 2015
Assignee: International Business Machines Corporation
Inventors: Subramaniyam Chandrasekaran, Shunmugam Murugan, Arun C. Ramachandran, Lakshmanan Velusamy
-
Patent number: 8966586
Abstract: An OpenFlow network controller controls an OpenFlow network. A networking connection is established between the OpenFlow network controller and an OpenFlow network device attempting to become part of the OpenFlow network. After establishing the networking connection with the OpenFlow network device, the OpenFlow network controller attempts to authenticate the OpenFlow network device. Where authentication of the OpenFlow network device is successful, the OpenFlow network controller sends a message to the OpenFlow network device to indicate that the authentication was successful and permits the OpenFlow network device to join and perform OpenFlow messaging.
Type: Grant
Filed: January 27, 2013
Date of Patent: February 24, 2015
Assignee: International Business Machines Corporation
Inventors: Vishal Shukla, Ashish Kapur, Thu Quoc Tran