System Access Control Based On User Identification By Cryptography Patents (Class 713/182)
-
Patent number: 8763107
Abstract: Apparatus, methods and software that implement cross-connected, server-based, IP-connected, point-to-point connectivity between remotely located firewall-protected devices. The apparatus, methods, and software allow user computers to communicate with remotely located firewall-protected devices without the necessity to configure the firewalls. The apparatus, methods, and software are implemented using a relay server that runs software that implements communication between an arbitrary number of firewall-protected devices and an arbitrary number of firewall-protected user computers that are remotely-located from the devices.
Type: Grant
Filed: August 3, 2009
Date of Patent: June 24, 2014
Assignee: Omnimetrix, LLC
Inventor: Harold M. Jarrett, Jr.
-
Patent number: 8763136
Abstract: A method and apparatus for filtering user identifying information. A user request for content is received, the request including user identifying information. A determination is made as to whether the user request satisfies context criteria. If the user request satisfies the context criteria, the user identifying information is filtered out from the user request. The filtered request is then sent to a content provider.
Type: Grant
Filed: March 22, 2007
Date of Patent: June 24, 2014
Assignee: Red Hat, Inc.
Inventor: Richard Ding Li
-
Patent number: 8763137
Abstract: An authority management apparatus configured to communicate with an external apparatus having one or more functions includes a management unit configured to manage authority information indicating an authority concerning use of the one or more functions of the external apparatus with respect to a particular user, an updating unit configured to, based on permission information for permitting a second user different from a first user to use a function of the external apparatus that the first user can execute, update the authority information concerning the second user, and a sending unit configured to send the authority information updated by the updating unit to the external apparatus to be used by the second user.
Type: Grant
Filed: July 17, 2007
Date of Patent: June 24, 2014
Assignee: Canon Kabushiki Kaisha
Inventors: Nobuyuki Shigeeda, Naohiro Taguchi
-
Patent number: 8763074
Abstract: Securing large networks having heterogeneous computing resources including provision of multiple services both to clients within and outside of the network, multiple sites, security zones, and other characteristics is provided using access control functionality implemented at hosts within the network. The access control functionality includes respective access control policies for indicating to each host from which other computers it can accept connections. Content of the access control policies can be determined based on application data flow needs, and can draw information from databases including DNS and security zone information for hosts to which the access control policies will be applied. Access control policies can be formatted automatically for different hosts with different characteristics from the same base logical rule set.
Type: Grant
Filed: February 16, 2012
Date of Patent: June 24, 2014
Assignee: Yahoo! Inc.
Inventors: Adam Bechtel, Jayanth Vijayaraghavan, Kuai Xu, Pradeep Hodigere, Herbert Ong
-
Patent number: 8756431
Abstract: A secure access system includes at least one lock, at least one electronic key with stored information assigned to a user and a system administration for administering user access privileges. A method for remotely updating the user's expired access privileges includes establishing communication between the user and the system administration from a location remote from the system administration, receiving a remote privilege code from the system administration, communicating the remote privilege code to the lock, and, if authorized, the lock validating the privilege code to renew the user's access privileges. The validated privilege code can also be made effective to access other different locks within the system.
Type: Grant
Filed: November 11, 2004
Date of Patent: June 17, 2014
Assignee: UTC Fire & Security Americas Corporation, Inc.
Inventors: Jay Despain, James Petrizzi, Gregory L. Burge
-
Patent number: 8756705
Abstract: Systems and methods for personalized security management of online applications are provided. A determination may be made that a condition for constructing an increased authentication proposal for access to an online financial service is satisfied. The increased authentication proposal may be associated with (i) a user of the online financial service and (ii) a user request option associated with the online financial service. Based upon the determination that the condition is satisfied, the increased authentication proposal may be generated and transmitted for presentation to the user. An increased authentication proposal response may then be received, and the increased authentication proposal response may be processed in order to store, in association with the user and the user request option, (i) an indication of an increased authentication condition and (ii) an indication of an increased authentication mechanism.
Type: Grant
Filed: June 30, 2010
Date of Patent: June 17, 2014
Assignee: Fiserv, Inc.
Inventors: Robert T. Homer, Mary Elizabeth Lawson, Donald Kenneth Hobday, Jr., Hans Daniel Dreyer
-
Patent number: 8756413
Abstract: The present invention relates to a method and a device for ensuring information integrity and non-repudiation over time. A basic idea of the present invention is to provide a mechanism for secure distribution of information, which information relates to an instance in time when usage of cryptographic key pairs associated with a certain brand identity commenced, as well as when the key pairs ceased to be used, i.e. when the key pairs were revoked. The mechanism further allows a company or an organization to tie administration of cryptographic key pairs and a procedure for verifying information integrity and non-repudiation to their own brand. This can be seen as a complement or an alternative to using a certificate authority (CA) as a trusted third party, which CA guarantees an alleged relation between a public key and the identity of the company or organization using the cryptographic key pair to which that public key belongs.
Type: Grant
Filed: April 20, 2005
Date of Patent: June 17, 2014
Assignee: Brandsign AB
Inventors: Anders Thoursie, Peter Holm, Sven-Håkan Olsson
-
Patent number: 8756689
Abstract: In an input/output virtualization-enabled computing environment, a device, method, and system for securely handling virtual function driver communications with a physical function driver of a computing device includes maintaining communication profiles for virtual function drivers and applying the communication profiles to communications from the virtual function drivers to the physical function driver, to determine whether the communications present a security and/or performance condition. The device, method and system may disable a virtual function driver if a security and/or performance condition is detected.
Type: Grant
Filed: June 29, 2012
Date of Patent: June 17, 2014
Assignee: Intel Corporation
Inventors: Nrupal R. Jani, Shannon L. Nelson, Gregory D. Cummings
-
Patent number: 8756409
Abstract: The invention provides a system for retrieving at boot time user data stored on a computer. The computer comprises a processor coupled through a system bus to I/O devices and to a system memory, the computer further having a basic input output system (BIOS) unit operatively coupled to the system bus for loading a computer operating system during a computer boot procedure, wherein the system memory being accessible to the computer operating system via the system bus. The system comprises a boot adapter for connecting the system bus to a boot bus, a boot memory coupled to the boot bus wherein the boot memory comprises storage locations for storing the predefined user data, and program code means coupled to the BIOS unit. The program code means are operative for loading a boot operating system during the computer boot procedure, the boot operating system having instructions for accessing the boot memory during the computer boot procedure.
Type: Grant
Filed: June 9, 2011
Date of Patent: June 17, 2014
Assignee: International Business Machines Corporation
Inventors: Frederic Bauchot, Joaquin Picon, Vincent Tassy
-
Patent number: 8756665
Abstract: A user authenticates to a Web- or cloud-based application from a browser-based client. The browser-based client has an associated rich client. After a session is initiated from the browser-based client (and a credential obtained), the user can discover that the rich client is available and cause it to obtain the credential (or a new one) for use in authenticating the user to the application (using the rich client) automatically, i.e., without additional user input. An application interface provides the user with a display by which the user can configure the rich client authentication operation, such as specifying whether the rich client should be authenticated automatically if it is detected as running, whether and to what extent access to the application by the rich client is to be restricted, if and when access to the application by the rich client is to be revoked, and the like.
Type: Grant
Filed: July 8, 2011
Date of Patent: June 17, 2014
Assignee: International Business Machines Corporation
Inventors: Olgierd Stanislaw Pieczul, Mark Alexander McGloin, Mary Ellen Zurko
-
Patent number: 8754830
Abstract: A projection type image display device provided with an unauthorized use preventing system includes a button unit or a remote controller for operating the display device, a condition memory for storing information indicating at least one use condition in an authorized use of the display device, a password memory for storing a password for releasing a restriction on the use of the display device, a detector for detecting a used condition of the display device at a power on timing, and a processor for imposing restrictions on the use of the display device when the use condition detected by the detector does not match the at least one use condition indicated by the information stored in the condition memory and for relieving the restriction based upon input of the password.
Type: Grant
Filed: September 22, 2011
Date of Patent: June 17, 2014
Assignee: Hitachi Consumer Electronics Co., Ltd.
Inventors: Tatsuro Nakamura, Masaaki Takatsuji, Atsushi Maruyama
-
Patent number: 8751788
Abstract: Embodiments of the invention provide a system for encrypting web session data which may include a session management module adapted to receive data from a web application module and provide a token that represents the data in encrypted form to the web application, wherein the web application is adapted to use the token to represent the data. The system may also include a tokenizer module communicably coupled to the session management module, wherein the tokenizer module is adapted to receive the data and generate the token. Further, the system may include a database communicably coupled to the session management module, wherein the database is adapted to receive the token and the data, associate the token with the data, and store the token and the data.
Type: Grant
Filed: June 10, 2009
Date of Patent: June 10, 2014
Assignee: Paymetric, Inc.
Inventor: Nathan P. Leach
-
Patent number: 8750513
Abstract: A mesh network surveillance system and method for providing communication between a base system having at least one input capture device ICD(s) and other ICD(s), wherein the ICD(s) are operable to provide a self-configuring network with each other, including the steps of providing this base system; at least one user accessing the ICDs and inputs remotely via a user interface through a remote server computer and/or electronic device communicating with it, for providing a secure surveillance system with extended inputs range and self-configured networking for smart cross-communication for monitoring a target environment.
Type: Grant
Filed: March 13, 2013
Date of Patent: June 10, 2014
Assignee: Smartvue Corporation
Inventor: Martin A. Renkis
-
Patent number: 8751233
Abstract: A speaker-verification digital signature system is disclosed that provides greater confidence in communications having digital signatures because a signing party may be prompted to speak a text-phrase that may be different for each digital signature, thus making it difficult for anyone other than the legitimate signing party to provide a valid signature.
Type: Grant
Filed: July 31, 2012
Date of Patent: June 10, 2014
Assignee: AT&T Intellectual Property II, L.P.
Inventors: Pradeep K. Bansal, Lee Begeja, Carroll W. Creswell, Jeffrey Farah, Benjamin J. Stern, Jay Wilpon
-
Patent number: 8746363
Abstract: System for conducting remote biometric operations that includes a biometric data reading device connected to a personal computer and configured to send said encrypted data to a remote data authentication center for establishing a secure communications channel once the user identity has been verified by means of said biometric data. This invention refers to a remote biometric operations system that can be connected to a computer to carry out electronic banking and other similar operations with a certain degree of safety.
Type: Grant
Filed: December 29, 2011
Date of Patent: June 10, 2014
Assignee: Hanscan IP B.V.
Inventors: Nicolás Antequera Rodriguez, Juan A. Lopez Ramos
-
Patent number: 8752170
Abstract: Independent verification of user profile attributes that are stored on third-party community-based web sites is provided. A user request indicates target profile attributes to verify. Profile attribute data concerning a profile owner is collected from a plurality of community sites. The collected data is verified, and results of the verification process are stored in a database. When a user views verified profile attributes on a page on a community site, the corresponding stored verification status is retrieved, and an indication of the trust status of the profile is output to the user, for example by modifying the displayed web page to display the trust status.
Type: Grant
Filed: August 20, 2008
Date of Patent: June 10, 2014
Assignee: Symantec Corporation
Inventors: Keith Newstadt, Timothy G. Brown
-
Patent number: 8752137
Abstract: Systems and methods for stateless system management are described. Examples include a method wherein a user sends the management system a request to act upon a managed system. The management system determines whether the user is authorized for the requested action. Upon authorization, the management system looks up an automation principal, which is a security principal native to the managed system. The management system retrieves connecting credentials for the automation principal, and connects to the managed system using the retrieved credentials. Once the managed system is connected, the management system performs the requested action on the managed system, and sends the result back to the user.
Type: Grant
Filed: May 28, 2010
Date of Patent: June 10, 2014
Assignee: Bladelogic, Inc.
Inventors: Denis Knjazihhin, Paul A. Reilly, Chet Birger, David Allen Solin, Carl Adams
-
Patent number: 8752148
Abstract: A processorless hardware token provides a one-time password for user authentication. The processorless hardware token contains a non-volatile memory upon which is stored a pre-produced sequence of one-time passwords. The processorless hardware token uses limited circuitry on a circuit board to read from the non-volatile memory and display a one-time password associated with a current interval. The displayed one-time password is then used for authentication by an authentication server that compares the one-time password displayed on the processorless hardware token with a one-time password retrieved from a copy of the pre-produced sequence of one-time passwords stored on the Authentication Server.
Type: Grant
Filed: June 25, 2012
Date of Patent: June 10, 2014
Assignee: EMC Corporation
Inventors: Edward W. Vipond, Karl Ackerman
-
Patent number: 8752146
Abstract: A technique provides authentication codes to authenticate a user to an authentication server. The technique involves generating, by an electronic apparatus (e.g., a smart phone, a tablet, a laptop, etc.), token codes from a cryptographic key. The technique further involves obtaining biometric measurements from a user, and outputting composite passcodes as the authentication codes. The composite passcodes include the token codes and biometric factors based on the biometric measurements. Additionally, the token codes and the biometric factors of the composite passcodes operate as authentication inputs to user authentication operations performed by the authentication server. In some arrangements, the biometric factors are results of facial recognition (e.g., via a camera), voice recognition (e.g., via a microphone), gait recognition (e.g., via an accelerometer), touch recognition and/or typing recognition (e.g., via a touchscreen or keyboard), combinations thereof, etc.
Type: Grant
Filed: March 29, 2012
Date of Patent: June 10, 2014
Assignee: EMC Corporation
Inventors: Marten van Dijk, Kevin D. Bowers, Samuel Curry, Sean P. Doyle, Nikolaos Triandopoulos, Riaz Zolfonoon
-
Patent number: 8751781
Abstract: A client hosted virtualization system includes an authentication device, a processor and non-volatile memory with BIOS code and virtualization manager code. The virtualization manager initializes the client hosted virtualization system, authenticates a virtual machine image, launches a portion of the virtual machine that initiates an authentication session with the authentication device, receives an authentication object from the authentication device, sends the authentication object to the portion of the virtual machine, and launches another portion of the virtual machine. The client hosted virtualization system is configurable to execute the BIOS or the virtualization manager.
Type: Grant
Filed: May 28, 2010
Date of Patent: June 10, 2014
Assignee: Dell Products, LP
Inventors: David Konetski, Kenneth W. Stufflebeam, Shree Dandekar
-
Patent number: 8752190
Abstract: The present invention relates to a method and a device for determining access to multimedia content from an entry identifier, in a domain which comprises a number of entry identifiers, and where the multimedia content is assigned an access number n indicating the number of entry identifiers which may access the multimedia content. This is obtained by accessing a domain list indicating at least some of said entry identifiers in said network domain and by further determining that the entry identifier may access said multimedia content if said entry identifier is between the n entries in said domain list determined by an evaluation rule.
Type: Grant
Filed: May 3, 2006
Date of Patent: June 10, 2014
Assignee: Adrea LLC
Inventor: Franciscus Lucas Antonius Johannes Kamperman
-
Patent number: 8752147
Abstract: Provided is a two-factor user authentication system with a reduced risk of leakage of authentication information. The two-factor user authentication system is designed to use, as a password, a one-time-password derivation rule to be applied to certain pattern elements included in a presentation pattern at specific positions so as to create a one-time password, and further use, as a second authentication factor, information identifying a client to be used by a user. An authentication server is operable to generate a pattern seed value adapted to uniquely specify a presentation pattern in combination with a client ID, and transmit the pattern seed value to an authentication-requesting client. The authentication-requesting client is operable to create a presentation pattern based on a client ID acquired therefrom, and display the presentation pattern to allow a user to enter thereinto a one-time password based on the presentation pattern.
Type: Grant
Filed: October 5, 2010
Date of Patent: June 10, 2014
Assignee: CSE Co., Ltd
Inventors: Shigetomo Tamai, Toru Takano, Tsuyoshi Kobayashi
-
Patent number: 8751814
Abstract: According to one embodiment, a device includes a second data generator configured to generate a session key (SKey) by encrypting a random number (RN) with the second key (HKey) in AES operation; a one-way function processor configured to generate an authentication information (Oneway-ID) by processing the secret identification information (SecretID) with the session key (SKey) in one-way function operation; and a data output interface configured to output the encrypted secret identification information (E-SecretID) and the authentication information (Oneway-ID) to outside of the device.
Type: Grant
Filed: June 14, 2012
Date of Patent: June 10, 2014
Assignee: Kabushiki Kaisha Toshiba
Inventors: Yuji Nagai, Taku Kato, Tatsuyuki Matsushita
-
Publication number: 20140156999
Abstract: Computer login may comprise any user-determined submission. A user may select among different devices for input, select the signal content, and as well select the types of signals used for a login signature. Account identification may be inferred by signature rather than explicitly stated. A plurality of discontiguous data blocks in a plurality of files may be employed for validation. The paths to data used in validation may be multifarious, regardless of the prospects for successful authorization.
Type: Application
Filed: April 22, 2013
Publication date: June 5, 2014
Applicant: Tierra Intelectual Borinquen, Inc.
Inventor: Gary Odom
-
Publication number: 20140156998
Abstract: Challenge-response authentication protocols are disclosed herein, including systems and methods for a first device to authenticate a second device. In one embodiment, the following operations are performed by the first device: (a) sending to the second device: (i) a challenge value corresponding to an expected response value known by the first device, and (ii) a hiding value; (b) receiving from the second device a masked response value; (c) obtaining an expected masked response value from the expected response value and the hiding value; and (d) determining whether the expected masked response value matches the masked response value received from the second device. The operations from the perspective of the second device are also disclosed, which in some embodiments include computing the masked response value using the challenge value, the hiding value, and secret information known to the second device.
Type: Application
Filed: November 30, 2012
Publication date: June 5, 2014
Applicant: CERTICOM CORP.
Inventor: Robert John Lambert
-
Patent number: 8744298
Abstract: When a plurality of authentication cards are read by an authentication device and the authentication cards are authenticated in an image output device, a binding and printing process is carried out. The image output device combines (binds) jobs associated with the authenticated cards into one job. The order of combining the jobs and the print mode for the combined job are set in accordance with the order in which the authentication cards have been authenticated or the priorities assigned to the respective jobs. The image output device prints the combined job to obtain a set of printouts. It is thus possible to provide the image output device which can output a plurality of jobs collectively, without the need of complicated operations, while maintaining a high level of security.
Type: Grant
Filed: March 10, 2010
Date of Patent: June 3, 2014
Assignee: Konica Minolta Business Technologies, Inc.
Inventor: Hiroaki Sugimoto
-
Patent number: 8745728
Abstract: Methods, apparatus, systems and computer program products are described and claimed that provide for automatically and positively determining that an associate accessing a business domain/application using an application-specific associate identifier is the same associate that is accessing another business domain/application using another application-specific associate identifier. Once the positive determination of same associate is made, a federated identifier key is generated and applied to all of the platforms in which the associate can be positively identified, so as to globally identify the associates across multiple enterprise-wide domains/applications. As such, the present invention eliminates the need to manually analyze associate data to determine if an associate interfacing with one domain/application is the same associate interfacing with another domain/application.
Type: Grant
Filed: May 10, 2012
Date of Patent: June 3, 2014
Assignee: Bank of America Corporation
Inventors: Rangarajan Umamaheswaran, Bruce Wyatt Englar, Brett A. Nielson, Miroslav Halas
-
Patent number: 8745717
Abstract: An electronic device, system and method for automatically managing wireless connections with a plurality of other devices are provided. The electronic device may be a security token access device and may be adapted to wirelessly pair and optionally securely pair with other devices. Connection information, which may comprise security information, is maintained at the electronic device for each connected device. When a connected device becomes stale, the electronic device implements one or more steps to manage the stale device's connection.
Type: Grant
Filed: December 12, 2011
Date of Patent: June 3, 2014
Assignee: BlackBerry Limited
Inventor: Neil Patrick Adams
-
Patent number: 8745705
Abstract: Disclosed are various embodiments for account management for multiple network sites. Multiple accounts of a user are maintained for multiple network sites in a computing device. A secured resource of a network site is to be accessed by the computing device. A new account is created, or an existing account is upgraded, in response to determining that the accounts are not capable of accessing the secured resource. A set of information about the user is provided to the network site to create, or upgrade, the account.
Type: Grant
Filed: February 1, 2012
Date of Patent: June 3, 2014
Assignee: Amazon Technologies, Inc.
Inventors: Daniel W. Hitchcock, Brad Lee Campbell
-
Patent number: 8745227
Abstract: Techniques for distributed and secure content delivery are provided. Requests for content are routed to a centralized service where the requestors are authenticated for access to the content. The centralized service generates access statements for the requesters. The requestors are redirected to particular distributed content services having access to the desired content. The distributed content services verify the access statements and vend the desired content to the requestors.
Type: Grant
Filed: June 7, 2006
Date of Patent: June 3, 2014
Assignee: Apple Inc.
Inventors: Eric Christopher Layton, Luke Terry Hallett, Thomas Dean Maynard, Matthew Frank Magleby
-
Patent number: 8744074
Abstract: The public exponent e of an RSA key is embedded in a RSA key object that lacks this exponent. During exponentiation, the public exponent e may be extracted and used to verify that the result of the exponentiation is correct. The result is output only if this is the case. The invention counters fault-attacks. Also provided are an apparatus and a computer program product.
Type: Grant
Filed: February 18, 2010
Date of Patent: June 3, 2014
Assignee: Thomson Licensing
Inventor: Marc Joye
-
Patent number: 8738922
Abstract: A method and apparatus for encrypting an electronic document involves a computer having a first monitor and a signature capture apparatus configured to capture a handwritten signature on a second monitor. A hash sum of the electronic document generated in the computer is transmitted to the signature capture apparatus. The electronic document and the first hash sum thereof are displayed on the first monitor. The first hash sum is also displayed on the second monitor. After electronically capturing the handwritten signature, the signature data and the first hash sum are encrypted in the signature capture apparatus and then transmitted to the computer. The encrypted signature data, the first hash sum and the signed document are stored on a computer-readable medium.
Type: Grant
Filed: September 30, 2008
Date of Patent: May 27, 2014
Assignee: StepOver GmbH
Inventor: Andreas Guenther
-
Patent number: 8738905
Abstract: A system and method for providing third party secure hosting of an application. The system and method includes providing a host system with a main memory and a third party secured memory, the third party secured memory storing third party information; encrypting the third party information stored on the third party secured memory upon access by a user, the encrypting being via a security key, the security key being held at a customer location; and, enabling access to the third party information only to users having the security key.
Type: Grant
Filed: December 10, 2007
Date of Patent: May 27, 2014
Assignee: International Business Machines Corporation
Inventors: Christopher B. Ferris, Daniel E. House, Kelvin Lawrence, John R. McGarvey, Dirk Nicol
-
Patent number: 8738921
Abstract: A system and method are provided for authenticating a person's identity to a business using a trusted entity with a secure repository to store and protect the person's identity information. The person accesses their account on the trusted entity's server using a user name and a password. Then, the trusted entity grants the person a unique code so the person can authenticate their identity to the business. The person delivers the unique code to the transactional entity. The business makes a request to verify the unique code with the trusted entity. The trusted entity verifies the unique code, which authenticates the person's identity to the business.
Type: Grant
Filed: November 21, 2007
Date of Patent: May 27, 2014
Assignee: Transactionsecure LLC
Inventors: Brian R. Gephart, Michael F. Dobson, Bradley W. Mitchell, Reed H. Larsen
-
Patent number: 8739301
Abstract: The disclosure is directed toward a secure method and system for creating a library on a server computer, and releasing such information to authorized requesters. Several types of information are stored for release to different entities with appropriate authorization. Any modifications or updates are automatically notified to any authorized requesters. The requester optionally provides information about to whom and where to notify changes or updates. Sending a message to an electronic mail box may accomplish such change or update notification. A frequent unauthorized requester of information is tagged as “junk” requester, to whom no further information will be released. Items that are restricted as to their use can be shared by users via a license-pooling method disclosed herein.
Type: Grant
Filed: January 10, 2012
Date of Patent: May 27, 2014
Assignee: Pennar Software Corporation
Inventors: Naren Chaganti, Damayanti Chaganti, Sitapati Rao Chaganti
-
Patent number: 8739267
Abstract: The disclosure relates to a method for communication between a secure information storage device and at least one third party with which information is exchanged. An entity ensures the management of a plurality of secure information storage devices to which said device pertains.
Type: Grant
Filed: September 7, 2005
Date of Patent: May 27, 2014
Assignee: France Telecom
Inventors: Jean-Pierre Le Rouzic, Gilles Macariot-Rat, Thierry Leclercq, Vincent Barnaud
-
Patent number: 8738485
Abstract: Transaction processing in an offline environment for a prepaid product comprising a portable consumer device includes responding to presentation of the prepaid product at a reader for offline processing by initiating operation of the prepaid product, receiving data from the prepaid product at the reader that indicates the prepaid product is associated with a prepaid account balance, determining that the prepaid product is in a negative balance condition, and taking preventive action in response to the negative balance condition such that future acceptance of the prepaid product at a reader is prevented.
Type: Grant
Filed: December 28, 2007
Date of Patent: May 27, 2014
Assignee: Visa U.S.A. Inc.
Inventors: Philip B. Dixon, Ayman Hammad, Khalid El-Awady
-
Patent number: 8739275
Abstract: A computationally implemented method includes, but is not limited to: determining that a computing device that was presenting one or more portions of one or more items and that was in possession of a first user has been transferred from the first user to a second user; and marking, in response to said determining, the one or more portions of the one or more items to facilitate the computing device in returning to the one or more portions upon the computing device being at least transferred back to the first user. In addition to the foregoing, other method aspects are described in the claims, drawings, and text forming a part of the present disclosure.
Type: Grant
Filed: December 8, 2011
Date of Patent: May 27, 2014
Assignee: Elwha LLC
Inventors: Royce A. Levien, Richard T. Lord, Robert W. Lord, Mark A. Malamud, John D. Rinaldo, Jr., Clarence T. Tegreene
-
Patent number: 8732821
Abstract: A method and apparatus for preventing accidental disclosure of confidential information via visual representation objects is described. In one embodiment, the method includes establishing pattern information with respect to confidential information, wherein the confidential information is used to authenticate users, monitoring a visual representation object having an input focus associated with a user interface, wherein the visual representation object receives input data, comparing the input data with the pattern information to identify at least one unobscured portion of the confidential information and producing indicia of detection of the at least one unobscured portion of the confidential information on the visual representation object.
Type: Grant
Filed: March 15, 2010
Date of Patent: May 20, 2014
Assignee: Symantec Corporation
Inventor: Michael Spertus
-
Patent number: 8732842
Abstract: A method and an apparatus which permits intuitive management of a variety of digital contents stored in a mobile device. In a method for managing the contents, the mobile device determines a type of the content when a play of the content is ended. If the content is digital rights management (DRM) content, the mobile device checks a license count for authorized access to the DRM content and then determines whether or the license has expired or will expire shortly. If the license has expired, the mobile device removes the license-expired DRM content, or alternatively transfers the license-expired DRM content to a specified folder.
Type: Grant
Filed: October 28, 2009
Date of Patent: May 20, 2014
Assignee: Samsung Electronics Co., Ltd.
Inventors: Young Min Park, Kwang Hyun Yoo
-
Patent number: 8732820
Abstract: A method for imputing different usernames and passwords using an input device with a display to use different protected assets that requires the inputting of a preselected username into a username enter box and the inputting of a preselected password into a password entry box immediately prior to use. The method includes the steps of designating two or more username keys on said input device, each said username key being assigned with a unique letter or number located on said input device and to a unique username made of a plurality of alpha-number characters, designating two or more password keys on the input device each being assigned with a letter or number located on said input device and to a unique password made of a plurality of alpha-number characters. Next the protected asset is then accessed and the username key and keyword key assigned to the asset is imputed.
Type: Grant
Filed: April 16, 2012
Date of Patent: May 20, 2014
Inventor: Dean A. Craine
-
Patent number: 8732476
Abstract: Securing a network is disclosed. A monitored session between a client and a network resource is provided. It is determined whether the client is attempting an authorized command. If the command is determined to be unauthorized, the command is intercepted. Optionally, remedial action is taken if it is determined that the client is attempting an unauthorized command.
Type: Grant
Filed: April 13, 2007
Date of Patent: May 20, 2014
Assignee: Xceedium, Inc.
Inventor: David Van
-
Patent number: 8732810
Abstract: A persistent connection is used for real-time or near real-time data transfer from a push platform on a network to a mobile station. To establish and maintain the persistent connection between the mobile station and push platform on the network, various protocols are defined over a packet connection between the mobile station and push platform. The real-time or near real-time data is pushed or sent by the push platform to the mobile station, as the data becomes available from a data source. In particular, heartbeat messages are used to determine whether or not the persistent connection is alive and available for real-time or near real-time data transfer. When the persistent connection is lost, the mobile station uses a retry connection scheme based on the number of connection attempts made by the mobile station for establishing a new persistent connection to the push platform.
Type: Grant
Filed: October 27, 2011
Date of Patent: May 20, 2014
Assignee: Cellco Partnership
Inventors: Venkat Gaddam, Shahid Ahmed, Sankar Shanmugam, SM Masudur Rahman, William Cory Hawkins
-
Patent number: 8732478
Abstract: A security framework for a host computer system which allows a host to control access to a compliant security token by ensuring enforcement of established security policies administered by a middleware application. Processing between the host computer system and the security token is performed using one or more modular security application agents. The modular security application agents are counterpart applications to security applications installed in the security token and may be retrieved and installed upon to ensure compatibility between counterpart token and host security applications. The security policies are a composite of host security policies and token security policies which are logically combined by the middleware application at the beginning of a session.
Type: Grant
Filed: February 25, 2011
Date of Patent: May 20, 2014
Assignee: Assa Abloy AB
Inventors: Eric Le Saint, John Boyer
-
Patent number: 8732477
Abstract: A method and system for protection of and secure access to a computer system or computer network from a portable device. The method includes the steps of receiving a first login account identifier, such as a user name from a user in communication with the computer system or network. A determination is made if the user is recognized and enrolled from the first login account identifier. If the user is recognized, a series of randomly generated visual images is displayed including one visual image from an image category which has been pre-selected by the user upon enrollment. An image category identifier is randomly assigned to each visual image in the series. An image category identifier is entered and received. If the login account identifier and the image category are validated, access is permitted to the computer system or network from the portable device.
Type: Grant
Filed: October 7, 2008
Date of Patent: May 20, 2014
Assignee: Confident Technologies, Inc.
Inventors: Steven L. Osborn, Nicholas A. Davis, James L. Sontag, Joel Norvell
-
Patent number: 8732800
Abstract: Methods and apparatus for centralized management of policies and access controls which provide for the storing and managing of business rules and elements of policy, and for implementing the rules and policy across heterogeneous business systems. Where rules and policies may conflict in certain cases, mechanisms for reconciling such conflicts may be provided.
Type: Grant
Filed: March 26, 2008
Date of Patent: May 20, 2014
Inventor: Jerry Askew
-
Patent number: 8732819
Abstract: A device and a method for graphical passwords. A device displays an initial image comprising a plurality of graphical elements, each graphical element having at least two variants; receives user input to select a variant of a number of the graphical elements, thereby generating a modified image; and generates the secret value from at least the selected variants of the graphical elements. The graphical elements are advantageously seamlessly integrated in the images, thereby making the system resistant to shoulder surfing attacks.
Type: Grant
Filed: May 9, 2011
Date of Patent: May 20, 2014
Assignee: Thomson Licensing
Inventors: Yves Maetz, Marc Eluard, Davide Alessio, Gilles Desoblin
-
Patent number: 8732296
Abstract: A system, method, and computer program product are provided for redirecting internet relay chat (IRC) traffic identified utilizing a port-independent algorithm and controlling IRC based malware. In use, IRC traffic communicated via a network is identified utilizing a port-independent algorithm. Furthermore, the IRC traffic is redirected to a honeypot.
Type: Grant
Filed: May 6, 2009
Date of Patent: May 20, 2014
Assignee: McAfee, Inc.
Inventors: Vinoo Thomas, Nitin Jyoti, Cedric Cochin, Rachit Mathur
-
Patent number: 8726023
Abstract: Methods, a client entity, network entities, a system, and a computer program product perform authentication between a client entity and a network. The network includes at least a bootstrapping server function entity and a network application function entity. The client entity is not able to communicate with both of the network entities in a bidirectional manner. The 3GPP standard Ub reference point between the client entity and the bootstrapping server function entity is not utilized for authentication purposes, such as authentication using GAA functionality for unidirectional network connections.
Type: Grant
Filed: April 19, 2005
Date of Patent: May 13, 2014
Assignee: Nokia Corporation
Inventor: Pekka Laitinen
-
Patent number: 8726360
Abstract: The invention relates to a telecommunication method having the following steps: establishing a first connection (101) between a first ID token (106) and a first computer system (136) via a second computer system (100) for reading at least one first attribute from the first ID token, generating a first soft token, wherein the first soft token comprises the at least one first attribute and a time specification, and wherein the first soft token is signed by the first computer system, sending the first soft token from the first computer system to a third computer system (150), wherein the first connection is a connection with end-to-end encryption.
Type: Grant
Filed: September 4, 2009
Date of Patent: May 13, 2014
Assignee: Bundesdruckerei GmbH
Inventors: Frank Dietrich, Manfred Paeschke, Robert Fiedler