Tokens (e.g., Smartcards Or Dongles, Etc.) Patents (Class 726/20)
-
Patent number: 8446250
Abstract: This invention relates to a method and system for providing digital security by means of a reconfigurable physical uncloneable function, RPUF. The RPUF comprises a physical system constituted by distributed components arranged to generate a first response when receiving a first challenge at a point of the physical system. The physical reconfiguring of the RPUF comprises redistributing the components such that they generate a second response, which differs from said first response, when again applying the first challenge at the point. The reconfiguration step is further utilized in providing secure storage for digital items. The digital item is data of any kind, including data that needs to be accessed and updated, i.e. which is dynamic in nature. The method is exemplified by implementations such as secure storage of a key, a secure counter and a seed generator.
Type: Grant
Filed: June 10, 2008
Date of Patent: May 21, 2013
Assignee: Intrinsic ID B.V.
Inventors: Klaus Kursawe, Pim T. Tuyls
-
Patent number: 8443437
Abstract: A method and apparatus for providing a security system. The method includes the steps of providing an identity card for use by a person entering a secured area of the security system, reading the identity card at an entry point to the secured area, randomly generating an alphanumeric key upon the occurrence of a predetermined event, writing the alphanumeric key into the identity card at the entry point, reading the card within the secured area as a request for access to a computer and granting access to the computer by the person, but only when an alphanumeric key is found on the card that matches the generated alphanumeric key.
Type: Grant
Filed: April 20, 2009
Date of Patent: May 14, 2013
Assignee: Honeywell International Inc.
Inventors: Srinath Malur Srinivasa, Venkatesh Viswanathan
-
Patent number: 8443432
Abstract: A method for calibrating a temperature float of a one time password token and a device thereof are provided in the invention relating to the information security field. The method includes steps: the one time password token measures a current ambient temperature at intervals of a first predetermined time, retrieves a data table for a characteristic value relating to the measured temperature, and calibrates a current time value inside the token according to the characteristic value at intervals of a second predetermined time. The one time password token includes a timer module, a measuring module, a retrieving module, a table storing module, a calibrating module, a triggering module, a generating module and a displaying module. The invention calibrates time differentiation of the one time password token caused by the temperature float.
Type: Grant
Filed: March 28, 2011
Date of Patent: May 14, 2013
Assignee: Feitian Technologies Co., Ltd.
Inventors: Zhou Lu, Huazhang Yu
-
Patent number: 8438621
Abstract: A method, device and system for securely managing debugging processes within a communication device, such as a set top box or other multimedia processing device. For example, a security processor (SP) within the communication device manages the lifetime (LT) of any access token issued for use in activating debugging privileges within the communication device. The security processor authenticates an issued access token and securely delivers appropriate debug authorization information to the device controller. The security processor uses its secure, internal timer to count down the lifetime and update the remaining lifetime of the issued access token during the processing of each command by the security processor. In addition to securely managing the issuance of the access token and its remaining lifetime, the updating process reduces any impact on the normal communications within the device. The method overcomes the issue of the communication device not having a secure internal clock.
Type: Grant
Filed: December 21, 2007
Date of Patent: May 7, 2013
Assignee: General Instrument Corporation
Inventors: Jiang Zhang, Peter Chen, Bill Franks, Alexander Medvinsky
-
Patent number: 8438623
Abstract: This invention provides a system, method and computer program product to allow a user to access administrative security features associated with the use of a security token. The administrative security features provide the user the ability to unlock a locked security token, diagnose a security token, activate and deactivate a security token, request a replacement security token or temporary password or report the loss of a security token. The invention comprises a client application which integrates into the standard user login dialog associated with an operating system. A portion of the user dialog is linked to a remote server to access the administrative services.
Type: Grant
Filed: October 18, 2011
Date of Patent: May 7, 2013
Assignee: ActivCard
Inventor: Jamie Angus Band
-
Patent number: 8434138
Abstract: A token calculates a one time password by generating a HMAC-SHA-1 value based upon a key K and a counter value C, truncating the generated HMAC-SHA-1 value modulo 10^Digit, where Digit is the number of digits in the one time password. The one time password can be validated by a validation server that calculates its own version of the password using K and its own counter value C'. If there is an initial mismatch, the validation server compensates for a lack of synchronization between counters C and C' within a look-ahead window, whose size can be set by a parameter s.
Type: Grant
Filed: December 6, 2011
Date of Patent: April 30, 2013
Assignee: Symantec Corporation
Inventors: Nicolas Popp, David M'Raihi, Loren Hart
-
Patent number: 8433923
Abstract: An information processing device having an activation verification function comprises: a module recording portion which stores plural system programs, a security chip having the function of checking the validity of the system programs and a verification portion which inspects the activation states of the system programs. The security chip executes validity checking processing using verification data provided by the system programs. If the security chip cannot confirm the validity of the system programs, the verification portion acquires activation-state information about activated system programs from the activated system programs. If pre-stored verification-information initial values for valid system programs and the acquired activation-state information match with each other, the verification portion determines that the current activation states of the system programs are valid, and the subsequent activation processing for the system programs is advanced.
Type: Grant
Filed: July 12, 2006
Date of Patent: April 30, 2013
Assignee: Fujitsu Limited
Inventors: Kouichi Yasaki, Isamu Yamada
-
Patent number: 8429741
Abstract: Embodiments of the present invention relate generally to application security. In an embodiment, a method for altered token sandboxing includes creating a process based on a naked token and suspending the process. The method further includes obtaining an impersonation token and resuming the process with the impersonation token. The method further includes acquiring resources needed for the process with the impersonation token. The method also includes replacing the impersonation token with the naked token. In a further embodiment, the method further includes executing the suspended process with the naked token and the acquired resources. In another embodiment, a system for user-mode, altered token sandboxing includes a security module, an acquisition module and a replacement module. In a further embodiment, the system may include an execution module. In another embodiment, the system may include a request module.
Type: Grant
Filed: August 29, 2008
Date of Patent: April 23, 2013
Assignee: Google, Inc.
Inventors: Carlos E. Pizano, Nicolas Sylvain, Jose Ricardo Vargas Puentes, Finnur Breki Thorarinsson, Mark Alan Larson
-
Patent number: 8428266
Abstract: A method and terminal for implementing hot-plug of a smart card are disclosed. The method includes: during the process of playing mobile multimedia, a descrambling library sending request information for obtaining a program key to a smart card driving module, which judges whether a smart card is in a plug-in state or a pull-out state after receiving the request information: if in the plug-in state, the smart card driving module forwarding the request information to the smart card, receiving response information returned by the smart card, forwarding the response information to the descrambling library, and meanwhile forwarding the response information to a virtual smart card module to save; if in the pull-out state, the smart card driving module forwarding the request information to the virtual smart card module, which returns the saved response information to the smart card driving module, which forwards the response information to the descrambling library.
Type: Grant
Filed: May 25, 2010
Date of Patent: April 23, 2013
Assignee: ZTE Corporation
Inventors: Chengzhi Jiang, Weimei Yin, Chuanhui Wang
-
Patent number: 8429082
Abstract: Example embodiments herein include a license manager process that receives a license query from a server device. The license query requests usage data associated with a permanent license on a client device. In response to receiving the license query, the license manager procures the usage data associated with the permanent license on the client device. The license manager then transmits the usage data associated with the permanent license to the server device. Furthermore, the license manager receives a revocation request from the server device. In this manner, the revocation request is received in response to transmitting the usage data associated with the permanent license to the server device. In turn, the license manager revokes the permanent license that was indicated in the revocation request to disable use of the respective application on the client device.
Type: Grant
Filed: December 2, 2010
Date of Patent: April 23, 2013
Assignee: Adobe Systems Incorporated
Inventors: Sanjeev Kumar Biswas, Ravi Prakash Singh
-
Patent number: 8427662
Abstract: An image forming apparatus is disclosed that includes multiple application modules configured to perform image processing including scanning, printing, and copying of an image; multiple service modules configured to perform an image forming operation and to control the image forming apparatus; a nonvolatile configuration information storage part configured to contain first configuration information of the application modules and the service modules; a configuration information comparison part configured to read second configuration information of the application modules and the service modules and compare the first configuration information and the second configuration information before starting the application modules and the service modules; and a notification part configured to notify the manager of the image forming apparatus of the difference between the first configuration information and the second configuration information in response to detection of the difference.
Type: Grant
Filed: April 13, 2007
Date of Patent: April 23, 2013
Assignee: Ricoh Company, Ltd.
Inventors: Hiroki Asakimori, Junji Ukegawa, Takashi Soyama, Ken Norota
-
Patent number: 8429757
Abstract: Techniques are described for managing access to computing-related resources that, for example, may enable multiple distinct parties to independently control access to the resources (e.g., such that a request to access a resource succeeds only if all of multiple associated parties approve that access). For example, an executing software application may, on behalf of an end user, make use of computing-related resources of one or more types that are provided by one or more remote third-party network services (e.g., data storage services provided by an online storage service); in such a situation, both the developer user who created the software application and the end user may be allowed to independently specify access rights for one or more particular such computing-related resources (e.g., stored data files), such that neither the end user nor the software application developer user may later access those resources without the approval of the other party.
Type: Grant
Filed: October 19, 2011
Date of Patent: April 23, 2013
Assignee: Amazon Technologies, Inc.
Inventors: Mark Joseph Cavage, John Cormie, Nathan R. Fitch, Don Johnson, Peter Sirota
-
Patent number: 8429724
Abstract: An access control system and method are provided, which include a plurality of authorities, a plurality of access control elements and an access control list. Each authority associates at least one of a plurality of proof of knowledge operations with at least one of a plurality of proof of knowledge credentials. Each access control element identifies a Boolean combination of at least one of the authorities. The access control list identifies one or more of the access control elements by which a method to be executed can be authenticated.
Type: Grant
Filed: April 25, 2006
Date of Patent: April 23, 2013
Assignee: Seagate Technology LLC
Inventor: Robert H. Thibadeau
-
Patent number: 8429732
Abstract: A first server in a system includes a confirmation requesting unit 110 that receives an authentication request from a predetermined apparatus 400 coupled through a public line and that sends a user confirmation request to a second server in the case where user authentication is successful. A second server includes a user facility identifying unit 210 that receives the user confirmation request from the first server and identifies location information of the user facility of the user and a confirmation result notifying unit 211 that receives a utilization request from a measuring apparatus linked through a dedicated line and identifies disposition location information of the measuring apparatus and that sends a notification of success of user confirmation including the identification information of the user to the first server 100 if the disposition location information of the measuring apparatus is identical to the user facility location information.
Type: Grant
Filed: June 30, 2010
Date of Patent: April 23, 2013
Assignee: Hitachi, Ltd.
Inventors: Mika Kasahara, Yoshihito Yoshikawa, Maki Nagano, Nobuyoshi Ando
-
Patent number: 8424073
Abstract: Methods and computer-readable media are provided for refreshing a page validation token. In response to a request for a form from a client, a server responds with the requested form, a page validation token, and a page token refresh program. The client executes the page token refresh program in response to a request to post the contents of the form to the server computer. The page token refresh program determines whether a preset period of time has elapsed since the server computer generated the page validation token. If the period of time has not elapsed, the form is posted to the server with the page validation token and processed by the server computer. If the page timeout has elapsed, the page token refresh program refreshes the page validation token prior to posting the form by requesting an updated page validation token from the server.
Type: Grant
Filed: November 13, 2006
Date of Patent: April 16, 2013
Assignee: Microsoft Corporation
Inventors: James Richard Sturms, Matthew Bryan Jeffries, William James Griffin
-
Patent number: 8423475
Abstract: Systems and methods are configured to manage data sets associated with a transaction device. For example, a method is provided for facilitating the management of distinct data sets on a transaction device that are provided by distinct data set owners, wherein the distinct data sets may include differing formats. The method includes the steps of: adding, by a read/write device, a first data set to the financial transaction device, wherein the first data set is owned by a first owner; adding, by the read/write device, a second data set to the financial transaction device, wherein the second data set is owned by a second owner; and storing the first data set and the second data set on the financial transaction device in accordance with an owner defined format. The first and second data sets are associated with first and second owners, respectively, and are configured to be stored independent of each other.
Type: Grant
Filed: July 13, 2011
Date of Patent: April 16, 2013
Assignee: American Express Travel Related Services Company, Inc.
Inventors: Fred Bishop, Peter D. Saunders
-
Patent number: 8423783
Abstract: A mechanism is provided for secure PIN management of a user trusted device. A user trusted device detects a memory card coupled to the user trusted device. The user trusted device receives user input of an external PIN (ext_PIN). The user trusted device identifies a key (K) associated with the external PIN, wherein the key is stored in the persistent memory. The user trusted device computes a card PIN (card_PIN) using a function (f) and the key as stored on the persistent memory, wherein the card PIN is computed using the following equation: card_PIN=f(K, ext_PIN). The user trusted device unlocks the memory card using the card PIN, thereby forming an unlocked memory card.
Type: Grant
Filed: May 19, 2010
Date of Patent: April 16, 2013
Assignee: International Business Machines Corporation
Inventors: Peter Buhler, Harold D. Dykeman, Thomas Eirich, Matthias Kaiserswerth, Thorsten Kramp
-
Patent number: 8424080
Abstract: An authentication method of an electronic device is disclosed. A plurality of key inputs is received from a user via activation of input keys. At least one key input from the key inputs is validated based on a predefined criterion to obtain a password. The password is compared to a registered password to obtain an authenticated password.
Type: Grant
Filed: September 28, 2010
Date of Patent: April 16, 2013
Assignee: KYOCERA Corporation
Inventor: Norihiro Takimoto
-
Patent number: 8424106
Abstract: A method, system, and computer usable program product for securing a data communication against attacks are provided in the illustrative embodiments. A segment in the data communication is received at a first application executing in a first data processing system. The segment is formed according to a data communication protocol and includes an option. The option includes a current clue and a next clue. The current clue is compared with a saved next clue, the saved next clue being a next clue in a previous segment. The segment is accepted as being a valid segment in the data communication if the current clue matches the saved next clue. A part of the segment is sent to a consumer application.
Type: Grant
Filed: May 13, 2010
Date of Patent: April 16, 2013
Assignee: International Business Machines Corporation
Inventors: David Richard Marquardt, Prashant Anant Paranjape, Poornima Srinivas Patil
-
Patent number: 8423774
Abstract: Systems, methods, and technologies for configuring a conventional smart card and a client machine, and for performing a smart card authorization using the configured smart card and client. Further, the combination of methods provides for mutual authentication—authentication of the client to the user, and authentication of the user to the client. The authentication methods include presenting a specified token to the user sufficient to authenticate the client to the user and thus protect the user-provided PIN. Security is strengthened by using an integrity key based on approved client system configurations. Security is further strengthened by calculating a PIN' value based on a user-specified PIN and a modifier and using the PIN' value for unlocking the smart card.
Type: Grant
Filed: March 25, 2011
Date of Patent: April 16, 2013
Assignee: Microsoft Corporation
Inventors: Stefan Thom, Erik Lee Holt, Shivaram H. Mysore, Valerie Kathleen Bays, Carl M. Ellison
-
Patent number: 8417953
Abstract: A method and system for restricted service access is described. To access adult content, the user has to enter an administrator personal identification number into a mobile device. Upon receipt of the administrator personal identification number, an access code is generated, which is provided to a content provider. The content provider can calculate a valid time window and/or request an acknowledge message from a central server. If the current usage is within the valid time window or otherwise verified, access to the content is allowed. Thus, children are prevented from accessing adult content, while adult access is permitted.
Type: Grant
Filed: December 8, 2005
Date of Patent: April 9, 2013
Assignee: Koninklijke KPN N.V.
Inventor: Andreas Schröter
-
Publication number: 20130086675
Abstract: An information processing apparatus capable of non-interactively executing an application and an application execution method are disclosed. In response to an issuance request of an access control token, if a user type described in a definition file is included in user types defined in the information processing apparatus, the information processing apparatus issues an access control token in accordance with a user type and executes process by an application, in a case that the user type of the access control token is contained in the user types that have the execution authority for the process by the application.
Type: Application
Filed: April 13, 2011
Publication date: April 4, 2013
Applicant: CANON KABUSHIKI KAISHA
Inventor: Shuichi Uruma
-
Patent number: 8413213
Abstract: Embodiments of the present invention provide a method, apparatus and system for selecting a wireless communication device for establishing a connection. The method according to some exemplary embodiments of the invention may include selecting a communication device for establishing a connection by determining whether one or more security-related characteristics of the communication device satisfy a security policy corresponding to a selected security class. Other embodiments are described and claimed.
Type: Grant
Filed: December 28, 2004
Date of Patent: April 2, 2013
Assignee: Intel Corporation
Inventor: Claudio Glickman
-
Patent number: 8407198
Abstract: Information processing apparatus and method, recording medium, and program are provided. An information processing apparatus includes the following elements. A receiver receives a command requesting for the execution of predetermined processing. A storage unit stores data and first information indicating, among a plurality of stages in a lifecycle of the information processing apparatus, the current stage determined by the stored data and second information indicating an executable command in the current stage, the executable command being determined for each of the plurality of stages. A determining unit determines on the basis of the first information and the second information whether the command received by the receiver is an executable command in the current stage.
Type: Grant
Filed: January 24, 2012
Date of Patent: March 26, 2013
Assignee: Sony Corporation
Inventors: Satoshi Yoshida, Isao Itoh
-
Patent number: 8406478
Abstract: Identity authentication systems and techniques are disclosed which solve the problem associated with limited processing power and smart card technology in the handling of biometric authentication. By distributing the processing of an identity authenticating process between a smart card and a computer terminal, the complicated calculation involved in a biometrics matching process can be carried out to allow verification using biometric parameters stored on smart cards. There is disclosed a system and technique for user authentication, together with a system and technique for distributed processing. A registration method is also described.
Type: Grant
Filed: August 8, 2002
Date of Patent: March 26, 2013
Assignee: Agency for Science, Technology and Research Nanyang Technological University
Inventors: Tai Pang Chen, Wei Yun Yau
-
Patent number: 8407775
Abstract: The disclosure describes various systems and methods for access control. One such method includes providing an access control module that includes a base portion and an update portion. The update portion is electrically coupled to the base portion via a detachable electrical connector, and wherein operation of the access control module is based at least in part on an interaction between the base portion and the update portion.
Type: Grant
Filed: January 21, 2010
Date of Patent: March 26, 2013
Assignee: Xceed ID Corporation
Inventors: Michael T. Conlin, Jean-Hugues Wendling
-
Patent number: 8402522
Abstract: Systems and methods for managing access to a computer account of a computer system that is not associated with a human user. The system comprises a password repository for storing a password for the computer account. The password is preferably encrypted with at least two secrets. The system also comprises a first data storage device for storing the first secret and a second data storage device for storing the second secret. The system additionally comprises a computer device in communication with the password repository and the first and second data storage devices for managing access to the computer account. The computer device is programmed to, in response to a request to perform an action under the computer account: (i) retrieve the first secret from the first data storage device; (ii) retrieve the second secret from the second data storage device; and (iii) decrypt the password with the first and second secrets.
Type: Grant
Filed: April 17, 2008
Date of Patent: March 19, 2013
Assignee: Morgan Stanley
Inventors: Andrei Keis, Indur Mandhyan
-
Patent number: 8402518
Abstract: A system, method and computer program product are provided for managing authentication information for a user. According to the method, a master digital key is received from the user, and authentication of the user is obtained based on the master digital key. There is received from the user a selection of one identity from among a plurality of identities that are stored for the user. Authentication information for the user is provided into an application or web page based on the one identity selected by the user. In one embodiment, the authentication information is provided by recognizing a web page for which authentication information is stored, and automatically filling the authentication information for the user into appropriate elements of the web page.
Type: Grant
Filed: January 7, 2009
Date of Patent: March 19, 2013
Assignee: International Business Machines Corporation
Inventors: Elias D. Torres, Christopher R. Vincent
-
Patent number: 8402521
Abstract: Systems and methods for emulating credentials are disclosed. In some cases, the systems include an access credential reader and an access credential writer. The access credential reader is communicably coupled to the access credential writer. The access credential reader is operable to receive information from an access credential, and to transfer at least a portion of the information to the access credential writer. The access credential writer is operable to transfer at least the portion of the information to an emulation access credential.
Type: Grant
Filed: July 28, 2005
Date of Patent: March 19, 2013
Assignee: Xceedid
Inventors: Jean-Hugues Wendling, John D. Menzel, Michael T. Conlin
-
Patent number: 8402510
Abstract: A system and method for managing communication. The system and method applying to but not limited to settop boxes (STBs) and other devices used to interface services. The management including any number of features and processes associated with achieving Quality of Service (QoS) across different domains and according to network limitations associated with the same.
Type: Grant
Filed: June 20, 2006
Date of Patent: March 19, 2013
Assignee: Comcast Cable Holdings, LLC
Inventor: Mark D. Francisco
-
Publication number: 20130067568
Abstract: Techniques for resource access authorization are described. In one or more implementations, an application identifier is used to control access to user resources by an application. A determination is made whether to allow the application to access the user resources by comparing an application identifier received from an authorization service with a system application identifier for the application obtained from a computing device on which the application is executing.
Type: Application
Filed: September 12, 2011
Publication date: March 14, 2013
Inventors: Oludare V. Obasanjo, Stephen R. Gordon, Aleksandr Radutskiy, Philip J. Hallin, Atanas D. Oskov, Jeremy D. Viegas, Daniel C. Kitchener
-
Patent number: 8397290
Abstract: Embodiments provide a security infrastructure that may be configured to run on top of an existing operating system to control what resources can be accessed by an application and what APIs an application can call. Security decisions are made by taking into account both the current thread's identity and the current thread's call chain context to enable minimal privilege by default. The current thread context is captured and a copy of it is created to be used to perform security checks asynchronously. Every thread in the system has an associated identity. To obtain access to a particular resource, all the callers on the current thread are analyzed to make sure that each caller and thread has access to that resource. Only when each caller and thread has access to that resource is the caller given access to that resource.
Type: Grant
Filed: June 27, 2008
Date of Patent: March 12, 2013
Assignee: Microsoft Corporation
Inventors: Neil Laurence Coles, Scott Randall Shell, Upender Reddy Sandadi, Angelo Renato Vals, Matthew G. Lyons, Christopher Ross Jordan, Andrew Rogers, Yadhu Gopalan, Bor-Ming Hsieh
-
Patent number: 8397281
Abstract: A method for providing a secret that is provisioned to a first device to a second device includes generating a One-Time Password at the first device using the secret and obtaining an identifier of the secret. The method also includes providing the One-Time Password and the identifier to the second device and sending the One-Time Password and the identifier to a remote provisioning service. The method also includes verifying that the One-Time Password corresponds to the secret, and sending to the second device an encrypted secret and a decryption key for decrypting the encrypted secret. The encrypted secret and the decryption key may be sent using different communications methods. The method also includes decrypting the encrypted secret using the decryption key to provide the secret and storing the secret at the second device.
Type: Grant
Filed: December 30, 2009
Date of Patent: March 12, 2013
Assignee: Symantec Corporation
Inventors: Mingliang Pei, Slawek Ligier
-
Patent number: 8397060
Abstract: A method for requesting a certificate from a certificate issuer for a public key that is associated with a corresponding private key stored by a storing entity, the method comprising: generating by means of a generating entity a certificate request message indicative of a request for a certificate; and transmitting the certificate request message to the certificate issuer; the certificate request message including an indication of the relationship between the storing entity and the generating entity.
Type: Grant
Filed: February 22, 2002
Date of Patent: March 12, 2013
Assignee: Nokia Corporation
Inventors: Nadarajah Asokan, Philip Ginzboorg, Valterri Nieml
-
Publication number: 20130061320
Abstract: A computer device provides an execution environment that supports a plurality of processes. A plurality of key resources are associated with a security application that may perform process elevation to grant privileged access rights to a user process. A security module controls access to the key resources using an access control list. An anti-tamper mechanism creates a protection group as a local security group and adds a deny access control entry to the access control list. The anti-tamper mechanism intercepts the user process and creates a revised access token identifying the user process as a member of the protection group. The security module matches the protection group in the revised access token of the user process against the deny access control entry in the access control list of the key resources thereby restricting access by the user process even though the user process otherwise has privileges to access those resources.
Type: Application
Filed: August 31, 2012
Publication date: March 7, 2013
Applicant: AVECTO LIMITED
Inventor: Mark James Austin
-
Patent number: 8392978
Abstract: A method and apparatus for secure authentication of a hardware token is disclosed. In one embodiment, a host computer fingerprint is used to generate a partial seed for a challenge-response authentication which is performed on the hardware token. In another embodiment, the host computer fingerprint is used as a personal identification number for the hardware token.
Type: Grant
Filed: December 18, 2009
Date of Patent: March 5, 2013
Assignee: SafeNet, Inc.
Inventors: Brian Grove, Reed Tibbetts, James Khalaf, Laszlo Elteto
-
Patent number: 8392975
Abstract: Some embodiments provide a system that authenticates a user. During operation, the system obtains an identifier for the user from an identification card associated with the user and displays a set of images to the user. Next, the system receives an image sequence comprising a sequence of images selected by the user from the set of images. Finally, the system authenticates the user based on the identifier and the image sequence.
Type: Grant
Filed: June 27, 2008
Date of Patent: March 5, 2013
Assignee: Google Inc.
Inventor: Mandayam Thondanur Raghunath
-
Patent number: 8392965
Abstract: Techniques for multiple biometric smart card authentication are provided. At least two biometric readings are obtained from a requesting user. Both biometric readings are verified before access to resources of a smart card are made available to the requesting user.
Type: Grant
Filed: September 15, 2008
Date of Patent: March 5, 2013
Assignee: Oracle International Corporation
Inventors: Stephen R Carter, Tammy A. Green
-
Patent number: 8385913
Abstract: Techniques for facilitating the exchange of information and transactions between two entities associated with two wireless devices when the devices are in close proximity to each other. A first device uses a first short range wireless capability to detect an identifier transmitted from a second device in proximity, ideally using existing radio capabilities such as Bluetooth (IEEE802.15.1-2002) or Wi-Fi (IEEE802.11). The detected identifier, being associated with the device, is also associated with an entity. Rather than directly exchanging application data flow between the two devices using the short range wireless capability, a second wireless capability allows for one or more of the devices to communicate with a central server via the internet, and perform the exchange of application data flow. By using a central server to draw on stored information and content associated with the entities the server can broker the exchange of information between the entities and the devices.
Type: Grant
Filed: February 3, 2009
Date of Patent: February 26, 2013
Assignee: Proxicom Wireless, LLC
Inventors: James Arthur Proctor, Jr., James Arthur Proctor, III
-
Patent number: 8387137
Abstract: A method and system for managing role-based access control of token data using token profiles having predefined roles is described. In one method, a token processing system (TPS) assigns a TPS client a token profile for a group of multiple tokens, the token profile being stored in a profile data structure. The token profile specifies at least one of multiple predefined roles for the TPS client, each role associated with predefined access to entries of a token database. The TPS receives a request from the TPS client over a network to perform an operation on the entries of the token database that correspond to the group, and allows the TPS client access to the token database to perform the operation when permitted by the predefined roles specified in the token profile on the entries of the token database that correspond to the group identified by the token profile.
Type: Grant
Filed: January 5, 2010
Date of Patent: February 26, 2013
Assignee: Red Hat, Inc.
Inventors: Ade Lee, Christina Fu
-
Patent number: 8387133
Abstract: A power on certification method for a personal computer (PC) and a power on certification system thereof are described. The power on method includes the following steps. At least one booting certification device is connected to a PC. The PC is booted, and a basic input output system (BIOS) is run. The BIOS is made to retrieve recognition information of the booting certification device through a verification procedure, so as to judge whether the recognition information is consistent with verification information stored in the PC. After the booting certification device passes through the verification procedure, the PC completes other procedures in the BIOS, and enters an operating system.
Type: Grant
Filed: February 9, 2010
Date of Patent: February 26, 2013
Assignee: MSI Computer (Shenzhen) Co., Ltd.
Inventors: Ming-Chung Hsieh, Heng-Yung Su
-
Patent number: 8387136
Abstract: A method and system for managing role-based access control of token data using token profiles is described. In one method, a token processing system (TPS) receives a request from a TPS client over a network to perform an operation on entries of a token database. The TPS identifies a subset of the multiple groups that corresponds to the entries indicated in the request of the TPS client, determines to which of the identified groups the TPS client belongs using token profiles. For each group the TPS client belongs, the TPS determines a corresponding role for the TPS client from the token profiles. For each group the TPS belongs, the TPS allows the TPS client access to the entries of the respective group to perform the operation when the TPS client has the appropriate role assigned within the respective group.
Type: Grant
Filed: January 5, 2010
Date of Patent: February 26, 2013
Assignee: Red Hat, Inc.
Inventors: Ade Lee, Christina Fu
-
Patent number: 8384412
Abstract: A method distributes personalized circuits to one or more parties. The method distributes a generic circuit to each party, encrypts a unique personalization value using a secret encryption key, and transmits each encrypted personalization value to the corresponding party. Each party then stores the encrypted personalization value in their circuit. The stored encrypted personalization value allows a piece of software to be properly executed by the circuit. A semiconductor integrated circuit is arranged to execute a piece of software that inputs a personalization value as an input parameter. The circuit comprises a personalization memory arranged to store an encrypted personalization value; a key memory for storing a decryption key; a control unit comprising a cryptographic circuit arranged to decrypt the encrypted personalization value using the decryption key; and a processor arranged to receive the decrypted personalization value and execute the software using the decrypted personalization value.
Type: Grant
Filed: July 31, 2006
Date of Patent: February 26, 2013
Assignee: STMicroelectronics R&D Limited
Inventor: Andrew Dellow
-
Patent number: 8387135
Abstract: A method and apparatus are provided for controlling access to a secure area. The method includes the steps of providing a plurality of user credentials, generating a Boolean equation based upon the plurality of user credentials where the generated Boolean equation provides a predetermined response to each user credential of the plurality of credentials, saving the generated Boolean equation in a memory in place of the user credentials and recognizing a user credential of the plurality of user credentials by reference to the Boolean equation.
Type: Grant
Filed: January 5, 2009
Date of Patent: February 26, 2013
Assignee: Honeywell International Inc.
Inventors: Santhanakrishnan Ponnambalam, Sivakumar Balakrishnan, Gopalakrishnan Venkatesan, Venkatesh Viswanathan
-
Patent number: 8381287
Abstract: A secure method and apparatus for data exchange that allows a client's or patient's financial data, medical records, and other information to be stored on a card-shaped compact disk, with multiple levels of encryption to preserve privacy. The trusted record disc can be read on any computer with a network or internet connection, but access to the information on the disc is restricted according to a password protected hierarchical encryption policy. In order to obtain access to the restricted information, an individual user needs to enter a unique password that is sent to a central server. The server confirms the password and returns an electronic key to the user's computer. The electronic key unlocks the encryption and allows the user to view only the information that is permitted (under federal patient, financial privacy or other laws). Thus, in the medical setting, physicians can review the patient's entire medical record and make changes to it.
Type: Grant
Filed: July 18, 2007
Date of Patent: February 19, 2013
Assignee: Secure Exchange Solutions, LLC
Inventor: Douglas H. Trotter
-
Patent number: 8379856
Abstract: Technologies are generally described for a hardware cryptographic unit that employs hardware public physically unclonable functions. A source computer can encrypt a message using a simulation of a hardware cryptographic unit. The encrypted message can then be sent to a destination computer. The destination computer can then use the hardware cryptographic unit to decrypt the message. The source computer can use a simulation of the hardware cryptographic unit to transform an input value into a simulation output. The simulation output can be transmitted from the source computer to the destination computer where all possible input values can be rapidly run through the hardware cryptographic unit until the output of the hardware cryptographic unit matches the simulated output. The input value that generated the matching output is now a shared secret between the source computer and destination computer without ever having been transmitted in the clear over the communication channel.
Type: Grant
Filed: June 17, 2009
Date of Patent: February 19, 2013
Assignee: Empire Technology Development LLC
Inventor: Miodrag Potkonjak
-
Patent number: 8379813
Abstract: Method and apparatus for authorizing a calling card telephone call are described. In one example, a telephone calling card includes a planar body having a memory system, an input circuit, a controller, and a display. The memory system is configured to store key code information. The input circuit is configured to receive a personal identification number (PIN). The controller is configured to derive a key code from the key code information using the PIN. The display is configured to present the key code. The user may then use the key code for purposes of authorizing a call made using a calling card. The key code may change from time-to-time as the user uses the calling card. Since the user's PIN is not entered into a telephone by the user, the calling card is less susceptible to unauthorized and/or fraudulent use by third parties.
Type: Grant
Filed: June 29, 2007
Date of Patent: February 19, 2013
Assignee: Vonage Network LLC
Inventors: Donald J. Weber, Daniel T. Smires
-
Patent number: 8380995
Abstract: A method, a system, and a computer-readable medium are provided for identifying a user on a computing device using biometric hand data. An indication is received that a hand of a user has been placed on a touchscreen of a computing device. The locations of a plurality of user contact points made between the hand of the user and the touchscreen that define a user hand framework are determined. The user hand framework is matched with a corresponding stored hand framework, defined by a plurality of stored contact points, from a data repository. Finally, the user is identified based on the corresponding hand framework.
Type: Grant
Filed: November 29, 2011
Date of Patent: February 19, 2013
Assignee: Google Inc.
Inventor: Sean Paul
-
Patent number: 8375441
Abstract: Embodiments of the invention provide a portable consumer device configured to store dynamic authentication data in memory. The portable consumer device also includes an interface for transmitting data to and receiving power from an external device. The dynamic authentication data is read from the memory by a read-write device located on the portable consumer device. The authentication data is updated and the updated data may be written into memory using the read-write device. In some embodiments, an authentication value read from the memory may be used to generate another authentication value based on an algorithm. The portable consumer device is further configured to transmit authentication data to an external device. The process of reading, updating, generating, transmitting, and rewriting the authentication data may occur each time external power is provided to the portable consumer device via the interface.
Type: Grant
Filed: September 1, 2010
Date of Patent: February 12, 2013
Assignee: Visa U.S.A. Inc.
Inventors: Ayman Hammad, Patrick Faith
-
Publication number: 20130036463
Abstract: A biometrics-enabled smart card for use in transactional or identity applications (e.g., credit cards and identity cards). The biometric smart card includes a substrate, a biometric sensor capable of reading biometric information through the substrate, and a microprocessor to process, store, and authenticate biometric information. The substrate has a Young's modulus of at least about 50 GPa and a thickness of up to about 0.5 mm.
Type: Application
Filed: July 27, 2012
Publication date: February 7, 2013
Inventor: Nagaraja Shashidhar