Credential Management Patents (Class 726/18)
  • Patent number: 8468583
    Abstract: The enrollment process for purchasing multiple digital certificates configured using different cryptographic algorithms or hashing algorithms is streamlined. A certificate purchaser wishing to purchase two or more certificates is prompted to provide answers to common enrollment questions, such as the purchaser's contact information, payment details, web server software, and the like, using a simplified and streamlined enrollment process. Each certificate is optionally configured using a different hashing algorithm.
    Type: Grant
    Filed: February 23, 2010
    Date of Patent: June 18, 2013
    Assignee: Symantec Corporation
    Inventor: Richard F. Andrews
  • Patent number: 8468594
    Abstract: The present invention discloses methods, media, and systems for handling hard-coded credentials, the system including: an interception module configured for: intercepting credential usage upon receiving an application request for application credentials in order to provide access to a host application; a configuration/settings module configured for reading system configurations and settings for handling the application credentials; a credential-mapping module configured for: applying appropriate credential-mapping logic based on the system configurations and settings; and upon determining that the application credentials need to be replaced, obtaining appropriate credentials from a secured storage.
    Type: Grant
    Filed: February 12, 2008
    Date of Patent: June 18, 2013
    Assignee: Cyber-Ark Software Ltd
    Inventors: Yair Sade, Roy Adar
  • Patent number: 8464339
    Abstract: A method and system is provided to authorize a user to access in a service of higher trust level. The method includes the steps of defining first password, assigning a second password to a user, generating a value for each constituent of second password on operating an exclusivity relationship, calculating the score for the second password on summing the generating value, combining trust levels of multiple users to attain a higher trust level in aggregate, and obtaining access in a service if the aggregated trust level of users are equal to or more than the predetermined trust level of the service. The present technique provides flexibility of authenticating and authorizing a user to access in a service to perform desirable functions thereon. The present technique eliminates the requirement of tokens, pins, dongles etc. while attaining a higher trust level to perform a task which belongs to a higher trust level.
    Type: Grant
    Filed: August 12, 2009
    Date of Patent: June 11, 2013
    Assignee: Infosys Technologies Limited
    Inventors: Tiruvengalam Kanduri, Ashutosh Saxena
  • Patent number: 8458778
    Abstract: A method includes storing a security credential associated with a communication network on a portable storage device. The method also includes detecting removal of the portable storage device from a specified location. The method further includes allowing at least one communication device to communicate over the communication network using the security credential. In addition, the method includes revoking the security credential after a specified time period has elapsed. The portable storage device could represent a card, and the specified location could represent a card reader/writer. Also, the communication network could represent a wireless network, and the security credential could represent a cryptographic key.
    Type: Grant
    Filed: January 25, 2008
    Date of Patent: June 4, 2013
    Assignee: Honeywell International Inc.
    Inventors: Ramakrishna S. Budampati, Denis Foo Kune, Soumitri N. Kolavennu
  • Patent number: 8458781
    Abstract: According to one embodiment, an apparatus may store a plurality of tokens. The apparatus may receive a subject token indicating an attempt to authenticate a user. The apparatus may determine at least one token-based rule based at least in part upon a token in the plurality of tokens and the subject token. The at least one token-based rule may indicate a plurality of attributes required to access a resource. The apparatus may determine a second plurality of attributes represented by the plurality of tokens and the subject token. The apparatus may determine at least one missing attribute, which may be in the plurality of attributes but not in the second plurality of attributes. The apparatus may then request the at least one missing attribute, and in response, receive at least one token representing the at least one missing attribute.
    Type: Grant
    Filed: August 15, 2011
    Date of Patent: June 4, 2013
    Assignee: Bank of America Corporation
    Inventor: Rakesh Radhakrishnan
  • Publication number: 20130133062
    Abstract: A system for automatically completing fields in online forms, such as login forms and new user registration forms, which employs a Master Cookie File containing sets of records associated with the user, his or her accounts or web sites, and registered values associated with form tags (e.g. username, password, address, email, telephone, etc.). When the user encounters another form, the MCF is automatically searched for matching values and form tags, primarily from the same account or web site, or alternatively from other accounts or sites. A flowing pop-up menu is displayed nearby the form fields from which the user can select values to automatically complete the form. Automatic account information updating, value expiration management, mapping of favorite values, and sharing of values are optional, enhanced functions of the invention.
    Type: Application
    Filed: January 18, 2013
    Publication date: May 23, 2013
    Applicant: INTERNATIONAL BUSINESS MACHINES CORP.
    Inventor: International Business Machines Corp.
  • Patent number: 8447857
    Abstract: An approach is provided where an HTTP request is received and a Request for Security Token (RST) is created. Parameters are selected from the request and mappings are retrieved corresponding to the parameters. Context attributes are created in the RST corresponding to the parameters. A context attribute type value is set based on an HTTP section where the parameter is located within the HTTP request. The RST is sent to a security token service for processing. In another approach, a Request Security Token Response (RSTR) is received and an HTTP response is created. RSTR parameters are selected and parameter mappings are retrieved corresponding to the selected RSTR parameters from a mapping table with a TYPE value being identified based on the retrieved parameter mapping. Context attributes are added to the HTTP response based on the identified TYPE values. The HTTP response is transmitted to a remote computer system.
    Type: Grant
    Filed: March 25, 2011
    Date of Patent: May 21, 2013
    Assignee: International Business Machines Corporation
    Inventors: Scott Anthony Exton, Davin John Holmes, Stephen Viselli, Shane Bradley Weeden
  • Patent number: 8446607
    Abstract: A method and system for data loss prevention controls and protects sensitive data from being printed in an unauthorized manner. A method for controlling printing activities implemented in a computer system comprises intercepting a print job comprising print data intended for a printer driver, delaying performance of the print job, analyzing content of the print data to determine whether to allow or cancel the print job based on a security policy, and resuming or canceling the print job based on the analysis of the content of the print data.
    Type: Grant
    Filed: October 1, 2007
    Date of Patent: May 21, 2013
    Assignee: McAfee, Inc.
    Inventors: Elad Zucker, Eran Werner
  • Patent number: 8447974
    Abstract: An approach is provided for managing access rights of users to information spaces using signatures stored in a memory tag. A signature manager causes reading of a memory tag to initiate a request, from a device, for an initial access to an information space. The request includes an authorization signature associated with the device. The signature manager determines a level of access to the information space by comparing the authorization signature against a lattice of signature primitives associated with the information space. The signature manager then modifies the authorization signature based on the determination and stores the modified authorization signature for validation of subsequent access to the information space by the device.
    Type: Grant
    Filed: November 19, 2009
    Date of Patent: May 21, 2013
    Assignee: Nokia Corporation
    Inventors: Sergey Boldyrev, Ian Justin Oliver, Jari-Jukka Harald Kaaja, Joni Jorma Marius Jantunen, Jarmo Tapani Arponen
  • Patent number: 8438624
    Abstract: A method for modifying one or more system resources is provided. One or more licenses for modifying one or more system resources on a client device can be acquired. An authenticator can be generated and stored on a remote server. The authenticator can be transferred to the client device. The client device can be connected to the remote server and the remote server can authenticate the client device via the authenticator. The remote server can confirm the availability of one or more licenses, and based on the availability of one or more licenses, modify one or more system resources disposed in, on, or about the client device. After modifying the one or more system resources the remote server can decrement the remaining license count.
    Type: Grant
    Filed: March 3, 2009
    Date of Patent: May 7, 2013
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Paul J Broyles, Bernard D Desselle
  • Patent number: 8438635
    Abstract: A mechanism is provided for automatically logging into a cloud based system that does not accept token log-on credentials generated by a single sign-on service. In an embodiment, a one-time password is automatically generated and persisted. The generated password is used to log in automatically to a cloud based system that does not accept tokens generated by the web-ID providers and for connecting to other services. Examples of such systems may include Windows, Linux, and iOS.
    Type: Grant
    Filed: September 15, 2011
    Date of Patent: May 7, 2013
    Assignee: Microsoft Corporation
    Inventors: Manuvir Das, Sudarshan Yadav, Arvind Kandhare, Shivesh Ranjan, Jimmy Narang
  • Patent number: 8438634
    Abstract: Various embodiments include at least one of systems, methods, software, and data structures for communicating security credentials between Customer Information Control System (CICS) regions in a container of a CICS channel data structure. Some embodiments include receiving a dataset from a first CICS application executing within a first CICS region, the dataset received from the first CICS application for transmission to a second CICS application in a second CICS region. When the dataset includes a channel data, populating a container of the channel data with credential data to authenticate the dataset within the second CICS region and forwarding the dataset to a CICS transformer process of the first CICS region to transform and communicate the dataset to the second application in the second CICS region.
    Type: Grant
    Filed: May 29, 2009
    Date of Patent: May 7, 2013
    Assignee: CA, Inc.
    Inventor: Peter Coan
  • Patent number: 8438632
    Abstract: A low-cost Multi Function Peripheral (MFP) prevents a user from forgetting to cancel an authenticated state. The MFP includes a scanner unit, a printer unit, a touch screen, and a reset key for initializing various settings. When the user is authenticated, the MFP accepts various operations. Under a state in which the user is authenticated, when the reset key is operated, a control unit executes a logout process.
    Type: Grant
    Filed: May 28, 2010
    Date of Patent: May 7, 2013
    Assignee: Murata Kikai Kabushiki Kaisha
    Inventors: Masayuki Kanou, Kenji Dokuni
  • Patent number: 8434150
    Abstract: Detection of user accounts associated with spammer attacks may be performed by constructing a social graph of email users. Biggest connected components (BCC) of the social graph may be used to identify legitimate user accounts, as the majority of the users in the biggest connected components are legitimate users. BCC users may be used to identify more legitimate users. Using degree-based detection techniques and PageRank based detection techniques, the hijacked user accounts and spammer user accounts may be identified. The users' email sending and receiving behaviors may also be examined, and the subgraph structure may be used to detect stealthy attackers. From the social graph analysis, legitimate user accounts, malicious user accounts, and compromised user accounts can be identified.
    Type: Grant
    Filed: March 24, 2011
    Date of Patent: April 30, 2013
    Assignee: Microsoft Corporation
    Inventors: Yinglian Xie, Fang Yu, Martin Abadi, Eliot C. Gillum, Junxian Huang, Zhuoqing Morley Mao, Jason D. Walter, Krishna Vitaldevara
  • Patent number: 8434138
    Abstract: A token calculates a one time password by generating a HMAC-SHA-1 value based upon a key K and a counter value C, truncating the generated HMAC-SHA-1 value modulo 10^Digit, where Digit is the number of digits in the one time password. The one time password can be validated by a validation server that calculates its own version of the password using K and its own counter value C′. If there is an initial mismatch, the validation server compensates for a lack of synchronization between counters C and C′ within a look-ahead window, whose size can be set by a parameter s.
    Type: Grant
    Filed: December 6, 2011
    Date of Patent: April 30, 2013
    Assignee: Symantec Corporation
    Inventors: Nicolas Popp, David M'Raihi, Loren Hart
  • Patent number: 8427662
    Abstract: An image forming apparatus is disclosed that includes multiple application modules configured to perform image processing including scanning, printing, and copying of an image; multiple service modules configured to perform an image forming operation and to control the image forming apparatus; a nonvolatile configuration information storage part configured to contain first configuration information of the application modules and the service modules; a configuration information comparison part configured to read second configuration information of the application modules and the service modules and compare the first configuration information and the second configuration information before starting the application modules and the service modules; and a notification part configured to notify the manager of the image forming apparatus of the difference between the first configuration information and the second configuration information in response to detection of the difference.
    Type: Grant
    Filed: April 13, 2007
    Date of Patent: April 23, 2013
    Assignee: Ricoh Company, Ltd.
    Inventors: Hiroki Asakimori, Junji Ukegawa, Takashi Soyama, Ken Norota
  • Patent number: 8429757
    Abstract: Techniques are described for managing access to computing-related resources that, for example, may enable multiple distinct parties to independently control access to the resources (e.g., such that a request to access a resource succeeds only if all of multiple associated parties approve that access). For example, an executing software application may, on behalf of an end user, make use of computing-related resources of one or more types that are provided by one or more remote third-party network services (e.g., data storage services provided by an online storage service) —in such a situation, both the developer user who created the software application and the end user may be allowed to independently specify access rights for one or more particular such computing-related resources (e.g., stored data files), such that neither the end user nor the software application developer user may later access those resources without the approval of the other party.
    Type: Grant
    Filed: October 19, 2011
    Date of Patent: April 23, 2013
    Assignee: Amazon Technologies, Inc.
    Inventors: Mark Joseph Cavage, John Cormie, Nathan R. Fitch, Don Johnson, Peter Sirota
  • Publication number: 20130097697
    Abstract: A security module generates a random image having a plurality of password-element indicators therein. The random image is provided to a user. The user selects portions of the random image. The security module determines whether the selected portions of the random image correspond to a password for the user. The security module grants access if the selected portions of the random image correspond to the user's password. However, if the selected portions of the random image do not correspond to the user's password, the security module may generate another random image having a plurality of password-element indicators therein, wherein each of the random images are computationally de-correlated.
    Type: Application
    Filed: October 14, 2011
    Publication date: April 18, 2013
    Applicant: Microsoft Corporation
    Inventors: Bin Benjamin Zhu, Guanbo Bao, Maowei Yang, Ning Xu
  • Patent number: 8424080
    Abstract: An authentication method of an electronic device is disclosed. A plurality of key inputs is received from a user via activation of input keys. At least one key input from the key inputs is validated based on a predefined criterion to obtain a password. The password is compared to a registered password to obtain an authenticated password.
    Type: Grant
    Filed: September 28, 2010
    Date of Patent: April 16, 2013
    Assignee: KYOCERA Corporation
    Inventor: Norihiro Takimoto
  • Patent number: 8424079
    Abstract: The described embodiments relate generally to methods and systems for user authentication for a computing device. In one embodiment, the method comprises: enabling receipt of input in relation to selection of a plurality of authenticators for consecutive use by the computing device to authenticate a user; and storing reference information identifying the selected plurality of authenticators in a memory of the computing device. The computing device may comprise a mobile device.
    Type: Grant
    Filed: January 25, 2008
    Date of Patent: April 16, 2013
    Assignee: Research In Motion Limited
    Inventors: Neil P. Adams, Richard P. Sibley
  • Patent number: 8418235
    Abstract: A method and apparatus for client credential based authentication of messages between a client and a server, the client and server both knowing the client credential, the method comprising the steps of: utilizing the client credential to create a key; and using the key to authenticate messages between the client and the server.
    Type: Grant
    Filed: November 15, 2006
    Date of Patent: April 9, 2013
    Assignee: Research In Motion Limited
    Inventors: Alexander Sherkin, Michael Shenfield
  • Patent number: 8417941
    Abstract: A system, peripheral device, and method for authenticating an encryption key before transmitting encrypted messages containing sensitive information are provided. Authentication of a client device during the coordination of data transfer among multiple computer devices is possible by providing a peripheral device that does not have a direct connection to a network, but rather, any message to be transmitted over the network must be relayed through a client device. Any sensitive information to be transferred to a remote device is inserted into a message, then the message is encrypted in the peripheral device. This prevents any process running on the client device from fooling the client device into communicating confidential information to a third party rather than the desired remote computer, because the client device never sees the sensitive information in an unencrypted form; only the peripheral device has access to the sensitive information in an unencrypted form.
    Type: Grant
    Filed: May 5, 2009
    Date of Patent: April 9, 2013
    Assignee: Olympia Trust Company
    Inventors: Daniel McCann, Nima Sharifimehr
  • Publication number: 20130086672
    Abstract: An application program of the portable device receives a command of an owner when the portable device is powered on. The application program notifies a basic input/output system to set a protection variable, and notifies the owner to set a password in a setup menu of the basic input/output system after the application program receives the command of the owner. A keyboard controller turns off the portable device to enable the protection variable after the basic input/output system sets the protection variable and the setup menu of the basic input/output system stores the password. After the protection variable is enabled, whenever the portable device is powered on, the basic input/output system checks a password inputted to the portable device at least once and the basic input/output system executes a corresponding operation according to a check result.
    Type: Application
    Filed: December 12, 2011
    Publication date: April 4, 2013
    Inventor: Fang-Yuan Sung
  • Patent number: 8413217
    Abstract: Systems, apparatuses, and methods disclosed herein allow a requesting party to control use of another user's mobile station. In some aspects, a server is configured to communicate with a plurality of remote computer systems and target mobile stations. The server includes a memory device and a processor configured to access data and logic instructions embedded on the memory device. The server authenticates a requesting party accessing the computer server from one of the remote communication systems. The requesting party is not a user of a selected one of the target mobile stations. The server receives selective availability attributes for the selected one of the target mobile stations from the requesting party. The selective availability attributes indicate conditions under which the target mobile station is enabled or disabled to operate, and features that are available on the target mobile station under a plurality of conditions when the target mobile station is enabled.
    Type: Grant
    Filed: March 4, 2009
    Date of Patent: April 2, 2013
    Assignee: QUALCOMM Incorporated
    Inventor: Ashok Bhatia
  • Patent number: 8412932
    Abstract: A method and system for collecting account access statistics from information provided by client certificates. In one embodiment, the method comprises requesting client certificates from remote terminals that request to access a computing resource. The method further comprises updating the account access statistics based on information provided by presence or absence of the client certificates and contents of the client certificates for the client certificates that are present.
    Type: Grant
    Filed: February 28, 2008
    Date of Patent: April 2, 2013
    Assignee: Red Hat, Inc.
    Inventor: James P. Schneider
  • Patent number: 8407798
    Abstract: A method for simulation aided security event management, the method includes: generating attack simulation information that comprises multiple simulation data items of at least one data item type out of vulnerability instances data items, attack step data items and attack simulation scope data items; wherein the generating of attack simulation information is responsive to a network model, at least one attack starting point and attack action information; identifying security events in response to a correlation between simulation data items and event data; and prioritizing identified security events.
    Type: Grant
    Filed: September 8, 2008
    Date of Patent: March 26, 2013
    Assignee: Skybox Security Inc.
    Inventors: Amnon Lotem, Gideon Cohen, Lior Ban Naon
  • Patent number: 8407767
    Abstract: A system and method for provisioning digital identity representations (“DIRs”) uses various techniques and structures to ease administration, increase accuracy, and decrease inconsistencies of a digital-identity provisioning system. Various methods are provided for creating new DIRs, requesting DIRs, notifying principals of available DIRs, and approving issuance of new DIRs.
    Type: Grant
    Filed: September 17, 2007
    Date of Patent: March 26, 2013
    Assignee: Microsoft Corporation
    Inventors: Vijay K. Gajjala, Colin H. Brace, Derek T. Del Conte, Arun K. Nanda, Stuart L. S. Kwan, Rashmi Raj, Vijayavani Nori
  • Patent number: 8407782
    Abstract: Embodiments of methods, apparatuses, devices, and/or systems for data copyright management are described. According to one embodiment of this disclosure, data copyright management may include displaying, storing, copying, editing, and/or transferring digital data. According to an embodiment, data copyright management may include protecting digital data copyrights. Various embodiments of this disclosure may use cryptographic keys to implement portions of the data copyright management disclosed.
    Type: Grant
    Filed: March 26, 2002
    Date of Patent: March 26, 2013
    Assignee: Intarsia Software LLC
    Inventor: Makoto Saito
  • Publication number: 20130074179
    Abstract: A mechanism is provided for automatically logging into a cloud based system that does not accept token log-on credentials generated by a single sign-on service. In an embodiment, a one-time password is automatically generated and persisted. The generated password is used to log in automatically to a cloud based system that does not accept tokens generated by the web-ID providers and for connecting to other services. Examples of such systems may include Windows, Linux, and iOS.
    Type: Application
    Filed: September 15, 2011
    Publication date: March 21, 2013
    Applicant: Microsoft Corporation
    Inventors: Manuvir Das, Sudarshan Yadav, Arvind Kandhare, Shivesh Ranjan, Jimmy Narang
  • Publication number: 20130074180
    Abstract: A computer-implemented subsystem and method is disclosed for receiving user qualification data, comparing that data to certification criteria, and providing user certification according thereto, in the context of a system for designing a structure. A variety of users may be certified, including architects, designers, component and service providers, permitting authorities, builders, financers, future tenants, etc. A wide variety of certifications may be provided including by trade, by attributes of the structure, by intended use of the design system, etc. Certification may be based on general experience, references, time spent with the design system, training completed, examination passed, other certifications, etc. Certification may be stand-alone or may be part of an ongoing continuing education process. The design system may limit actions a user may perform on a design based on certification and certification level.
    Type: Application
    Filed: September 20, 2011
    Publication date: March 21, 2013
    Applicant: GOOGLE INC.
    Inventors: Nicholas Chim, Eric Teller, Eli Attia, Michelle Kaufmann, Alena Fong, Augusto Roman, Jennifer Carlile, Cedric Dupont
  • Patent number: 8402521
    Abstract: Systems and methods for emulating credentials are disclosed. In some cases, the systems include an access credential reader and an access credential writer. The access credential reader is communicably coupled to the access credential writer. The access credential reader is operable to receive information from an access credential, and to transfer at least a portion of the information to the access credential writer. The access credential writer is operable to transfer at least the portion of the information to an emulation access credential.
    Type: Grant
    Filed: July 28, 2005
    Date of Patent: March 19, 2013
    Assignee: Xceedid
    Inventors: Jean-Hugues Wendling, John D. Menzel, Michael T. Conlin
  • Patent number: 8402517
    Abstract: A content distribution system may be provided for reviewing content such as video games, music, movies, or the like that may be shared by the system. The content distribution system may receive a credential from a user and authenticate the user based on the credential to permit access to the system. The content distribution system may also receive content generated by the user if the user may be authenticated. The content distribution system may provide the received content to a content evaluation entity, for example. The content distribution system may receive a review for the content from the content review entity and then may determine whether the content passes a review process based on the review, for example. The content distribution system may provide additional access to the content if the content passes the review process.
    Type: Grant
    Filed: June 20, 2007
    Date of Patent: March 19, 2013
    Assignee: Microsoft Corporation
    Inventors: Dax Hawkins, Julien Jacques Nicolas Ellie, Boyd Cannon Multerer, Shelley McKinley
  • Patent number: 8402522
    Abstract: Systems and methods for managing access to a computer account of a computer system that is not associated with a human user. The system comprises a password repository for storing a password for the computer account. The password is preferably encrypted with at least two secrets. The system also comprises a first data storage device for storing the first secret and a second data storage device for storing the second secret. The system additionally comprises a computer device in communication with the password repository and the first and second data storage devices for managing access to the computer account. The computer device is programmed to, in response to a request to perform an action under the computer account: (i) retrieve the first secret from the first data storage device; (ii) retrieve the second secret from the second data storage device; and (iii) decrypt the password with the first and second secrets.
    Type: Grant
    Filed: April 17, 2008
    Date of Patent: March 19, 2013
    Assignee: Morgan Stanley
    Inventors: Andrei Keis, Indur Mandhyan
  • Patent number: 8401522
    Abstract: Systems, apparatus, methods and articles of manufacture provide for controlling access to one or more enterprise resources, including one or more functions of an enterprise device, or other computing device, based on information about one or more activities of a user. Some embodiments provide for determining an intuitive challenge question having a corresponding response, such as an intuitive password.
    Type: Grant
    Filed: November 13, 2011
    Date of Patent: March 19, 2013
    Inventors: Carmela R. Crawford, John S. Nell
  • Patent number: 8396806
    Abstract: A message that includes an end user license agreement is received at a client from a service in a distributed computing system. The client determines whether to accept the end user license agreement. The message is processed if the end user license agreement is accepted.
    Type: Grant
    Filed: October 30, 2007
    Date of Patent: March 12, 2013
    Assignee: Red Hat, Inc.
    Inventor: Mark Cameron Little
  • Publication number: 20130061316
    Abstract: Capability access management techniques for processes are described. In one or more implementations, a token is formed having one or more security identifiers that reference capabilities described in a manifest for the executable code responsive to an input received to initiate execution of executable code installed on the computing device. The one or more processes formed through execution of the executable code on the computing device are associated with the token, the token usable to manage access of the one or more processes to the capabilities of the computing device.
    Type: Application
    Filed: September 6, 2011
    Publication date: March 7, 2013
    Applicant: Microsoft Corporation
    Inventors: Sermet Iskin, John A.M. Hazen, Liang Zhao, Scott B. Graham, John M. Sheelan
  • Publication number: 20130061317
    Abstract: A method of access control in an electronic device includes monitoring for input at the electronic device, for each input determined to be one of a plurality of predefined gestures including gestures from a touch-sensitive input device or from a movement sensor, mapping the input to a respective Unicode character and adding the respective Unicode character to a passcode to provide an entered passcode, comparing the entered passcode to a stored passcode, and changing an access state at the electronic device if the entered passcode matches the stored passcode.
    Type: Application
    Filed: October 31, 2012
    Publication date: March 7, 2013
    Applicant: RESEARCH IN MOTION LIMITED
    Inventor: RESEARCH IN MOTION LIMITED
  • Patent number: 8392684
    Abstract: A network memory system for ensuring compliance is disclosed. The network memory system comprises a first appliance configured to encrypt first data and store the encrypted first data in a first memory device. The first appliance also determines whether the encrypted first data exists in a second appliance and transmits a store instruction comprising the encrypted first data based on the determination that the encrypted first data does not exist in the second appliance. The second appliance is further configured to receive a retrieve instruction comprising an index at which the encrypted first data is stored, process the retrieve instruction to obtain encrypted response data, and decrypt the encrypted response data.
    Type: Grant
    Filed: July 31, 2006
    Date of Patent: March 5, 2013
    Assignee: Silver Peak Systems, Inc.
    Inventor: David Anthony Hughes
  • Publication number: 20130055381
    Abstract: A method and system for utilizing the biometric factors reflected in the typing as a kind of physiological password, to create a rhythmic password specific to the user, and to authenticate based on the rhythmic password. The method includes providing an original training text to a user, receiving an input training text provided by the user according to the original training text, extracting rhythmic characteristic values between adjacent text units of the input training text, and generating a rhythmic password of the user based on the extracted rhythmic characteristic values between adjacent text units. The invention utilizes the rhythm of a user inputting text, which can bring multiple advantages, including enhanced security of the password, and saving the user's cost of memorizing the password.
    Type: Application
    Filed: August 30, 2012
    Publication date: February 28, 2013
    Applicant: International Business Machines Corporation
    Inventors: Chen Hao, Guoqiang Hu, Qi Cheng Li, Li Jun Mei, Jian Wang, Yi Min Wang, Zi Yu Zhu
  • Publication number: 20130055380
    Abstract: A method for creating a password on an electronic computing device is disclosed. On the electronic computing device, a first password is obtained. The first password comprises a string of one or more characters. A first character is appended to the first password to form a second password. A hash function is applied to the second password to generate a first hashed password. The first hashed password comprises a first bit string. A determination is made as to whether the first hashed password includes a predefined sequence of bits. When it is determined that the first hashed password includes the predefined sequence of bits, the second password is designated as an auditable password.
    Type: Application
    Filed: August 24, 2011
    Publication date: February 28, 2013
    Applicant: MICROSOFT CORPORATION
    Inventors: Matthew Michael Swann, David Charles LeBlanc
  • Publication number: 20130055379
    Abstract: A computing device and computing device implemented method for setting a security level of the computing device. The method may comprise the computing device presenting a challenge to a user of the computing device, the challenge requiring the user to register a password with the computing device. The computing device may receive the password through a user input interface of the computing device in response to the challenge. The computing device may process the received password to calculate a password strength value and evaluate the password strength value to assign the security level. In an aspect, the security level may assign a higher security level when the password strength value is relatively high. In an aspect, the security level may allow for an expanded range of user selectable security options when the password strength value is relatively high.
    Type: Application
    Filed: August 23, 2011
    Publication date: February 28, 2013
    Applicant: RESEARCH IN MOTION LIMITED
    Inventors: Neil Patrick ADAMS, Van Quy TU, Herbert Anthony LITTLE
  • Patent number: 8387152
    Abstract: Computer systems and environments implemented herein permit a local machine increased participation in authorizing access to protected content. An operating system attests to a computing environment at a corresponding computer system. If the computing environment is one permitted to access protected content, the operating system is permitted to regulate further (e.g., application) access to protected content in accordance with a procreation policy. As such, authorization decisions are partially distributed, easing the resource burden on a content protection server. Accordingly, this computing environment can facilitate more robust and efficient authorization decisions when access to protected content is requested.
    Type: Grant
    Filed: June 27, 2008
    Date of Patent: February 26, 2013
    Assignee: Microsoft Corporation
    Inventors: Kenneth D. Ray, Nathan T. Lewis, Matthew C. Setzer, David R. Wooten
  • Patent number: 8387137
    Abstract: A method and system for managing role-based access control of token data using token profiles having predefined roles is described. In one method, a token processing system (TPS) assigns a TPS client a token profile for a group of multiple tokens, the token profile being stored in a profile data structure. The token profile specifies at least one of multiple predefined roles for the TPS client, each role associated with predefined access to entries of a token database. The TPS receives a request from the TPS client over a network to perform an operation on the entries of the token database that correspond to the group, and allows the TPS client access to the token database to perform the operation when permitted by the predefined roles specified in the token profile on the entries of the token database that correspond to the group identified by the token profile.
    Type: Grant
    Filed: January 5, 2010
    Date of Patent: February 26, 2013
    Assignee: Red Hat, Inc.
    Inventors: Ade Lee, Christina Fu
  • Patent number: 8387136
    Abstract: A method and system for managing role-based access control of token data using token profiles is described. In one method, a token processing system (TPS) receives a request from a TPS client over a network to perform an operation on entries of a token database. The TPS identifies a subset of the multiple groups that corresponds to the entries indicated in the request of the TPS client, determines to which of the identified groups the TPS client belongs using token profiles. For each group the TPS client belongs, the TPS determines a corresponding role for the TPS client from the token profiles. For each group the TPS belongs, the TPS allows the TPS client access to the entries of the respective group to perform the operation when the TPS client has the appropriate role assigned within the respective group.
    Type: Grant
    Filed: January 5, 2010
    Date of Patent: February 26, 2013
    Assignee: Red Hat, Inc.
    Inventors: Ade Lee, Christina Fu
  • Patent number: 8387134
    Abstract: According to one embodiment, an information processing apparatus includes a main body, an authentication unit which performs an authentication process, upon power-on of the main body, if authentication information is registered in the main body, the authentication process including a process to authenticate a user based on authentication information input by the user and the authentication information registered in the main body, and a forced-registration unit which performs a forced-registration process to request the user to register new authentication information and inhibit the main body from operating until the new authentication information is registered, upon power-on of the main body.
    Type: Grant
    Filed: August 22, 2006
    Date of Patent: February 26, 2013
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Yoshio Matsuoka, Mayumi Maeda
  • Patent number: 8386623
    Abstract: A comprehensive platform for merchandising intellectual property (IP) and conducting IP transactions is disclosed. A standardized data collection method enables IP assets to be characterized, rated and valuated in a consistent manner. Project management, workflow and data security functionality enable consistent, efficient and secure interactions between the IP Marketplace participants throughout the IP transaction process. Business rules, workflows, valuation models and rating methods may be user defined or based upon marketplace, industry or technology standards.
    Type: Grant
    Filed: July 29, 2011
    Date of Patent: February 26, 2013
    Assignee: American Express Travel Related Services Company, Inc.
    Inventor: Tracey R. Thomas
  • Patent number: 8387117
    Abstract: A context-aware role-based access control system and a control method thereof. The context-aware role-based access control system includes: a context-aware user assignment manager (CAUAM) for performing a role assignment function, a role delegation function, or a role revocation function for a user according to a context of the user, based on a preset context request condition; a context-aware permission assignment manager (CAPAM) for performing a permission modification, a permission restoration, and a personalized permission modification for a permission, which the role has, according to changes in the context of the user; an information repository for storing a user profile and context information; and an access control manager (ACM) for controlling the context-aware user assignment manager, the context-aware permission assignment manager, and the information repository, and processing an access control request.
    Type: Grant
    Filed: February 16, 2009
    Date of Patent: February 26, 2013
    Assignee: Sungkyunkwan University Foundation for Corporate Collaboration
    Inventors: Young-Ik Eom, Jung-Hwan Choi, Hyun-Su Jang, Youn-Woo Kim, Dong-Hyun Kang, Chang-Hwan Song
  • Patent number: 8387135
    Abstract: A method and apparatus are provided for controlling access to a secure area. The method includes the steps of providing a plurality of user credentials, generating a Boolean equation based upon the plurality of user credentials where the generated Boolean equation provides a predetermined response to each user credential of the plurality of credentials, saving the generated Boolean equation in a memory in place of the user credentials and recognizing a user credential of the plurality of user credentials by reference to the Boolean equation.
    Type: Grant
    Filed: January 5, 2009
    Date of Patent: February 26, 2013
    Assignee: Honeywell International Inc.
    Inventors: Santhanakrishnan Ponnambalam, Sivakumar Balakrishnan, Gopalakrishnan Venkatesan, Venkatesh Viswanathan
  • Patent number: 8381279
    Abstract: This document describes tools that constrain a login to a subset of access rights. In one embodiment, the tools generate a constrained password by executing a cryptographic algorithm on a user ID, general password, and one or more desired constraints. The constrained password is used in place of the general password to gain access rights that are a subset of the access rights that would be granted if the general password were used instead.
    Type: Grant
    Filed: February 13, 2009
    Date of Patent: February 19, 2013
    Assignee: Microsoft Corporation
    Inventors: John R. Michener, Niels T Ferguson, Carl M. Ellison, Josh Benaloh, Brian A LaMacchia
  • Patent number: 8381284
    Abstract: A method in one example implementation includes intercepting a request associated with an execution of an object (e.g., a kernel module or a binary) in a computer configured to operate in a virtual machine environment. The request is associated with a privileged domain of the computer that operates logically below one or more operating systems. The method also includes verifying an authorization of the object by computing a checksum for the object and comparing the checksum to a plurality of stored checksums in a memory element. The execution of the object is denied if it is not authorized. In other embodiments, the method can include evaluating a plurality of entries within the memory element of the computer, wherein the entries include authorized binaries and kernel modules. In other embodiments, the method can include intercepting an attempt from a remote computer to execute code from a previously authorized binary.
    Type: Grant
    Filed: August 21, 2009
    Date of Patent: February 19, 2013
    Assignee: McAfee, Inc.
    Inventors: Amit Dang, Preet Mohinder