Authorization Patents (Class 726/17)
  • Patent number: 8875258
    Abstract: This document describes tools that constrain a login to a subset of access rights. In one embodiment, the tools generate a constrained password by executing a cryptographic algorithm on a user ID, general password, and one or more desired constraints. The constrained password is used in place of the general password to gain access rights that are a subset of the access rights that would be granted if the general password were used instead.
    Type: Grant
    Filed: February 18, 2013
    Date of Patent: October 28, 2014
    Assignee: Microsoft Corporation
    Inventors: John R. Michener, Niels T. Ferguson, Carl M. Ellison, Josh D. Benaloh, Brian A. LaMacchia
  • Patent number: 8875128
    Abstract: A host controller associates each virtual machine with at least one label from a hierarchy of labels, where each label represents a distinct virtual machine parameter. The host controller also associates a user with one or more roles and with one or more labels from the hierarchy of labels, where each role defines at least one action permitted to be performed with respect to virtual machines. The host controller further facilitates control over user actions pertaining to virtual machines based on the roles and the labels associated with the user.
    Type: Grant
    Filed: November 30, 2009
    Date of Patent: October 28, 2014
    Assignee: Red Hat Israel, Ltd.
    Inventors: Vitaly Elyashev, Shahar Havivi
  • Patent number: 8869254
    Abstract: Verifying a user includes: receiving a service request; generating a text based first dynamic password upon receiving the service request; converting the first dynamic password into sound information; transmitting the sound information to a user terminal over a communication network; receiving over the Internet a second dynamic password entered by the user based on the sound information, the second dynamic password being a text based password; comparing the first and second dynamic passwords for consistency; and indicating that verification is successful if the first and the second dynamic passwords are consistent.
    Type: Grant
    Filed: August 16, 2010
    Date of Patent: October 21, 2014
    Assignee: Alibaba Group Holding Limited
    Inventors: Yingwei Chen, Zheng Yang
  • Patent number: 8869292
    Abstract: A 3D object is protected by a first device that receives the 3D object, generates translation vectors that are added to the points of the 3D object to obtain a protected 3D object, and outputs the protected 3D object. The protected 3D object is unprotected by a second device by receiving the protected 3D object, generating translation vectors that are subtracted from the points of the protected 3D object to obtain an unprotected 3D object, and outputting the unprotected 3D object. Also provided are the first device, the second device and computer readable storage media.
    Type: Grant
    Filed: May 1, 2012
    Date of Patent: October 21, 2014
    Assignee: Thomson Licensing
    Inventors: Marc Eluard, Yves Maetz, Sylvain Lelievre
  • Patent number: 8869263
    Abstract: A wireless communications system may include a user-wearable device including a clasp having open and closed positions, a first wireless security circuit (WSC), and a first controller coupled to the clasp and the first WSC. The system may further include a mobile wireless communications device including a portable housing, an input device(s), a second WSC carried by the portable housing and configured to communicate with the first WSC when in close proximity therewith, and a second controller carried by the portable housing and coupled to the second WSC and the input device(s). The second controller may be configured to enable mobile wireless communications device(s) function based upon a manual entry of an authentication code via the input device(s), and bypass the manual entry and enable the mobile wireless communications device function(s) based upon a communication from the user-wearable device and a position of the clasp.
    Type: Grant
    Filed: February 26, 2010
    Date of Patent: October 21, 2014
    Assignee: BlackBerry Limited
    Inventors: Jerome Pasquero, David Ryan Walker, Jason T. Griffin
  • Patent number: 8868699
    Abstract: Methods and systems for enabling communication of information within a network are disclosed herein and comprise receiving at a first communication device located within a network, configuration information from a network service provider for configuring a plurality of communication devices located within said network. The first communication device located within the network can be configured based on at least a portion of the received configuration information. In response to a user input at a second communication device located within the network, at least a portion of the received configuration information can be communicated from the first communication device to the second communication device located within the network. The network service provider can be coupled to the first communication device via a wired connection. The network can comprise a wireless network.
    Type: Grant
    Filed: June 18, 2013
    Date of Patent: October 21, 2014
    Assignee: Broadcom Corporation
    Inventors: Stephen R. Palm, Henry Ptasinski
  • Patent number: 8869265
    Abstract: A method in one example implementation includes intercepting a request associated with an execution of an object (e.g., a kernel module or a binary) in a computer configured to operate in a virtual machine environment. The request is associated with a privileged domain of the computer that operates logically below one or more operating systems. The method also includes verifying an authorization of the object by computing a checksum for the object and comparing the checksum to a plurality of stored checksums in a memory element. The execution of the object is denied if it is not authorized. In other embodiments, the method can include evaluating a plurality of entries within the memory element of the computer, wherein the entries include authorized binaries and kernel modules. In other embodiments, the method can include intercepting an attempt from a remote computer to execute code from a previously authorized binary.
    Type: Grant
    Filed: December 21, 2012
    Date of Patent: October 21, 2014
    Assignee: McAfee, Inc.
    Inventors: Amit Dang, Preet Mohinder
  • Patent number: 8869264
    Abstract: A method, apparatus and program product for attesting a component of a system during a boot process. The method comprises the steps of: verifying that the system is in a trusted state; in response to verifying that the system is in a trusted state, requesting an enrollment of the system wherein the requesting step further comprises the step of: retrieving enrollment data associated with the system; retrieving current input data associated with the component of the system; comparing the current input data against the enrollment data in order to determine whether the system can retain its trusted state; wherein in response to the comparing step, if the current input data matches the enrollment data, the system retains its trusted state; and accepting the trusted state until receipt of a notification, from the system having a retained trusted state, of an update to the system.
    Type: Grant
    Filed: September 23, 2011
    Date of Patent: October 21, 2014
    Assignee: International Business Machines Corporation
    Inventors: David N. Mackintosh, Jose J. P. Perez, James W. Walker
  • Patent number: 8869258
    Abstract: A system and method for troubleshooting errors that occur during token requests. An identity provider generates a session ID and uses the session ID when logging events that occur during handling of the request. Multiple servers, processes, or threads may use the same session ID. The session ID may be sent with an error message to the requester. An ID of one or more servers that processed the request may also be sent to the requester. Upon receiving the error message, the requester may provide the error information to an administrator, who uses the information to retrieve associated logged events.
    Type: Grant
    Filed: March 12, 2010
    Date of Patent: October 21, 2014
    Assignee: Microsoft Corporation
    Inventors: Wei Wu, Balaji Azhagiyapandiapuram
  • Patent number: 8869294
    Abstract: To provide hardware protection against timing based side channel attacks, a processor's microarchitecture enables an OS to determine which applications have the privilege to read timestamp and performance counters. Using a white list of applications, and an authentication mechanism to authenticate applications, a legitimate Protection Required Application (PRA) may temporarily prevent other applications from reading timestamp and performance counters while it executes (or executes sensitive operations).
    Type: Grant
    Filed: December 5, 2007
    Date of Patent: October 21, 2014
    Assignee: Intel Corporation
    Inventors: Julien Sebot, Shay Gueron
  • Patent number: 8869261
    Abstract: A method is disclosed for adjusting a security interface display on an electronic device. The method comprises a user of an electronic device requesting a change in the display of an interface for entering security code information on the device. The device presents to the user a variety of options related to the manner in which the graphical elements of the security interface may be displayed. The user may select any one or more of the display options. The electronic device thereafter displays a security interface with graphical elements displayed according to the user's selection.
    Type: Grant
    Filed: May 2, 2012
    Date of Patent: October 21, 2014
    Assignee: Google Inc.
    Inventor: Kenneth Russell Carter
  • Publication number: 20140310800
    Abstract: A request is received from a security tool, the request relating to an event involving data records in a storage device. An application programming interface (API) is used to interface with secure storage functionality of the storage device, the secure storage functionality enabling a set of secure storage operations. A security operation is caused to be performed at the storage device involving the data records based at least in part on the request. In one aspect, the set of secure storage operations can include a direct read operation, a direct write operation, a copy-on-write operation, and a save-attempted-write operation.
    Type: Application
    Filed: June 28, 2013
    Publication date: October 16, 2014
    Inventors: Atul Kabra, Michael Hughes, John Teddy
  • Publication number: 20140310799
    Abstract: Systems and methods of delivering data from a range of input devices may involve detecting an availability of data from an input device, wherein the input device is associated with a default input path of a mobile platform. An input device driver can be invoked in a security engine in response to the availability of the data if a hardware component in the default input path is in a secure input mode, wherein the security engine is associated with a secure input path of the mobile platform. Additionally, the input device driver may be used to retrieve the data from the input device into the security engine.
    Type: Application
    Filed: July 31, 2012
    Publication date: October 16, 2014
    Inventors: Sasikanth Avancha, Ninad Kothari, Rajesh Banginwar, Taeho Kgil
  • Patent number: 8863310
    Abstract: A method and apparatus for improved digital rights management is provided.
    Type: Grant
    Filed: November 22, 2011
    Date of Patent: October 14, 2014
    Assignee: Samsung Information Systems America, Inc.
    Inventor: Eric Buchanan
  • Patent number: 8861798
    Abstract: A method for authenticating the identity of a handset user is provided. The method includes: obtaining a login account and a password from the user; judging whether the login account and the password are correct; if the login account or the password is incorrect, refusing the user to access an operating system of the handset; if the login account and the password are correct, sending the login account and the password to a cloud server, wherein the login account and the password correspond to a face sample image library of the user stored on the cloud server; acquiring an input face image of the user; sending the input face image to the cloud server; authenticating, by the cloud server, the identity of the user according to the login account, the password and the input face image.
    Type: Grant
    Filed: June 30, 2011
    Date of Patent: October 14, 2014
    Assignee: Shenzhen Junshenghuichuang Technologies Co., Ltd.
    Inventor: Dongxuan Gao
  • Patent number: 8863004
    Abstract: An approach is provided for increasing the functionality of a user device when the device is in an, at least in part, locked state. The approach involves presentation of a first user interface and rendering of at least a portion of a second user interface associated with the first user interface while the user device is in an, at least in part, locked state wherein the second user interface is associated with one or more applications and/or one or more services. Further, one or more interactions with the first user interface and/or with the at least a portion of the second user interface are detected and processed for at least changing the device to an, at least in part, unlocked state.
    Type: Grant
    Filed: October 28, 2011
    Date of Patent: October 14, 2014
    Assignee: NAVTEQ B.V.
    Inventor: Bernard Berus
  • Patent number: 8863238
    Abstract: A control unit for controlling a card reader. The control unit includes an authentication management unit for transmitting/receiving information to/from a host and each of a first encryption magnetic head device and a second encryption magnetic head device to mutually authenticate each other. The authentication management unit includes (1) a commanding means for commanding one of the first encryption magnetic head device and the second encryption magnetic head device to create lower-level information for authentication, according to a request on authentication from the host, (2) a sharing means for transmitting the lower-level information for authentication received from the above-mentioned one device to the other device for the purpose of sharing it and (3) a transmission means for transmitting the lower-level information for authentication, having been shared in all of the first encryption magnetic head device and the second encryption magnetic head device, to the host.
    Type: Grant
    Filed: November 15, 2012
    Date of Patent: October 14, 2014
    Assignee: Nidec Sankyo Corporation
    Inventor: Tsutomu Baba
  • Publication number: 20140304807
    Abstract: There is provided a method to activate and restrict control of a device. A first step involves positioning a secondary device on a human body which generates an authorization key. A second step involves using the human body as a local transmitter to transmit the authorization key from the secondary device to the device which is to be activated and controlled.
    Type: Application
    Filed: April 3, 2014
    Publication date: October 9, 2014
    Applicant: DEETECTEE MICROSYSTEMS INC.
    Inventor: Edwin BRAUN
  • Patent number: 8856916
    Abstract: In response to a trigger indicating to prevent access to confidential information on a specific user's mobile device, access is prevented to all parties, until a successful reauthorization occurs. Preventing access can comprise storing encrypted confidential information and removing the decryption key. In order to subsequently access the confidential information, a reauthorization attempt is made. The current geo-location of the mobile device at the time of the attempt is compared to at least one authorized geo-location associated with the specific user. In response to a) the password and user identifier being correct and to b) the current geo-location of the mobile computing device being an authorized geo-location associated with the specific user, the attempt to reauthorize is successful, whereas otherwise the attempt is unsuccessful. Only in response to a successful attempt is access to the confidential information re-allowed.
    Type: Grant
    Filed: October 5, 2012
    Date of Patent: October 7, 2014
    Assignee: Symantec Corporation
    Inventor: William E. Sobel
  • Patent number: 8856789
    Abstract: Trusted execution of a self-modifying executable is facilitated. An attempt to access a data portion of a self-modifying executable during execution of the self-modifying executable is detected. The self-modifying executable includes the data portion, for storing data to be accessed during execution of the self-modifying executable, and an instruction portion including instructions for execution of the self-modifying executable. The attempt to access the data portion is retargeted to a separate portion of memory space that is separate from another portion of memory space in which the self-modifying executable is loaded for execution. Meaningful measurability of the integrity of the self-modifying executable is thereby provided.
    Type: Grant
    Filed: September 6, 2012
    Date of Patent: October 7, 2014
    Assignee: Assured Information Security, Inc.
    Inventor: Jacob Torrey
  • Patent number: 8848258
    Abstract: When output data is created, image data for preview image is generated based on the output data. Based on the image data, a preview image corresponding to the output data is displayed.
    Type: Grant
    Filed: July 28, 2011
    Date of Patent: September 30, 2014
    Assignee: Sharp Kabushiki Kaisha
    Inventor: Yoshihiro Mizoguchi
  • Patent number: 8850202
    Abstract: A system and method for authenticating a peer device onto a network using Extensible Authentication Protocol (EAP). The key lifetime associated with the keying material generated in the peer device and the authentication server is communicated from the authenticator to the peer device within the EAP Success message. The peer device, having been provided with the key lifetime, can anticipate the termination of its authenticated session and initiate re-authentication prior to expiry of the key lifetime.
    Type: Grant
    Filed: December 3, 2012
    Date of Patent: September 30, 2014
    Assignee: BlackBerry Limited
    Inventor: Leonardo José Silva Salomone
  • Patent number: 8850135
    Abstract: Embodiments of the present disclosure provide methods and systems for securely installing software on a computing device, such as a mobile device. In one embodiment, the device executes an installer that securely installs the software. In order to perform installations securely, the installer configures one or more secure containers for the software and installs the software exclusively in these containers. In some embodiments, the installer randomly determines the identifiers for the containers. These identifiers remain unknown to the software to be installed. Instead, an installation framework maintains the correspondence between an application and its container. Other methods and apparatuses are also described.
    Type: Grant
    Filed: September 5, 2012
    Date of Patent: September 30, 2014
    Inventors: Dallas De Atley, Simon Cooper
  • Patent number: 8850230
    Abstract: This document describes tools capable of enabling cloud-based movable-component binding. The tools, in some embodiments, bind protected media content to a movable component in a mobile computing device in a cryptographically secure manner without requiring the movable component to perform a complex cryptographic function. By so doing the mobile computing device may request access to content and receive permission to use the content quickly and in a cryptographically robust way.
    Type: Grant
    Filed: January 14, 2008
    Date of Patent: September 30, 2014
    Assignee: Microsoft Corporation
    Inventors: Patrik Schnell, Alexandre V Grigorovitch, Kedarnath A Dubhashi
  • Patent number: 8850563
    Abstract: User accounts, authentication information and user home directories are stored on an external storage media that can be transferred from one device to another. Measures are included for detecting tampering of stored information and for preventing possibly conflicting or damaging account and file information from entering a host device.
    Type: Grant
    Filed: September 15, 2012
    Date of Patent: September 30, 2014
    Inventor: Bruce Gaya
  • Patent number: 8850557
    Abstract: Disclosed are a processor and processing method that provide non-hierarchical computer security enhancements for context states. The processor can comprise a context control unit that uses context identifier tags associated with corresponding contexts to control access by the contexts to context information (i.e., context states) contained in the processor's non-stackable and/or stackable registers. For example, in response to an access request, the context control unit can grant a specific context access to a register only when that register is tagged with a specific context identifier tag. If the register is tagged with another context identifier tag, the contents of the specific register are saved in a context save area of memory and the previous context states of the specific context are restored to the specific register before access can be granted.
    Type: Grant
    Filed: February 29, 2012
    Date of Patent: September 30, 2014
    Assignee: International Business Machines Corporation
    Inventors: Richard H. Boivie, William E. Hall, Guerney D. H. Hunt, Suzanne K. McIntosh, Mark F. Mergen, Marcel C. Rosu, David R. Safford, David C. Toll, Carl Lynn C. Karger
  • Patent number: 8850212
    Abstract: A method of extending an integrity measurement in a trusted device operating in an embedded trusted platform by using a set of policy commands to extend a list of Platform Configuration Registers (PCRs) for the device and the current values of the listed PCRs and an integrity value identifying the integrity measurement into a policy register, verify a signature over the integrity value extended into the policy register, and, if verification succeeds, extend a verification key of the trusted platform, plus an indication that it is a verification key, into the policy register, compare the integrity value extended into the policy register with a value stored in the trusted platform, and, if they are the same: extend the stored value, plus an indication that it is a stored value, into the policy register, and extend the integrity measurement in the trusted device if the value in the policy register matches a value stored with the integrity measurement.
    Type: Grant
    Filed: May 12, 2011
    Date of Patent: September 30, 2014
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Graeme John Proudler, Liqun Chen
  • Patent number: 8850533
    Abstract: Techniques for multi-level authentication for medical data access are supported. A system may include a central medical information management system that provides restricted access to medical data. An accessing device supports multiple different authentication levels. For example, the accessing device may use a combination of device identifiers, passwords, and quick access codes to ensure access only by authorized users.
    Type: Grant
    Filed: May 28, 2010
    Date of Patent: September 30, 2014
    Assignee: Medaxion, LLC
    Inventors: Jeffrey Lee McLaren, William Dyer Rodes, II, John Malcolm Toups
  • Patent number: 8850519
    Abstract: Systems and methods for providing authentication using an arrangement of dynamic graphical images. The graphical images can be arranged as a grid or matrix for presentation on a device display for authentication of a user. The kinds of graphical images can be derived from a designated authentication category and non-authenticating categories. A series of password elements corresponding to the graphical images can be displayed with the graphical images. The user may enter the series of one or more password elements corresponding to graphical images from the authentication category which combine to form a password entry. An authentication server can compare the password entry to an authentication password corresponding to the particular arrangement of dynamic graphical images. The selection of graphical images, their arrangement and their corresponding password elements, may dynamically change in between authentication processes.
    Type: Grant
    Filed: December 23, 2010
    Date of Patent: September 30, 2014
    Assignee: Confident Technologies, Inc.
    Inventors: Steven L. Osborn, Nicholas A. Davis, James L. Sontag, Joel Norvell
  • Publication number: 20140289841
    Abstract: The present invention is to enable a user to input authentication information without burden, such that the user only has to memorize part of the authentication information even when inputting lengthy authentication information in order to ensure high-level security. When an operation of inputting and arranging authentication information in an information arrangement region is performed in a state where an arrangement status of a specified portion in the information arrangement region is set in advance as partial-authentication reference information in a reference authentication information memory, a CPU detects an arrangement status of the specified portion from an overall arrangement status in the information arrangement region, and performs, as partial authentication, processing of matching the detected arrangement status of the specified portion and the arrangement status of the specified portion set as the partial-authentication reference information.
    Type: Application
    Filed: March 20, 2014
    Publication date: September 25, 2014
    Applicant: CASIO COMPUTER CO., LTD.
    Inventor: Shinichi HAGIWARA
  • Patent number: 8844024
    Abstract: Computer-implemented methods and systems for using tiered signing certificates to manage the behavior of executables are disclosed. In one example, a method for performing such a task may include: 1) identifying an executable file, 2) identifying a signing certificate associated with the executable file, 3) identifying, within the signing certificate, a privilege level associated with the executable file, and then 4) managing behavior of the executable file in accordance with the privilege level associated with the executable file. Corresponding methods and systems for generating tiered signing certificates for executable files are also disclosed.
    Type: Grant
    Filed: March 23, 2009
    Date of Patent: September 23, 2014
    Assignee: Symantec Corporation
    Inventors: Nicholas Graf, Spencer Smith, Adam Glick
  • Patent number: 8844025
    Abstract: Example embodiments disclosed herein relate to a storage device. The storage device may include a mechanism that monitors for receipt of cached authentication data from a host computing device upon resuming operation from a standby mode of the host computing device. The storage device may further include a mechanism that unlocks the storage device in response to receipt of the cached authentication data from the host computing device. In addition, the storage device may include a mechanism that monitors for receipt of re-authentication data and a mechanism that locks the storage device when a predetermined period of time has passed since resuming operation from the standby mode without receipt of the re-authentication data. Related computing devices, methods, and machine-readable storage media are also disclosed.
    Type: Grant
    Filed: March 26, 2010
    Date of Patent: September 23, 2014
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Leonard E. Russo, Lan Wang, Jennifer E. Rios
  • Patent number: 8843111
    Abstract: A method for emitting a message relating to a determined type of information to be exchanged between an aircraft and a ground base reception method, and corresponding devices. The method determines a level of a securement associated with the determined type by a correspondence table, and emits the message according to a protocol having the determined level of securement.
    Type: Grant
    Filed: March 7, 2007
    Date of Patent: September 23, 2014
    Assignee: Airbus Operations S.A.S.
    Inventors: Agnes Leclercq, Cecile Colle-Morlec
  • Patent number: 8844021
    Abstract: In one embodiment, a processor can enforce a blacklist and validate, according to a multi-phase lockstep integrity protocol, a device coupled to the processor. Such enforcement may prevent the device from accessing one or more resources of a system prior to the validation. The blacklist may include a list of devices that have not been validated according to the multi-phase lockstep integrity protocol. Other embodiments are described and claimed.
    Type: Grant
    Filed: June 25, 2013
    Date of Patent: September 23, 2014
    Assignee: Intel Corporation
    Inventors: Ned M. Smith, Vedvyas Shanbhogue, Geoffrey S. Strongin, Willard M. Wiseman, David W. Grawrock
  • Patent number: 8843749
    Abstract: Described are a system and method for presenting security information about a current site or communications session. Briefly stated, a browsing software is configured to receive a certificate during a negotiation of a secure session between a local device and a remote device. The certificate includes security information about a site maintained at the remote device. The security information is displayed to a user of the browsing software in a meaningful fashion to allow the user to make a trust determination about the site. Displaying the security information may include presenting a certificate summary that includes the most relevant information about the certificate, such as the name of the owner of the site and the name of the certificating authority of the certificate.
    Type: Grant
    Filed: May 7, 2010
    Date of Patent: September 23, 2014
    Assignee: Microsoft Corporation
    Inventors: Aaron J. Sauve, Cornelis K. Van Dok, Marc A. Silbey
  • Publication number: 20140283008
    Abstract: The present application discloses systems and methods of creating, administrating, assigning, and managing lockout-tagout (LOTO) procedures and other safety compliance procedures.
    Type: Application
    Filed: March 17, 2014
    Publication date: September 18, 2014
    Applicant: Master Lock Canada, Inc.
    Inventors: Franco F. Daino, Mark Frederiksen, Somen Mondal, Matthew Paterson, Shaun Ricci
  • Publication number: 20140283007
    Abstract: A method for gaining access or entry to a system. The method comprises (a) beginning a secure system act by a user; (b) beginning counting of time intervals concurrent with execution of step (a); (c) ending the secure system act by the user; (d) capturing a final time interval count concurrent with execution of step (c); (e) determining whether the secure system act matches a correct secure system act; (d) determining whether the final time interval count matches a correct final time interval count; and (e) granting the user access or entry to the system responsive affirmative results of step (d).
    Type: Application
    Filed: March 12, 2014
    Publication date: September 18, 2014
    Inventor: Eric Lynch
  • Patent number: 8839411
    Abstract: A computationally implemented system and method that is designed to, but is not limited to: determining which of a plurality of users detected in proximate vicinity of a computing device has primary control of the computing device; and providing a particular level of access, via the computing device, to one or more items, the particular level of access to be provided to the one or more items being in response, at least in part, to said determining. In addition to the foregoing, other method aspects are described in the claims, drawings, and text forming a part of the present disclosure.
    Type: Grant
    Filed: June 30, 2011
    Date of Patent: September 16, 2014
    Assignee: Elwha LLC
    Inventors: Royce A. Levien, Richard T. Lord, Robert W. Lord, Mark A. Malamud, John D. Rinaldo, Jr., Clarence T. Tegreene
  • Patent number: 8838803
    Abstract: Systems and techniques for mediating user communications. A user persona manager maintains one or more user profiles and manages user interactions with other parties and with service providers based on user preferences associated with the user profile or profiles selected for a particular interaction. The persona manager receives a single set of user authentication information to establish the user identity, and provides previously stored information to other parties and service providers as appropriate, and otherwise conducts user interactions involving communications initiated by or on behalf of the user. The persona manager also examines interactions initiated by others, selects user profiles appropriate to the interactions, and routes and responds to the interactions based on information stored in the user profiles.
    Type: Grant
    Filed: December 20, 2007
    Date of Patent: September 16, 2014
    Assignee: AT&T Intellectual Property I, L.P.
    Inventor: Richard Bennett
  • Patent number: 8839412
    Abstract: Systems and methods for authenticating access to multiple data stores substantially in real-time are disclosed. The system may include a server coupled to a network, a client device in communication with the server via the network and a plurality of data stores. The server may authenticate access to the data stores and forward information from those stores to the client device. An exemplary authentication method may include receipt of a request for access to data. Information concerning access to that data is stored and associated with an identifier assigned to a client device. If the identifier is found to correspond to the stored information during a future request for access to the store, access to that store is granted.
    Type: Grant
    Filed: September 13, 2012
    Date of Patent: September 16, 2014
    Assignee: Seven Networks, Inc.
    Inventors: Ari Backholm, Parvinder Sawney
  • Patent number: 8839433
    Abstract: A system, device and method to securely notify a user of a compromise of a device are provided. The system, device and method may include a detection device adapted for determining a compromise of the device communicatively coupled to the first path, a user database including at least information regarding the device and other devices associated with the user, and the secure signal path to at least one of the other devices.
    Type: Grant
    Filed: November 18, 2010
    Date of Patent: September 16, 2014
    Assignee: Comcast Cable Communications, LLC
    Inventors: Michael O'Reirdan, Jason Livingood
  • Patent number: 8839413
    Abstract: The subject matter of this specification can be embodied in, among other things, a method that includes receiving at a computing device that is in a locked state, one or more user inputs to unlock the device and to execute at least one command that is different from a command for unlocking the device. The method further includes executing in response to the user inputs to unlock the device an unlocking operation by the device to convert the device from a locked state to an unlocked state. The method further includes executing the at least one command in response to receiving the user inputs to execute the at least one command. The at least one command executes so that results of executing the at least one command are first displayed on the device to a user automatically after the device changes from the locked state to the unlocked state.
    Type: Grant
    Filed: March 19, 2013
    Date of Patent: September 16, 2014
    Assignee: Google Inc.
    Inventors: Michael J. LeBeau, John Nicholas Jitkoff, Romain P. Guy
  • Patent number: 8839376
    Abstract: Authorizing an application to access web services or other electronic services is contemplated. Authorization of the application may include requiring the application to successfully obtain an appToken and a userToken. The appToken may be provided by an application administrator to attest to an authenticity or level of trust with the application. The userToken may be issued by an identity provider (IdP) to attest to an authenticity or level of trust with a user of the application. A service provider sourcing the services may analyze the appToken and userToken to determine content available to the application.
    Type: Grant
    Filed: June 29, 2012
    Date of Patent: September 16, 2014
    Assignee: Cable Television Laboratories, Inc.
    Inventors: Seetharama Rao V. Durbha, Stuart Hoggan
  • Patent number: 8839361
    Abstract: An access control system and method with location validation are provided. The method can include receiving a request from an authentication factor, identifying a location module associated with the authentication factor, identifying a location of the location module, and determining whether the location module is within a predetermined distance from the authentication factor or a control system, including an access panel of the control system, that received the request from the authentication factor. When the location module is within the predetermined distance from the authentication factor or the control system that received the request from the authentication factor, the method can include granting the request received from the authentication factor.
    Type: Grant
    Filed: February 4, 2013
    Date of Patent: September 16, 2014
    Assignee: Honeywell International Inc.
    Inventor: Aneesh Kumar R
  • Patent number: 8839454
    Abstract: Narrowcast communication to one or more narrowcast communication recipients is provided through the use of an extensible method and apparatus. A narrowcast communication sender determines a set of attributes that define who will be eligible to receive a narrowcast communication. The set of attributes characterize potential recipients according to qualities such as interests, location, or another descriptor of a potential narrowcast communication recipient. Through the use of a privacy sphere, attributes associated with the narrowcast communication are matched to the qualities of potential recipients to identify the network addresses of the narrowcast communication recipients. The narrowcast communication is then transmitted to those network addresses. The narrowcast communication can be then expired from recipients who are no longer eligible to receive it and transmitted to recipients who become eligible to receive the narrowcast communication.
    Type: Grant
    Filed: November 16, 2010
    Date of Patent: September 16, 2014
    Assignee: AT&T Intellectual Property I, L.P.
    Inventor: Balachander Krishnamurthy
  • Patent number: 8832823
    Abstract: Disclosed is a novel system, computer program product, and method for allowing access to an application on a handheld device. This is also known as logging on or password entry. The method begins with detecting a change in at least one of orientation and position of a handheld device relative to a given plane. At least one of a keyboard, a touch screen, a gesture, and voice recognition engine input is received. Based on a combination of the at least one of orientation and position of the handheld and the user input received matching a previously stored value, unlocking access to an application running on the handheld device. The detecting of the change in orientation or position or both can occur simultaneously with the user input or previous to the user input or after the user input.
    Type: Grant
    Filed: December 4, 2012
    Date of Patent: September 9, 2014
    Assignee: International Business Machines Corporation
    Inventors: Gregory J. Boss, James R. Kozloski, Clifford Alan Pickover, Anne R. Sand
  • Patent number: 8832800
    Abstract: A method for producing an electro-biometric signature allowing legal interaction between and the identification of persons utilizing biometric features. The method includes inputting a user's biometric features in a pre-determined sequence and checking that no feature is entered repeatedly.
    Type: Grant
    Filed: August 24, 2010
    Date of Patent: September 9, 2014
    Assignee: Administradora de Proyectos y Sistemas Avanzados, S.C.
    Inventors: Pedro Pablo Garcia Perez, Juan Luis Soto Decuir, Ciro Alfonso Herrera Ramirez
  • Patent number: 8832441
    Abstract: A mobile terminal includes a near-field communication device capable of performing near-field wireless communication with an external device, and a controller configured to instruct the external device or the near-field communication device to execute a command. The near-field communication device has a storage unit, a first mutual authentication unit for authenticating the controller and for requesting the controller to authenticate the near-field communication device, a first communication key setting unit for setting a first communication key, a second mutual authentication unit for authenticating the external device and for requesting the external device to authenticate the near-field communication device, and a second communication key setting unit for setting a second communication key.
    Type: Grant
    Filed: August 27, 2010
    Date of Patent: September 9, 2014
    Assignee: FeliCa Networks, Inc.
    Inventors: Taro Kurita, Toshiharu Takemura
  • Publication number: 20140250306
    Abstract: A decision service manager authenticating at a managed system hosting a decision service, in case of a successful authentication, the decision service manager sending a first status request to the managed system and receiving, in response to the first status request, a first indication of a current status of the managed system and authenticating at a target managed system, in case of a successful authentication at the target managed system, the decision service manager sending a second status request to the target managed system and receiving a second indication of a current status of the target managed system, the decision service manager performing a deployment readiness check comprising comparing the first and the second indication, and if a current status of the target managed system allows the target managed system to host the decision service, automatically deploying the decision service to the target managed system.
    Type: Application
    Filed: May 14, 2014
    Publication date: September 4, 2014
    Inventor: Carsten Ziegler
  • Publication number: 20140250522
    Abstract: Systems and methods using drawings as security information are disclosed. According to an aspect, a computing device may include a touchscreen display configured to receive information for drawing a security picture. Further, the computing device may include a security manager configured to determine one or more characteristics associated with input of the gesture information. The security manager may also be configured to authenticate a user based on the drawn security picture and the one or more characteristics associated with input of the gesture information.
    Type: Application
    Filed: February 27, 2014
    Publication date: September 4, 2014
    Applicant: U.S. ARMY RESEARCH LABORATORY ATTN: RDRL-LOC-1
    Inventors: Cliff Xiaogang Wang, Wesley E. Snyder, Benjamin S. Riggan