Abstract: An approach to securely distributing and running virtual machines is described that addresses the inherent insecurity of mobile virtual machines by authenticating a user before establishing a specialized virtualization runtime environment that includes a filesystem driver inserted into the host operating system to provide secure access to a virtual machine by authorized hypervisors only. Further described is the creation of a SecureVM package that includes the various components used to perform the operations of installation, user authentication and establishment of the specialized virtualization runtime environment.

Abstract: A system and method is disclosed for authenticating a removable data storage device (RDSD) by implementing a removable trusted information module (TIM) comprising a non-volatile storage medium operable to securely store passwords, digital keys, digital certificates and other security credentials (“security credentials”). An RDSD enclosure comprising a disk storage drive, one or more interfaces, one or more connectors, and a TIM is implemented to be connected, disconnected and reconnected to a plurality of predetermined information handling systems. The RDSD is authenticated by the TIM initiating comparison and cryptographic operations between its contents and the contents of authentication files comprising the RDSD. Once the RDSD has been authenticated, the TIM performs similar operations to authorize access and usage of its contents by the information handling system. Other cryptographic operations are performed to determine whether the integrity of data files has been compromised.

Abstract: According to one embodiment, when sending a transmission target main data 21, an authentication-tag generator unit 13 generates an authentication tag 23 by using a main data 21 and a key data 22 stored in a key-data storage unit 12. A transmitter/receiver unit 14 adds the authentication tag 23 to the main data 32 sends as a transmission data. When receiving the received data 24a, the transmitter/receiver unit 14 divides the received data into a main data 21a and an authentication tag 23a. The authentication-tag generator unit 13 generates an authentication tag 23b for comparison. A received-data authentication unit 15 determines whether or not those the received authentication tag 23a and the authentication tag for comparison 23b match with each other. A different key data is used every time upon the authentication-tag generation and use time of each key data during a set period is restricted.

Abstract: A secure, layered logout of a user session is implemented in a web-based management tool, such as a middleware appliance. A logout strategy is provided to include a set of security levels of varying sensitivity, with each security level having a set of permissions associated therewith and that are enforced upon a timeout. Preferably, each succeeding security level in the set of security levels is reached as time increases from an idle time associated with the user session. Upon expiration of a timeout associated with a security level, the set of permissions associated with the security level are then enforced against at least one managed object while the user session continues. As each next security level is reached, the set of permissions associated with the security level are then enforced (with respect to the managed object or against one or more other managed objects), once again while the user session continues.

Abstract: An improved adaptive authentication technique involves defining a window array which stores the number of distinct fact values per time unit over a predetermined number of time units. Each element of the window array has a value set to the number of distinct fact values over a time unit. The window array is stored in a database. Under the improved technique, upon a user initiating an authorization request, the risk engine extracts the request and the window array from the database into a cache on the authorization server. The risk engine uses the request which contains a value of the fact to adjust values of the elements of the window array and, once the adjusting is completed, computing the fact velocity which is used in the determination of a risk score for the request.

Abstract: An information processing device includes: a local memory unit for storing data including an encrypted content; a memory for storing data including key information used to reproduce the encrypted content; and a data processing unit performing a process of writing data to the local memory unit and the memory, and a process of reproducing the encrypted content, wherein the data processing unit performs a process of writing encrypted content downloaded from a server or encrypted content copied from a medium to the local memory unit, and performs a process of decoding the encrypted content or a validity authenticating process using the data stored in the local memory unit and the data stored in the memory when reproducing the encrypted content written to the local memory unit.

Abstract: A client computer that is connectable to a host computer by a network, includes a communication part to communicate with the host computer; a user input part; a system part to perform a function depending on an application; and a controller to control the system part to be put into a locking state to stop performing operations input by a user from the user input part if a locking signal is received from the host computer through the communication part, and to control the communication part to unlock the locking state if an unlocking signal is received from the host computer through the communication part.

Abstract: A method and apparatus for providing software security is provided. In the software security method, an installation file of software that includes at least one execution file and at least one data file which are stored in a user terminal is executed. Accordingly, at least one virtual execution file corresponding to the at least one execution file and at least one virtual data file corresponding to the at least one data file are installed in a user area of the user terminal, and the at least one execution file, the at least one data file, and a controller for controlling the at least one virtual execution file and the at least one execution file are installed in a security area of the user terminal.

Abstract: To limit access to a document according to a plurality of types of access authorities set to the document when a server apparatus for limiting access to the document having a setting of a plurality of types of access authorities to operate the document cannot limit access to the document according to the access authority, an apparatus includes a conversion unit configured to convert a document into a plurality of documents having a setting corresponding to each of the plurality of types of access authorities, and a generation unit configured to merge the plurality of documents formed through conversion by the conversion unit, so as to be handled as one document, to generate one merged document.

Abstract: A computerized method prevents information displayed on a screen of a display device from being viewed by unauthorized persons. Images in front of the screen are captured at regular intervals using an image capturing device of the display device. Faces are recognized from each of the captured images using facial recognition technologies. Whether or not the screen is in a state of being viewed by one or more unauthorized persons is determined according to the faces recognized as such in each of the captured images. A predetermined anti-viewing display is displayed on the screen to prevent the information being displayed on the screen from being viewed by any unauthorized person, when the screen is determined to be in the state of being viewed by any unauthorized person.

Abstract: Methods, systems, and apparatus for voice authentication and command. In an aspect, a method comprises: receiving, by a data processing apparatus that is operating in a locked mode, audio data that encodes an utterance of a user, wherein the locked mode prevents the data processing apparatus from performing at least one action; providing, while the data processing apparatus is operating in the locked mode, the audio data to a voice biometric engine and a voice action engine; receiving, while the data processing apparatus is operating in the locked mode, an indication from the voice biometric engine that the user has been biometrically authenticated; and in response to receiving the indication, triggering the voice action engine to process a voice action that is associated with the utterance.

Abstract: Systems, methods and products directed toward providing security in hybrid information handling device environments are described herein. One aspect an information handling device comprising: one or more processors; and one or memories storing program instructions accessible by the one or more processors; wherein, responsive to execution of program instructions stored in the one or more memories, the one or more processors are configured to: ascertain a resume request for resuming to a secondary operating environment; and prior to resuming the information handling device to the secondary operating environment, initiate a primary operating environment security application. Other embodiments are described herein.

Abstract: Systems and methods for secure control of a wireless mobile communication device are disclosed. Each of a plurality of domains includes at least one wireless mobile communication device asset. When a request to perform an operation affecting at least one of the assets is received, it is determined whether the request is permitted by the domain that includes the at least one affected asset, by determining whether the entity with which the request originated has a trust relationship with the domain, for example. The operation is completed where it is permitted by the domain. Wireless mobile communication device assets include software applications, persistent data, communication pipes, and configuration data, properties or user or subscriber profiles.

Abstract: Security elevation techniques are described. In an implementation, a request is received for additional security access beyond that which is currently specified for a program. An identity that describes the program is checked with a plurality of conditions. The security level is automatically elevated to grant the additional security access when the identity corresponds to one of the conditions that indicates that the security level is to be automatically elevated.

Abstract: A device, system, and method are provided for simply and securely pairing a wireless peripheral device with a host device or system. The device, claim, and method and other peripheral devices provide for improved simplification and security of the pairing process involved with establishing a secure wireless connection between a peripheral device and a host. Simplification is improved because actions required by the user to complete the pairing process are minimized, and security is improved because of a greatly increased ability on the part of the user to ensure that pairing process is conducted in a secure environment. The pairing may be applicable to any number of host devices and peripheral devices. The host device may be a desktop computer, notebook computer, tablet computer, or similar device, and the peripheral device may be a keyboard, mouse, game controller, or personal digital assistant (PDA).

Abstract: An information processing device includes an authenticating part to authenticate a user; an operating part for setting information, an authentication canceling part to cancel an authentication of the user, an operation condition memory part to cause a second memory part to memorize the setting information memorized in a first memory part, and a reproducing part to confirm whether or not the setting information is memorized in the second memory part when the authenticating part authenticates the user. In a case where memorized, the reproducing part reads the setting information from the second memory part, and to reproduce an operation condition based on the read setting information. In a case where not memorized, the reproducing part displays a non-user condition specification screen for the user's selecting one of multiple functions.

Abstract: Utilizing an image on a computing device to serve as a template for locking/unlocking the computing device. The image includes a plurality of portions that are defined and thereafter identified and presented to a user via a touch screen. A user selects portions/zones that are defined within the image in a specified sequence and this sequence is stored as a lock/unlock code for unlocking the computing device. In an embodiment, in addition to the specified sequence of selections, a movement or sequence of movements may be also be stored as part of the lock/unlock code.

Abstract: A system, method, and program product is provided that establishes a shared secret between a computer system and a peripheral device such as a removable nonvolatile storage device or a printer. After establishing the shared secret, the peripheral device is locked. After the peripheral device is locked, an unlock request is received and the shared secret is sent to the peripheral device. The peripheral device then attempts to verify the shared secret. If the shared secret is successfully verified, then the peripheral device is unlocked allowing use of the device by using an encryption key that is made available by the verified shared secret. On the other hand, if the shared secret is not verified, then the peripheral device remains locked and use of the device is prevented.

Abstract: A service provider server has management means which manages a user ID corresponding to a service user and a device IDs corresponding to an information processing terminals of the service user in association with each other.

Abstract: A system and method for permitting user access to a computer controlled device. A display device displays a group of items to the user. Some of the items are known to the user and some are unknown to the user. An input device receives user input from the user. The user input indicates the presence or absence of the known items within the group of items without specifically identifying which items are known and which items are unknown. A computer is programmed to automatically compare the user input to a predetermined answer. If the user input is correct an access device allows access. In one preferred embodiment the user input includes a count of the number of known items within the group of items. In another preferred embodiment the group of items includes subgroups. The user input includes an identification of which subgroup has the largest number of known items. In another preferred embodiment the group of items is displayed in a grid. The known items are displayed in a pattern within the grid.

Abstract: Systems, methods, apparatus, and computer readable media are provided for disposable component authentication with respect to a biological fluid processing device instrument. An example instrument authentication system includes a computer facilitating configuration and operation of the biological fluid processing instrument using a disposable component. A first interface is provided by the computer and is used by a service technician to configure the biological fluid processing instrument for a number of disposable components and to provide a service technician with a validation code. A key generator is to accept the validation code from the service technician and generate an authentication key in response to the entered validation code. A second interface is provided by the computer, the second interface prompting the service technician to enter an authentication key, wherein the authentication key authorizes use of a certain number of disposable components for the biological fluid processing instrument.

Abstract: A containment mechanism provides for the grouping and isolation of multiple processes running on a single computer using a single instance of the operating system. A system is divided into one or more side-by-side and/or nested isolated environments enabling the partitioning and controlled sharing of resources by creating different views of hierarchical name spaces via virtual hierarchies.

Abstract: A system and method for use with a voice-capable system, includes but is not limited to a method including receiving one or more user-centric authentication preferences, and preparing one or more categories of authentication questions based on the one or more user-centric authentication preferences.

Abstract: In one embodiment of the invention, a method is provided for protecting against attacks on security of a programmable integrated circuit (IC). At least a portion of an encrypted bitstream input to the programmable IC is decrypted with a cryptographic key stored in the programmable IC. A number of failures to decrypt the encrypted bitstream is tracked. The tracked number is stored in a memory of the programmable IC that retains the number across on-off power cycles of the programmable IC. In response to the number of failures exceeding a threshold, data that prevents the decryption key from being used for a subsequent decryption of a bitstream is stored in the programmable IC.

Abstract: In a multi-domain environment, an access control apparatus belonging to a first domain obtains access control information for controlling usage of a function of an image forming apparatus corresponding to a user belonging to the first domain. When the user belonging to the first domain instructs usage of a function of an image forming apparatus belonging to a second domain, the access control apparatus belonging to the first domain requests an access control apparatus belonging to the second domain to add authentication information managed by the second domain to the access control information. The access control apparatus belonging to the first domain transmits access control information including the added authentication information to a client computer.

Abstract: Disclosed are a system and method for managing delivery of pushed web content to communication devices. In an embodiment, the method comprises: uniquely identifying a communication device to which the pushed web content is to be delivered; establishing a pushed web content service linking the pushed web content to the communication device; receiving a pushed web content service request; and permitting delivery of content to the communication device via the pushed web content service based on verification of the identity of a trusted pushed web content provider. The method may further comprise uniquely identifying the pushed web content provider with an assignable unique pushed web content identification.

Abstract: A device and method for placing the device in a locked state having an associated set of permitted tasks so as to permit the device owner to share the device with others but maintain security over aspects of the device. A task change request is evaluated to determine whether the requested task is permitted and, if so, the requested task is allowed; if not, then an authorization process is invoked to prompt the user to input authorization data. Upon verification of the authorization data, the device may be unlocked and the requested change implemented. The permitted tasks may designate specific applications, specific operations or functions within applications or at the operating system level, one or more currently open windows, and other levels of granularity.

Abstract: The described embodiments relate generally to methods and systems for user authentication for a computing device. In one embodiment, the method comprises: enabling receipt of input in relation to selection of a plurality of authenticators for consecutive use by the computing device to authenticate a user; and storing reference information identifying the selected plurality of authenticators in a memory of the computing device. The computing device may comprise a mobile device.

Abstract: A sharing management method for sharing a terminal with plural users includes: after completion of login to an operating system of the terminal or after booting up the operating system, starting to record log data for predetermined events; and after the completion of the login to the operating system or after booting up said operating system, prohibiting an operation other than predetermined operations including user authentication in a sharing management program, wherein the user authentication is other than authentication in the operating system. Then, the log data after the user authentication succeeded includes a user identifier in the sharing management program, which relates to a user whose user authentication succeeded. As a result, while ensuring the security in the terminal apparatus shared by plural users, it is possible to rapidly carry out user switching.

Abstract: A system for binding a subscription-based computer to an internet service provider (ISP) may include a binding module and a security module residing on the computer. The binding module may identify and authenticate configuration data from peripheral devices that attempt to connect to the computer, encrypt any requests for data from the computer to the ISP, and decrypt responses from the ISP. If the binding module is able to authenticate the configuration data and the response to the request for data from the ISP, then the security module may allow the communication between the computer and the ISP. However, if either the configuration cycle or the response cannot be properly verified, then the security module may degrade operation of the computer.

Abstract: The invention relates to a method of securing a changing scene composed of at least one element and intended to be played back on a terminal. According to the invention, such a method comprises the following steps: creation (10) of at least one security rule, defining at least one authorization to modify said scene and/or at least one element of said scene and/or an authorization to execute at least one command in a context of playing back said scene on said terminal; allocation (10) of a security policy, comprising at least one of said security rules, to said scene and/or to at least one of said elements of said scene.

Abstract: A technique allows software developers to develop applications for a smart phone or other terminal by unlocking the terminal so that it can run unsigned applications. A developer registers with a web-based service, agrees to registration terms, and provides authentication credentials. Data which verifies the authentication credentials is provided back to the developer's computer. The terminal is connected to the developer's computer, and via a user interface, the developer requests registration of the terminal. In response, the terminal receives the data from the developer's computer, and provides the data and a unique terminal identifier to the service. If authorized, the service returns a persistent token or license which is stored at, and used to unlock, the terminal. The service can also provide a command which enforces an expiration date. The terminal checks in with the service to determine if the account is in good standing, and is re-locked if warranted.

Abstract: A computer-implemented method for securing access to kernel devices may include (1) identifying a context proxy privileged to access a secure device interface for a device, (2) receiving a request from the context proxy to allow a user-mode process to access a non-secure device interface for the device, (3) receiving a request from the user-mode process to access the non-secure device interface, and then (4) allowing the user-mode process to access the non-secure device interface directly based on the request from the context proxy. Various other methods and systems are also disclosed.

Abstract: An apparatus and method for aggregating and accessing data according to user information are provided. According to one aspect, an interface device for providing data between a first device and a second device comprises an input, an output, logic, and a repository for storing personal data and data associated with one or more users. The input of the interface device receives data in a first format from the first device. The logic receives a data request, identifies a second device for receiving the data, identifies a second format for the second device, and translates the data to the second format. The translated data is then transmitted to the second device via the output. The logic may further collect, aggregate, and transmit the aggregated data to a requesting device. The input may be a product identification input device. The second device may be billed for the data services.

Abstract: According to one embodiment, electronic device includes: display controller; user presence determination module; user authentication module; and controller. The user presence determination module determines presence of a user based on image data received from the camera while dominating access to a camera. The user authentication module dominates access to the camera, if the display is put in a screen lock state and to perform a user authentication based on the image data. The controller turns off the display if the user present determination module determines that the user is absent and while the display has not been put in the screen lock state, and to cause the user presence determination module to release the access to the camera and to put the display in the screen lock state before turning on the display if it is determined after the display is turned off that the user is present.

Abstract: The present invention relates to a method for authorizing a program sequence. Carrying out software authorization is basically known from the prior art, for example by inputting appropriate license keys, or in a recurring manner via challenge response protocols. Latency results in the program sequence when challenge response protocols are used. Furthermore, the use of external modules for the authorization represents a large outlay in materials, costs, and administrative effort. The object of the present invention, therefore, is to extend the known authorization methods in such a way that, despite centralization and the associated high latency and optionally faulty communication, an undisturbed program sequence is made possible, also with protection of base functionalities.

Abstract: According to one embodiment, an information processing apparatus comprises a wireless communication device, a display, a logon process module, and a display control module. The logon process module is configured to cause the display to display a logon screen, in a logon process of identifying a user account which uses an operating system. The display control module is configured to cause the display to display, together with the logon screen, a state of an access point detected by the wireless communication device.

Abstract: Methods, systems, and computer program products for protecting information on a user interface based on a viewability of the information are disclosed. According to one method, a viewing position of a person other than a user with respect to information on a user interface is identified. An information viewability threshold is determined based on the information on the user interface. Further, an action associated with the user interface is performed based on the identified viewing position and the determined information viewability threshold.

Abstract: A method, apparatus, and system for accessing at least a portion of a device based upon an access input. An access input is received. The access input includes information for gaining access to one or more functions of the device. A user access mode of the device is changed from a first access mode to a second access mode based upon at least in part on the access input. An application is selected in the device in response to changing from the first access mode to the second access mode. At least a portion of the output of the selected application is provided.

Abstract: An administrator may set restrictions related to the operation of a virtual machine (VM), and virtualization software enforces such restrictions. There may be restrictions related to the general use of the VM, such as who may use the VM, when the VM may be used, and on what physical computers the VM may be used. There may be similar restrictions related to a general ability to modify a VM, such as who may modify the VM. There may also be restrictions related to what modifications may be made to a VM, such as whether the VM may be modified to enable access to various devices or other resources. There may also be restrictions related to how the VM may be used and what may be done with the VM. Information related to the VM and any restrictions placed on the operation of the VM may be encrypted to inhibit a user from circumventing the restrictions.

Abstract: A first message comprising a received indication of a management key block (MKB) and a received indication of an authorization table (AT) is received at a first network device from a second network device. The received indications of the MKB and AT are validated by comparing them to generated indications of the MKB and AT, respectively. A response is generated based on the validation of the received indications and transmitted from the first network device to the second network device. The generated indications and response are stored. A second message comprising a second received indication of the MKB and a second received indication of the AT is received at the first network device from the second network device. The first network device communicates with the second network device in accordance with the stored response on determining that the second received indications match corresponding stored indications.

Abstract: A method of authenticating a user of a computing device is proposed, together with computing device on which the method is implemented. In the method a modified base image is overlaid with a modified overlay image on a display. The modified overlay image comprises a plurality of numbers. At least one of the modified base image and modified overlay image is moved by the user. Positive authentication is indicated in response to the base image reference point on the modified base image being aligned, in sequence, with two or more numbers from the overlay image that equal a pre-selected algebraic result when one or more algebraic operator is apply to the numbers.

Abstract: An access request authentication method, an authorization information generation method, an access request authentication system, and a hardware device. The access request authentication method includes: obtaining the current clock information; receiving a first access request, where the first access request includes a first input code; and determining whether to authorize the first access request based on the current clock information and the first input code.

Abstract: Systems, methods, and computer program products are provided for user authentication required for conducting online financial institution transactions. The disclosed embodiments leverage the capabilities of platforms other than conventional personal computers and laptops, such as gaming consoles and wireless devices. Unique intrinsic user activities, such as controller motions or activities, built-in hardware signatures or other input data are used as the authentication mechanism, so as to provide a higher degree of security in the overall authentication process by lessening the likelihood of password replication or interception during network communication.

Abstract: A method for unlocking an electronic device, a first image in a first area and a second image in a second area selected on a touch panel of the electronic device are received. The method combines the first image and the second image to obtain a selected combination image, and unlocks the electronic device upon the condition that the selected combination image is stored in a storage unit of the electronic device.

Abstract: A workflow request having a set of device specific operations and credentials is obtained. The workflow request is parsed to locate at least one of the set of device specific operations and credentials. The located device specific operations and credentials are replaced with at least one logical device operation and logical credentials to create a generalized credential and protocol workflow.

Abstract: The present invention is an image forming device capable of executing an authentication print printing. The image forming device includes: an authentication print detecting unit which detects whether to execute a job as the authentication print printing by referencing predetermined data; an authentication unit; a user authentication unit which outputs the result of the user authentication; a job executing unit; a user interface; and a user interface input mode switching unit which switches an information input/output mode of the user interface, wherein, an instruction to execute a first process can be received, and wherein the first process includes processes in which: the execution of the authentication print printing starts based on the result of the user authentication output by the user authentication unit; and the result of the user authentication is invoked so that the information input/output mode of the user interface is switched to a login mode.

Abstract: A method may include receiving, at a service server, a request for services from a requesting device. The service server may identify one or more service options responsive to the request and send a list of the identified service options to the requesting device. The service server may receive a selected service option from the requesting device. The service server may collect payment information for the selected service option from the requesting device and providing accounting information to a service provider of the selected service option based on the payment information.

Abstract: An authentication method and an input device are provided in which a password which a user has inputted in person can be easily reproduced, and it is unlikely for a password leak to occur even when peeped at. An authentication password includes position identification information disposed in an arbitrary position in an input section of an input device. Position identification information corresponding to a first indicated position of an input trajectory inputted from the input section is acquired. Based on the input trajectory, trajectory information representing repetitions of the trajectory from the first indicated position and movement information representing a movement direction with respect to the first indicated position are calculated.

Abstract: A computer-implemented method and system for binding digital rights management executable code to a software application are disclosed. The method and system include identifying a host code block in the host code section, copying the host code block from the host code section to a stub code block in the stub code section, and re-routing at least one reference of the host code block to be a reference of the stub code block.