System Access Control Based On User Identification By Cryptography Patents (Class 713/182)
  • Patent number: 8721738
    Abstract: Systems and methods for limiting access to data in a portable data storage device. An exemplary method may use an electronic computing device to prevent access to the data and includes the step of providing the portable storage device with a first software program that has a current expiration time value. The first software program is able to compare the current expiration time value against a time based parameter and activate a security mechanism protecting the data stored in the portable data storage device based on the comparison. The method also includes the step of providing an electronic computing device with a second software program. The second software program is able to identify the portable data storage device and reset the current expiration time value of the first software program to a later time value when the electronic computing device is electronically communicating with the portable data storage device.
    Type: Grant
    Filed: January 25, 2012
    Date of Patent: May 13, 2014
    Inventor: Timothy T. Miller
  • Patent number: 8726036
    Abstract: According to this disclosure, a user is identified (and selectively granted access to protected resources) by using information that describes the user's interpersonal relationships. This information typically is stored in a datastore, such as a digital address book, an online profile page, or the like. The user's digital address book carries an “acquaintance pattern” that changes dynamically in time. This pattern comprises the information in the user's contact list entries. In this approach, the entropy inherent in this information is distilled into a unique acquaintance digest (or “fingerprint”) by normalizing the contact list data, and then applying a cryptographic function to the result.
    Type: Grant
    Filed: September 20, 2011
    Date of Patent: May 13, 2014
    Assignee: Wallrust, Inc.
    Inventors: Adam Kornafeld, Jozsef Patvarczki, Marton B. Anka, Endre Tamas
  • Patent number: 8726369
    Abstract: In some embodiments, techniques for computer security comprise presenting a data field in a spoof-resistant manner, receiving field data, and securing field data. In some embodiments, the integrity of an input device may be verified. In some embodiments, techniques for computer security comprise hashing a credential and a characteristic associated with a data recipient, and performing password-authenticated key agreement using the hashed value. In some embodiments, techniques for computer security comprise monitoring an input, determining that the input is associated with confidential information, and enabling secure data entry.
    Type: Grant
    Filed: August 11, 2006
    Date of Patent: May 13, 2014
    Inventor: Aaron T. Emigh
  • Patent number: 8726347
    Abstract: Generally speaking, systems, methods and media for authenticating a user to a server based on previous authentications to other servers are disclosed. Embodiments of a method for authenticating a user to a server may include receiving a request to authenticate the user to the server and determining whether authenticating the user requires matching an authentication plan. If a plan is required, the method may also include accessing a stored authentication plan with authentication records each having expected information relating to user access to a different server. The method may also include receiving an indication of the user's current authentication plan from an authentication store where the plan has authorization records each having current information relating to user access. Embodiments of the method may also include comparing the stored authentication plan with the received current authentication plan to determine whether they match and, in response to a match, authenticating the user.
    Type: Grant
    Filed: April 27, 2007
    Date of Patent: May 13, 2014
    Assignee: International Business Machines Corporation
    Inventors: Rick A. Hamilton, II, Brian M. O'Connell, John R. Pavesi, Keith R. Walker
  • Patent number: 8726356
    Abstract: For enabling single sign-on among applications, a linkage ID indicating connection between the authentication apparatus 1 including the client function and the server apparatus 2 is shared among a plurality of applications. For that, a SV information management unit Aa of the authentication apparatus 1 having the client function manages the linkage ID by storing it in a predetermined storing unit. An AP information management unit Ab manages and stores connection information between applications in a predetermined storing unit, wherein the connection information includes an application name corresponding to an application. Then, an AP decision unit determines whether an application name included in a received linkage ID request is registered in the AP information management unit Ab, obtains the linkage ID from the SV information management unit Aa when the application name is registered in the AP information management unit Ab, and returns the linkage ID to a source of the linkage ID request.
    Type: Grant
    Filed: February 28, 2008
    Date of Patent: May 13, 2014
    Assignees: Nippon Telegraph and Telephone Corporation, Nippon Hoso Kyokai
    Inventors: Yuko Konya, Masahito Kawamori, Tomokazu Yamada, Katsuhiko Kawazoe, Kiyohiko Ishikawa, Arisa Fujii, Syunji Sunasaki, Ganji Eto, Koichi Ishikawa
  • Patent number: 8725536
    Abstract: A shared secret may be shared between a patient and the patient's healthcare provider. The healthcare provider may submit the shared secret to the database system via a provider interface to generate a validation code. The validation code may be later submitted to the database system by the patient via a patient interface to cause the database system to prompt the patient to submit the shared secret. Upon submission of the shared secret to the database system, the patient may be prompted to approve or deny a request of the healthcare provider to access the electronic medical record of the patient. Access may be granted to the healthcare provider upon approval of the request by the patient.
    Type: Grant
    Filed: June 27, 2008
    Date of Patent: May 13, 2014
    Assignee: Microsoft Corporation
    Inventors: Kalpita Deobhakta, Sean Nolan, Hubert Van Hoof
  • Patent number: 8726033
    Abstract: A system for performing authentication of a first user to a second user includes the ability for the first user to submit multiple instances of authentication data which are evaluated and then used to generate an overall level of confidence in the claimed identity of the first user. The individual authentication instances are evaluated based upon: the degree of match between the data provided by the first user during the authentication and the data provided by the first user during his enrollment; the inherent reliability of the authentication technique being used; the circumstances surrounding the generation of the authentication data by the first user; and the circumstances surrounding the generation of the enrollment data by the first user.
    Type: Grant
    Filed: July 2, 2012
    Date of Patent: May 13, 2014
    Assignee: Security First Corporation
    Inventors: Alexander G Dickinson, Brian Berger, Robert T Dobson
  • Patent number: 8724803
    Abstract: A method and apparatus for secure generation of a short-term key SK for viewing information content in a Multicast-broadcast-multimedia system are described. A short-term key is generated by a memory module residing in user equipment (UE) only when the source of the information used to generate the short-term key can be validated. A short-term key can be generated by a Broadcast Access Key (BAK) or a derivative of BAK and a changing value with a Message Authentication Code (MAC) appended to the changing value. A short-term key (SK) can also be generated by using a private key and a short-term key (SK) manager with a corresponding public key distributed to the memory module residing in the user equipment (UE), using a digital signature.
    Type: Grant
    Filed: September 1, 2004
    Date of Patent: May 13, 2014
    Assignee: QUALCOMM Incorporated
    Inventors: James Semple, Gregory Gordon Rose
  • Patent number: 8724814
    Abstract: A system and a method are provided for activating one or more security functions of a mobile electronic device. The system and method provide for the activation of one or more security functions when the mobile electronic device is stored in a mobile electronic device holder. Security functions include, for example, closing a data item currently being displayed on the mobile electronic device, erasing decrypted information stored on the mobile electronic device, locking the mobile electronic device, and performing a secure garbage collection operation.
    Type: Grant
    Filed: September 26, 2011
    Date of Patent: May 13, 2014
    Assignee: BlackBerry Limited
    Inventors: Herbert A. Little, Neil P. Adams, Scott W. Totzke
  • Patent number: 8726361
    Abstract: According to one embodiment, an apparatus may store a plurality of tokens associated with a session. The session may facilitate access to a resource by a user. The session may be identified by a session token. The apparatus may determine, based on a token-based rule, a second plurality of tokens required to facilitate determination of a risk token. The risk token may be used to facilitate determination of an access decision to the resource. The apparatus may determine that the plurality of tokens comprises the second plurality of tokens and generate a dataset token that represents the plurality of tokens. The apparatus may then communicate the dataset token to facilitate the generation of the risk token. The apparatus may receive the risk token and correlate it with the session token to facilitate determination of the access decision.
    Type: Grant
    Filed: August 15, 2011
    Date of Patent: May 13, 2014
    Assignee: Bank of America Corporation
    Inventor: Rakesh Radhakrishnan
  • Patent number: 8724023
    Abstract: In accordance with the teachings of the present invention, a system and method for transporting an ancillary data packet in the active area of a video stream are provided. In particular embodiments of the present invention, the method includes coupling a playback server and a digital video projector with a DVI link; placing an ancillary data packet of link encryption metadata in a false line of video in an active area of a frame of video at the playback server, a remainder of the active area comprising true lines of video; transmitting the ancillary data packet from the playback server to a digital video projector through the DVI link; extracting the ancillary data packet from the frame of video at the digital video projector; and displaying the remainder of the active area of the frame of video at the digital video projector.
    Type: Grant
    Filed: September 6, 2005
    Date of Patent: May 13, 2014
    Assignee: Texas Instruments Incorporated
    Inventors: Bradley William Walker, Matthew John Fritz
  • Patent number: 8726355
    Abstract: A digital data sampler operating in a computer processor selects and stores digital data samples from a data stream used for generating audio-visual output during a session with a client operated by a user. The session generates the data stream independently of the data sampler. The data sampler may collect parameter data correlated to a probability that the sample will be remembered by the user at some future time, for each sample. The data sampler may store the data samples and parameter data as shared secret data for use in a future authentication session. During a future authentication session, an authentication device selects test data from the shared secret data to generate sensible output in an authentication process. The authentication process grants access to a controlled resource in response to user input indicating specific knowledge of the shared secret data selected from a presentation of similar sensible outputs.
    Type: Grant
    Filed: June 24, 2009
    Date of Patent: May 13, 2014
    Inventor: Gary Stephen Shuster
  • Publication number: 20140129843
    Abstract: The present invention with an apparatus enables biometric based access control to services and/or resources that comprises a crypto processor, a biometric processor, a fingerprint controller, a frame hash engine, a display repeater and/or a display controller, a touch-panel controller and a biometric touch-display panel. The frame hash engine and/or the display controller computes a frame hash of the frame displayed on the biometric touch-display panel. When a fingerprint is captured, in the registration scenario, the biometric processor extracts biometric identity and stores it in a service biometric credential repository identity, and submits a registration proof to the server; in the service access scenarios, the biometric processor verifies user identity by matching fingerprint, and submits an access identity to the server.
    Type: Application
    Filed: November 2, 2012
    Publication date: May 8, 2014
    Inventors: Weidong Shi, Tao Feng, Yang Lu
  • Patent number: 8719582
    Abstract: Methods, systems, and computer-readable media are disclosed for access control. A particular method receives a resource access identifier associated with a shared computing resource and embeds the resource access identifier into a link to the shared resource. The link to the shared resource is inserted into an information element. An access control scheme is associated with the information element to generate a protected information element, and the protected information element is sent to a destination computing device.
    Type: Grant
    Filed: March 3, 2009
    Date of Patent: May 6, 2014
    Assignee: Microsoft Corporation
    Inventors: John Neystadt, Nir Nice
  • Patent number: 8719584
    Abstract: A mobile, wireless biometric identification system includes a biometric capture device, associated software and processes which enable a commercially available wireless communication device, such as a smartphone, using commercially established wireless communication networks, to capture a digital image of a human biometric (iris, fingerprint, etc.) for transmission via a secure connection to a central server. The capture device is designed to focus on the difficult task of capturing the highest possible quality image for encoding and comparison, while the overall system is designed to leverage the existing cellular communication network. At the server level, the server system receives the image, encodes the image to a biometric template, and compares the encoded template to a plurality of reference templates stored in a database to identify the individual. Identification data is then transmitted back to the smartphone device and displayed.
    Type: Grant
    Filed: October 26, 2011
    Date of Patent: May 6, 2014
    Assignee: Bi2 Technologies, LLC
    Inventor: Sean G. Mullin
  • Patent number: 8719948
    Abstract: A method, apparatus and computer program product for controlling access to host access credentials required to access a host computer system by a client application is provided. The host access credentials are stored in a restricted access directory. The method comprises authenticating directory access credentials received from a client application. The authenticated client application then requests the host access credentials and a determination as to whether the authenticated client process is authorized to access the requested host access credentials, and, if authorized, these are provided to the client application.
    Type: Grant
    Filed: April 30, 2007
    Date of Patent: May 6, 2014
    Assignee: International Business Machines Corporation
    Inventor: Peter Edward Havercan
  • Patent number: 8713643
    Abstract: A method and apparatus are disclosed for configuring access privileges in a system of networked devices. A plurality of access identities is selected and information of access privileges of each of the selected access identities to accessible functions of networked devices is retrieved. The access privileges of the selected access identities for each one of said accessible function of each one of said networked devices is accumulated. The accumulated access privileges are presented for each one of said accessible function of each one of said networked devices in an interface allowing editing of the accumulated access privileges. Change in accumulated access privileges to a specific function in a specific networked device is indicated, and the specific function of the specific networked device is configured for allowing access by the selected users in accordance with the indicated change of accumulated access privileges.
    Type: Grant
    Filed: January 13, 2009
    Date of Patent: April 29, 2014
    Assignee: Axis AB
    Inventors: Martin Rasmusson, John Rehn, Mattias Kindborg, Sebastian Hultqvist
  • Patent number: 8713324
    Abstract: System and methods provide tracking capabilities by one or a plurality of satellites for a mobile terrestrial terminal. A user requests that a satellite track a particular mobile terrestrial terminal. If the user privilege level allows for this level of control, the satellite adjusts to track the identified terminal. One method for tracking involves the use of a steerable antenna in which the antenna steers to maintain a footprint over the identified mobile terminal. Another method for tracking involves moving the satellite itself to maintain a footprint over the identified mobile terminal. The tracking functionality may utilize a closed loop tracking method.
    Type: Grant
    Filed: January 17, 2007
    Date of Patent: April 29, 2014
    Assignee: OverHorizon (Cyprus) PLC
    Inventors: Per Wahlberg, Kennet Lejnell
  • Patent number: 8713690
    Abstract: A data transfer method performed at a proxy server includes intercepting a data request from a client computer that is directed to a target server, encrypting profile information, augmenting the data request by adding the encrypted profile information to the data request, and sending the augmented data request to the target server. A data transfer method that is performed at an information server includes receiving a data request from a proxy server, extracting profile information added to the data request by the proxy server, using the extracted profile information to generate a response, and sending the response to the proxy server.
    Type: Grant
    Filed: February 18, 2011
    Date of Patent: April 29, 2014
    Assignee: Facebook, Inc.
    Inventors: Larry T. Harada, Mark A. Dolecki, Christopher S. Purdum, C. Hudson Hendren, III
  • Patent number: 8713648
    Abstract: An information processing apparatus determines whether a device accesses a box region of the information processing apparatus. When it is determined that the box region is accessed, a box ID entry screen is displayed on the device. The information processing apparatus determines whether a box ID is entered by a user of the device. If it is determined that a box ID is entered, then device information about the device is obtained. After the device information is obtained, the information processing apparatus determines whether the device possesses a hardware keyboard. If it is determined that the device possesses a hardware keyboard, a password authentication screen is displayed on the device. If it is determined that the device does not possess a hardware keyboard, an image authentication screen is displayed on the device.
    Type: Grant
    Filed: June 10, 2010
    Date of Patent: April 29, 2014
    Assignee: Konica Minolta, Inc.
    Inventors: Chiho Murai, Motohiro Asano
  • Patent number: 8713694
    Abstract: A data transfer method performed at a proxy server includes intercepting a data request from a client computer that is directed to a target server, encrypting profile information, augmenting the data request by adding the encrypted profile information to the data request, and sending the augmented data request to the target server. A data transfer method that is performed at an information server includes receiving a data request from a proxy server, extracting profile information added to the data request by the proxy server, using the extracted profile information to generate a response, and sending the response to the proxy server.
    Type: Grant
    Filed: September 14, 2012
    Date of Patent: April 29, 2014
    Assignee: Facebook, Inc.
    Inventors: Larry T. Harada, Mark A. Dolecki, Christopher S Purdum, C. Hudson Hendren, III
  • Publication number: 20140115340
    Abstract: A method and apparatus for providing a user device with a unique identifier for reinforcing the security of communication with a server includes displaying a CAPTCHA image including a security key received from a server in response to a connection attempt to the server; receiving a security key input by the user, the security key being included in the CAPTCHA image; computing a hash value using the security key input by a user; transmitting the hash value to the server; and registering, when a connection response is received from the server in response to the hash value, the security key based on hash value as a unique identifier necessary for connection with the server.
    Type: Application
    Filed: October 16, 2013
    Publication date: April 24, 2014
    Applicant: Samsung Electronics Co., Ltd.
    Inventor: Jihyun LEE
  • Patent number: 8707407
    Abstract: A method for providing an additional layer of authentication prior to accessing a user's account even though the user's credentials have previously been verified. User accounts are often accessed via a sign-in page that verifies the user's credentials. Upon detecting a device accessing the sign-in page, an identifier associated with the device is obtained. One such type of identifier is the IP address assigned to the device. Based on the identifier, it is determined whether the device is trusted or not. Even though the user's credentials are verified via the sign-in page, if the device is not trusted, a second authentication page is presented to the user prior to proceeding to the account. The second authentication page presents at least one security question. The security question is based on information contained in the user's account (e.g., contact information, event information, electronic messages, etc.). The user is required to correctly answer the security question in order to access the account.
    Type: Grant
    Filed: February 4, 2009
    Date of Patent: April 22, 2014
    Assignee: Microsoft Corporation
    Inventors: Richard S. Craddock, Krishna C. Vitaldevara
  • Patent number: 8707055
    Abstract: A recording medium, such as a high-density and/or read-only recording medium, such as BD-ROM, which contains copy protection information encoded in intermittent or alternate wobbled pits, and to methods and apparatuses for forming, recording, and reproducing data on the recording medium.
    Type: Grant
    Filed: March 6, 2006
    Date of Patent: April 22, 2014
    Assignee: LG Electronics Inc.
    Inventors: Sang Woon Suh, Jin Yong Kim
  • Patent number: 8707415
    Abstract: A method includes: establishing a first connection between a first ID token and a first computer system via a second computer system for reading at least one first attribute from the first ID token, establishing a second connection between a second ID token and the first computer system via the second computer system for reading at least one second attribute from the second ID token, sending the first and second attributes from the first computer system to a third computer system, receiving the data from the third computer system by the first computer system, writing the data into the second ID token via the second connection by the first computer system thereby storing the data in the second ID token, where the first connection still exists, wherein the first and the second connection are respectively connections with end-to-end encryption and a connection oriented protocol.
    Type: Grant
    Filed: September 4, 2009
    Date of Patent: April 22, 2014
    Assignee: Bundesdruckerei GmbH
    Inventors: Jörg Fischer, Frank Dietrich, Manfred Paeschke
  • Patent number: 8707048
    Abstract: Various methods and systems are provided for inserting a user-selected pattern below a main application display when sensitive information is being requested or to be communicated. The border of the main application layer may also be modified at this time, either with or without the underlying pattern. This visual change provides the user an assurance that the application or site is authentic and not a phishing attack. The user-selected patterns are stored in secure areas, such as a secure element on the user device or in a cloud accessible by the application or site.
    Type: Grant
    Filed: March 5, 2010
    Date of Patent: April 22, 2014
    Assignee: Ebay Inc.
    Inventors: Sebastien Taveau, Hadi Nahari, Eric Duprat
  • Patent number: 8698873
    Abstract: Techniques for enabling video conferencing with interactive sharing of drawings and/or other information. In one set of embodiments, a system is provided that includes a drawing surface, a video camera embedded or integrated into the drawing surface, and a front projector. The drawing surface can capture drawings made on the surface by a user, and the video camera can capture a video stream of the user. The system can send digital information representing the captured drawings and the video stream to a remote system. The system can also receive digital information representing drawings made by a remote user and a video stream of the remote user from the remote system. The front projector can project a video signal onto the drawing surface that incorporates the captured drawings, the drawings made by the remote user, and the video stream of the remote user.
    Type: Grant
    Filed: March 7, 2011
    Date of Patent: April 15, 2014
    Assignee: Ricoh Company, Ltd.
    Inventor: John Barrus
  • Patent number: 8700914
    Abstract: A system and method for changing safety-relevant data for a control device is provided wherein an authorized user inputs new or altered safety-relevant data, which is received on a data processing installation. A first checksum for the safety-relevant data is established and stored along with the safety-relevant data in at least one data record on the data processing installation. An enable code may also be stored in the at least one data record. This enable code may be produced by a code generator and encrypted by a key module. The data processing installation then reads back the safety-relevant data from a memory in the data processing installation, thereby allowing a comparison of the received safety-relevant data and the read back safety-relevant data. A second checksum is generated in a case where the comparison resulted in no differences. The second checksum may also be stored in the at least one data record.
    Type: Grant
    Filed: April 26, 2007
    Date of Patent: April 15, 2014
    Assignee: ABB AG
    Inventors: Soenke Kock, Peter Eriksson, Jan Bredahl, Michael Niehaus
  • Patent number: 8701200
    Abstract: A facility is described for analyzing access control configurations. In various embodiments, the facility comprises an operating system having resources and identifications of principals, the principals having access control privileges relating to the resources, the access control privileges described by access control metadata; an access control scanner component that receives the access control metadata, determines relationships between principals and resources, and emits access control relations information; and an access control inference engine that receives the emitted access control relations information and an access control policy model, analyzes the received information and model, and emits a vulnerability report.
    Type: Grant
    Filed: September 11, 2012
    Date of Patent: April 15, 2014
    Assignee: Microsoft Corporation
    Inventors: Prasad G. Naldurg, Sriram K. Rajamani, Stefan Schwoon, John Lambert
  • Patent number: 8700907
    Abstract: In one embodiment, a method for using credentials for a mobile node to protect the transfer of posture data is provided. A network access device receives a message from a mobile node for access to a network. The message includes posture data encrypted using credentials for the mobile node. The credentials may be found in a storage card that is used to identify the mobile node. The network access device determines decryption information for the mobile node. For example, the credentials for the mobile node may be stored in a home location register (HLR) and are retrieved. The posture data is then decrypted using the credentials. The posture data is processed in a network admission control procedure for allowing access to the network. For example, a policy for access to the network may be installed based on the posture data.
    Type: Grant
    Filed: June 6, 2007
    Date of Patent: April 15, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: Joseph Salowey, Parviz Yegani
  • Patent number: 8701173
    Abstract: A system and method is provided for a distributed computing system where a user can login to a client computer and access a number of different applications installed on web servers. These applications are then provided access to data in mainframe systems without a user having to enter mainframe user id or password information for gaining access to the mainframe system. The system and method can utilize a sign on object which is installed onto the client computer. The sign on object operates to obtain and transmit a security token which authorizes access to the mainframe system, and the security token does not require the use of the cookie data. This system and method can pass the security token through the web server and the web application in an encrypted form which limits security risks.
    Type: Grant
    Filed: February 12, 2010
    Date of Patent: April 15, 2014
    Assignee: Charles Schwab & Co., Inc.
    Inventors: Ian G. Hall, Michael B. Brietzke, Janardhan Kakarla
  • Patent number: 8701158
    Abstract: An information processing system includes a plurality of information processing apparatuses, each apparatus including a transmission unit and a verification unit, and a plurality of authentication servers connectable to the plurality of information processing apparatuses via one or more networks.
    Type: Grant
    Filed: January 20, 2012
    Date of Patent: April 15, 2014
    Assignee: Ricoh Company, Ltd.
    Inventors: Shingo Ohta, Takuya Inoue
  • Patent number: 8700908
    Abstract: A method and system for managing secure information within a portable computing device are disclosed. The portable computing device includes a program module for communicating with a secure element that is part of the portable computing device. The secure element may receive messages utilizing the decrypted crypto keys derived from a non-padded cipher in order to establish a secure communications channel. The secure element may store at least one of a substantial encryption key for server authentication and a substantial encryption key for decrypting encrypted data stored locally within the portable computing device. If an incorrect password is entered after a predetermined number of times, the secure element may activate security measures which may permanently disable the secure element. To establish secure communications between the secure element and a CPU of the portable computing device, a password based encryption algorithm utilizing a non-padded cipher may be employed.
    Type: Grant
    Filed: August 24, 2010
    Date of Patent: April 15, 2014
    Assignee: QUALCOMM Incorporated
    Inventor: Gregory M. Rickman
  • Patent number: 8701184
    Abstract: An authentication apparatus includes: a database section that stores a password; an entry section through which a password is entered; a storage section that stores an entered password which is entered through the entry section; an authentication section that authenticates whether the password and the entered password match with each other; and a determining section that determines whether or not a re-entered password is to be subjected to an authentication processing performed by the authentication section when the re-entered password is entered through the entry section after the authentication section determines that the password and the entered password do not match with each other.
    Type: Grant
    Filed: June 30, 2008
    Date of Patent: April 15, 2014
    Assignee: Kyocera Mita Corporation
    Inventor: Toshimitsu Morimoto
  • Patent number: 8701170
    Abstract: A system and method for providing, as a service over a computer network (especially a packet-switched computer network) to a body of merchants connected to the computer network, verification of consumer identification based on data provided over the computer network by scanning devices attached to the computers operated by consumers.
    Type: Grant
    Filed: May 10, 2002
    Date of Patent: April 15, 2014
    Assignee: Kount Inc.
    Inventor: Timothy P. Barber
  • Publication number: 20140101454
    Abstract: Computing devices utilizing trusted execution environments as virtual smart cards are designed to support expected credential recovery operations when a user credential, personal identification number (PIN), password, etc. has been forgotten or is unknown. A computing device generates a cryptographic key that is protected with a PIN unlock key (PUK) provided by an administrative entity. If the user PIN cannot be input to the computing device the PUK can be input to unlock the locked cryptographic key and thereby provide access to protected data. A computing device can also, or alternatively, generate a group of challenges and formulate responses thereto. The formulated responses are each used to secure a computing device cryptographic key. If the user PIN cannot be input to the computing device an entity may request a challenge. The computing device issues a challenge from the set of generated challenges.
    Type: Application
    Filed: December 12, 2013
    Publication date: April 10, 2014
    Applicant: Microsoft Corporation
    Inventors: Stefan Thom, Robert K. Spiger, Magnus Nyström, Himanshu Soni, Marc R. Barbour, Nick Voicu, Xintong Zhou, Kirk Shoop
  • Patent number: 8694923
    Abstract: A device with a touch-sensitive display may be unlocked via gestures performed on the touch-sensitive display. The device is unlocked if contact with the display corresponds to a predefined gesture for unlocking the device. The device displays one or more unlock images with respect to which the predefined gesture is to be performed in order to unlock the device. The performance of the predefined gesture with respect to the unlock image may include moving the unlock image to a predefined location and/or moving the unlock image along a predefined path. The device may also display visual cues of the predefined gesture on the touch screen to remind a user of the gesture.
    Type: Grant
    Filed: March 8, 2013
    Date of Patent: April 8, 2014
    Assignee: Apple Inc.
    Inventors: Imran Chaudhri, Bas Ording, Freddy Allen Anzures, Marcel van Os, Scott Forstall, Greg Christie
  • Patent number: 8695072
    Abstract: A user identification method and a system thereof. A user device delivers a certificate packet with a unique serial number to a certificate server, and receives a reply packet with a password from a password server. The user device then uses the password and the unique serial number to produce a user terminal identification code, and then delivers an identification packet with the user terminal identification code to the certificate server. After receiving the certificate packet, the certificate server delivers an inquiry packet with the unique serial number to the password server, and then the password server inquires about password and expiration time thereof according to the unique serial number. After receiving the identification packet, the certificate server verifies the validity of the user terminal identification code and the expiration time with a database to determine if the user is admitted to proceed to the subsequent transaction.
    Type: Grant
    Filed: December 1, 2011
    Date of Patent: April 8, 2014
    Assignee: Fonestock Technology Inc.
    Inventor: Ching-Feng Wang
  • Patent number: 8694790
    Abstract: A first storage device provides a host device with access to a private memory area by communicating a password between the first storage device and a second storage device via the host device using a double-encryption scheme. In one embodiment, a host device receives a twice-encrypted password from a first storage device, sends the twice-encrypted password to a second storage device, receives a once-encrypted password from the second storage device, decrypts the once-encrypted password to obtain the password, and sends the password to the first storage device. In another embodiment, a first storage device sends a twice-encrypted password to a host device, receives the password from the host device after the twice-encrypted password is decrypted by a second storage device and the host device, and provides the host device with access to the private memory area only if the password matches one that is stored in the first storage device.
    Type: Grant
    Filed: March 28, 2011
    Date of Patent: April 8, 2014
    Assignee: SanDisk IL Ltd.
    Inventors: Boris Dolgunov, Eyal Sobol, David Matot, Vered Babayov
  • Patent number: 8695070
    Abstract: A user identification method and a system thereof are provided. A user device delivers a certificate packet with a user identification number to a certificate server, and receives a reply packet with a code from a password server. The user device uses the code to produce a user terminal identification code, and delivers an identification packet with the user terminal identification code to the certificate server. After having received the certificate packet, the certificate server delivers an inquiry packet with the user identification number to the password server, for the password server to inquire about the password and expiration time according to the user identification number. After having received the identification packet, the certificate server verifies the validity of the user terminal identification code and the expiration time with a database to determine whether the user is allowed to proceed to the subsequent transaction.
    Type: Grant
    Filed: March 29, 2012
    Date of Patent: April 8, 2014
    Assignee: Fonestock Technology Inc.
    Inventor: Ching-Feng Wang
  • Patent number: 8695001
    Abstract: A service broker for asynchronous execution of software. The broker functions include dynamically loading working modules from a specified directory, publishing the working module commands, receiving service requests from clients, and upon successful authentication and authorization, dispatching the requests to module command queues for scheduling and execution. The modules are invoked in separate domains so that management functions can control the modules independently. A management application facilitates interactive user scheduling of the actions being invoked. This can also be accomplished automatically according to business rules, for example. The management application also facilitates checking the progress on an action that is occurring, displaying errors that occur during the command execution, results of an action can also be displayed, and scheduling of requests.
    Type: Grant
    Filed: September 20, 2007
    Date of Patent: April 8, 2014
    Assignee: Microsoft Corporation
    Inventors: Ashvin J Mathew, Nicolae Surpatanu, Hao Feng
  • Patent number: 8694793
    Abstract: Aspects and embodiments of the present disclosure provide devices and methods for biometric authentication of a user during access control transactions. In one aspect, an access control processor device, comprising a biometric input sensor configured to receive user biometric information; a biometric verification processor configured to authenticate the input user biometric information; and a communication element configured to activate when the biometric information entered into the biometric verification system is authenticated and maintain an inactive status for the communication element on the payment processor device when the biometric information entered into the biometric verification system is not authenticated.
    Type: Grant
    Filed: December 11, 2007
    Date of Patent: April 8, 2014
    Assignee: Visa U.S.A. Inc.
    Inventor: James Douglas Evans
  • Patent number: 8688971
    Abstract: All operations available on an intranet are securely performed from an outside of the intranet without taking out a file on the intranet from the intranet. A file on the intranet is not taken out, but, instead of this, image information on a target computer 1 is transmitted to an operational computer 4 with the http protocol, the https protocol, or the SSL protocol, and keyboard information, pointing information, or the like are transmitted from an operational computer 4 to the target computer 1. Consequently, the target computer 1 is operated.
    Type: Grant
    Filed: February 8, 2008
    Date of Patent: April 1, 2014
    Assignee: NTT IT Corporation
    Inventors: Susumu Ichinose, Kentaro Takaya, Kikuji Kato, Hiroaki Shirouzu, Shinpei Hayakawa
  • Patent number: 8689303
    Abstract: Cookies differentiate users and maintain data related to a user during navigation. Cookies are used for activities such as authenticating, session tracking, and maintaining specific information about users. An embodiment receives a first access request from a mobile device that corresponds to a first attempt by the mobile device to access the mobile network. The mobile device is authenticated using a set of authentication credentials provided by the mobile device. A gateway cookie is created that includes a second set of authentication credentials associated with the mobile device. The gateway cookie is provided to the mobile device and stored on the mobile device. A second access request, received from the mobile device, includes the gateway cookie and the second access request corresponds to a second attempt by the mobile device to access the mobile network. The mobile device is authenticated using the gateway cookie.
    Type: Grant
    Filed: November 4, 2010
    Date of Patent: April 1, 2014
    Assignee: Sprint Communications Company L.P.
    Inventors: Ayodeji Abidogun, Badri P. Subramanyan, Nandana T. Maddumakumara, Piyush Upadhyay
  • Patent number: 8689004
    Abstract: A server system receives and installs multiple claim provider plug-ins. Each of the claim provider plug-ins implements the same software interface. However, each of the claim provider plug-ins can provide claims that assert different things. Claims provided by the claim provider plug-ins can be used to control access of users to a resource.
    Type: Grant
    Filed: December 15, 2010
    Date of Patent: April 1, 2014
    Assignee: Microsoft Corporation
    Inventors: Javier Dalzell, Bryant Fong, Sarat Chandra Subramaniam, Christian Roy, Sadia Sharmin, Benoit Schmitlin, Venkatesh Veeraraghavan
  • Patent number: 8689001
    Abstract: A method and system for protecting identity information comprises determining identity information required by a resource utilized by a user, determining strength of the identity information used by the user to access the resource, and performing an action in view of the strength.
    Type: Grant
    Filed: June 29, 2007
    Date of Patent: April 1, 2014
    Assignee: Symantec Corporation
    Inventors: Sourabh Satish, Brian Hernacki
  • Patent number: 8689306
    Abstract: A method for unique authentication of a user including federating an identity of said user for said service provider and an identity of the user for an identity provider, the federating including the steps of generating a user alias for that service provider and sending said identity provider a masked alias deduced from said alias, the identity provider associating said masked alias for that service provider with the identity of the user for the identity provider and sending the user elements for calculation by the user of a signature of a message containing the non-masked alias calculating said signature and sending the service provider said message with said signature, and the service provider verifying said signature, authenticating the user, and associating said alias with the user's identity.
    Type: Grant
    Filed: February 25, 2008
    Date of Patent: April 1, 2014
    Assignee: Orange
    Inventors: Sébastien Canard, Eric Malville, Jacques Traore, Stéphane Guilloteau
  • Patent number: 8689305
    Abstract: When a first MFP that manages first and second conversion values of user authentication information accesses a second MFP, the first MFP queries about which conversion value is used by the second MFP to execute user authentication processing. The first MFP transmits information based on a conversion value in accordance with the query result to the second MFP. Then, the second MFP executes user authentication processing using information based on a conversion value in accordance with the query result and a conversion value managed by the second MFP.
    Type: Grant
    Filed: May 13, 2011
    Date of Patent: April 1, 2014
    Assignee: Canon Kabushiki Kaisha
    Inventor: Hiroshi Yasuhara
  • Patent number: 8689299
    Abstract: Systems and methods for managing a user identity on a mobile device are provided. The system comprises the mobile device comprising a user agent and a client application, the user agent and the client application in communication with each other. The system further comprises an identity provider in communication with the mobile device, and a client service in communication with the mobile device. The user agent is configured to communicate with the identity provider and retrieve the user identity for the client application, and the client application is configured to transmit the user identity to the client service.
    Type: Grant
    Filed: December 22, 2011
    Date of Patent: April 1, 2014
    Assignee: BlackBerry Limited
    Inventors: Brian Everett McBride, Avinash Chidambaram, Jérôme Bertrand Nicolas Cornet
  • Patent number: 8689002
    Abstract: A peripheral device includes an interface for connection to a wired or wireless LAN, a local interface for wireless connection, and a control unit configured to check a legitimacy of a user based on a user-specific certificate stored in a communication-function-equipped device upon being accessed through the local interface by the communication-function-equipped device using near-field wireless communication, and to allow a predetermined process to be performed upon successful authentication of the legitimacy.
    Type: Grant
    Filed: January 21, 2011
    Date of Patent: April 1, 2014
    Assignee: Ricoh Company, Ltd.
    Inventor: Norihiro Yamamoto