Tokens (e.g., Smartcards Or Dongles, Etc.) Patents (Class 726/20)
-
Patent number: 8266437
Abstract: A system and method for issuing electronic vouchers representing value. An issuing server generates an eVoucher that a recipient may use to purchase goods and services from a merchant's e-commerce Web site. The eVoucher includes an image, such as a corporate logo, that identifies the issuing merchant. Nonimage data, such as a unique identifier for the eVoucher and encrypted arbitrary text, is embedded in the eVoucher image and is used to track the use of the eVoucher and to verify its authenticity.
Type: Grant
Filed: June 25, 2002
Date of Patent: September 11, 2012
Assignee: JPMorgan Chase Bank, N.A.
Inventor: Vincent Sethi
-
Patent number: 8266441
Abstract: A one-time password (OTP) generator in combination with a conventional credit/debit card comprising a card having a magnetic bar stripe, raised imprint card numbers and name, expiration date and four digit code as are known in the art is provided. Full smart card functionality may also be provided. The card also includes a microprocessor and software, dedicated chip or a memory chip for generating the OTP. A visual and/or audio display is provided on the card to output the OTP to the user. The end user inputs the OTP to access the secured system. The credit/debit card functionality may be used apart from the OTP generator functionality.
Type: Grant
Filed: April 22, 2005
Date of Patent: September 11, 2012
Assignee: Bank of America Corporation
Inventors: Todd Keith Inskeep, Richard Wade Phillips
-
Patent number: 8266451
Abstract: A portable device including a biometric voice sensor configured to detect voice information and to take an action in response to speech spoken into the voice sensor. The device also includes a voice processor configured to process the voice sensor signal characteristics. The portable device may encrypt the detected signal and may compare the detected signal characteristics with voice characteristics that are stored in a memory of the portable device for applications such as voice enabled authentication, identification, command execution, encryption, and free speech recognition. The voice sensor may include a thin membrane portion that detects pressure waves caused by human speech. The portable device may be a contact-type smart card, a contactless smart card, or a hybrid smart card with contact and contactless interfaces. The device may be powered by an internal battery or by a host via contacts or by a power signal making use of the antenna in a contactless implementation.
Type: Grant
Filed: August 31, 2001
Date of Patent: September 11, 2012
Assignee: Gemalto SA
Inventors: Robert A. Leydier, Bertrand du Castel
-
Patent number: 8266684
Abstract: A method and system for unlocking diagnostic functions in a hardware device for a user. The method obtains a signed permission object for the hardware device, and validates the signed permission object. A memory of the hardware device stores a device identifier and a last recorded sequence number. The signed permission object includes a sequence number and is associated with an expiration counter having an initial value that indicates a lifetime for the signed permission object. When the signed permission object is valid, the method updates the expiration counter to decrease the lifetime of the signed permission object, stores the sequence number associated with the signed permission object as the last recorded sequence number in the hardware device, and unlocks the diagnostic functions for the user based on the signed permission object.
Type: Grant
Filed: September 30, 2008
Date of Patent: September 11, 2012
Assignee: General Instrument Corporation
Inventors: Daniel E. Kline, Alexander Medvinsky
-
Patent number: 8251283
Abstract: Systems and methods for token authentication analyze token data over one or more read operations to compute a characteristic master signature for the token. This can be accomplished, for example by analyzing the token data statistically to compute a characteristic signature for the token. Similar techniques can be used to generate a subsequent signature that can be verified against the original characteristic signature to authenticate the token. For example, a signature can be generated on a per use basis and that signature verified against the characteristic signature to validate the token upon use.
Type: Grant
Filed: May 8, 2009
Date of Patent: August 28, 2012
Assignee: Oberon Labs, LLC
Inventor: Kirkpatrick W. Norton
-
Patent number: 8255697
Abstract: A portable or embedded access device is provided for being coupled to, and for allowing only authorized users access to, an access-limited apparatus, device, network or system, e.g. a computer terminal, an internet bank or a corporate or government intranet. The access device comprises an integrated circuit (IC) providing increased security by bridging the functionality of biometrics input from a user and, upon positive authentication of the user's fingerprint locally to provide secure communication with the said access-limited apparatus, device, network or system, whether local or remote. A corresponding method of using the portable device or the embedded device is disclosed for providing a bridge from biometrics input to a computer locally, into secure communication protocol responses to a non-biometrics network. A method of providing secured access control and user input in stand-alone appliances having an embedded access control or user input device according to the invention is also disclosed.
Type: Grant
Filed: December 28, 2007
Date of Patent: August 28, 2012
Assignee: Bware AS
Inventors: Svein Mathiassen, Ivar Mathiassen
-
Patent number: 8255990
Abstract: A method for identifying and performing a vehicle operator computer login to a vehicle computer provided in a vehicle. A device is arranged to request and receive vehicle operator data stored on a data carrier provided for a tachograph comprising a reader for reading the data carrier. The device controls communication of vehicle operator related data to the vehicle computer, wherein the device is arranged to initiate a vehicle operator login procedure of the vehicle computer, in dependence on the data carrier inserted in the tachograph. The invention is also related to a vehicle arrangement, a computer program and a computer program product. The invention solves the problem of providing identification and login of an operator of a vehicle to the vehicle computer in a simplified and secure way. The invention also enables shortened start up/stop times of a vehicle by reducing systems login/logoff time for an operator.
Type: Grant
Filed: September 12, 2006
Date of Patent: August 28, 2012
Assignee: Scania CV AB (Publ)
Inventors: Fredrik Callenryd, Fredrik Palmqvist, Mathias Bjorkman
-
Patent number: 8250649
Abstract: System (1) for securing a data processing application, the said system comprising: first means (2) for interfacing with a security device (3); second means (4) for interfacing with the user; third means (6) for interfacing with the application and adapted for intercepting any request to use the said security device originating from the said application destined for the said security device; authentication means (8) connected to the first and second interfacing means, adapted for authenticating the user as legitimate user of the security device by requesting at least one secret; means (10) for storing the result of the authentication; validation means connected to the storage means and to the first and third interfacing means, adapted for authorizing any request originating from the application, destined for the said security device if and only if, the user is authenticated.
Type: Grant
Filed: June 20, 2008
Date of Patent: August 21, 2012
Assignee: Cassidian SAS
Inventors: Xavier Gonzalez, Yann Fleutot, Cyril Moquereau
-
Patent number: 8250627
Abstract: One embodiment provides a computer-implemented method for transaction authorization within a security service. The computer-implemented method intercepts a request by a security service, wherein a transaction identifier is cached to form a cached transaction identifier, and requests the requester to authenticate to form an authentication request. The computer-implemented method further determines whether the requester was authenticated, and responsive to a determination the requester was authenticated, receives authentication information, including an associated transaction identifier. The request is intercepted and the cached transaction identifier inserted.
Type: Grant
Filed: July 28, 2008
Date of Patent: August 21, 2012
Assignee: International Business Machines Corporation
Inventors: Scott Anthony Exton, Benjamin Brewer Harmon, Christopher John Hockings, Paul William Jensen
-
Patent number: 8245292
Abstract: Methods and systems are provided for non-cryptographic capabilities of a token such as a smartcard to be used as an additional authentication factor when multi-factor authentication is required. Smartcards are configured to generate a transaction code each time a transaction is attempted by the smartcard. The transaction code is dynamic, changing with each transaction, and therefore is used as a one-time password. When a user attempts to access a service or application requiring at least two authentication factors, a secure processor is used to read transaction code from the smartcard. The secure processor establishes a secure communication with the remote computer hosting the service or application. The transaction code can then be encrypted prior to transmission over the public Internet, providing an additional layer of security.
Type: Grant
Filed: November 15, 2006
Date of Patent: August 14, 2012
Assignee: Broadcom Corporation
Inventor: Mark Buer
-
Patent number: 8245051
Abstract: Systems and methods directed at enhancing the capability of a federated authentication system by configuring the system with extensibility points for adding new account stores and customizing claim transformations. The federated authentication system includes accounts stores, a security token service (STS), and custom claim transformation modules. The account stores are configured to maintain data associated with accounts and to provide security claims in an intermediate format. The STS is configured to retrieve the security claims provided by the account stores and includes built-in transformations for transforming each security claim from the intermediate format to formats associated with resource providers. The STS is further configured to provide extensibility points for custom claim transformations that are not available from the built-in transformations. The custom claim transformation modules are configured to perform at least one custom claim transformation.
Type: Grant
Filed: May 13, 2005
Date of Patent: August 14, 2012
Assignee: Microsoft Corporation
Inventors: Ryan D. Johnson, Donald E. Schmidt, Jeffrey F. Spelman, Kahren Tevosyan, Vijayavani Nori
-
Patent number: 8244920
Abstract: A method of facilitating communications between a computer device and a smart card reader having an associated smart card, the computer device including a smart card resource manager and a smart card reader service, the smart card reader service acting as a relay for commands between the smart card resource manager and the smart card reader, the method comprising: receiving from the smart card resource manager a first command for setting a protocol for communications with the smart card; and responding, prior to receiving a reply from the smart card to the first command, to the smart card resource manager with a message indicating that the smart card has successfully received the first command.
Type: Grant
Filed: May 16, 2011
Date of Patent: August 14, 2012
Assignee: Research In Motion Limited
Inventors: Ravi Singh, Neil Patrick Adams, Dinah Lea Marie Davis
-
Patent number: 8243925
Abstract: A method and apparatus for brokering the enablement of the communication of encrypted media programs from a plurality of independent broadcasters to a plurality of receivers is disclosed. The system makes use of a pairing key for each provided service, which is differently encrypted by a pairing server and by the broadcaster providing the service. The encrypted versions of the pairing key are decrypted in a first receiver module using information known to the pairing service but not the broadcaster and in a second receiver module using information known to the broadcaster. The pairing key is used to cryptographically bind the first and second receiver modules.
Type: Grant
Filed: October 18, 2005
Date of Patent: August 14, 2012
Assignee: Syphermedia International, Inc.
Inventors: Ronald P. Cocchi, Gregory J. Gagnon, Dennis R. Flaharty
-
Patent number: 8245052
Abstract: A method and apparatus of using a token comprises receiving an indication of a presence of a nearby short-range terminal and waking up the token in response to receiving the indication. The method further comprises performing authentication between the token and the terminal, without requiring a user to directly interact with the token.
Type: Grant
Filed: February 22, 2006
Date of Patent: August 14, 2012
Assignee: DigitalPersona, Inc.
Inventor: Vance C. Bjorn
-
Patent number: 8245293
Abstract: The present invention provides methods and apparatuses that utilize a plurality of portable apparatuses to securely operate a plurality of host computers. Each portable apparatus including an operating system and a list of software applications is installed in a removable data storage medium. An authorization procedure is implemented before establishing a connected-state operation between a portable apparatus and a host computer. The host computer loads the operating system in the portable apparatus into its random access semiconductor memory (RAM) through the established connected-state operation.
Type: Grant
Filed: March 30, 2007
Date of Patent: August 14, 2012
Inventor: Evan S. Huang
-
Publication number: 20120198548
Abstract: A smart card issuance system and method are disclosed. In a first aspect a method and system for issuing a smart card device (SC) is disclosed. The method and system comprise providing an initialization phase of the SC by a manufacturer and providing an authentication phase of the SC by the manufacturer. The method and system also include deploying the SC, providing a first time authentication phase for a specific customer by the issuer (IS) after the SC is deployed and starting a first phase of the registration process of the SC for the specific customer by the issuer. The method and system further include providing another authentication phase of the SC by IS after the first time authentication; and providing of an authentication of the IS by the SC. When both the SC and IS are mutually authenticated, the IS and the specific customer are allowed to complete the registration process. In a second aspect, a data transmission process and system for a smart card device (SC) of an issuer (IS) is disclosed.
Type: Application
Filed: February 1, 2011
Publication date: August 2, 2012
Applicant: Kingston Technology Corporation
Inventor: Ben Wei CHEN
-
Patent number: 8234492
Abstract: Provided are a method, client and system for reservation access to a management server using a one-time password. A generated personal identification number (PIN) is transmitted to the management server when a reservation time comes. The management server generates a random number encrypted using the PIN and transmits the random number to the client. The random number encrypted using the PIN is received, the received random number is encrypted by a symmetric-key algorithm using a client secret key and is transmitted to the management server. The management server receives the random number encrypted using the client secret key, and decrypts the received random number using a server secret key and the PIN. A random number before the encryption using the PIN is compared with a decrypted random number, and access of the client is accepted if the two numbers are identical.
Type: Grant
Filed: May 7, 2008
Date of Patent: July 31, 2012
Assignee: Electronics and Telecommunications Research Institute
Inventors: Dae-Won Kim, Seong-Woon Kim
-
Patent number: 8234502
Abstract: A method of automated password authentication by pattern matching regions of screen pixels against a repository of previously captured regions, and submitting a username and a password stored with the regions of the screen pixels for authentication includes triggering an autorunnable application to startup by inserting a memory stick by a user, challenging the user for a master password to access an encrypted database held on the memory stick, running the autorunnable application as a background task following a successful authorization of the user, and checking whether the user has triggered the autorunnable application by a pre-defined key sequence. If the user has triggered the autorunnable application, then the method proceeds with prompting the user to highlight at least one rectangle around a text or an image which uniquely identifies a login panel, capturing a username and a password when entered by the user, and returning the autorunnable application to a background task.
Type: Grant
Filed: August 29, 2008
Date of Patent: July 31, 2012
Assignee: International Business Machines Corporation
Inventors: Adrian David Dick, James Stuart Taylor
-
Publication number: 20120192269
Abstract: A method and a device for remotely controlling the execution of at least one function of a computer system. The method and device are suitable for logging out of a computer application when the user moves a certain distance away from the workstation on which the application is installed. The device includes a mobile identification element (2) having a unique identifier; a computer system (4) with access control; an electronic module forming a base station (3) that can be connected to the computer system (4); a processing system (5) included in the computer system (4), the processing system (5) being capable of communicating with the base station (3) when the latter is connected to the computer system (4).
Type: Application
Filed: September 21, 2010
Publication date: July 26, 2012
Inventor: Stéphane Canet
-
Patent number: 8230515
Abstract: A device may include communication logic to receive a request to perform an activity on behalf of a client, where the activity is related to a primary application and a secondary application. The communication logic may send a response that allows the client to perform the activity when the client is authorized. The device may include evaluation logic to determine whether the client is related to the primary license and to determine whether a secondary license related to the secondary application is available. The evaluation logic may allocate the available secondary license to the client for use with the secondary application when the secondary license is available. The evaluation logic may authorize the client to perform the activity when the secondary license is allocated to the client.
Type: Grant
Filed: October 16, 2006
Date of Patent: July 24, 2012
Assignee: The MathWorks, Inc.
Inventors: Nathan E. Brewton, Victor Chudnovsky, Joe DiPietro, Jeff Wendlandt
-
Patent number: 8230496
Abstract: A method for improving security of the security token, comprising the steps of: detecting the bioelectrical signal of the host user; and allowing the host to access the data stored in the security token after verifying the user. The process of detecting the bioelectrical signal of the host user further comprises the following steps of: capturing the bioelectrical signal of the user; processing the captured bioelectrical signal to produce a bioelectrical feature vector; comparing the bioelectrical feature vector with the previously stored feature vector templates; and verifying the user if the comparing result is greater than or equal to a previously specified threshold. The present also provides two embodiments of an apparatus for improving security of the security token. The present invention eliminates the security problems of the prior art and improves the reliability and security of the security token.
Type: Grant
Filed: September 13, 2007
Date of Patent: July 24, 2012
Assignee: Feitian Technologies Co., Ltd.
Inventors: Zhou Lu, Huazhang Yu
-
Patent number: 8230207
Abstract: Systems and methods of providing security to an external Serial Advanced Technology Attachment (SATA) device are described herein. A controller is connected between the eSATA device and the computing device. On startup, the controller presents a first partition of eSata device as a Read Only Memory, e.g., CD-ROM, but at the same time it restricts access of the computing device to a second partition of the eSata device until receiving a valid identity authentication. The second partition is preferably encrypted with a key stored on a first partition. Decryption is performed in the controller as part of presenting the eSata device. The authentication process is preferably stored in the first partition and downloaded to the computing device on startup.
Type: Grant
Filed: September 29, 2010
Date of Patent: July 24, 2012
Assignee: MCM Portfolio LLC
Inventors: Sree M. Iyer, Nicholas A. Antonopoulos, Santosh Kumar
-
Patent number: 8229997
Abstract: In general, the invention relates to a method for executing at least a portion of a server operation. The method includes providing an extension to a client connected to the server, where the extension includes a portable object connected to the client. The method further includes performing at least the portion of server operation by the extension, where performing at least the portion of the server operation includes executing a copy of at least a portion of server software stored on the portable object.
Type: Grant
Filed: June 22, 2006
Date of Patent: July 24, 2012
Assignee: Gemalto SA
Inventors: Laurent Castillo, Christoph Siegelin
-
Patent number: 8225106
Abstract: Systems and methods are provided for data protection across connected, disconnected, attended, and unattended environments. Embodiments of the inventions may include differential encryption based on network connectivity, attended/unattended status, or a combination thereof. Additional embodiments of the invention incorporate “trust windows” that provide granular and flexible data access as function of the parameters under which sensitive data is accessed. Further embodiments refine the trust windows concept by incorporating dynamic intrusion detection techniques.
Type: Grant
Filed: April 2, 2008
Date of Patent: July 17, 2012
Assignee: Protegrity Corporation
Inventor: Ulf Mattsson
-
Publication number: 20120180123
Abstract: A system is provided and facilitates management of a device by a first entity and management of a third entity by a second entity, wherein by way of the system access rights permitting access otherwise prevented by the device are assignable by the first entity to the second entity, the access rights are able to be administrated by the second entity to the third entity, and the access is obtainable by the third entity using a combination of the access rights and personal identification information to affect the device.
Type: Application
Filed: January 6, 2011
Publication date: July 12, 2012
Applicant: UTC FIRE & SECURITY CORPORATION
Inventors: Adam Kuenzi, Teri Lynne Briskey, James Young, Jonah J. Harkema, David Casey Fale
-
Patent number: 8218765
Abstract: A trusted service which publishes information describing security attributes of computing platforms in a defined physical area, for use by a visitor to a building, for example, who is unfamiliar with the computing platforms available for use therein. In a preferred embodiment, the system provides only details and/or a list of public keys of genuine trusted computing platforms within the area. In another embodiment of the invention, the information system comprises a trusted computing platform for providing selected information to a user's portable computing apparatus.
Type: Grant
Filed: February 22, 2002
Date of Patent: July 10, 2012
Assignee: Hewlett-Packard Development Company, L.P.
Inventors: Graeme John Proudler, Boris Balacheff
-
Patent number: 8219814
Abstract: A user credential management system and method for managing user credentials are provided. The user credential management system comprises an authentication module for authenticating a user login to a mobile device, and a message transforming module for associating a user credential to a message sent from the mobile device to a server. The method comprising the steps of authenticating a user login to a mobile device, locating a user credential associated with the user login, and associating the user credential to a message between the mobile device and a server.
Type: Grant
Filed: June 30, 2005
Date of Patent: July 10, 2012
Assignee: Psion Teklogix Inc.
Inventors: Ian Elbury, Rastislav Hodul
-
Patent number: 8220039
Abstract: A portable mass storage device for use in two factor authentication systems and methods. A secure portable mass storage device protects content from being freely copied with security mechanisms and firmware. The security functionality also protects confidential user credentials and passwords, as well as algorithms and seeds needed for two factor authentication or asymmetric authentication methods. A client application residing in the mass storage device acts as both a password manager and an authentication manager that seamlessly performs the authentication procedures in the background while signing a user into various institutions of his choosing. A very high level of security is integrated into a mass storage device the user has for purposes other than two factor authentication, and the convenience of highly secure password management also comes in a convenient pocket sized package easy for the user to transport.
Type: Grant
Filed: February 26, 2010
Date of Patent: July 10, 2012
Assignee: SanDisk Technologies Inc.
Inventors: Carlos J. Gonzalez, Joerg Ferchau, Fabrice Jogand-Coulomb
-
Patent number: 8219804
Abstract: Techniques are provided for securely managing, using smart cards, the usage of a peripheral device. In one embodiment, both the peripheral device and the smart card have digital certificates and a means for authenticating each other. Each device requires authentication of the other device before access to the device's resources is granted. In one embodiment of the invention, the smart card executes a local Java application for managing usage data. The application provides quota and prior usage data to the peripheral device, and updates on the smart card usage data provided by the peripheral device. The usage data on the smart card is used to limit, audit, or track access to resources and operations on the peripheral device. In another embodiment, the authentication and usage management functions of the smart card is implemented on a remote server.
Type: Grant
Filed: September 13, 2007
Date of Patent: July 10, 2012
Assignee: Ricoh Company, Ltd.
Inventor: Jiang Hong
-
Publication number: 20120173432
Abstract: Self-authorizing tokens are disclosed. Typical embodiments employ a secure element and a secure element interrogator. Such tokens may be used for authorization of financial payments and other secure transactions. In some embodiments the secure element is provisioned with information about a particular payment card holder account. A secure element reader interrogates the smart element and derives information needed to authorize a transaction. In some embodiments the secure element and the secure element interrogator communicate using communications formatted according to ISO 7816-4.
Type: Application
Filed: February 23, 2012
Publication date: July 5, 2012
Inventor: C. Douglas Yeager
-
Patent number: 8214892
Abstract: A system and methods authenticate sensitive information such as passwords. Password characters are transformed into distorted characters and distorted character groups are generated such that each distorted password character is part of a group. An image is created containing the groups and the password or other sensitive information is authenticated when groups are identified within the image that contain the password characters in an expected sequence.
Type: Grant
Filed: July 15, 2009
Date of Patent: July 3, 2012
Assignee: Hewlett-Packard Development Company, L.P.
Inventors: Ira Cohen, Eli Mordechai
-
Patent number: 8214657
Abstract: A method, program product and apparatus include resistance structures positioned proximate security sensitive microchip circuitry. Alteration in the position, makeup or arrangement of the resistance structures may be detected and initiate an action for defending against a reverse engineering or other exploitation effort. The resistance structures may be automatically and selectively designated for monitoring. Some of the resistance structures may have different resistivities. The sensed resistance may be compared to an expected resistance, ratio or other resistance-related value. The structures may be intermingled with false structures, and may be overlapped or otherwise arranged relative to one another to further complicate unwelcome analysis.
Type: Grant
Filed: July 29, 2008
Date of Patent: July 3, 2012
Assignee: International Business Machines Corporation
Inventors: Gerald K Bartley, Darryl J Becker, Paul E Dahlen, Philip R Germann, Andrew B Maki, Mark O Maxson, John E. Sheets, II
-
Patent number: 8214884
Abstract: A management server acts as a repository for a plurality of user certificates corresponding to a plurality of users. When a user wishes to access a remote computer such as a secure-enabled host requiring a secure credential, his/her computer sends a request message to the management server. The management server may perform its own validity checking. In response to a request and conditioned on the management server authorizing access to a computing resource that requires an authorization credential, the management server delivers the requested credential and executable code, the authorization credential comprising information that enables access to the computing resource and the delivered executable code manages the lifecycle of the delivered authorization credential by allowing only temporary storage without caching of the delivered authorization credential.
Type: Grant
Filed: June 25, 2004
Date of Patent: July 3, 2012
Assignee: Attachmate Corporation
Inventors: Sharon Xia, Eduardo Muñoz, Dan Brombaugh
-
Patent number: 8214651
Abstract: Disclosed are embodiments of a radio frequency identification (RFID) authentication system and an associated authentication methodology. The embodiments incorporate an identification device (e.g., an identification badge, a key fob, etc.) with an embedded RFID tag. The embedded RFID tag is associated with a specific user and stores a private key generated as part of a public key-private key encryption scheme. The private key is read by an RFID reader and used to decode public key encrypted data stored within or accessible by a computer system (e.g., a desktop computer system, a laptop computer system, a personal digital assistant (PDA), a digital fax machine, wireless telephone, etc.). Thus, the embodiments provide a portable way to use public key-private key encryption scheme data anywhere using RFID technology.
Type: Grant
Filed: July 9, 2008
Date of Patent: July 3, 2012
Assignee: International Business Machines Corporation
Inventors: Theodoros Anemikos, Shawn P. Fetterolf, Adam J. McPadden
-
Patent number: 8209753
Abstract: An anonymous secure messaging method, system and computer program product for implementation over a wireless connection. The invention allows the securely exchange of information between a security token enabled computer system and an intelligent remote device having an operatively coupled security token thereto over the wireless connection. The invention establishes an anonymous secure messaging channel between the security token and the security token enabled computer system, which allows the intelligent remote device to emulate a locally connected security token peripheral device without requiring a physical connection. A dedicated wireless communications channel is incorporated to prevent several concurrent wireless connections from being established with the security token and potentially compromising the security of the information being sent on concurrent wireless connections.
Type: Grant
Filed: December 22, 2003
Date of Patent: June 26, 2012
Assignee: Activcard, Inc.
Inventors: Wu Wen, Eric F. Le Saint, Jerome Antoine Marie Becquart
-
Patent number: 8209754
Abstract: A secure NFC apparatus includes a plug-in socket, an NFC unit, and a protocol matching unit. A security module is inserted in the plug-in socket. The NFC unit communicates with the outside via non-contact NFC using signals based on an S2C protocol. The protocol matching unit determines the type of chip in the inserted security module, generates a chip identification signal according to results of the identification, and matches the protocol of the signals based on the S2C protocol, which are input to and output from the NFC unit, with the protocol of the signals, which are input to and output from the security module, according to the chip identification signal.
Type: Grant
Filed: September 1, 2006
Date of Patent: June 26, 2012
Assignee: SK Telecom Co., Ltd.
Inventors: Sung-Rock Cheon, Jae-Sic Jeon, O-Hyon Kwon, Joo-Sik Lee
-
Patent number: 8205249
Abstract: A method for effecting a secure electronic transaction on a terminal using a portable data carrier is proposed. According to the method a user (30) first authenticates himself vis-à-vis the portable data carrier (20). The portable data carrier (20) at the same time produces quality information about how authentication was done. The authentication is confirmed to the terminal (14). Then the portable data carrier (20) performs a security-establishing operation within the transaction, for example the creation of a digital signature. It attaches the quality information to the result of the security-establishing operation.
Type: Grant
Filed: October 23, 2003
Date of Patent: June 19, 2012
Assignee: Giesecke & Devrient GmbH
Inventors: Gisela Meister, Nigol Martin
-
Patent number: 8201233
Abstract: Methods and apparatus are provided to allow Internet Key Exchange (IKE) phase 1 keying materials to be periodically refreshed in a secure manner without requiring user interaction. A client and server perform authentication and key exchange during set up of a secure connection. A token is passed to the client by the server during or after the initial user authentication phase. The token is stored both at the client and at the server. Instead of requiring user credentials, the token can be used to securely prove the identity of the client.
Type: Grant
Filed: February 6, 2006
Date of Patent: June 12, 2012
Assignee: Cisco Technology, Inc.
Inventors: Stephane Beaulieu, David Silverman, Scott Fanning
-
Patent number: 8201215
Abstract: The delegation of rights may be controlled in a number of manners. In an example implementation, a delegation authority assertion is formulated with a delegator principal, a delegatee principal, a verb phrase, a resource, and a delegation-directive verb. In another example implementation, a delegation mechanism involving an assertor, a first principal, and a second principal enables a delegation to be specifically controlled. In yet another example implementation, a chained delegation mechanism enables explicit control of a permitted transitive chaining depth.
Type: Grant
Filed: September 8, 2006
Date of Patent: June 12, 2012
Assignee: Microsoft Corporation
Inventors: Blair B. Dillaway, Moritz Y. Becker, Andrew D. Gordon, Cedric Fournet
-
Patent number: 8201258
Abstract: Systems and/or methods that facilitate programming content to a plurality of nonvolatile memory devices are presented. A wafer program component facilitates programming content to a plurality of memory devices contained on a wafer. The wafer program component can interface with the wafer and can employ parallel processes to program the memory devices on the wafer at substantially the same time. The content programmed to the memory devices can be the same content or different content. A portion of the content can be access-restricted where authentication information is to be provided in order to be granted access to such content, where access-restricted content can include content associated with subscriptions or personal information of a user(s).
Type: Grant
Filed: October 17, 2007
Date of Patent: June 12, 2012
Assignee: Spansion LLC
Inventor: Fredric Cherpantier
-
Publication number: 20120144479
Abstract: The invention provides a system, a secure device and a method for authenticating dynamically a host device with a secure device without modifying hardware or basic functional software of the host device. An authentication engine implemented in the secure device allows detecting non-authorized host devices or illegal secure devices environment. The secure device is locally connected to the host device comprising at least one processor configured for handling a plurality of hardware or software parameters defining the functioning behavior of the host device. A memory associated to the processor stores a plurality of reference hardware and software parameters. The secure device monitors the behavior of the host device both in terms of hardware and software. After comparison with the reference parameters, the host device is considered as authentic or authorized only when the values of counters associated to the hardware and software parameters are within an acceptable.
Type: Application
Filed: December 1, 2011
Publication date: June 7, 2012
Applicant: Nagravision S.A.
Inventor: Dominique LEFLOCH
-
Patent number: 8195126
Abstract: System and method for controlling access to information about or from computing devices in which an authorization request to enable a first one of the devices to obtain information from or about a second one of the devices is generated and directed to the second device with a token assigned to the first device. Once the token is received by the second device, the authorization request is presented to its user in a form enabling viewing and manual entry of the token into the second device. The user of the first device can, when desired, request information from or about the second device. The request is fulfilled and the information from or about the second device is provided to the first device only after the user of the second device has manually entered the token assigned to the first device.
Type: Grant
Filed: April 8, 2010
Date of Patent: June 5, 2012
Assignee: Mexens Intellectual Property Holding LLC
Inventor: Cyril Houri
-
Patent number: 8194537
Abstract: In the terminal affiliation switchover system of the invention, in the case of allocation of an IP address to one terminal in a VPN#1 in response to an IP address allocation request, a DHCP server module 121 changes registry information in a DHCP table 122 provided for the VPN#1 and simultaneously makes the change of the registry information reflected in registry of a DHCP table 222 provided for a VPN#2 via a DHCP server module 221. Similarly in the case of allocation of an IP address to one terminal in the VPN#2 in response to an IP address allocation request, the DHCP server module 221 changes the registry information in the DHCP table 222 for the VPN#2 and simultaneously makes the change of the registry information reflected in the registry of the DHCP table 122 for the VPN#1 via the DHCP server module 121.
Type: Grant
Filed: August 3, 2007
Date of Patent: June 5, 2012
Assignee: ALAXALA Networks Corporation
Inventor: Motohide Nomi
-
Patent number: 8190893
Abstract: A technique for providing message authenticity includes accepting transaction information, accepting a first data item used for authenticating an originating user, cryptographically processing the transaction information using only a second data item, wherein the entropy of the first data item is less than the entropy of the second data item, and authenticating the originating user using the first data item. The first data item can be a sequence of digits corresponding to those displayed on an external device, such as, for example, an RSA authorization token, credit card, etc. In general, the first data item will be a short alphanumeric string and the second data item will generally be much larger, e.g., a 128 bit sequence to be used principally for data authentication. According to another aspect of the present invention, consequential evidence of the transaction may be secured to provide after-the-fact evidence of the transaction.
Type: Grant
Filed: July 1, 2004
Date of Patent: May 29, 2012
Assignee: JP Morgan Chase Bank
Inventors: Glenn Stuart Benson, Joseph R. Calaceto, Russell M. Logar
-
Patent number: 8191164
Abstract: A method of managing access rights in a smart card, to subordinating execution of a command (Cmd1, Cmdk) such as reading or writing to an event (Evt1?, Evtk?) being valid, such as authentication by verifying a code. The state of validation events is stored in a register, and the access rights are stored in a command list (List_Cmd) made up of couples (Cpl1, Cplk), each associating a command with an event. On receiving a request to execute a command, a search is made in the command list (List_Cmd) for the couple (Cpl1, Cplk) that includes the requested command, and execution is refused if the search is unsuccessful. If the search is successful, then it is determined from the register (referred to as the card security state register) whether the event associated with the command is or is not valid, in order to authorize or refuse execution thereof. The invention is for use in any smart card application that involves access rights.
Type: Grant
Filed: October 29, 2008
Date of Patent: May 29, 2012
Assignee: Morpho
Inventors: Cyrille Pepin, Guillaume Roudiere
-
Patent number: 8185747
Abstract: Methods for pre-registering a participant in a program database using a participant smart card and biometric data in a verification process to manage fraud and enhance security and privacy protection are disclosed. The methods include pre-registering, or alternatively registering, individual information including biometric data in the program database, forming a secured registered account for the participant, and assigning the participant smart card to the participant with the secured registered account. The methods continue by determining risk factors for the participant, assigning at least one program with program risk factors to the participant, authenticating identity of the participant at a program access point, receiving eligibility verification or denial of the participant to access and use assigned programs, and updating the database data for exit verification.
Type: Grant
Filed: August 16, 2007
Date of Patent: May 22, 2012
Assignee: Access Security Protection, LLC
Inventors: Richard Glee Wood, Christine Taunya Wood
-
Patent number: 8185950
Abstract: An information forming apparatus includes: a communication unit that carries out data communication with an authentication card inserted into a card slot; an authentication unit that authenticates that a user who attempts to operate the apparatus is an authorized user by sending entered authenticating information to the authentication card; a storing unit that stores the entered authenticating information; and a process execution unit that, when a process is invoked that requires input of authenticating information to the authentication card, executes the process using the authenticating information stored in the storing unit.
Type: Grant
Filed: April 9, 2008
Date of Patent: May 22, 2012
Assignee: Fuji Xerox Co., Ltd.
Inventor: Takanori Masui
-
Patent number: 8181028
Abstract: In one embodiment, a key list entry corresponding to a user's private key is securely deleted from a key list of a user device on shutdown of the user device. Subsequently, input of the user's private key will not allow decryption of an encrypted partition storing encrypted data on the user device. In another embodiment, a key list entry corresponding to a user's private key is automatically and securely re-provisioned on boot up of the user device. Subsequently, input of the user's private key will allow decryption of the encrypted partition on the user device.
Type: Grant
Filed: June 17, 2008
Date of Patent: May 15, 2012
Assignee: Symantec Corporation
Inventors: Brian Hernacki, Sourabh Satish
-
Patent number: 8181008
Abstract: The aim of the present invention is to provide a secure system-on-chip for processing data, this system-on-chip having at least a central processing unit, an input and an output channel, an encryption/decryption engine and a memory. The system-on-chip having real-time working conditions while receiving and sending data, having an autonomous supervision module which is preprogrammed with normal working conditions definitions of at least the input and/or output data flow to enable or disable the input/output channel according to the comparison on the real-time working conditions and the normal working conditions definitions.
Type: Grant
Filed: December 21, 2006
Date of Patent: May 15, 2012
Assignee: Nagracard S.A.
Inventor: André Kudelski
-
Publication number: 20120114119
Abstract: A method in one example implementation includes extracting a plurality of data elements from a record of a data file, tokenizing the data elements into tokens, and storing the tokens in a first tuple of a registration list. The method further includes selecting one of the tokens as a token key for the first tuple, where the token is selected because it occurs less frequently in the registration list than each of the other tokens in the first tuple. In specific embodiments, at least one data element is an expression element having a character pattern matching a predefined expression pattern that represents at least two words and a separator between the words. In other embodiments, at least one data element is a word defined by a character pattern of one or more consecutive essential characters. Other specific embodiments include determining an end of the record by recognizing a predefined delimiter.
Type: Application
Filed: November 4, 2010
Publication date: May 10, 2012
Inventors: Ratinder Paul Singh Ahuja, William J. Deninger