Abstract: Systems and methods for partitioning memory into multiple secure and open regions are provided. The systems enable the security level of a given region to be determined without an increase in the time needed to determine the security level. Also, systems and methods for identifying secure access violations are disclosed. A secure trap module is provided for master devices in a system-on-chip. The secure trap module generates an interrupt when an access request for a transaction generates a security error.

Abstract: A computationally implemented method includes, but is not limited to: determining that a computing device that was presenting an item has been transferred from a first user to a second user; and presenting, via the computing device, one or more highlighted portions of the item, the one or more highlighted portions being highlighted in response, at least in part, to said determining. In addition to the foregoing, other method aspects are described in the claims, drawings, and text forming a part of the present disclosure.

Abstract: A user authentication apparatus safely uses resources by forming a communication channel between a plurality of execution environments through user authentication in a portable terminal providing the plurality of execution environments based on a virtualization solution, and prevents private information from being illegally leaked by hacking by not directly exposing a PIN number or a password a user inputs using a virtual keyboard and a keyboard coordinate when authenticating the user.

Abstract: A computationally implemented method includes, but is not limited to: determining that a computing device that was presenting one or more portions of one or more items and that was in possession of a first user has been transferred from the first user to a second user; and marking, in response to said determining, the one or more portions of the one or more items to facilitate the computing device in returning to the one or more portions upon the computing device being at least transferred back to the first user. In addition to the foregoing, other method aspects are described in the claims, drawings, and text forming a part of the present disclosure.

Abstract: The invention provides a method and system for presenting information in a web document using a program applet to restrict further copying or redistribution. The web document includes a first region in which a graphical element or other information is displayed, and a second region covering the first region in which a program applet is invoked by a server for the web document. The program applet is dynamically created upon access, and assigned a serial number. The program applet contacts the server for permission to display the graphical element or other information; thus, the server can control, by granting or denying permission, when and if the program applet displays the graphical or other information.

Abstract: A system and method for processor-based security is provided, for on-chip security and trusted computing services for software applications. A processor is provided having a processor core, a cache memory, a plurality of registers for storing at least one hash value and at least one encryption key, a memory interface, and at least one on-chip instruction for creating a secure memory area in a memory external to the processor, and a hypervisor program executed by the processor. The hypervisor program instructs the processor to execute the at least one on-chip instruction to create a secure memory area for a software area for a software module, and the processor encrypts data written to, and decrypts data read from, the external memory using the at least one encryption key and the verifying data read from the external memory using the at least one hash value. Secure module interactions are provided, as well as the generation of a power-on key which can be used to protect memory in the event of a re-boot event.

Abstract: Systems, devices, and techniques for providing shortcuts to applications of a computing device are described. In one example, a method includes outputting, for display at a screen, a plurality of input nodes while the computing device is in a locked state and receiving an indication of a selection of a set of the plurality of input nodes in a defined order. The method may also include determining that the selection matches a predetermined selection order of the input nodes, the predetermined selection order being associated with the computing device. The method may also include, responsive to the determining, outputting, for display in place of at least one of the plurality of input nodes at the screen, an icon representative of an operation executable by the computing device, receiving an indication of a selection of the icon, and responsive to receiving the indication, executing the operation.

Abstract: Systems and methods are described that relate to authentication and/or binding of multiple devices with varying security profiles. In one aspect, a first device with a higher security profile may vouch for the authenticity of a second device with a lower security profile when the second device requests access for content from a content provider. The vouching process may be implemented by allowing the first device to overlay its digital signature on a registration request that has been signed and transmitted by the second device. The second device with the lower security profile may access content from the content provider or source for a predetermined time period, even when the second device does not access content through the first device.

Abstract: End-to-end authentication capability based on public-key certificates is combined with the Session Initiation Protocol (SIP) to allow a SIP node that receives a SIP request message to authenticate the sender of request. The SIP request message is sent with a digital signature generated with a private key of the sender and may include a certificate of the sender. The SIP request message my also be encrypted with a public key of the recipient. After receiving the SIP request, the receiving SIP node obtains a certificate of the sender and authenticates the sender based on the digital signature. The digital signature may be included in an Authorization header of the SIP request, or in a multipart message body constructed according to the S/MIME standard.

Abstract: A method for imputing different usernames and passwords using an input device with a display to use different protected assets that requires the inputting of a preselected username into a username enter box and the inputting of a preselected password into a password entry box immediately prior to use. The method includes the steps of designating two or more username keys on said input device, each said username key being assigned with a unique letter or number located on said input device and to a unique username made of a plurality of alpha-number characters, designating two or more password keys on the input device each being assigned with a letter or number located on said input device and to a unique password made of a plurality of alpha-number characters. Next the protected asset is then accessed and the username key and keyword key assigned to the asset is imputed.

Abstract: In one embodiment, the present invention includes a system on a chip (SoC) that has a first agent with an intellectual property (IP) logic, an interface to a fabric including a target interface, a master interface and a sideband interface, and an access control plug-in unit to handle access control policy for the first agent with respect to incoming and outgoing transactions. This access control plug-in unit can be incorporated into the SoC at integration time and without any modification to the IP logic. Other embodiments are described and claimed.

Abstract: A computationally implemented method includes, but is not limited to: determining which of a plurality of users detected in proximate vicinity of a computing device has primary control of the computing device, the computing device designed for presenting one or more items; ascertaining one or more particular formats for formatting the one or more items based, at least in part, on said determining; and presenting, via the computing device, the one or more items in the one or more particular formats. In addition to the foregoing, other method aspects are described in the claims, drawings, and text forming a part of the present disclosure.

Abstract: Various embodiments disclosed herein are directed to gaming devices having a secured basic input/output system (BIOS) and methods for determining the validity of the gaming device's BIOS. According to one embodiment, the gaming device includes a secured module for authenticating the BIOS of the gaming device. During the boot-up process, the secured module issues a challenge to the BIOS. The BIOS generates a response to the challenge, and the secured module determines whether the BIOS response matches the calculated response of the secured module. If the BIOS response matches the secured module response, the gaming device continues the boot process. Otherwise, the boot process is halted by the gaming device.

Abstract: Methods, apparatuses and storage medium associated with securely provisioning a digital content protection scheme are disclosed. In various embodiments, a method may include forming a trust relationship between a media application within an application execution environment of a device and a security controller of the device. The application execution environment may include an operating system, and the operating system may control resources within the application execution environment. Additionally, the security controller may be outside the application execution environment, enabling components of the security controller to be secured from components of the operating system. Further, the method may include the security controller in enabling a digital content protection scheme for the media application to provide digital content to a digital content protection enabled transmitter within the application execution environment for provision to a digital content protection enabled receiver.

Abstract: A system and a method are disclosed for a computer implemented method to unlock a mobile computing device and access applications (including services) on a mobile computing device through a launcher. The configuration includes mapping one or more applications with a guest access code. The configuration receives, through a display screen of a mobile computing device, an access code, and determines whether the received access code corresponds with the guest access code. The configuration identifies the mapped applications corresponding to the guest access code and provides for display, on a screen of the mobile computing device, the identified applications.

Abstract: A method for authenticating a computing device or hardware component includes computer-implemented process steps for assigning a unique identifier to the hardware component, generating a baseline fingerprint for the hardware component using algorithm-processing characteristic configuration data determined from the hardware component as input, wherein the baseline fingerprint is capable of being regenerated from the hardware component so long as configuration of the hardware component is not changed, transmitting the identifier in association with the baseline fingerprint for storage in a computer-readable data structure, and generating a data signal, in response to a query comprising the assigned identifier, indicating whether the stored baseline fingerprint for the assigned identifier matches a second fingerprint regenerated from the hardware component at a time after the baseline fingerprint is generated.

Abstract: In a communication system in which two communication entities seek to have a private or confidential communication session, a trust relationship needs first be established. The trust relationship is based on the determination of a shared secret which in turn is generated from contextual information. The contextual information can be derived from the circumstances surrounding the communication session. For example, the contextual information can include topological information, time-based information, and transactional information. The shared secret may be self-generated or received from a third party. In either event, the shared secret may be used as key material for any cryptographic protocol used between the communication entities.

Abstract: A computationally implemented method includes, but is not limited to: determining that a computing device that was presenting an item has been transferred from a first user to a second user; and presenting, via the computing device, one or more highlighted portions of the item, the one or more highlighted portions being highlighted in response, at least in part, to said determining. In addition to the foregoing, other method aspects are described in the claims, drawings, and text forming a part of the present disclosure.

Abstract: Methods and systems to authenticate and load a plurality of boot logic modules in corresponding access protected memory regions of memory, and to maintain the access protections in run-time environments. Access protection may be implemented with access control list (ACL) policies expressed in terms of page boundaries to distinguish between read, write, and execute access requests.

Abstract: An image processing apparatus includes a request determining unit receiving an operation event indicating a request to use an image processing function and determining whether the request is from a guest user based on the received operation event; a guest login processing unit generating guest login information including a guest user identifier and access right information of the guest user if the request is from the guest user and sending a login request to request a login process for the guest user based on the guest login information; an access control unit disabling access control on the image processing function in response to the login request based on the access right information in the guest login information; and a usage history recording unit recording a usage history of the image processing function in association with the guest user based on the guest user identifier in the guest login information.

Abstract: Particular embodiments of a computing device associated with a user may detect an event using a sensor of the computing device. The event may be a lock-triggering event or an unlock-triggering event. The computing device may assess a state of the device. The computing device may also access further information associated with the user. The computing device may also monitor activity on the computing device to detect further events if such further monitoring is warranted. Based on the gathered information, the computing device may update a lock status of the device to lock or unlock access interfaces of the computing device, functionality of the computing device, or content accessible from the computing device. If the event comprised the computing device detecting an attempt by a third party to use the device, the device may attempt to identify the third party to determine if they are authorized to use the device.

Abstract: A computationally implemented method includes, but is not limited to: determining which of a plurality of users detected in proximate vicinity of a computing device has primary control of the computing device, the computing device designed for presenting one or more items; ascertaining one or more particular formats for formatting the one or more items based, at least in part, on said determining; and presenting, via the computing device, the one or more items in the one or more particular formats. In addition to the foregoing, other method aspects are described in the claims, drawings, and text forming a part of the present disclosure.

Abstract: Methods and systems for dynamically bundling portions into secured destination files are provided. Example embodiments provide a Dynamic Digital Rights Bundling System (“DDRBS”), which dynamically bundles a set of portions each variously containing digital rights management components, user interface controls, and content, into a secured destination file in response to a designated content request. In one embodiment, the DDRBS comprises a bundling engine, a translation engine, a merging engine, and an assortment of data repositories. These components cooperate to dynamically assemble and provide customized secured destination files comprising the requested content together with specialized user interface and digital rights management controls. This abstract is provided to comply with rules requiring an abstract, and it is submitted with the intention that it will not be used to interpret or limit the scope or meaning of the claims.

Abstract: Systems and methods for weak authentication data reinforcement are described. In some embodiments, authentication data is received in a request to authenticate a user. In response to detecting weak authentication data, the systems and methods determine whether the user was previously authenticated as a human user. An example embodiment may include initiating an authentication process based on determining that the user was previously authenticated as a human user.

Abstract: A method and apparatus for recognizing a user in an electronic device and automatically controlling an output value of the electronic device is provided. The method includes detecting user related data using at least one sensor, determining whether the user is a user who is previously registered in the electronic device using the detected user related data, and automatically adjusting at least one output value of the electronic device when the user is determined as the user who is previously registered in the electronic device, wherein at least the one sensor includes at least one of a camera sensor, a touch sensor, and a microphone sensor.

Abstract: An electronic device and a method for releasing a screen locked state thereof are provided. The electronic device includes a touch screen, an operating unit, a display unit and a sensing unit that are coupled to each other and apply the method for releasing a screen locked state. The method for releasing a screen locked state includes: defining a prompt area and a signal input area on the touch screen, in which the prompt area has a plurality of prompt objects; an indication object in the signal input area indicating one of the prompt objects; receiving a touch track signal to indicate different prompt objects; detecting a click signal to acquire the indicated prompt object; and when the acquired prompt objects satisfies a preset arrangement order, releasing the screen locked state.

Abstract: An approach to securing an execution stack (or cloud architecture) is provided. For example, an image is separated into a plurality of layers to form a trusted execution stack. Each of the plurality of layers is hardened to secure key cloud components of the trusted execution stack.

Abstract: An unlocking system and an unlocking method of an electronic device are provided. When the electronic device in a lock state is moved during an unlock operation, the electronic device analyzes the movement of the electronic device based on its acceleration and direction and calculates a movement vector along each axis and draws an unlocking graphic. The electronic device determines whether the unlocking graphic is the same as a preset unlocking graphic. If the unlocking graphic is the same as a preset unlocking graphic, the electronic device is changed from the lock state to an unlock state.

Abstract: A programmable display device includes a communication driver, a file system process unit that accesses the portable storage medium storing backup/restore target information that includes a target control device and target setting information respectively specifying the control device on which the backup/restore process is performed out of the control devices connected to the programmable display device and setting information, and a setting-information obtaining/writing process unit that accesses the control device via the communication driver based on the backup/restore target information and performs the backup/restore process of the setting information by accessing the portable storage medium via the file system process unit.

Abstract: Acquiring access to a token controlled system resource, including: receiving, by a token broker, a command that requires access to the token controlled system resource, where the token broker is automated computing machinery for acquiring tokens and distributing the command to the token controlled system resource for execution; identifying, by the token broker, a first need state, the first need state indicating that the token broker requires access to the token controlled system resource to which the token broker does not possess a token; requesting, by the token broker, a configurable number of tokens to gain access to the token controlled system resource, without dispatching an operation handler for executing the command until at least one token is acquired; assigning, by the token broker, an acquired token to the operation handler; and dispatching, by the token broker, the operation handler and its assigned token for executing the command.

Abstract: Methods, devices, and systems for managing sensitive data are provided. The management tool may be provided on a user input device, as opposed to being provided in memory or in a peripheral that can be read from a program running on a computing platform. The management tool may be maintained in a read/write isolation mode where no data is transmitted outside of the management tool unless the user input device is disengaged from the computing platform, at which point data may be transmitted from the management tool for ultimate delivery to the computing platform.

Abstract: A firmware cipher component is provided which can be configured and programmed to efficiently implement a broad range of cryptographic ciphers while accelerating their processing. This firmware cipher component allows an ASIC to support multiple cipher algorithms while accelerating the operations beyond speeds conventionally achieved by software or firmware only solutions. This system combines cryptographic specific custom instructions with hardware based data manipulation accelerators. The cryptographic specific custom instructions and hardware accelerators may support both block and stream ciphers. Thus, the system may be reconfigured, allowing the cipher algorithm to change without halting the system. Further, embedding the Firmware Programmable Cipher within an ASIC may allow future capabilities to be supported in secure applications.

Abstract: A computer device capable of locking screen, including a display unit and a processing unit, is illustrated. The display unit is used for displaying one of a locking interface and a program interface of a designated program which is in use. The processing unit is configured for receiving a locking command of a locking application of the computer device, in order to keep the designated program being in use and the display unit displaying only the program interface, and for controlling the display unit to display only the locking interface when the designated program is not in use.

Abstract: The methods and systems described herein provide for preventing a non-trusted virtual machine from reading the graphical output of a trusted virtual machine. A graphics manager receives a request from a trusted virtual machine to render graphical data using a graphics processing unit. The graphics manager assigns, to the trusted virtual machine, a secure section of a memory of the graphics processing unit. The graphics manager renders graphics from the trusted virtual machine graphical data to the secure section of the graphics processing unit memory. The graphics manager receives a request from a non-trusted virtual machine to read graphics rendered from the trusted virtual machine graphical data and stored in the secure section of the graphics processing unit memory, and prevents the non-trusted virtual machine from reading the trusted virtual machine rendered graphics stored in the secure section of the graphics processing unit memory.

Abstract: An information processing apparatus of this invention displays an operation window which allows selection of any of multiple applications. Each of the applications includes multiple functions with use authorization being set for each of the functions. The information processing apparatus displays, upon accepting selection of a specific application having some of the multiple functions for which use authorization which requires authentication of a user is set, an authentication window for authentication of the user. The authentication window allows use of the specific application to be selected without authentication of the user, by permitting use of a function, of the multiple function of the specific application, for which use authorization requiring no authentication of the user is set.

Abstract: An authentication apparatus includes: a database section that stores a password; an entry section through which a password is entered; a storage section that stores an entered password which is entered through the entry section; an authentication section that authenticates whether the password and the entered password match with each other; and a determining section that determines whether or not a re-entered password is to be subjected to an authentication processing performed by the authentication section when the re-entered password is entered through the entry section after the authentication section determines that the password and the entered password do not match with each other.

Abstract: Methods, devices, systems and computer program products for providing secure communications between managed devices in a firewall protected area defined by a firewall and a network management station (NMS) in a network segregated from the firewall protected area are provided. Management information associated with managed devices in the firewall protected area is obtained from the managed devices by a de-militarized zone (DMZ) controller. The obtained management information is transmitted from the DMZ controller through the firewall to a gateway module associated with the NMS. Communications between the DMZ controller and the gateway module are enabled by a single firewall rule.

Abstract: A system and method for changing safety-relevant data for a control device is provided wherein an authorized user inputs new or altered safety-relevant data, which is received on a data processing installation. A first checksum for the safety-relevant data is established and stored along with the safety-relevant data in at least one data record on the data processing installation. An enable code may also be stored in the at least one data record. This enable code may be produced by a code generator and encrypted by a key module. The data processing installation then reads back the safety-relevant data from a memory in the data processing installation, thereby allowing a comparison of the received safety-relevant data and the read back safety-relevant data. A second checksum is generated in a case where the comparison resulted in no differences. The second checksum may also be stored in the at least one data record.

Abstract: A method and apparatus for managing passwords for accessing data in a storage is provided. The method comprises generating and storing a password, generating and providing to the storage a request to access data in response to receiving a first request to access data in the storage, retrieving and providing the password to the storage in response to the request for a password. The apparatus comprises an initialization module and a storage access module. The initialization module is configured to generate and store a password. The storage access module is configured to generate and provide a request to access data in response to receiving a first request to access data in the storage, receive a request for a password, retrieve the password in response to the request for a password, and provide the password to the storage to obtain access to the data in the storage.

Abstract: A system and method for display device access management. An alphanumeric key is generated and displayed on a display device. The key is entered into the system by a user within sight of the display device and authenticated by the system. Media sent to the display device by the user is then displayed on the display device.

Abstract: Systems and methods may provide implementing one or more device locking procedures to block access to a device. In one example, the method may include receiving an indication that a user is no longer present, initiating a timing mechanism to set a period to issue a first device lock instruction to lock a peripheral device, relaying timing information from the timing mechanism to a controller module associated with the peripheral device; and locking the peripheral device upon expiration of the period.

Abstract: An information processing apparatus includes a user interface, an authentication unit, a controller, a restriction unit, and an authentication termination unit. The user interface accepts a first operation for setting a parameter from a user. The authentication unit authenticates the user. The controller controls the user interface to display the set parameter. The restriction unit restricts, in a case where a first condition is met after the user has been authenticated by the authentication unit, the user interface from accepting the first operation. The authentication termination unit terminates the authentication of the user in a case where a second condition is met while accepting of the first operation is being restricted by the restriction unit. The controller controls the user interface not to display the set parameter in a case where the second condition is met while accepting of the first operation is being restricted by the restriction unit.

Abstract: A method for managing offline authentication. The method may include 1) identifying an attempt, by a user, to access a client device, wherein accessing the client device requires the user to be authenticated, 2) determining whether the client device is offline, 3) in response to determining that the client device is offline, authenticating the user using offline authentication, wherein offline authentication does not require an active network connection with a remote authentication service, 4) upon successful authentication of the user using offline authentication, allowing the user to access the client device, 5) monitoring the network-connection state of the client device, 6) detecting that the client device is online, and then 7) in response to detecting that the client device is online, locking the client device in order to require the user to reauthenticate using online authentication, wherein online authentication requires the active network connection with the remote authentication service.

Abstract: A mobile communication device and a data verification system applying a smart card having double chips are applicable to data verification processing when the mobile communication device drives the smart chip to perform transaction with a front end access device. The mobile communication device includes a wireless communication unit, a processing unit and a smart chip. When the processing unit receives a transaction request sent by the front end access device or the processing unit executes a transaction procedure, the processing unit performs data verification processing during transaction through the smart chip.

Abstract: An information processing device verifies the authorization of an application that has issued an access request to access a device. When an application on a universal OS issues a processing request to a secure device driver, a secure VMM and an application identification unit on a management dedicated OS lock a page table of the application and refer to the page table to generate a hash value. The application is determined to be authorized or unauthorized by comparing the generated hash value with a reference hash value.

Abstract: A portable computer terminal having an operating system configured to switch from a first state to a second state in response to a first command from a user and to switch from the second state to the first state in response to a second command from the user, the second command including inputting an identification code of the user, the operating system being capable, in the first state, of causing execution in interactive manner of an application selected from a set of applications, the operating system being capable, in a second state, of causing execution in interactive manner of an application of said set of applications in compliance with an access condition, wherein the access condition is determined as a function of said first command.

Abstract: If the validity of authorization information read from a USB key is verified (S1 to S4), use-information that indicates “used” is written in both of the nonvolatile memory and the USB key (S7). In a case of an initial use of an image forming apparatus (Cp=1, S8), a screen for selecting whether to perform a secure format on a hard disk device or not is displayed on a control panel (S9). If an instruction from the control panel indicates performing a secure format (S10), or if the use of the image forming apparatus is not a first time (Cp>1, S8), overwrite process on the hard disk with dummy data device is performed (S13, S14), and a logical format is performed regardless of a selection on the screen (S16).

Abstract: This is generally directed to identifying unauthorized users of an electronic device. In some embodiments, an unauthorized user of the electronic device can be detected by identifying particular activities that may indicate suspicious behavior. In some embodiments, an unauthorized user can be detected by comparing the identity of the current user to the identity of the owner of the electronic device. When an unauthorized user is detected, various safety measures can be taken. For example, information related to the identity of the unauthorized user, the unauthorized user's operation of the electronic device, or the current location of the electronic device can be gathered. As another example, functions of the electronic device can be restricted. In some embodiments, the owner of the electronic device can be notified of the unauthorized user by sending an alert notification through any suitable medium, such as, for example, a voice mail, e-mail, or text message.

Abstract: A processor-implemented method, system, and/or computer program product secures data stores. A non-contextual data object is associated with a context object to define a synthetic context-based object. The synthetic context-based object is associated with at least one specific data store in a data structure, where the specific data store contains data that is associated with data contained in the non-contextual data object and the context object. An ambiguous request is received from a user for data related to an ambiguous subject-matter. The context of the ambiguous request from the user is determined and associated with the synthetic context-based object that is associated with said a specific data store, where that specific data store contains data related to the context of a now contextual request from the user. The user is then provided access to the specific data store while blocking access to other data stores in the data structure.

Abstract: A system for managing adaptive security zones in complex business operations, comprising a rules engine adapted to receive events from a plurality of event sources and a security manager coupled to the rules engine via a data network, wherein upon receiving an event, the rules engine determines what rules, if any, are triggered by the event and, upon triggering a rule, the rules engine determines if the rule pertains to security and, if so, sends a notification message to the security manager informing it of the triggered event, and wherein the security manager, on receiving a notification message from the rules engine, automatically establishes a new security zone based at least in part on the contents of the notification message, is disclosed.