Abstract: A method of generating authentication seeds for a plurality of users, the method involving: based on a single master seed, generating a plurality of derivative seeds, each one for a corresponding different one of a plurality of users; and distributing the plurality of derivative seeds to a verifier for use in individually authenticating each of the plurality of users to that verifier, wherein generating each one of the plurality of derivative seeds involves mathematically combining the master seed and a unique identifier identifying the corresponding user.

Abstract: A portable device with password verification function includes several input units, a storage unit and a processing unit. The processing unit is electrically connected with the input units and the storage unit. Each of the input units is different from others. Password information is stored in the storage unit. The processing unit includes a receiving module and a password verification module. The receiving module receives several input signals from the input units respectively. The password verification module verifies if the input signals match the password information.

Abstract: A memory device that has a function used to continue or disrupt a supply of electric power used to retain data stored in a recording medium or a supply of operating electric power of a circuit used to read out data stored in a storage medium, using personal identification information is provided. When the recording medium is formed of a volatile memory, this memory device has a power supply used to manage a supply of electric power that is used for retention of the stored data using the personal identification information and to retain or erase stored data by continuation or disruption of a supply of electric power by use of the personal identification information.

Abstract: A device management system for managing a device based on management information is presented. The system includes a device monitoring unit for obtaining management information from a device, a relay server coupled to the device monitoring unit over a network, and a management server, coupled to the relay server over a network, configured to manage the device based on the management information. The device monitoring unit obtains the management information from the device and transmits the obtained management information without encryption. Upon receiving the management information, the relay server encrypts and transmits to the management server the received management information.

Abstract: A coprocessor includes a calculation unit for executing at least one command, and a securization device. The securization device includes an error detection circuit for monitoring the execution of the command so as to detect any execution error, putting the coprocessor into an error mode by default as soon as the execution of the command begins, and lifting the error mode at the end of the execution of the command if no error has been detected, an event detection circuit for monitoring the appearance of at least one event to be detected, and a masking circuit for masking the error mode while the event to be detected does not happen, and declaring the error mode to the outside of the coprocessor if the event to be detected happens while the coprocessor is in the error mode. Application in particular but not exclusively to coprocessors embedded in integrated circuits for smart cards.

Abstract: A computer system with an electronic lock includes an end-user unit and a mobile unit. The end-user unit has a communication port and an identification database coupling with the communication port and storing at least one identification code. The mobile unit has an identifying module with a logging code, with the mobile unit able to connect with the end-user unit through the communication port to connect the identifying module with the identification database of the end-user unit. When the mobile unit is coupled with the end-user unit, the end-user unit catches the logging code and executes an identifying process to determine whether the logging code is one of the at least one identification code in the identification database.

Abstract: Methods and systems for managing policies of portable data storage devices in conjunction with a third-party service are disclosed. One or more candidates of a plurality of members in an enterprise may be identifying via the third-party service. Each of the plurality of members may be associated with a respective portable data storage device. An indication provided by the third-party service of one or more candidate devices may be obtained. The one or more candidate devices may each be a portable data storage device associated with a respective candidate. Policies of the one or more candidate devices may be modified.

Abstract: The aim of the present invention is to provide a secure system-on-chip for processing data, this system-on-chip comprising at least a central processing unit, an input and an output channel, an encryption/decryption engine and a memory, characterized in that, said input channel comprises an input encryption module to encrypt all incoming data, said output channel comprising an output decryption module to decrypt all outgoing data, said central processing unit receiving the encrypted data from the input encryption module and storing them in the memory, and while processing the stored data, said central processing unit reading the stored data from the memory, requesting decryption of same in the encryption/decryption engine, processing the data and requesting encryption of the result by the encryption/decryption engine and storing the encrypted result, outputting the result to the output decryption module for decryption purpose and exiting the decrypted result via the output channel.

Abstract: A data loss prevention system, method, and computer program product are provided for determining whether a device is protected with an encryption mechanism before storing data thereon. In operation, data to be stored on a device is identified. Additionally, it is determined whether the device is protected with an encryption mechanism. Furthermore, there is conditional reaction, based on the determination.

Abstract: A communication device for managing a key necessary for secure near field communication includes an IC card function executing unit, a reader/writer function executing unit, a receiving unit, a determining unit, and a function execution controlling unit. The IC card function executing unit executes a function of an IC card. The reader/writer function executing unit executes a function of a reader/writer. The receiving unit receives a command. The determining unit determines whether the receiving command is intended for the IC card function or the reader/writer function. The function execution controlling unit controls the IC card function executing unit to execute the IC card function or the reader/writer function executing unit to execute the reader/writer function according to a result determined by the determining unit.

Abstract: A machine includes card stores to store information cards. For each card store, one or more card selectors can be provided. When performing a transaction involving information cards, a generic card selector, using a selector policy engine, can identify a card selector to use for the transaction. The identified card selector can be used to identify an information card in a card store to use in performing the transaction, which can be used to provide a security token to the relying party.

Abstract: A method of generating a device certificate. A method of generating a device certificate comprising, constructing a device certificate challenge at a device, sending information to a device certificate individualization server in response to the device certificate challenge, validating the device certificate challenge by the device certificate individualization server, and validating the device certificate response by the device.

Abstract: A security token includes (a) a personal data memory configured to store digital identity credentials related to personal data of a user; (b) an input appliance configured to check said personal data; (c) a key record data memory configured to store at least one identity credential of an authentication server or of an application operator; (d) a transmitter and receiver unit configured to create a secure channel directly or indirectly to said authentication server or application operator to handle said key record relating to said authentication server or application operator, respectively; (e) a control unit configured to control the transmitter and receiver unit and the key record data memory in view of said handling, wherein the control unit is configured to perform one of: interpreting, deciphering, creating, checking, renewing, withdrawing and further key record handling actions. A method for authentication of a user using the security token is also disclosed.

Abstract: An access control system, having at least one access control unit for securing a physical area and controlling entry into and egress out of the physical area, and an Ethernet routing device, is disclosed. The Ethernet routing device includes an access controller for determining access privileges to the physical area; an Ethernet switching unit for directing network communications between multiple network devices; at least one Ethernet connector for connecting the at least one access control unit to the Ethernet routing device; and an access control message interpreter for reading messages received, by way of the Ethernet connector, from the at least one access control unit and providing access control information contained in the messages to the access controller for access privilege determination.

Abstract: An IC card is recognized by an IC card reader. Data is obtained from the recognized IC card. Card ID included in the obtained data is compared with card ID stored in a user registration information DB. If it is determined that the same card ID exists, an IC card issue count included in the obtained data is compared with an IC card issue count stored in the user registration information DB, and it is determined whether the counts are the same. If it is determined that the issue counts are not the same, a PIN code entry window appears so that the entered PIN code is compared with a PIN code in the user registration information DB. If it is determined that the PIN codes are the same, authentication success is displayed.

Abstract: A device for the secured start-up of a computer installation comprising a first connection interface to the computer installation and a second connection interface to an external data medium unit separate from the computer installation and which contains data and executable codes for a start-up program of the computer installation. The device also includes means for securing the use of data and executable codes and for transmitting data and executable codes of the start-up program from the external data medium unit via the second connection interface to the computer installation via the first connection interface, and after executing the means of security, to start-up the computer installation using transmitted executable codes and data.

Abstract: An information processing apparatus transmits photographic data of a job operator and identification information of the job operator to a server apparatus. The server apparatus calculates a matching rate for each piece of identification information based on a comparison between photographic data registered beforehand in a storage device and the received photographic data. Then, the server apparatus transfers the calculated matching rate to the information processing apparatus. The information processing apparatus performs processing based on the matching rate to reduce the data amount of the photographic data of the job operator.

Abstract: A computer system for identifying an individual using a biometric characteristic of the individual includes a biometric sensor for generating a first code, and a controller including a memory for storing the first code and a dynamic binary code conversion algorithm. When the controller receives a sensor code from the biometric sensor, it compares the sensor code with the first code stored in the memory, and if the identity between the sensor code and the first code is verified, the controller generates a first binary code by means of the dynamic binary code conversion algorithm and outputs the first binary code from which the computer system generates a second binary code by means of the dynamic binary code conversion algorithm. The computer system then verifies the identity of the individual if the second binary code matches the first binary code.

Abstract: A chip mountable on a customer replaceable unit monitory (CRUM) unit used in an image forming job includes a central processing unit (CPU) to perform cryptographic data communication with a main body of an image forming apparatus, using an operating system (OS) of the CPU. The security of a unit on which the chip is mounted can thereby be reinforced and random changes of data of the unit can be prevented.

Abstract: A smart card, system, and method for securely authorizing a user or user device using the smart card is provided. The smart card is configured to provide, upon initialization or a request for authentication, a public key to the user input device such that the PIN or password entered by the user is encrypted before transmission to the smart card via a smart card reader. The smart card then decrypts the PIN or password to authorize the user. Preferably, the smart card is configured to provide both a public key and a nonce to the user input device, which then encrypts a concatenation or other combination of the nonce and the user-input PIN or password before transmission to the smart card. The smart card reader thus never receives a copy of the PIN or password in the clear, allowing the smart card to be used with untrusted smart card readers.

Abstract: A chip mountable on a customer replaceable unit monitoring memory (CRUM) unit used in an image forming job includes a central processing unit (CPU) with an operating system (OS) thereof, which is separate from an OS of the image forming apparatus, to perform at least one of authentication and cryptographic data communication with a main body of an image forming apparatus by executing one cryptographic algorithm corresponding to a set state from among a plurality of pre-provided cryptographic algorithms, using the OS thereof. The security of a unit on which the chip is mounted can thereby be reinforced and random changes of data of the unit can be prevented.

Abstract: A protection device controlling an external device is provided having a mode detector, security data, a data detector, and a controller. The external device operates with operation modes that include a user mode that is used when the external device is operated by a user, and a manufacturer mode that is used when the external device is operated by someone other than the user. The mode detector detects an operation mode of the external device. The security data is input to the protection device. The data detector detects input of the security data. The controller restricts certain functions of the external device when the data detector does not detect input of the security data while the external device is in the manufacturer mode.

Abstract: Described herein are systems and methods for centralizing and standardizing implementation of security tokens so as to provide one token per one user for accessing business applications across an enterprise, providing scalability to support authentication of as many enterprise users as desired or needed, and providing a standardized token management interface that supports both pre-binding and post-binding user registration processes and different types of security token.

Abstract: A system and method for authorizing a remote device amongst multiple remote devices for passive functions, such as passive entry and passive start, includes a vehicle having a plurality of strategically located antennas, combinations of which transmit a query signal and receive query responses, a challenge antenna amongst the plurality of antennas for transmitting a challenge signal to at least one of the multiple remote devices in accordance with a challenge order, and a control unit having a controller in communication with the antennas for determining the challenge order based upon the query responses. The controller can determine whether a remote device is located in an authorization zone, out of an authorization zone, or whether the remote device's location is indeterminate.

Abstract: Secure information is managed for each host or machine in an electronic environment using a series of key identifiers that each represent one or more secure keys, passwords, or other secure information. Applications and services needing access to the secure information can specify the key identifier, for example, and the secure information currently associated with that identifier can be determined without any change to the code or manual input or exposure of the secure information on the respective device. Functionality such as encryption key management and rotation are inaccessible and transparent to the user. In a networked or distributed environment, the key identifiers can be associated with host classes such that at startup any host in a class can obtain the necessary secure information. Updates and key rotation can be performed in a similar fashion by pushing updates to host classes transparent to a user, application, or service.

Abstract: The invention relates to an authentication and/or rights containing retrievable token such as an IC card comprising at least one physical channel of communication to at least one apparatus and at least two logical channels of communication with said at least one apparatus wherein each logical channel of communication is associated with a different execution environment.

Abstract: An electronic control device and method for operating an electric roller shutter include establishing a wireless connection between the electronic control device and an electronic device if a preset login password is input. The electronic control device provides an operation interface to the electronic device, and receives a function instruction from the electronic device if a function key on the operation interface is pressed. The electric roller shutter is operated by the electronic control device according to the received function instruction.

Abstract: An electronic object carries out at least one operation on one element of an application installed in a computer. The method includes transmitting a random value of the electronic object to the computer, when such operation is completed, while maintaining in the electronic object the right of access to the electronic object by the user; storing the random value in the computer; giving access to the electronic object by the application and, in the case of a new access to the electronic object by the application; transmitting the random values stored in the computer to the electronic object; comparing, in the electronic object, the random value received from the computer with the random value previously transmitted to the computer; and, in case the random values are matching, re-establishing the previously acquired rights in the electronic object and thereby giving the application the access to the electronic object.

Abstract: A wireless security authentication system comprises a wireless element configured to determine validity of a user credential to enable use of a computing system, the wireless element powered by inductive coupling.

Abstract: A biometric authentication device has a threat of an attack of pretending to be someone else by such as forgery. The present invention supports a service provider to appropriately decide the level of such threat. A vulnerability verification server 150 is provided in the system, and the vulnerability of each biometric product is centrally managed. A service provider 130 sends the information that specifies the device in which a client terminal 110 executes the biometric authentication to the vulnerability verification server 150, and receives the vulnerability information. The service provider 130 decides whether the service can be provided or not to the client terminal 110 using the vulnerability information that was received.

Abstract: A method, system, and apparatus for agile generation of one time passcodes (OTPs) in a security environment, the security environment having a token generator comprising a token generator algorithm and a validator, the method comprising generating a OTP at the token generator according to a variance technique; wherein the variance technique is selected from a set of variance techniques, receiving the OTP at a validator, determining, at the validator, the variance technique used by the token generator to generate the OTP, and determining whether to validate the OTP based on the OTP and variance technique.

Abstract: Between an IC card (1) and a electronic ticket server (2), upon purchasing an electronic ticket a public key cryptosystem is employed for a mutual authentication to keep a strict security, and a shared secret between the electronic ticket and a ticket collecting machine is sent on a secure channel as well as the electronic ticket. Upon usage of the electronic ticket, the IC card (1) and the ticket collecting machine (6) mutually judge whether they carry out the mutual authentication by using a public key cryptosystem or a symmetric key cryptosystem. When they determine to use the symmetric key cryptosystem, they carry out the mutual authentication by using the shared secret exchanged beforehand. When they determine to use the public key cryptosystem, they carry out the mutual authentication by using the same method as that used upon purchasing the electronic ticket.

Abstract: A password authentication apparatus and a password authentication method for preventing the leakage of password information from user's password input operations includes a memory device for storing a correct answer symbol and selection information for selecting at least one input symbol for each digit of a password; a display for displaying combinations of input symbol candidates based on user operation; a processor for selecting, for each digit of the password, one or more input symbols from the combinations of input symbol candidates displayed by the display based on the selection information corresponding to the digit to determine whether the correct answer symbol corresponding to the digit is included in the selected one or more input symbols; and an authentication board for authenticating that the password is entered correctly when the processor determines that correct answer symbols for all the digits of the password are included.

Abstract: A method for validating a cryptographic token includes (a) operating the cryptographic token to generate a pseudo-random number for authentication purposes by using a cryptographic seed uniquely associated with the cryptographic token, the cryptographic seed having been cryptographically generated using a precursor value, (b) receiving a first value from the cryptographic token, the first value being the pseudo-random number generated by the cryptographic token, (c) inputting the first value and the precursor value into a trusted computing platform, and (d) operating the trusted computing platform to generate a validation signal if the first value can be derived using a specified algorithm from the precursor value, but to generate a failure signal if the first value cannot be derived using the specified algorithm from the precursor value. Accompanying methods and apparatus are also provided.

Abstract: A biometric key (10) which has an interface or electrical connection to a receptor body (11) which functions as an external power source a biometric sensor, a CPU, a nonvolatile memory unit incorporating a database of authorized biometric signatures or biocodes along with associated firmware required for comparison between data received from the biometric sensor and to provide acceptance or rejection of said data upon electrical connection to the receptor body (11) whereby a signal is sent to a facility (12, 13, 15, 16, 17) accessible by the key (10) advising of said acceptance or rejection.

Abstract: An information processing apparatus includes a user authentication unit that authenticates a user in a condition where an authentication medium used for authenticating the user is inserted, the authentication medium storing personal identification information of the user, a private key, and a software program for using the private key and including a processor for running the software program, to thereby establish a verified state in which the user is allowed to use the apparatus, a data processor that performs data processing including private key processing, a processing completion detector that detects completion of the private key processing performed by the data processor, and a verification state changing unit that changes, the verified state of the user having been established as a result of authenticating the user to a user unverified state based on detection of the completion of the private key processing in the processing completion detector.

Abstract: Methods and systems are provided for non-cryptographic capabilities of a token such as a smartcard to be used as an additional authentication factor when multi-factor authentication is required. Smartcards are configured to generate a transaction code each time a transaction is attempted by the smartcard. The transaction code is dynamic, changing with each transaction, and therefore is used as a one-time password. When a user attempts to access a service or application requiring at least two authentication factors, a secure processor is used to read transaction code from the smartcard. The secure processor establishes a secure communication with the remote computer hosting the service or application. The transaction code can then be encrypted prior to transmission over the public Internet, providing an additional layer of security.

Abstract: A method of authorizing a user in communication with a workstation is disclosed. According to the method, a system automatically determines a plurality of available user information entry devices in communication with the workstation. The system then determines predetermined user authorization methods each requiring data only from available user information entry devices. The user then selects one of the determined authorization methods for use in user authorization. Optionally, each authorization method is associated with a security level relating to user access to resources. Once the authorization method is selected, the user provides user authorization information in accordance with a determined user authorization method and registration proceeds.

Abstract: To provide external access to a specification file stored in at least one memory unit, which is associated with at least one electronic control unit which may be in a vehicle, a computer is connected to a first communication bus in the vehicle. A first module in the computer is adapted to communicate with the at least one electronic control unit over the first communication bus. Provided that a user-unique key is connected to a port of the computer and a software component of this key is set to an active authorization state, the computer is enabled to communicate with the at least one electronic control unit. Thus, the computer may read out the specification file as well as update the specification file.

Abstract: A trusted platform module (TPM) is a silicon chip that constitutes a secure encryption key-pair generator and key management device. A TPM provides a hardware-based root-of-trust contingent on the generation of the first key-pair that the device creates: the SRK (storage root key). Each SRK is unique, making each TPM unique, and an SRK is never exported from a TPM. Broadly contemplated herein is an arrangement for determining automatically whether a TPM has been replaced or cleared via loading a TPM blob into the TPM prior to the first time it is to be used (e.g. when a security-related software application runs). If the TPM blob loads successfully, then it can be concluded that the TPM is the same TPM that was used previously. If the TPM blob cannot be loaded, then corrective action will preferably take place automatically to configure the new TPM.

Abstract: UIMID of a UIM 50 owned by the owner of a portable phone 40 is stored in an owner information registration area 410b of phone 40. A CPU 405 of portable phone 40, upon receiving content, compares a UIMID of a UIM 50 inserted in phone 40 to the UIMID registered in owner information registration area 410b. The storing of the content in a nonvolatile memory 410 is permitted only when the two UIMIDs agree with each other.

Abstract: Managing user access to application-specific capabilities of a system includes maintaining data correlating application-specific capabilities for each of the applications of the system, where the application-specific capabilities of different applications are independent of each other. Managing user access also includes maintaining data correlating user identifiers with user roles, maintaining data correlating user roles with application-specific capabilities, and managing the data using a security module that accesses the data correlating application-specific capabilities, data correlating user identifiers, and the data correlating user roles. The system may have a plurality of tenants and wherein each of the tenants subscribes to one or more of the applications. Each of the users may correspond to a particular one of the tenants. Each tenant may subscribe to a particular set of applications/features.

Abstract: An information processing apparatus includes: a software storing unit that stores software; a storage recognizing unit that recognizes, when a storage having stored therein first authentication information for enabling a function of the software stored in the software storing unit is connected to the information processing apparatus via an interface unit, that the storage is connected and transmits second authentication information uniquely corresponding to the function of the software to be enabled to the storage; and a function managing unit that enables, when the first authentication information and the second authentication information compared by the storage coincide with each other, the function of the software on the basis of a notification informing that the first authentication information and the second authentication information coincide with each other issued by the storage, the storage deleting the first authentication information.

Abstract: A system and method for securely streaming encrypted digital media content out of a digital container to a user's media player. This streaming occurs after the digital container has been delivered to the user's machine and after the user has been authorized to access the encrypted content. The user's operating system and media player treat the data stream as if it were a being delivered over the Internet (or other network) from a streaming web server. However, no Internet connection is required after the container has been delivered to the user and the data stream suffers no quality loss due to network traffic or web server access problems. In this process of the invention, the encrypted content files are decrypted and fed to the user's media player in real time and are never written to the user's hard drive or storage device. This process makes unauthorized copying of the digital content contained in the digital container virtually impossible.

Abstract: The invention provides methods for efficiently registering a domain name and issuing a certificate without a Subscriber submitting a separate request for the certificate. In some embodiments, a notice may be provided to the Subscriber, after requesting to register a domain name, that a certificate may be issued for the domain name. The certificate may be saved in a Subscriber's account to enable the Subscriber to use the certificate at a later time. In yet other embodiments, a single vetting process may be used to facilitate one or more of: creating a Subscriber's account; registering a domain name; and issuing a certificate.

Abstract: Disclosed procedures automatically identify a carrier-authorized mobile station and verify an account related identifier (e.g. mobile number) associated with the device, in response to start-up of an application in the device. In an example, application start-up causes the device to send a request to an application server, with the device's current IP address, MTN and a device identifier such as MEID or ESN. The server queries a AAA system of the network to retrieve the MTN that has been assigned the IP address. If the retrieved MTN matches the MTN passed to the server in the request, the server queries a network database such as DMD for the device identifier associated with the MTN. A match of the device identifier retrieved from the network database with that passed to the server via the request indicates perfect authenticity of the requesting device and its MTN.

Abstract: A method and apparatus for presenting a media data stream complying with a broadcast encryption standard is disclosed. A dongle is removably coupleable to a rendering device, with the dongle performing transcoding so as to allow presentation of the media in a secure manner without modification of the rendering device software or hardware.

Abstract: A method is provided for controlling multiple access to a network service to prevent fraudulent use of the network service. The method includes identifying an account access counter for an account using identification information received from a user at a first device using a network, wherein the user is requesting access to a service provided at a second device, and further wherein the account access counter is the number of service access sessions active for the account; comparing the account access counter to a maximum account access number, wherein the maximum account access number defines a maximum number of service access sessions allowed for the account; and providing the user at the first device access to the service at the second device if the account access counter is less than the maximum account access number.

Abstract: Disclosed is a system managing usage authorizations, comprising a central computer system, field devices and smart cards, wherein the system maintains databases containing all information relating to the users, user accounts, user smart cards, field devices and products, establishes and maintains at least at times communication with the field devices, issues instructions based on the available information and transmits to a plurality of field devices, with the field devices maintaining information relating to the smart cards and products so that communication between a field device and a smart card allows at least a portion of the smart card-related instructions to be processed from the instruction list and stored on the field device and to be transmitted to the computer system during the next communication, and wherein the smart cards carry to allow exchange of information with a field device and store instructions.

Abstract: An information processing system is supplied capable of holding a security; and transferring an output authority which is had by a transfer source portability terminal to a transfer destination portability terminal.