System Access Control Based On User Identification By Cryptography Patents (Class 713/182)
  • Patent number: 8689000
    Abstract: A method is described by which the possessor of a secret certified in a particular manner can prove to a party with which the possessor of a secret needs to interact that it does indeed possess a secret formed in the proper manner. In the context of trusted computing apparatus, this can be used to show that the secret has been provided by a legitimate manufacturer of such apparatus. A method and an architecture for revocation operable in this context is also described.
    Type: Grant
    Filed: May 21, 2004
    Date of Patent: April 1, 2014
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Liqun Chen, Wenbo Mao, Caroline Jessica Belrose, Graeme John Proudler
  • Patent number: 8688080
    Abstract: Visual voicemail enables a user to view a list of voicemail messages and caller information, and select which messages to hear. Currently, a handset accesses visual voicemail using a web interface over a point-to-point network connection with an intermediary gateway. The gateway initiates requests to the voicemail platform on behalf of the handset using a single generic password. There is no direct authentication between the handset client and the voicemail platform. In an embodiment of the invention, the handset requests a password from the voicemail platform using the web interface. The voicemail platform sends a password to the handset via a Short Message Service text message, which is an inherently secure means of communication. The handset then uses the password to request voicemail data from the voicemail platform via the web interface.
    Type: Grant
    Filed: July 30, 2012
    Date of Patent: April 1, 2014
    Assignee: Sprint Communications Company L.P.
    Inventors: Hugh D. Brown, Sean Patrick Hoelzle
  • Patent number: 8689294
    Abstract: A method for managing offline authentication. The method may include 1) identifying an attempt, by a user, to access a client device, wherein accessing the client device requires the user to be authenticated, 2) determining whether the client device is offline, 3) in response to determining that the client device is offline, authenticating the user using offline authentication, wherein offline authentication does not require an active network connection with a remote authentication service, 4) upon successful authentication of the user using offline authentication, allowing the user to access the client device, 5) monitoring the network-connection state of the client device, 6) detecting that the client device is online, and then 7) in response to detecting that the client device is online, locking the client device in order to require the user to reauthenticate using online authentication, wherein online authentication requires the active network connection with the remote authentication service.
    Type: Grant
    Filed: November 11, 2011
    Date of Patent: April 1, 2014
    Assignee: Symantec Corporation
    Inventors: Sanjay Thakur, Srinath Venkataramani, Prashant Thakre
  • Patent number: 8688554
    Abstract: An architecture for a contactless smart card or payment device, where the smart card is intended for use in both commerce transaction payment and transit fare payment (or other venue access) environments. The payment device may function as both an electronic wallet for commerce transactions and as a transit system card, for access to and fare payment of transit services. Implementation of both functions may be achieved by use of a dynamic memory management system that permits data for both the payment and transit applications to be stored on the card, with the transit data and storage locations isolated from those used to store data intended for use in paying for commerce transactions. The transit application specific data may include access control data (keys, passwords, identification data) or data required for fare calculations (rates, historical data on system use), for example.
    Type: Grant
    Filed: March 23, 2009
    Date of Patent: April 1, 2014
    Assignee: Visa U.S.A. Inc.
    Inventors: Ayman Hammad, Phil Dixon, Brian Triplett
  • Publication number: 20140089671
    Abstract: Apparatus, systems, methods, and related computer program products for synchronizing distributed states amongst a plurality of entities and authenticating devices to access information and/or services provided by a remote server. Synchronization techniques include client devices and remote servers storing buckets of information. The client device sends a subscription request to the remote server identifying a bucket of information and, when that bucket changes, the remote server sends the change to the client device. Authentication techniques include client devices including unique default credentials that, when presented to a remote server, provide limited access to the server. The client device may obtain assigned credentials that, when presented to the remote server, provide less limited access to the server.
    Type: Application
    Filed: August 16, 2013
    Publication date: March 27, 2014
    Applicant: NEST LABS, INC.
    Inventors: Jay D. Logue, Senthilvasan Supramaniam, Osborne B. Hardison, Jared A. Luxemberg
  • Patent number: 8678278
    Abstract: A removable-medium apparatus that outputs data, which is stored on a removable medium that can be freely mounted or removed. The removable-medium apparatus comprises: a judgment unit that determines whether or not ID information that is entered matches ID information that is stored on the removable medium; and a control unit that outputs the data stored on the removable medium when the judgment unit determines that the entered ID information matches the ID information stored on the removable medium, and does not output the data stored on the removable medium when the judgment unit determines that the entered ID information does not match the ID information stored on the removable medium.
    Type: Grant
    Filed: November 14, 2006
    Date of Patent: March 25, 2014
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventor: Megumi Kamata
  • Patent number: 8683188
    Abstract: A method, computer program product and system of preventing the unauthorized rebooting of a server having a change record, reboot password and valid reboot key. The method includes authenticating that rebooting is authorized by the change record; responsive to entering a reboot password, authenticating that a valid reboot password has been entered; and responsive to entering a reboot key, authenticating by a computer processor that a valid reboot key has been entered.
    Type: Grant
    Filed: October 5, 2010
    Date of Patent: March 25, 2014
    Assignee: International Business Machines Corporation
    Inventor: Arunachalam Jayaraman
  • Patent number: 8680995
    Abstract: A method and apparatus for detecting behavioral changes in a security system is provided. The method includes the steps of providing a secured area having a plurality of security zones where access to each is controlled by an access controller, detecting entrances to at least some of the plurality of security zones by an authorized person through respective access controllers of the plurality of zones over a predetermined previous time period, forming a probability model of entry into each of the plurality of security zones from the detected entrances over the previous time period, detecting access requests for the authorized user from the access controllers during a current time period, and generating a security alert upon determining that an access request of the current access requests exceeds a probability threshold value associated with the probability model.
    Type: Grant
    Filed: January 28, 2010
    Date of Patent: March 25, 2014
    Assignee: Honeywell International Inc.
    Inventors: Ashwin G, Santhanakrishnan Ponnambalam, Sriram Subramanian, Sivakumar Balakrishnan, Valerie Guralnik, Walt Heimerdinger
  • Patent number: 8683569
    Abstract: A system for application access control is disclosed. First, a business coordinator needs to register a user developed tool (UDT) containing an application to be protected with the system via a software program. After registration, a random encrypted password is generated by the application access control server and stored in its back-end database as well as a local break-glass database corresponding to the UDT. When an entitled user accesses the application in the registered UDT later on, the system will check whether he/she is entitled to access the requested application. If yes, the system will retrieve the encrypted password for that application and thus launch the application.
    Type: Grant
    Filed: January 11, 2012
    Date of Patent: March 25, 2014
    Assignee: JPMorgan Chase Bank, N.A.
    Inventors: Josiah Lam, Mark D. McGovern
  • Patent number: 8683550
    Abstract: The disclosure provides a system and method of authenticating a user to a network. For the method, if a request for a resource initiated by the device is related to a restricted resource, then the method: redirects the request to the authentication server; initiates an authentication process at the server to request a user account and a password from the device to authenticate the device if it has not been authenticated; automatically provides the device with access to the restricted resource if the device previously had been authenticated to access the restricted resource; and provides a signal to the device indicating whether it has been authenticated to allow the device to update its graphical user interface to indicate an access status for the restricted resource. If the request relates to a non-restricted resource, then the method automatically provides the device with access to the non-restricted resource.
    Type: Grant
    Filed: June 3, 2011
    Date of Patent: March 25, 2014
    Assignee: BlackBerry Limited
    Inventor: Michael Hung
  • Patent number: 8683209
    Abstract: The invention provides a method and apparatus for pseudonym generation and authentication. The method comprises the steps of: transmitting a user identity IDuser to a Personal Identity Manager (PIM); receiving a set of public parameters and a prime pseudonym Pprime corresponding to the IDuser from the PIM; and selecting at least two random parameters, and generating a sub-pseudonym Ppseu with the at least two random numbers, the set of public parameters, and the prime pseudonym Pprime.
    Type: Grant
    Filed: October 13, 2009
    Date of Patent: March 25, 2014
    Assignee: Koninklijke Philips N.V.
    Inventors: Hui Li, Jin Qu
  • Patent number: 8683610
    Abstract: A terminal for managing digital rights of a memory card inserted into the terminal and has a processor and a memory, the digital rights allowing the terminal to access digital contents. The terminal includes a processor configured to manage a digital rights and to exchange information with the memory card, the information including a terminal ID and a memory card ID; perform a mutual authentication procedure with the memory card; receive, from a contents provider, a trigger message which indicates to the terminal that a digital rights for the memory card is prepared in the contents provider; if a parameter included in the trigger message does not indicate the memory card, perform a procedure for obtaining a digital rights for the terminal; and if a parameter included in the trigger message indicates the memory card, perform a procedure for requesting a digital rights for the memory card.
    Type: Grant
    Filed: August 3, 2012
    Date of Patent: March 25, 2014
    Assignee: LG Electronics Inc.
    Inventors: Seung-Jae Lee, Te-Hyun Kim
  • Patent number: 8683223
    Abstract: A method and system for selective encryption within a document. A portion of the document selected and marked for encryption is detected, the selected portion of the document including plaintext. The detected portion of the document selected for encryption is encrypted as ciphertext. The encrypted portion of the document is decrypted with a proper decryption key, wherein the decrypting includes decrypting the encrypted portion of the document in response to presentation of required data by the accessor. The required data includes the proper decryption key, a name of the accessor, and an employee number of the accessor. The portion of the document is displayed as decrypted.
    Type: Grant
    Filed: November 15, 2012
    Date of Patent: March 25, 2014
    Assignee: International Business Machines Corporation
    Inventors: Randolph M. Forlenza, Viktors Berstis
  • Patent number: 8677137
    Abstract: In one example embodiment, an information processing apparatus determines whether a target ID is a unique ID or a partial randomization ID that includes a first part being replaced by a different number and a second part being generated based on the unique ID. In response to the target ID being the partial randomization ID, the information processing apparatus generates an access key based on the second part of the partial randomization ID and a key. The information processing apparatus executes a mutual authentication process using the generated access key.
    Type: Grant
    Filed: July 21, 2010
    Date of Patent: March 18, 2014
    Assignee: Sony Corporation
    Inventors: Yinglin Zhu, Mitsuhiro Nakamura, Yasumasa Nakatsugawa, Toshimitsu Higashikawa
  • Patent number: 8676998
    Abstract: A client-server communication protocol permits the server to authenticate the client without requiring the client to authenticate the server. After establishing the half-authenticated connection, the client transmits a request and the server performs or responds accordingly. A network management system and environment where this protocol can be used is also described and claimed.
    Type: Grant
    Filed: November 29, 2007
    Date of Patent: March 18, 2014
    Assignee: Red Hat, Inc.
    Inventor: James P. Schneider
  • Patent number: 8670946
    Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for managing utility device operations. In one aspect, a utility apparatus includes a processing apparatus that manages data processing tasks for the utility apparatus. The utility apparatus also includes a communications apparatus, coupled to the processing apparatus, that is configured to transmit and receive data over a network. A metrology apparatus is coupled to the processing apparatus, the metrology apparatus being configured to measure and provide meter data that includes at least a measure of utilized utility services. A network apparatus is also coupled to the processing apparatus, the network apparatus being configured to coordinate communication between devices that belong to a home area network. A utility identification module interface is coupled to the processing apparatus, the utility identification module having an interface that removably receives a utility identification module.
    Type: Grant
    Filed: September 28, 2010
    Date of Patent: March 11, 2014
    Assignee: Landis+Gyr Innovations, Inc.
    Inventors: Ruben Salazar, Jeffrey B. Shudark, Emmanuel Monnerie, Stephen J. Chasko
  • Patent number: 8671459
    Abstract: A piece of software code, as well as a series of semi-random character strings are embedded into a copy of a software application. The application executes the embedded code on activation and may also invoke the embedded code periodically thereafter. The embedded code generates a knowledge string from a seed string and then generates an activation code from the seed string and the knowledge string. The activation code is checked against an externally-supplied code to ensure that the codes match, indicating a non-pirated copy of the software application.
    Type: Grant
    Filed: February 23, 2007
    Date of Patent: March 11, 2014
    Inventor: Malcolm Henry Nooning, III
  • Patent number: 8670562
    Abstract: In a control system comprising control device adapted for, on the one hand, receiving signal indicating a first biometric datum (W), and, on the other hand, obtaining a second biometric datum captured (w′), at the level of the control device, the first and second biometric data are compared. Next, it is decided whether the first and second biometric data correspond on the basis of the comparison. Thereafter, at least a secret cryptographic key part (H(w)) is generated by applying cryptographic function to the first biometric datum.
    Type: Grant
    Filed: December 19, 2008
    Date of Patent: March 11, 2014
    Assignees: Morpho, Centre National de la Recherche Scientifique—CNRS, Ecole Normale Superieure
    Inventors: Julien Bringer, Hervé Chabanne, David Pointcheval, Sébastien Zimmer
  • Patent number: 8671281
    Abstract: A system and method for integrating the Internet front end-sign on processes of the various systems of a financial institution which allows a customer to view and access its various financial accounts with the institution. During the initial sign up for the online access to its accounts, a customer creates his/her User ID and password online during the same session. Once the customer has signed on (password) and verified ownership of at least one account, the system displays all of the customer's accounts that are available for access via the Internet website. The online ownership verification uses only a single account of the customer and the ownership verification criteria associated with the account. The account used for verifying a customer is first determined based on the accounts selected by the customer for accessing online. From the selected accounts, the system of the present invention creates a verification hierarchy with respect to the accounts.
    Type: Grant
    Filed: June 7, 2011
    Date of Patent: March 11, 2014
    Assignee: JPMorgan Chase Bank, N.A.
    Inventor: Kimberly Ellmore
  • Publication number: 20140068247
    Abstract: Technology is described to control a security device providing access to a restricted resource. The method can include generating a plurality of security access codes at a security locking device using at least one pre-configured symmetric key. The access codes may each be valid from predefined start times for varying time intervals. In a further operation, a candidate access code can be generated at a control server, using the same pre-configured symmetric key. The candidate access code from the control server can be provided to the security locking device. The security locking device can unlock when the candidate access code corresponds to at least one of the valid security access codes on the security locking device.
    Type: Application
    Filed: December 8, 2012
    Publication date: March 6, 2014
    Applicant: MOOSE LOOP HOLDINGS, LLC
    Inventor: MOOSE LOOP HOLDINGS, LLC
  • Publication number: 20140068270
    Abstract: The present invention in a preferred embodiment provides for systems and methods for ensuring and enabling secure access to one or more virtual locations or virtual data, by a user, wherein the said systems comprise of a) at least one authentication device; and b) at least one secondary device, wherein the secondary device may be a second authentication device or an access device; wherein an authentication device is associated with an authentication key which is used to generate an encrypted authentication code using a ‘unique device based encryption system and method’.
    Type: Application
    Filed: August 9, 2011
    Publication date: March 6, 2014
    Inventor: Gurudatt Shenoy
  • Patent number: 8667293
    Abstract: A method includes: receiving a revocation list from a remote data server at a configuration device. The revocation list includes N cryptographic certificates associated with N computer software entities, respectively, that are not to be executed by any of a group of medical devices including a handheld medical device. N is an integer greater than or equal to zero. The method further includes receiving data from the handheld medical device at the configuration device. The data includes a cryptographic certificate that is associated with a given computer software entity that is presently installed in memory of the handheld medical device for execution by the handheld medical device. The method further includes comparing the cryptographic certificate with the revocation list; and selectively executing a protective function by the configuration device when the cryptographic certificate is the same as one of the N cryptographic certificates of the revocation list.
    Type: Grant
    Filed: August 11, 2011
    Date of Patent: March 4, 2014
    Assignee: Roche Diagnostics Operations, Inc.
    Inventors: Daniel Birtwhistle, James Tenbarge, Ulrich Porsch, Kai-Oliver Schwenker, Eric Rachner
  • Patent number: 8667560
    Abstract: Systems and methods for authenticating a user of a service are disclosed. A host of a service provides a user interface that can be accessed via a display of a terminal. Upon successfully transmitting a first set of credentials, the host requests a random image to be generated by an authentication server. The authentication server transmits the random image to the host, as well as to a mobile device that is associated with the user of the service. The mobile device receives a picture message including the image. The user interface displays a list of images on the display. The user matches the received image with an image among the list of images, wherein a successful match follows in the user being granted access to the service. Consequently, an additional layer of security using a visual identification of a user is provided.
    Type: Grant
    Filed: August 31, 2010
    Date of Patent: March 4, 2014
    Assignee: AT&T Intellectual Property I, L.P.
    Inventor: Luis F. Albisu
  • Patent number: 8667289
    Abstract: Method, apparatus, and media for embedding a watermark in digital content. An exemplary method comprises receiving digital content in an encrypted form, receiving a decryption key associated with the digital content, receiving permitted use information specifying conditions under which the digital content is permitted to be rendered and indicating that a watermark is to be embedded in a rendered copy of the digital content, determining whether the conditions are satisfied, and rendering the digital content if the conditions are satisfied based on the determining, the rendering including generating a watermark based on the permitted use information and creating a rendered copy of the digital content having the watermark embedded therein.
    Type: Grant
    Filed: June 13, 2012
    Date of Patent: March 4, 2014
    Assignee: ContentGuard Holdings, Inc.
    Inventors: Mark J. Stefik, Glen W. Petrie, Steve A. Okamoto, Nicholas H. Briggs
  • Patent number: 8667576
    Abstract: A computer system is provided comprising a non-volatile storage medium and a processor. The processor acquires authentication information from a first removable storage device, stores the authentication information into the non-volatile storage medium, and forbids data access of the computer system when detecting that a second removable storage device has been inserted and identification data of the second removable storage device is different from the authentication information.
    Type: Grant
    Filed: May 27, 2008
    Date of Patent: March 4, 2014
    Assignee: Silicon Motion, Inc.
    Inventors: Yi-Shen Lin, Chang-Hao Chiang
  • Patent number: 8667568
    Abstract: An apparatus and a method for storing an encrypted username and password. In one embodiment, a username is encrypted. A password associated with the username is encrypted. A user identifier associated with the username is encrypted. The encrypted username, the encrypted password, and the user identifier are stored in one or more databases.
    Type: Grant
    Filed: May 29, 2008
    Date of Patent: March 4, 2014
    Assignee: Red Hat, Inc.
    Inventor: James Paul Schneider
  • Patent number: 8667605
    Abstract: Methods and systems for using a flexible serialization technique to determine whether certain protected content items (e.g., software) are eligible to be installed on a target computer system during an installation procedure are described. Consistent with some embodiments of the invention, a serial number entered by an end-user is decoded to identify a product identifier that corresponds with a select folder in a folder hierarchy on a storage medium that contains various payloads for installing digital content items on a target computer system. The folder that corresponds with the product identifier includes license configuration information that specifies a set of digital content items eligible for installation, based on the serial number entered by the end-user.
    Type: Grant
    Filed: November 19, 2009
    Date of Patent: March 4, 2014
    Assignee: Adobe Systems Incorporated
    Inventors: Sanjeev Kumar Biswas, Mansukh Patidar, Pradeep Cyril Ekka
  • Patent number: 8667294
    Abstract: An apparatus and method for preventing falsification of a client screen is provided, in which a web server dynamically generates URIs and provides them to clients, thus preventing the falsification of client screens due to a web injection attack or a memory hacking attack. The apparatus includes a random web generation unit for converting an identical web page into random URIs that are randomly generated, at a request of a plurality of clients, generating different random web sources, and providing the different random web sources to the respective clients. A web falsification determination unit compares display web source eigenvalues respectively generated by the clients with respect to any one of the random web sources with a generative web source eigenvalue for the one of the random web sources, thus determining whether screens corresponding to the random web sources displayed on the respective clients have been falsified.
    Type: Grant
    Filed: November 23, 2011
    Date of Patent: March 4, 2014
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Byung-Joon Kim, Jung-Hwan Moon, Hyoung-Chun Kim, Sang-Woo Park, E-Joong Yoon
  • Patent number: 8667569
    Abstract: An encrypted file is decrypted to gain access to a stored hash value for a credentials setting component. A test hash value of the credentials setting component is formed. Before decrypting a set of encrypted credentials to form decrypted credentials, it is required that the test hash value of the credentials setting component match the stored hash value of the credentials setting component. The decrypted credentials are then passed to the credentials setting component to set credentials that instructions are to be executed under.
    Type: Grant
    Filed: September 29, 2011
    Date of Patent: March 4, 2014
    Assignee: Target Brands, Inc.
    Inventors: Aaron T. Tesch, James R. Nelson
  • Patent number: 8667580
    Abstract: A system may include a memory having a unique identifier that uniquely identifies the memory. A package may be communicatively coupled to the memory. The package may include a processor, an identifier storage, and a boot storage. The identifier storage may store the unique identifier from the memory. The boot storage may include instructions to control booting of the processor based on the unique identifier in the identifier storage.
    Type: Grant
    Filed: November 15, 2004
    Date of Patent: March 4, 2014
    Assignee: Intel Corporation
    Inventors: Dhiraj Bhatt, Eric Auzas
  • Patent number: 8667306
    Abstract: In one embodiment, there is provided a mobile communications device comprising: a processor; a communications subsystem operable to exchange signals with a wireless network; a storage element having application modules and data stored thereon, the data comprising at least user application data associated with the application modules and service data including data for establishing communications with the wireless network; and a security module operable to detect policy messages received by the device, and to perform a security action if a first policy message to enforce a first data protection policy is received and a subsequent policy message to enforce a second data protection policy is not received within a predetermined duration from the time at which the first policy message is received; wherein the security action comprises erasing or encrypting at least some of the data on the storage element.
    Type: Grant
    Filed: February 28, 2012
    Date of Patent: March 4, 2014
    Assignee: BlackBerry Limited
    Inventors: Michael Stephen Brown, Neil Patrick Adams, Herbert Anthony Little, Steven Henry Fyke
  • Patent number: 8660321
    Abstract: Unauthorized use of a biological pattern registered in a face image authorization system is made difficult. With respect to the previously registered biological pattern for authorization, additional information is held concerning a change that can be reproduced by a user having the biological pattern for authentication, and success or failure of the authentication is evaluated according to consistency between the biological pattern for authentication that is reproduced using the additional information and a pattern input at the time of authentication as an evaluation factor. By changing the additional information as necessary, unauthorized use of biological pattern data or the like is made difficult.
    Type: Grant
    Filed: October 5, 2009
    Date of Patent: February 25, 2014
    Assignee: NEC Corporation
    Inventor: Toshinori Hosoi
  • Patent number: 8660268
    Abstract: A method and apparatus for client authentication using a pseudo-random number generation system. The pseudo-random number generation utilizes a secret key as well as state information as input into the hash function to generate a pseudo-random number. The state information that is part of the input can be any number of prior generated pseudo-random numbers. The authentication allows for synchronization of the client and server by exchanging state information. The authentication is not dependent on any absolute time and consequently the client and servers are not required to maintain a reliable shared time base.
    Type: Grant
    Filed: April 29, 2008
    Date of Patent: February 25, 2014
    Assignee: Red Hat, Inc.
    Inventor: James Paul Schneider
  • Patent number: 8661532
    Abstract: Provided is a method and apparatus for authenticating a password, wherein the method includes: generating at least one input grid cell into which a password is input from among a plurality of grid cells realized on a screen of a user terminal; and authenticating the password when the password is identical to a number of identification grid cells included in an authentication range predetermined based on the at least one input grid cell, wherein the identification grid cells are set to authenticate the password from among the plurality of grid cells. Accordingly, password information may be prevented from being exposed to a third person observer since a variable password is input whenever a user tries password authentication in a terminal.
    Type: Grant
    Filed: September 20, 2012
    Date of Patent: February 25, 2014
    Assignee: Soongsil University Research Consortium Techno-Park
    Inventors: Jeong Hyun Yi, Tae Jin Kim, Gun Il Ma, Hyun Yi Yi, Si Wan Kim
  • Patent number: 8661062
    Abstract: A method is used in managing analysis of activity data. Activity data is analyzed for a security investigation by using a content bundle. The content bundle specifies a set of actions. The set of actions are performed based on a set of inputs provided to the content bundle. Results of analysis of the activity data are provided in a format based on a set of outputs configured for the content bundle.
    Type: Grant
    Filed: September 28, 2011
    Date of Patent: February 25, 2014
    Assignee: EMC Corporation
    Inventors: John M. Jamail, Daniel B. Reich, Mark F. McLaughlin
  • Patent number: 8661514
    Abstract: An information processing device including a flow definition memory unit configured to store flow definition information in which a process flow of image data read by an image reading unit is defined, and an authentication screen generating unit configured to determine plural processing units that execute a part of the process flow based on the flow definition information, acquire item information indicative of items of authentication information corresponding to a part or all of the plural processing units which require authentication from the part or all of the plural processing units which require the authentication, and generate authentication screen definition information used for displaying an authentication screen integrating and showing the item information.
    Type: Grant
    Filed: December 17, 2009
    Date of Patent: February 25, 2014
    Assignee: Ricoh Company, Ltd.
    Inventor: Toru Akutsu
  • Patent number: 8661261
    Abstract: A method of access control to a communication interface of an integrated circuit, includes intercepting an event transmitted between a communication interface and an application performed by the integrated circuit, and transmitting the intercepted event if a specific parameter of the application indicates that the application is authorized to use the communication interface.
    Type: Grant
    Filed: December 1, 2010
    Date of Patent: February 25, 2014
    Assignee: Inside Secure
    Inventors: Joris Michel Jourdain, Rémi Louis Marie Duclos, Jean-Philippe Vallieres
  • Patent number: 8661540
    Abstract: A method and apparatus are disclosed wherein a portable memory storage device is provided for interfacing with a communications port of the computer system. During operating system start up of the operating system of the computer, fields relating to security of the operating system are prompted for. The portable memory store retrieves from memory therein data for populating said fields and provides same to the computer system mimicking a data entry device other than a portable memory store.
    Type: Grant
    Filed: October 6, 2006
    Date of Patent: February 25, 2014
    Assignee: Imation Corp.
    Inventors: Laurence Hamid, Lawrence Reusing
  • Patent number: 8661262
    Abstract: A user authentication system includes a profile generation unit at the side of a user terminal, and a profile storage unit and a confirmation/replication verification unit at the side of an authentication verification device. When authentication processing is executed in the user terminal, the profile generation unit aggregates input biometric information, registered biometric information, and information which duplicates collation processing contents, and sets a profile being an aggregation of data. The profile storage unit stores the profile at the outside of the user terminal with identification information of authentication processing. The confirmation/replication verification unit confirms the stored contents, and replicates collation processing. Accordingly, when verification is necessary, the validity of authentication processing in the user terminal is verified, and a service provider device is notified of this.
    Type: Grant
    Filed: August 16, 2006
    Date of Patent: February 25, 2014
    Assignee: NEC Corporation
    Inventor: Kaoru Uchida
  • Patent number: 8661523
    Abstract: A method and system, used with an extended USB computer system, for locking out USB mass storage devices at the desktop. For lockout activation, a switch at each host computer is set, and causes a host-side lockout process to deliver a downstream lockout signal to the host's associated portal. This signal causes a portal-side lockout process to disallow USB data from a mass storage device from entering the network.
    Type: Grant
    Filed: September 3, 2010
    Date of Patent: February 25, 2014
    Assignee: ClearCube Technology, Inc.
    Inventors: Michael Barron, Raymond A. Dupont, Rajesh K. Mellacheruvu, Randy Printz, Syed Mohammad Amir Husain
  • Patent number: 8661556
    Abstract: A method and apparatus for providing network security using role-based access control is disclosed. A network device implementing such a method can include, for example, an access control list. Such an access control list includes an access control list entry, which, in turn, includes a user group field. Alternatively, a network device implementing such a method can include, for example, a forwarding table that includes a plurality of forwarding table entries. In such a case, at least one of the forwarding table entries includes a user group field.
    Type: Grant
    Filed: May 27, 2011
    Date of Patent: February 25, 2014
    Assignee: Cisco Technology, Inc.
    Inventor: Michael R. Smith
  • Patent number: 8656485
    Abstract: A projection display device that, in case the second authentication information which is input does not match the first authentication information which is stored, operates in the second operation mode, in which the projection display device projects in a state in which an operation to change the environmental setting information cannot be received.
    Type: Grant
    Filed: December 27, 2011
    Date of Patent: February 18, 2014
    Assignee: Seiko Epson Corporation
    Inventor: Yuji Mochizuki
  • Patent number: 8656469
    Abstract: An authentication framework is provided which enables dynamic user authentication that combines multiple authentication objects using a shared context and that permits customizable interaction design to suit varying user preferences and transaction/application requirements. For example, an automated technique for user authentication comprises the following steps/operations. First, user input is obtained. At least a portion of the user input is associated with two or more verification objects. Then, the user is verified based on the two or more verification objects in accordance with at least one verification policy operating on a context shared across the two or more verification objects. The user authentication technique of the invention may preferably be implemented in a flexible, distributed architecture comprising at least one client device coupled to at least one verification server.
    Type: Grant
    Filed: January 11, 2012
    Date of Patent: February 18, 2014
    Assignee: International Business Machines Corporation
    Inventors: Ganesh N. Ramaswamy, Ran Zilca, Oleg Alecksandrovich
  • Patent number: 8656177
    Abstract: A system is provided that uses identity-based encryption (IBE) to allow a sender to securely convey information in a message to a recipient. A service name such as a universal resource locator based at least partly on the name of an organization may be associated with a local key server at the organization and a public key server external to the organization. Users at the organization may use the service name to access the local key server to obtain IBE public parameter information for performing message encryption and to obtain IBE private keys for message decryption. External to the organization, users may obtain IBE public parameter information and IBE private keys from the public key server using the same service name. The local key generator and the public key generator may maintain identical copies of the same IBE master secret.
    Type: Grant
    Filed: June 23, 2008
    Date of Patent: February 18, 2014
    Assignee: Voltage Security, Inc.
    Inventor: Ingrum O. Putz
  • Patent number: 8656474
    Abstract: A biometric authentication device includes: a biometric information obtain portion obtaining biometric information of a user; a biometric condition determine portion determining good and bad of biometric condition of the user according to the biometric information of the user; a biometric matching portion performing a matching of registered biometric information registered in advance based on the biometric information; an alternate authentication portion performing an authentication based on information that is different from the biometric information; and an alternate authentication control portion switching validation and invalidation of the authentication by the alternate authentication portion according to a determination result of the biometric condition determine portion.
    Type: Grant
    Filed: September 22, 2011
    Date of Patent: February 18, 2014
    Assignee: Fujitsu Limited
    Inventor: Koichiro Niinuma
  • Patent number: 8650406
    Abstract: A computer-implemented system and method for protecting a memory are provided. The system includes a memory section with privileged and non-privileged sections, a host gateway (HG) to generate a capability credential, a device controller (DC) to append the credential to data transmitted to the memory, and at least one IO device enabled to do direct memory access (DMA) transactions with the memory.
    Type: Grant
    Filed: February 27, 2012
    Date of Patent: February 11, 2014
    Assignee: International Business Machines Corporation
    Inventors: Michael Backes, Shmuel S Ben-Yehuda, Jan Leonhard Camenisch, Ton Engbersen, Zorik Machulsky, Julian Satran, Leah Shalev, Ilan Shimony, Thomas Basil Smith, III, Michael Waidner
  • Patent number: 8649770
    Abstract: A cellular wireless modem. The cellular wireless modem comprises a cellular radio transceiver, a short range communication interface, a processor, wherein the processor comprises a trusted security zone, a memory, wherein the memory stores an input forwarding application, and a trusted security zone extension application stored in the memory. When executed by the processor, the extension application provisions the input forwarding application to an intelligent appliance via the short range communication interface, receives input from the input forwarding application executing on the intelligent appliance via the short range communication interface, and transmits a message based on the input via the cellular radio transceiver.
    Type: Grant
    Filed: July 2, 2012
    Date of Patent: February 11, 2014
    Assignee: Sprint Communications Company, L.P.
    Inventors: Warren B. Cope, Lyle W. Paczkowski
  • Patent number: 8650611
    Abstract: An image forming apparatus including a communication interface unit to access an external device storing at least one security provider corresponding to user authentication, a user interface (UI) unit to select the security provider, a storage unit to receive the selected security provider from the external device and store the received security provider, a control unit to install the stored security provider in the image forming apparatus, select at least one application to apply the installed security provider, and set the installed security provider as a user authenticator for the at least one selected application.
    Type: Grant
    Filed: October 8, 2010
    Date of Patent: February 11, 2014
    Assignee: SAMSUNG Electronics Co., Ltd.
    Inventor: Nam Heo
  • Patent number: 8650617
    Abstract: A method and apparatus for real-time insertion of services into an IP telephony call session are disclosed. A client initiates a service request message to a second server. The service request message includes the client identity and a requested service available from a second server. The first server determines if the client is authorized to use the requested service. If the client is authorized to use the requested service, the second server delivers the requested service to the client.
    Type: Grant
    Filed: June 23, 2008
    Date of Patent: February 11, 2014
    Assignee: Cisco Technology, Inc.
    Inventor: Robert E. Gleichauf
  • Patent number: 8650405
    Abstract: An improved PIN-based authentication technique for authenticating the user of a client machine to a server automatically generates a personal identification number (PIN) for the user based on user-specific authentication information, such as encrypted cookie information. The server provides user-specific authentication information to a client machine. When the user submits an authentication request, user-specific authentication information is collected and uploaded to the server. The user-specific authentication information is processed to form a PIN, and authentication of the user proceeds based on the PIN and any other authentication factors provided. Since the disclosed techniques compute PINs automatically based on information exchanged between a client machine and a server, the user is relieved of any burden associated with registering and remembering a PIN.
    Type: Grant
    Filed: June 30, 2011
    Date of Patent: February 11, 2014
    Assignee: EMC Corporation
    Inventors: Yedidya Dotan, Lawrence N. Friedman, Oleg Freylafert, Robert S. Philpott, Daniel Schiappa