Abstract: An arrangement on monitoring of authentication, in particular for motor vehicles, includes a first communication apparatus and at least a second communication apparatus, between which a wireless communication channel can be set up. The communication apparatus items have means for authentication and encryption, with which the exchangeable data may be encrypted via the communication channel. The items of communication apparatus have storage means in which one of the digital keys usable for authentication and encryption can be stored, and in that in the storage device there is either in addition to the digital key and/or in the individual key at least one piece of information regarding at least one past communication between the first communication apparatus and the second apparatus that can be stored in memory.

Abstract: An image processing apparatus using an authentication technique that enables user authentication suited to application characteristics and user authorities, thus ensuring security and enhancing usability at the same time. An authority of a user authenticated in a first authentication process for authenticating the user is obtained. When the obtained authority of the user is a predetermined authority, control is provided to give the predetermined authority to the user authenticated in the first authentication process. When the authority of the user is not the predetermined authority, control is provided to authenticate the user in a second authentication process for authenticating the user more securely than in the first authentication process, and when the second authentication process is successful, give the obtained authority to the user.

Abstract: A chip including a processor for performing a predetermined operation, a provider for providing a clock signal, with which the processor is clocked, a counter for decrementing or incrementing a count based on the clock signal, a monitor for signaling the predetermined operation to be prevented, depending on the count, and a non-volatile storage for non-volatily storing the count.

Abstract: Systems and methods of providing a secure access layer in a mobile phone and a computer system coupled to the mobile phone to provide authentication for transmitting data between the phone and the computer system.

Abstract: A computationally implemented method includes, but is not limited to: determining that a computing device that was presenting one or more portions of one or more items and that was in possession of a first user has been transferred from the first user to a second user; and marking, in response to said determining, the one or more portions of the one or more items to facilitate the computing device in returning to the one or more portions upon the computing device being at least transferred back to the first user. In addition to the foregoing, other method aspects are described in the claims, drawings, and text forming a part of the present disclosure.

Abstract: An electronic device generates an access signal according to user input. The electronic device includes a processor, a key circuit to generate a key signal according to press of the user, a storage unit to store data, a clock generator circuit to generate a clock signal, and a protection circuit. The protection circuit generates an enable signal or a disable signal according to the key signal and the clock signal to control the storage unit to unlock or lock, and transmits the access signal to the storage unit to access the data.

Abstract: A set of security claims for a communication channel are obtained, the set of security claims including one or more security claims each identifying a security characteristic of the communication channel. The security claims are stored, as is a digital signature generated over the set of security claims by an entity. The security claims and digital signature are subsequently accessed when a computing device is to transfer data to and/or from the communication channel. The set of security claims is compared to a security policy of the computing device, and the entity that digitally signed the set of security claims is identified. One or more security precautions that the computing device is to use in transferring data to and/or from the communication channel are determined based at least in part on the comparing and the entity that has digitally signed the set of security claims.

Abstract: A security system may include a plurality of electronic devices, each having a unique identification (ID) associated therewith and configured to generate a temporary security code based upon the unique ID. The system may further include at least one mobile wireless communications device including a first Near-Field Communication (NFC) circuit, and a mobile controller configured to receive the temporary security code from a given electronic device from among the plurality of electronic devices. The system may also include an access control device associated with a personnel access position and including a second NFC sensor and a security controller. The security controller may be configured to receive the temporary security code from the first NFC sensor via NFC communications, selectively grant personnel access based upon the received temporary security code, and determine the unique ID associated with the given electronic device.

Abstract: Particular embodiments of a computing device associated with a user may detect an event using a sensor of the computing device. The event may be a lock-triggering event or an unlock-triggering event. The computing device may assess a state of the device. The computing device may also access further information associated with the user. The computing device may also monitor activity on the computing device to detect further events if such further monitoring is warranted. Based on the gathered information, the computing device may update a lock status of the device to lock or unlock access interfaces of the computing device, functionality of the computing device, or content accessible from the computing device. If the event comprised the computing device detecting an attempt by a third party to use the device, the device may attempt to identify the third party to determine if they are authorized to use the device.

Abstract: The information processing device connects with an external device by a first connection unit and a second connection unit different from each other. An identification information specific to the information processing device is transmitted from the information processing device to the external device via the first connection unit, and further transmitted from the external device to the information processing device via the second connection unit. The information processing device compares the specific identification information received from the external device with specific identification information for comparison, stored in advance, to determine whether or not the information processing device and the external device are in a simultaneous connection state in which the information processing device and the external device are connected by the first connection unit and the second connection unit.

Abstract: An embodiment includes a method executed by at least one processor comprising: determining a first environmental factor for a mobile communications device; determining a first security authentication level based on the determined first environmental factor; and allowing access to a first module of the mobile communications device based on the first security authentication level. Other embodiments are described herein.

Abstract: A storage device protection system including a protection control unit, a detection unit, an account/password input unit, an ID acquiring unit, and an encryption unit is provided. The detection unit determines whether a storage device and a key storage device are both coupled to a host. The account/password input unit receives an administrator ID and an administrator password. The ID acquiring unit obtains IDs of the storage device and the key storage device. The encryption unit encrypts the administrator ID, the administrator password, and the IDs of the storage device and the key storage device into encryption data. The protection control unit stores the encryption data into the key storage device and sets an access mode of the storage device as a protection status according to the administrator ID and the administrator password. Thereby, the storage device can be effectively unlocked by using the key storage device.

Abstract: Techniques are disclosed for dynamically mitigating a noncompliant password. The method comprises obtaining a password; generating one or more quality scores for the password using a password policy for an authentication and authorization service; determining whether the password has sufficient score quality; in response to determining that the password does not have sufficient score quality, granting to the user a different level of access to the service than if the password meets the quality criteria; wherein the method is performed by one or more computing devices.

Abstract: The subject matter of this specification can be embodied in, among other things, a method that includes specifying, with uniform resource identifiers (URIs), substantially all data accessible by applications on a device. The method also includes receiving at a universal interface a request from an application on the device for data that is specified by a URI associated with the request. Substantially all requests for data from applications on the device are received at the universal interface. The method also includes determining, based on the URI associated with the request, a content provider responsible for managing the requested data, and outputting the requested data to the application using the determined content provider to obtain the requested data based on the URI associated with the request.

Abstract: A secure data storage system includes a mechanism that can be activated to inhibit access to stored data. In one embodiment, access to stored data can be prevented without having to erase or modify such data. An encryption key, or data used to generate the encryption key, is stored in an MRAM module integrated within the data storage system. The data storage system uses the encryption key to encrypt data received from a host system, and to decrypt the encrypted data when it is subsequently read by a host system. To render the stored data inaccessible, an operator (or an automated process) can expose the MRAM module to a magnetic field of sufficient strength to erase key data therefrom.

Abstract: Improved techniques for facilitating emergency access to one or more contacts stored on a portable electronic device are disclosed. One or more contacts on the portable electronic device are designated as emergency contacts. While the portable electronic device is password-locked, a request to display the one or more emergency contacts on the password-locked portable electronic device is received. Without requiring a password, the one or more emergency contacts are displayed on the portable electronic device.

Abstract: A restricted transmogrifying driver platform is described herein. In one or more implementations, a platform is provided that enables a restricted execution environment for virtual private network (VPN) drivers and other transmogrifying drivers. The platform may be implemented as an operating system component that exposes an interface through which drivers may register with the platform and be invoked to perform functions supported by the platform. The restricted execution environment places one or more restrictions upon transmogrifying drivers that operate via the platform. For instance, execution may occur in user mode on a per-user basis and within a sandbox. Further, the platform causes associated drivers to run as background processes with relatively low privileges. Further, the platform may suspend the drivers and control operations of the driver by scheduling of background tasks. Accordingly, exposure of the transmogrifying drivers to the system is controlled and limited through the platform.

Abstract: In one embodiment, a processor can enforce a blacklist and validate, according to a multi-phase lockstep integrity protocol, a device coupled to the processor. Such enforcement may prevent the device from accessing one or more resources of a system prior to the validation. The blacklist may include a list of devices that have not been validated according to the multi-phase lockstep integrity protocol. Other embodiments are described and claimed.

Abstract: An information processing device includes an external connection unit which connects to an external device; and a communication control unit which obtains data from a first virtual machine, transmits the data to a second virtual machine, and transmits, to the external connection unit, transmission completion information indicating that the data is already transmitted to the second virtual machine. The external connection unit (i) determines, based on the transmission completion information, whether or not a virtual machine is the second virtual machine to which the data is already transmitted, when the external connection unit receives, from the virtual machine, a request for a connection to the external device, and (ii) permits a connection between the virtual machine and the external device, when the external connection unit determines that the virtual machine is not the second virtual machine to which the data is already transmitted.

Abstract: An authentication method and system to combat confirmation bias provides for an authentication system that upon matching an access request to a record for a given user in an authentication system further interrogates a set of secondary sources to determine that the individual requesting access is in fact the correct user.

Abstract: An image processing apparatus which is capable of realizing security improvements without degrading the usability. A user is authenticated, and an operation screen accepting an operation input from the user is displayed. A job is executed according to an instruction of the user authenticated by the user authenticating unit. It is determined whether or not the job of which execution is instructed by the user, is being executed when the user authenticating unit authenticates the user. A first operation screen through which the user inputs an instruction for the job in execution is displayed when the job executing unit is executing the job, of which execution is instructed by the user, whereas another operation screen through which another user inputs an instruction for another job is displayed when not.

Abstract: A system and method for contextually interpreting image sequences are provided. The method comprises receiving video from one or more video sources, and generating one or more questions associated with one or more portions of the video based on at least one user-defined objective. The method further comprises sending the one or more portions of the video and the one or more questions to one or more assistants, receiving one or more answers to the one or more questions from the one or more assistants, and determining a contextual interpretation of the video based on the one or more answers and the video.

Abstract: A system is described that can perform a method for receiving a request to modify a universal integrated circuit card, generating a package comprising configuration data for modifying the universal integrated circuit card, instructing an over-the-air system to transmit the package encrypting the package with a transport key to generate an encrypted package, and transmitting the encrypted package to a communication device communicatively coupled to the universal integrated circuit card to provision the universal integrated circuit card. The system can also perform a method of providing a mobile network operator trusted service manager system information relating to the configuration data to enable the mobile network operator trusted service manager system to manage content and memory allocation of the universal integrated circuit card.

Abstract: A token or other storage device uses Internet identities to set file access attribute rights. Subsequently, requests to access a file can be controlled by confirming the Internet identity of the requestor by either validating the request with a known public key or retrieving the public key from an Internet identity provider. Files may be stored encrypted and may be re-encrypted with the public key associated with Internet identity making the request.

Abstract: The present invention provides a data management program for performing monitoring so that user data provided to the client cannot be copied and utilized for a purpose other than the intended purpose. When a storage device (8) storing user data (3) is connected to a client computer (12), a management program (4) prohibits writing to all of the external storage devices. The management program (8) makes settings prohibiting usage of a network (7). The management program (4) performs control by acquiring the file name, folder name, and attribute data of the execution file as well as the process name and process ID of the process being executed. The management program (4) has built-in driverware (50) which runs in the kernel mode (15) of an operating system (21) and serves to provide a common interface for the communication of device drivers (35, 36, 42 to 44) and an application program (20).

Abstract: Embodiments of the present invention include a system and method for implementing a presence system. According to an embodiment of the present invention, responsive to receiving a request for presence information associated with a presentity from a watcher, the presence system receives instructions indicating that an authorization instance other than the presentity shall be given an opportunity to change or verify an authorization rule associated with the request for presence information. As a consequence, the presence system notifies the authorization instance of the request for presence information, thereby enabling the authorization instance to change or verify the authorization rule. The presence system also makes a final decision on the authorization rule on the basis of the instructions and a notification indicating a change or verification of the authorization rule.

Abstract: A system that includes a memory to store registration information for a particular application hosted by a particular user device, where the registration information includes context information regarding the particular user device and an integrity code based on credentials associated with the particular application.

Abstract: A computer system includes a security processor, a first scan chain coupled to the security processor, a non-secure element, and a second scan chain coupled to the non-secure element. The computer system also includes one or more test access port controllers to control operation of the first and second scan chains, and further includes debug control logic, coupled to the one or more test access port controllers, to enable the one or more test access port controllers to activate debug functionality on the second scan chain but not the first scan chain in response to a predefined condition being satisfied.

Abstract: Disclosed are a method, a terminal, and a service device for providing a data security service for data stored in a terminal or a data security service for backup data of the data of the terminal, backed up onto a backup device.

Abstract: A method and a device are provided for accessing data files of a secure file server, wherein a user or a process is authenticated; wherein access to the data files of the secure file server takes place by way of an encryption module of the secure file server; wherein the encryption module comprises an encryption agreement of a centralized security application; and wherein the access of the authenticated user or process to the secure file server takes place by way of an encrypted protocol taking into consideration the encryption agreement. Such a device may be included in a corresponding computer network.

Abstract: Embodiments of the invention are directed to automatically populating a database of names and secrets in an authentication server by sending one or more lists of one or more names and secrets by a network management software to an authentication server. Furthermore, some embodiments provide that the lists being sent are encrypted and/or embedded in otherwise inconspicuous files.

Abstract: Systems and methods for secure control of a wireless mobile communication device are disclosed. Each of a plurality of domains includes at least one wireless mobile communication device asset. When a request to perform an operation affecting at least one of the assets is received, it is determined whether the request is permitted by the domain that includes the at least one affected asset, by determining whether the entity with which the request originated has a trust relationship with the domain, for example. The operation is completed where it is permitted by the domain. Wireless mobile communication device assets include software applications, persistent data, communication pipes, and configuration data, properties or user or subscriber profiles.

Abstract: In one embodiment, a processor includes a microcode storage including processor instructions to create and execute a hidden resource manager (HRM) to execute in a hidden environment that is not visible to system software. The processor may further include an extend register to store security information including a measurement of at least one kernel code module of the hidden environment and a status of a verification of the at least one kernel code module. Other embodiments are described and claimed.

Abstract: In one embodiment the present invention includes a computer-implemented method comprising receiving a request from a user to perform an action on a first object in a software application, accessing a predefined hierarchy of a plurality of different object definitions, accessing user authorization data, and granting the user permission to perform the action on said first object, wherein the permission is determined from the predefined hierarchy and the user authorization data, wherein determining the permission includes traversing the predefined hierarchy.

Abstract: A medical device customization system and method comprising medical device that receives signals from a biological probe having an operational parameter and that stores data based on the signals in a memory. The medical device receives a custom application and establishes a virtual machine to run the custom application.

Abstract: A method and system for validating a form, that includes providing, to a client, the form comprising a primary token, receiving, in response to the client loading the page form, a request for a secondary token, providing the secondary token in response to receiving the request, and receiving the form comprising the primary token and a secondary token from a client. The method further includes validating the form, where validating the form includes obtaining a first primary token hash from the secondary token, applying a first hash function to the primary token to obtain a second primary token hash, and determining that the first primary token hash and the second primary token hash match. The method further includes accepting the form upon validating the form.

Abstract: A time and sleep control system and method is disclosed. According to one embodiment, a computer-implemented method includes providing a first user interface on a computing device that provides digital content to a first user, providing a second user interface associated with an operating environment on the computing device to a second user, where the second user interface provides unrestricted access to the digital content, receiving a request that is configured to be provided by the second user to access the first user interface from the operating environment, where the request allows the second user to provide restricted access to the digital content on the first user interface, granting the request, and receiving a desired time duration on the computing device that is configured to be provided by the second user, where the desired time duration controls a length of time that the first user is allowed to access the first user interface.

Abstract: A method is performed by a computing device. The method includes, (a) at the computing device, wirelessly receiving an authentication code from an authentication card via near-field communications (NFC), (b) providing the authentication code received wirelessly via NFC to an authentication service configured to authenticate the user of the computing device based on the authentication code, and (c) in response to the authentication service authenticating the user based on the authentication code received wirelessly via NFC, providing the user with access to a resource via the computing device. Analogous computer program products and apparatuses are also provided described.

Abstract: Systems and methods for passporting credentials provide a mechanism by which a native app on a client device can invoke a service provider's core web site web addresses (URL) while keeping the existing session active and shared between the two experiences (native app and web flow) so that the end user does not need to re-login at each context switch. The mechanism can include a unique way for the web flow context to communicate conditions and pass control back to the native app context of the shared session.

Abstract: A system for selectively enabling a microprocessor-based system is disclosed. State information that describes the operating conditions or circumstances under which a user intends to operate the system is obtained. In the preferred embodiment of the invention, a valid hash value is determined, preferably based on the state information and preferably by locating the valid hash value within a table of valid hash values indexed by the state information. Candidate authorization information is obtained from the user, and a candidate hash value is generated by applying a hashing algorithm to the candidate authorization information, the state information, or a combination of the candidate authorization information and state information. The candidate hash value and the valid hash value are then compared, and the microprocessor-based system is enabled if the candidate hash value matches the valid hash value.

Abstract: A computer system includes a memory having a secure area and a plurality of processors using the memory. When an access-allowed program unit executed by one of the processors starts an access to the secure area, the program unit subject to execution by the other processors is limited to the access-allowed program unit.

Abstract: A method for controlling the execution of an applet for an IC Card including a java card platform, includes a phase for downloading the applet inside the IC Card, a phase for executing the applet through the java card platform and a phase for storing an identification platform number inside a memory portion of the IC Card. The phase for executing the applet has a first step for detecting the identification platform number to perform the phase for executing the applet with or without restrictions, respectively if the identification platform number is not or is detected by the step for detecting. The applet is a java card applet or a SIM toolkit applet.

Abstract: A method for supporting pre-boot log in is described herein. The method includes receiving a password, via an operating system of the computer system, selected by a user for use in a pre-boot log in. The method includes determining whether the password can be entered by the user prior to completion of booting of the computer system. If the password cannot be entered by the user prior to completion of the booting, the method includes signaling that the password is unacceptable.

Abstract: According to one embodiment, a device gives a higher priority to a user when first authentication is successfully carried out than when second authentication is successfully carried out. The device includes a nonvolatile memory which stores a first password used for the first authentication, a position detector which detects a present position of the device, a first display processor which display a first input screen for accepting a third password input when the device is activated, and a second display processor which displays a second input screen for accepting the third password input, when the third password, which is input by using an input module when the first screen is displayed, is determined to be the first password and the present position is out of the permissible range.

Abstract: A method for disambiguating entities on a multi-level security display includes receiving a selection of a particular security level and rendering entities having a different security level in a visually distinct way. Visual distinction may include not drawing the entities on the multi-level security display.

Abstract: Embodiments of the present invention provide an approach for protecting electronic devices against the use of unqualified and/or unauthorized (e.g., “grey market”) hardware components. Specifically, in a typical embodiment, a hardware component that a user is attempting to use with an electronic device will be detected. Then, the device information associated with the hardware component (e.g., serial number, vital product data (VPD), etc.) will be identified from the hardware component (e.g., as stored therein).

Abstract: An embodiment of the invention provides a method for controlling access to a system, wherein a request to access the system and metadata of the request are received from a user, the request including a user identification. The metadata includes: information obtained from a history of prior accesses to an application access system, information obtained from a history of prior accesses to a wireless authentication system, and/or confirmation of the user identification by an entity physically proximate to the user. A database is queried with the user identification and the metadata to identify relationship data. The relationship data indicates the relationship between the individual assigned the user identification and an entity owning the system, an entity leasing the system, and/or an entity operating the system. The relationship data is input into a rules engine; and, security measure(s) are selected with the rules engine based on the relationship data.

Abstract: This document describes tools that constrain a login to a subset of access rights. In one embodiment, the tools generate a constrained password by executing a cryptographic algorithm on a user ID, general password, and one or more desired constraints. The constrained password is used in place of the general password to gain access rights that are a subset of the access rights that would be granted if the general password were used instead.

Abstract: A host controller associates each virtual machine with at least one label from a hierarchy of labels, where each label represents a distinct virtual machine parameter. The host controller also associates a user with one or more roles and with one or more labels from the hierarchy of labels, where each role defines at least one action permitted to be performed with respect to virtual machines. The host controller further facilitates control over user actions pertaining to virtual machines based on the roles and the labels associated with the user.

Abstract: Verifying a user includes: receiving a service request; generating a text based first dynamic password upon receiving the service request; converting the first dynamic password into sound information; transmitting the sound information to a user terminal over a communication network; receiving over the Internet a second dynamic password entered by the user based on the sound information, the second dynamic password being a text based password; comparing the first and second dynamic passwords for consistency; and indicating that verification is successful if the first and the second dynamic passwords are consistent.