Tokens (e.g., Smartcards Or Dongles, Etc.) Patents (Class 726/20)
  • Patent number: 8082575
    Abstract: The present invention provides a system, method and apparatus that includes a user device having a magnetic field generator disposed within a substrate that is normally inactive, an initiator mounted on the substrate, a memory disposed within the substrate and a processor disposed within the substrate that is communicably coupled to the magnetic field generator, the initiator and the memory. The processor is operable to process information received from the initiator, generate a time varying code in response to the received information and activate the magnetic field generator. A power source is also disposed within the substrate. The magnetic field generator can create a spatial magnetic signal using a magnetic stripe and one or more induction coils, or create a time-varying magnetic signal for emulating data obtained from swiping a traditional magnetic stripe card through a magnetic card reader.
    Type: Grant
    Filed: February 21, 2006
    Date of Patent: December 20, 2011
    Assignee: Rampart-ID Systems, Inc.
    Inventors: Ralph O. Doughty, Patrick R. Antaki, Kenneth P. Weiss
  • Patent number: 8082450
    Abstract: According to the inventive method, the chip card, a counting function (FC), a counter (Cpt) and a private key (Cf) stored in the write-only part of the memory region are stored in a persistent memory, the counter and the private key (Cf) being accessible only by the counting function (FC). When the chip card receives a counter request emitted by a requesting entity (ER), the counting function (FC) performs a modification of the counter (Cpt) and a calculation of a signature, and sends a response to the applicant entity (ER). When the on-board system receives the response to the counter request, the signature contained in the response is checked.
    Type: Grant
    Filed: December 14, 2006
    Date of Patent: December 20, 2011
    Assignee: Trusted Logic
    Inventors: Alexandre Frey, Dominique Bolignano, Axelle Apvrille
  • Patent number: 8079068
    Abstract: A system and method for automatically managing a connection between a user device and a security token access device. The access device is adapted to wirelessly communicate with a plurality of user devices and to be securely paired with at least one of the plurality of user devices, and is further adapted to maintain connection information relating to each of the plurality of user devices. The connection information comprises security information for each user device securely paired with the access device. The access device automatically manages a connection by maintaining a store of connection information comprising security information for each of a set of at least one securely paired user devices; determining whether one of the securely paired user devices is a stale device; and if it is determined that one of the securely paired user devices is a stale device, implementing a management protocol for handling the stale device.
    Type: Grant
    Filed: July 17, 2006
    Date of Patent: December 13, 2011
    Assignee: Research In Motion Limited
    Inventor: Neil P. Adams
  • Patent number: 8074081
    Abstract: A data storage device includes a plurality of data storage units, a physical random number generator with a noise source based on a physical noise process, for generating a random number, and a replacer for selecting a data storage unit wherein data is to be stored, depending on the random number. Selecting, on the basis of genuine random numbers, data storage units and/or lines to be replaced in the cache.
    Type: Grant
    Filed: October 15, 2004
    Date of Patent: December 6, 2011
    Assignee: Infineon Technologies AG
    Inventor: Berndt Gammel
  • Patent number: 8074257
    Abstract: When a user connects a pluggable card store to a machine, the machine plugs a pluggable card provider into a card provider registry. The pluggable card store can be an object portable to the user, or can be a remote store available via some connection, such as an FTP connection. The user can then use the information cards stored on the pluggable card store in a transaction.
    Type: Grant
    Filed: August 22, 2007
    Date of Patent: December 6, 2011
    Inventors: Patrick R. Felsted, Andrew A. Hodgkinson, Daniel S. Sanders, James G. Sermersheim, James Mark Norman
  • Patent number: 8074271
    Abstract: Method and devices for making access decisions in a secure access network are provided. The access decisions are made by a portable credential using data and algorithms stored on the credential. Since access decisions are made by the portable credential non-networked hosts or local hosts can be employed that do not necessarily need to be connected to a central access controller or database thereby reducing the cost of building and maintaining the secure access network.
    Type: Grant
    Filed: July 16, 2007
    Date of Patent: December 6, 2011
    Assignee: Assa Abloy AB
    Inventors: Michael L. Davis, Robert Wamsley, Tam Hulusi
  • Patent number: 8074266
    Abstract: By enabling to write information which is readable only by an IC card owner on an IC card without inputting a PIN and to authenticate a creator of the written information and prevent falsification, it is guaranteed that data written on the IC card can be read only by the IC card owner, the creator of the written data can be specified, and the written data has not been falsified. A secure memory card 101 includes a card private key storing unit 208 storing a private key, a card certificate storing unit 202 storing a certificate of a public key which forms a pair with the private key, a certificate sending unit 201 sending the certificate to a PC 102, a private storing unit 203 which is readable/writable from the outside only when a correct PIN is input, a public storing unit 210 which is readable/writable from the outside without checking a PIN, a confidential data receiving unit 211 receiving confidential data from the PC 102, and so on.
    Type: Grant
    Filed: August 20, 2004
    Date of Patent: December 6, 2011
    Assignee: Mitsubishi Electric Corporation
    Inventor: Takeshi Yoneda
  • Publication number: 20110296522
    Abstract: Described herein are systems and methods for centralizing and standardizing implementation of security tokens so as to provide one token per one user for accessing business applications across an enterprise, providing scalability to support authentication of as many enterprise users as desired or needed, and providing a standardized token management interface that supports both pre-binding and post-binding user registration processes and different types of security token.
    Type: Application
    Filed: August 9, 2011
    Publication date: December 1, 2011
    Applicant: Citibank, N.A.
    Inventors: Jerry Speyer, Sandeep Nair, Ricky Luo
  • Publication number: 20110296502
    Abstract: To control privileges and access to resources on a per-process basis, an administrator creates a rule that may be applied to modify a process's token. The rule includes an application-criterion set and changes to be made to the groups and/or privileges of a token. The rule is set as a policy within a group policy object (GPO), where a GPO is associated with one or more groups of computers. When a GPO containing a rule is applied to a computer, a driver installed on the computer accesses the rule(s) anytime a logged-on user executes a process. If the executed process satisfies the criterion set of a rule the changes contained within the rule are made to the process token, and the user has expanded and/or contracted access and/or privileges for only that process.
    Type: Application
    Filed: August 10, 2011
    Publication date: December 1, 2011
    Inventor: Marco Peretti
  • Patent number: 8069478
    Abstract: A chip mountable on a replaceable unit used in an image forming job is disclosed. The chip includes a central processing unit (CPU) to perform at least one of authentication and cryptographic data communication with a main body of the image forming apparatus using an operating system (OS) of the CPU which operates separately from an OS of the image forming apparatus. With the use of such a configuration, security for a unit in which the chip is mounted can thereby be reinforced.
    Type: Grant
    Filed: September 24, 2010
    Date of Patent: November 29, 2011
    Assignee: SAMSUNG Electronics Co., Ltd.
    Inventors: Won-il Cho, Jae-sung Lee, Yoon-tae Lee
  • Patent number: 8069477
    Abstract: A chip mountable on a customer replaceable unit monitoring memory (CRUM) unit used in an image forming job includes a central processing unit (CPU) with its own operating system (OS), which operates separately from an OS of the image forming apparatus, to perform authentication communication with a main body of the image forming apparatus using the OS of the CPU. The security of a unit on which the chip is mounted can thereby be reinforced and random changes of data of the unit can be prevented.
    Type: Grant
    Filed: September 24, 2010
    Date of Patent: November 29, 2011
    Assignee: SAMSUNG Electronics Co., Ltd.
    Inventors: Jae-sung Lee, Yoon-tae Lee, Won-il Cho
  • Patent number: 8065717
    Abstract: This invention provides a system, method and computer program product to allow a user to access administrative security features associated with the use of a security token. The administrative security features provide the user the ability to unlock a locked security token, diagnose a security token, activate and deactivate a security token, request a replacement security token or temporary password or report the loss of a security token. The invention comprises a client application which integrates into the standard user login dialog associated with an operating system. A portion of the user dialog is linked to a remote server to access the administrative services.
    Type: Grant
    Filed: November 27, 2002
    Date of Patent: November 22, 2011
    Assignee: Activcard
    Inventor: Jamie Angus Band
  • Patent number: 8065718
    Abstract: A method and apparatus for secure authentication of a hardware token is disclosed. In one embodiment, a host computer fingerprint is used to generate a partial seed for a challenge-response authentication which is performed on the hardware token. In another embodiment, the host computer fingerprint is used as a personal identification number for the hardware token.
    Type: Grant
    Filed: October 30, 2007
    Date of Patent: November 22, 2011
    Assignee: SafeNet, Inc.
    Inventors: Brian Grove, Reed Tibbetts, James Khalaf, Laszlo Elteto
  • Patent number: 8060750
    Abstract: A technique is utilized in the configuration and seeding of security tokens at third party facilities, particularly at facilities of a configuration agent, such that a token can be configured without the configuration agent having security-defeating knowledge about the token. Such a technique allows a third party to provision a token with a seed, but in such a way that the third party will not know, or be able to construct, the seed after the seed provisioning process is complete. The seed may include, by way of example, a symmetric key or other secret shared by two or more entities. In some arrangements, a method is used for secure seed provisioning. Data is derived from inherent randomness in a token or other authentication device. Based on the data, the token or other authentication device is provisioned with a seed.
    Type: Grant
    Filed: June 29, 2007
    Date of Patent: November 15, 2011
    Assignee: EMC Corporation
    Inventors: William M. Duane, Eric A. Silva, Marco Ciaffi
  • Patent number: 8060751
    Abstract: A programmable electronic device (10) stores a number of cipher-text software modules (14) to which access is granted after evaluating a user's token (55, 80, 82), a software-restriction class (58) for a requested software module (14), and/or a currently active access-control model (60). Access-control models (60) span a range from uncontrolled to highly restrictive. Models (60) become automatically activated and deactivated as users are added to and deleted from the device (10). A virtual internal user proxy that does not require users to provide tokens (80, 82) is used to enable access to modules (16) classified in a global software-restriction class (62) or when an uncontrolled-access-control model (68) is active. Both licensed modules (76) and unlicensed modules (18,78) may be loaded in the device (10). However, no keys are provided to enable decryption of unlicensed modules (18,78).
    Type: Grant
    Filed: September 19, 2007
    Date of Patent: November 15, 2011
    Assignee: General Dynamics C4 Systems, Inc.
    Inventors: Paul Thomas Kitaj, Sherman W. Paskett, Douglas Allan Hardy, Frank Edward Seeker, Steve Robert Tuggenberg
  • Patent number: 8056126
    Abstract: An authentication system for an instruction processing apparatus includes first and second authentication portions each for performing user authentication at the time of using the instruction processing apparatus, and a controller which makes the first authentication portion execute the user authentication and switches from the first authentication portion to the second authentication portion when the user authentication by the first authentication portion cannot be established.
    Type: Grant
    Filed: December 23, 2004
    Date of Patent: November 8, 2011
    Assignee: Konica Minolta Business Technologies, Inc.
    Inventors: Toshihiko Otake, Daisuke Sakiyama, Takanobu Kuge, Hideyuki Matsuda
  • Patent number: 8054978
    Abstract: A method for content access control operative to enable authorized devices to access protected content and to prevent unauthorized devices from accessing protected content, the method comprising: providing a plurality of authorized devices; dividing the plurality of authorized devices into a plurality of groups, each of the plurality of authorized devices being comprised in at least one of the plurality of groups, no two devices of the plurality of authorized devices being comprised in exactly the same groups; determining whether at least one device of the plurality of authorized devices is to be prevented from having access to the protected content and, if at least one device is to be prevented, removing all groups comprising the at least one device from the plurality of groups, thus producing a set of remaining groups; and determining an authorized set comprising groups from the set of remaining groups, such that each device of the plurality of authorized devices which was not determined, in the determining
    Type: Grant
    Filed: February 28, 2008
    Date of Patent: November 8, 2011
    Assignee: NDS Limited
    Inventor: Yevgeny Yakov (Gene) Itkis
  • Patent number: 8051491
    Abstract: Techniques are described for managing access to computing-related resources that, for example, may enable multiple distinct parties to independently control access to the resources (e.g., such that a request to access a resource succeeds only if all of multiple associated parties approve that access). For example, an executing software application may, on behalf of an end user, make use of computing-related resources of one or more types that are provided by one or more remote third-party network services (e.g., data storage services provided by an online storage service)—in such a situation, both the developer user who created the software application and the end user may be allowed to independently specify access rights for one or more particular such computing-related resources (e.g., stored data files), such that neither the end user nor the software application developer user may later access those resources without the approval of the other party.
    Type: Grant
    Filed: December 28, 2007
    Date of Patent: November 1, 2011
    Assignee: Amazon Technologies, Inc.
    Inventors: Mark Joseph Cavage, John Cormie, Nathan R. Fitch, Don Johnson, Peter Sirota
  • Patent number: 8046584
    Abstract: Method for checking the signature of a message. The message, signature, and a certificate are sent by a signer having a public key to a recipient having a message storage device. The certificate is checked by a protected device connected to the message storage device and a checking result data element is sent for checking to a display device connected to the protected device. When the certificate is verified, a reduction of the message is calculated in the protected device and the message is recopied onto the display device. The signature is decrypted using the public key in the protected device, and the decrypted signature is compared with the reduction carried out. According to the comparison, a message is sent from the protected device to the display device indicating whether the signature conforms or does not conform to the message or to the public key of the signer put forward.
    Type: Grant
    Filed: November 12, 2003
    Date of Patent: October 25, 2011
    Assignee: Gemalto SA
    Inventor: Arnaud Fausse
  • Publication number: 20110258442
    Abstract: A method and apparatus for securely broadcasting an instantaneous deposition testimony is provided. The method includes capturing a witness's testimony, authenticating the testimony, transmitting the testimony in instantaneous to authorized subscribers, viewers and participants remotely located from the deposition through a peer-to-peer network connection using the Internet. Accordingly, the invention allows subscribing attorneys to interactively access and save the textual deposition documents, while also allowing interactive communication between the deposing attorney and attorneys or colleagues at the home-office or other remote locations, during the deposition.
    Type: Application
    Filed: April 17, 2010
    Publication date: October 20, 2011
    Inventors: Allan Casilao, Tito Bautista, Monday U. Abengowe
  • Patent number: 8042174
    Abstract: An image processing device is provided with an external storage which is detachably connectable to the image processing device, an inputting unit configured to allow a user to input user information, a registration unit configured to register ID information intrinsic to the external storage and the user information input through the inputting unit with registration data in a related manner, a permission unit configured to retrieve the ID information from the external storage and permit access to the external storage connected to the image processing device only if the retrieved ID information is included in the registered ID information which is registered with the registration data, and a data processing unit configured to read/write data from/to the external storage if access to the external storage is permitted by the permission unit.
    Type: Grant
    Filed: February 21, 2008
    Date of Patent: October 18, 2011
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventor: Hiroshi Hattori
  • Patent number: 8042175
    Abstract: If content is transmitted/received through a digital signal bus, protection of copyright causes a problem because of no deterioration in quality. Accordingly, authentication is required. The quantity of information to be processed is, however, so large that a long time is required for authentication. Accordingly, both achievement of handling property as in conventional analog connection and protection of copyrighted content without user's awareness become an object. The foregoing object can be achieved by authentication which is executed, for management of copyright, among apparatuses connected to the digital signal bus when the apparatuses are powered on or connected to the digital signal bus or when an input terminal connected to the digital signal bus is selected. The object can be further achieved by an encryption key shared among these apparatuses.
    Type: Grant
    Filed: October 8, 2008
    Date of Patent: October 18, 2011
    Assignee: Hitachi, Ltd.
    Inventors: Seiichi Saitoh, Manabu Sasamoto, Hiroo Okamoto
  • Patent number: 8042155
    Abstract: A system and method which generates a single use password based on a challenge/response protocol. A box manager module executing within a security appliance identifies a public key (P) and salt value (S) associated with an administrator's smart card and generates a random nonce (N). The box manager transmits a challenge comprising the following elements: <SHA1(N), BM_ID, P[N, BM_ID], S>. Upon receiving the challenge, the administration card decrypts P[N, BM_ID] using the private key contained within the card and computes SHA1(N). The administration card then compares its computed values with the received values from the box manager. If the values match, then the administration card returns a response comprising the following elements: HMAC_N[user, SHA1 (password, S)], where HMAC_N represents the SHA1 keyed hash message authentication check of the response elements using the nonce N as the key.
    Type: Grant
    Filed: September 29, 2006
    Date of Patent: October 18, 2011
    Assignee: NetApp, Inc.
    Inventors: Lawrence Wen-Hao Chang, Ananthan Subramanian
  • Patent number: 8042157
    Abstract: A filter is arranged to selectively block or allow a data access command from an initiator according to whether the initiator is secure or insecure and whether a data source or destination being accessed is privileged or unprivileged. The data access command contains an identification of the initiator from which the data access command originated and an identification of the data source or destination being accessed. The security filter compares the initiator identification and data source or destination identification contained within the data access command with a list of those initiators defined as secure and a list of those data sources or destinations which are defined as unprivileged. The filter then blocks or allows the data access command signal according to a set of rules.
    Type: Grant
    Filed: August 18, 2006
    Date of Patent: October 18, 2011
    Assignee: STMicroelectronics Limited
    Inventors: Peter Bennett, Andrew Dellow
  • Publication number: 20110252471
    Abstract: A computer system with electronic lock is presented, which includes an end-user unit and a mobile unit. The end-user unit has a communication port and an identification database coupling with the communication port and storing at least one identification code. The mobile unit has an identifying module with a logging code, with the mobile unit able to connect with the end-user unit through the communication port to connect the identifying module with the identification database of the end-user unit. When the mobile unit is coupled with the end-user unit, the end-user unit catches the logging code and executes an identifying process to determine whether the logging code is one of the at least one identification code in the identification database.
    Type: Application
    Filed: April 7, 2010
    Publication date: October 13, 2011
    Inventors: Jian-Jr Lin, Ke-Sen Huang, Yi-Chan Teng
  • Patent number: 8037294
    Abstract: An identification tag for authenticating a product is associated with the product and has authentication data transmissible to a reader device. The authentication data include source data including a tag identifier that uniquely identifies the identification tag and a signature value that is a result of a private key encryption of a representation of the source data, where the private key encryption uses a private key of a public key encryption method.
    Type: Grant
    Filed: April 7, 2006
    Date of Patent: October 11, 2011
    Assignee: SAP AG
    Inventor: Zoltan Nochta
  • Patent number: 8037193
    Abstract: A virtual token represents an item, and includes embedded data defining rules and/or capabilities which apply to the use of the item. A virtual token may include graphical image data which is used to generate a display on a computer, whereby selection of the display allows the item represented by the virtual token to be used. A virtual token may contain instructions for sending access requests to a location on a communications network. A system for handling virtual tokens includes a clearing and routing house for routing token access requests, authenticating and generating tokens, and maintaining container structures for tokens. The system also includes connectors installed in a communications network for creating, controlling and managing items represented by tokens, and device clients for executing token components that issue access requests to the clearing and routing house.
    Type: Grant
    Filed: December 20, 2000
    Date of Patent: October 11, 2011
    Assignee: Telstra Corporation Limited
    Inventors: Brian Robert Hay, Timothy Winston Hibberd, Ronald George Leenders, Richard David Kinder
  • Patent number: 8032932
    Abstract: Described herein are systems and methods for centralizing and standardizing implementation of security tokens so as to provide one token per one user for accessing business applications across an enterprise, providing scalability to support authentication of as many enterprise users as desired or needed, and providing a standardized token management interface that supports both pre-binding and post-binding user registration processes and different types of security token.
    Type: Grant
    Filed: August 22, 2008
    Date of Patent: October 4, 2011
    Assignee: Citibank, N.A.
    Inventors: Jerry Speyer, Sandeep Nair, Ricky Luo
  • Patent number: 8032935
    Abstract: As a result of the inability to assign security in multiple applications at one time, there is an opportunity to tie the disparate security systems together. Security synchronization services is a method and apparatus that uses roles to provide a common administration experience for all applications that use it and fits better for new applications.
    Type: Grant
    Filed: June 29, 2007
    Date of Patent: October 4, 2011
    Assignee: Microsoft Corporation
    Inventors: Paul Winje, Michael J. Isley, Grant Eric Swenson, Brian Keith Gullickson
  • Patent number: 8024775
    Abstract: A graphical password authentication method is based on sketches drawn by a user. The method extracts a template edge orientation pattern from an initial sketch of the user and an input edge orientation pattern from an input sketch of the user, compares the similarity between the two edge orientation patterns, and makes an authentication decision based on the similarity. The edge orientations are quantized, and each edge orientation pattern includes a set of quantized orientation patterns each corresponding to one of the quantized edge orientations. The number of quantized edge orientations, as well as other parameters such as the dimension of the final orientation patterns and acceptance threshold, can be optimized either globally or user-specifically.
    Type: Grant
    Filed: February 20, 2008
    Date of Patent: September 20, 2011
    Assignee: Microsoft Corporation
    Inventors: Ying-Qing Xu, Fang Wen, Mizuki Oka
  • Patent number: 8024793
    Abstract: A password generator for use with a detector and a verifier in an encapsulated system is provided, as is a system for generating and verifying passwords. The password generator comprises a support, a sensor for detecting a signal from the detector, a data transmitter for transmitting binary data as pulses, a processor that is initialized by the verifier and that controls the data to be sent, a controller for activating the processor and a connector to releasably connect the password generator with the verifier. The system employs a mouse as the detector.
    Type: Grant
    Filed: January 18, 2008
    Date of Patent: September 20, 2011
    Assignee: University of Victoria Innovation and Development Corporation
    Inventors: Issa Traore, Ahmed Awad E. Ahmed
  • Patent number: 8024809
    Abstract: A system includes a first wireless-enabled device that transparently stores confidential information and a second wireless-enabled device that stores the same confidential information. The confidential information is to be used to secure a wireless communication link between the first device and the second device. One or both of the first device and the second device is to delete the confidential information upon fulfillment of one or more conditions related to the communication link.
    Type: Grant
    Filed: April 4, 2005
    Date of Patent: September 20, 2011
    Assignee: Research In Motion Limited
    Inventors: Neil Adams, Michael S. Brown, Michael K. Brown, Herb Little, Scott Totzke
  • Patent number: 8020198
    Abstract: A network device management apparatus according to this invention is directed to a network device management apparatus, which is connected to a network and manages a network device connected to the network, acquires status information indicating the status of the network device from the network device, saves the acquired status information in a storage unit, randomly generates an address required to access the storage unit, and notifies a pre-registered destination of the generated address, and provides, when an access is made to the address, the status information saved in the storage unit to an accessing party.
    Type: Grant
    Filed: January 22, 2008
    Date of Patent: September 13, 2011
    Assignee: Canon Kabushiki Kaisha
    Inventor: Manami Hatano
  • Patent number: 8019279
    Abstract: The present invention is directed to a method, system and computer program for using a mobile phone as handset for an Internet Protocol (IP) softphone and for automatically transferring calls from an IP softphone running on a workstation to another IP softphone running on another workstation.
    Type: Grant
    Filed: October 5, 2006
    Date of Patent: September 13, 2011
    Assignee: International Business Machines Corporation
    Inventors: Frederic Bauchot, Stephane Lebrun, Gerard Marmigere
  • Publication number: 20110219148
    Abstract: Systems and methods for implementing a secure processor stick are described. In one aspect, the system for implementing a secure processor stick with a computer, the system comprising: a secure processor stick, including: a processor; a memory coupled to said processor; a smart chip coupled to said processor, said smart chip storing data for implementing a secure environment; and an operating system adapted to run on said memory and said processor, wherein said operating system is adapted to provide a secure environment for display on a computer using said data.
    Type: Application
    Filed: March 3, 2010
    Publication date: September 8, 2011
    Inventor: Kwang Wee Lee
  • Patent number: 8015592
    Abstract: The present invention provides a system, method and apparatus that includes a user device having a magnetic field generator disposed within a substrate that is normally inactive, a biometric sensor mounted on the substrate, a memory disposed within the substrate and a processor disposed within the substrate that is communicably coupled to the magnetic field generator, the biometric sensor and the memory. The processor is operable to process biometric information received from the biometric sensor to verify that a user is authorized to use the apparatus and activate the magnetic field generator when the user is verified. A power source is also disposed within the substrate. The magnetic field generator can create a spatially varying magnetic signal using a magnetic stripe and one or more induction coils, or create a time-varying magnetic signal for emulating data obtained from swiping a magnetic stripe card through a magnetic card reader.
    Type: Grant
    Filed: October 7, 2003
    Date of Patent: September 6, 2011
    Assignee: Innovation Connection Corporation
    Inventors: Ralph O. Doughty, Patrick R. Antaki
  • Patent number: 8015597
    Abstract: Issuing and disseminating data about a credential includes having an entity issue authenticated data indicating that the credential has been revoked, causing the authenticated data to be stored in a first card of a first user, utilizing the first card for transferring the authenticated data to a first door, having the first door store information about the authenticated data, and having the first door rely on information about the authenticated data to deny access to the credential. The authenticated data may be authenticated by a digital signature and the first door may verify the digital signature. The digital signature may be a public-key digital signature. The public key for the digital signature may be associated with the credential. The digital signature may be a private-key digital signature. The credential and the first card may both belong to the first user.
    Type: Grant
    Filed: July 16, 2004
    Date of Patent: September 6, 2011
    Assignee: CoreStreet, Ltd.
    Inventors: Phil Libin, Silvio Micali, David Engberg, Alex Sinelnikov
  • Patent number: 8015407
    Abstract: Prior to the execution of a program contained in a second chip card inserted in a terminal such as a mobile radio telephone terminal, in addition to a first chip card containing data and connected to a telecommunication network to which the terminal is linked, one of the cards is authenticated by the other, or the two cards are authenticated mutually. This double authentication ensures the authenticity of the program for its overall execution in the terminal and the origin of the second card, distributed through conventional channels, for the network operator.
    Type: Grant
    Filed: December 14, 2004
    Date of Patent: September 6, 2011
    Assignee: Gemalto SA
    Inventor: Bruno Basquin
  • Patent number: 8010805
    Abstract: A generic access card is paired with a data destination device by insertion into its card slot, and the public portion of a public/private key is stored in the card. The card authenticates the destination device. The paired card is transported to a data source device which includes a card slot and a removable mass storage medium. The card, when inserted into the card slot of the data source and authenticated, transfers the public key to the source device. The source device generates content encoding keys, and encodes the data on the storage medium. The content encoding keys are encoded using the public key, and loaded onto the card. The card and the storage medium are transported to the destination device, where the card provides the encoded encryption keys. The destination device decodes the encrypted content encryption key(s) and decodes the encrypted data for playback or display.
    Type: Grant
    Filed: January 6, 2004
    Date of Patent: August 30, 2011
    Assignee: Thomson Licensing
    Inventors: John Alan Gervais, Mike Arthur Derrenberger
  • Patent number: 8006300
    Abstract: Random partial shared secret recognition is combined with using more than one communication channel between server-side resources and two logical or physical client-side data processing machines. After a first security tier, a first communication channel is opened to a first data processing machine on the client side. The session proceeds by delivering an authentication challenge, identifying a random subset of an authentication credential, to a second data processing machine on the client side using a second communication channel. Next, the user enters an authentication response in the first data processing machine, based on a random subset of the authentication credential. The authentication response is returned to the server side on the first communication channel for matching. The authentication credential can be a one-session-only credential delivered to the user for one session, or a static credential used many times.
    Type: Grant
    Filed: October 24, 2006
    Date of Patent: August 23, 2011
    Assignee: Authernative, Inc.
    Inventor: Len L. Mizrah
  • Patent number: 8006098
    Abstract: The present invention provides methods, systems, computer program products, and methods of doing business whereby legacy host application/system access is integrated with single sign-on in a modern distributed computing environment. A security token used for signing on to the modern computing environment is leveraged, and is mapped to user credentials for the legacy host environment. These user credentials are programmatically inserted into a legacy host data stream, thereby giving the end user the look and feel of seamless access to all applications/systems, including not only modern computing applications/systems but also those residing on (or accessible through) legacy hosts. In addition to providing users with the advantages of single sign-on, the disclosed techniques enable limiting the number of user identifiers and passwords an enterprise has to manage.
    Type: Grant
    Filed: April 24, 2008
    Date of Patent: August 23, 2011
    Assignee: International Business Machines Corporation
    Inventors: Bryan E. Aupperle, Julie H. King, Sidhar R. Muppidi
  • Patent number: 8001593
    Abstract: A user authentication method for an electronic apparatus makes a user authentication based on received first user identification information and registered user identification information and sets the electronic apparatus in an authenticated state if the received first user identification information matches the registered user identification information, and controls the authenticated state after the user authentication based on received second user identification, by continuing the authenticated state if the received second user identification information matches the registered user identification information.
    Type: Grant
    Filed: April 28, 2006
    Date of Patent: August 16, 2011
    Assignee: Ricoh Company, Ltd.
    Inventor: Takahiko Uno
  • Patent number: 8001288
    Abstract: A method and system for enabling personal digital assistants (PDAs) and protecting stored private data. Specifically, one embodiment in accordance with the present invention includes a removable expansion card about the size of a postage stamp which plugs into a slot of a personal digital assistant. The removable expansion card, referred to as a personality card, is capable of storing all of a user's private information and data which is used within their personal digital assistant. By removing the personality card from the personal digital assistant, all of the user's private information and data may be removed from the personal digital assistant. Furthermore, the personal digital assistant may also be rendered totally or partially useless once the personality card is removed from it. There are several advantages associated with a personality card system in accordance with the present invention.
    Type: Grant
    Filed: May 24, 2010
    Date of Patent: August 16, 2011
    Assignee: Access Co., Ltd.
    Inventors: Michael Cortopassi, Eric Fuhs, Thomas Robinson, Edward Endejan
  • Patent number: 7996892
    Abstract: A method, apparatus, and computer usable code for managing confidential data. A request is received to access an application from a user, wherein the application includes logic to process the confidential data. One of a first interface or a second interface is selected based on an identification whether the user is permitted to see the confidential data to form a selected interface in response to receiving the request. A selected interface is presented to the user. The first interface presents the confidential information and the second interface presents non-confidential information without presenting the confidential information. The second interface allows access to the logic in the application without accessing the confidential data.
    Type: Grant
    Filed: May 29, 2008
    Date of Patent: August 9, 2011
    Assignee: International Business Machines Corporation
    Inventor: Ori Pomerantz
  • Patent number: 7992203
    Abstract: An embodiment generally relates to a method of accessing a secure computer. The method includes capturing an authentication state of a security token in response to a verification of user authentication information. The method also includes providing the authentication state to at least one application requiring authentication with the security token and accessing the at least one application.
    Type: Grant
    Filed: May 24, 2006
    Date of Patent: August 2, 2011
    Assignee: Red Hat, Inc.
    Inventor: Robert Relyea
  • Patent number: 7992009
    Abstract: A method of verifying programming of an integrated circuit card includes transferring program data to a page buffer of a non-volatile memory, copying the program data to a buffer memory, calculating a first checksum value with respect to program data in the buffer memory, updating the program data in the buffer memory by copying the program data of the page buffer to the buffer memory, calculating a second checksum value with respect to updated program data in the buffer memory, comparing the first checksum value and the second checksum value, and determining, based on the comparison result, whether the program data of the page buffer is tampered.
    Type: Grant
    Filed: January 5, 2007
    Date of Patent: August 2, 2011
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Kyung-Duck Seo
  • Patent number: 7987502
    Abstract: A system and method for securely streaming encrypted digital media content out of a digital container to a user's media player. This streaming occurs after the digital container has been delivered to the user's machine and after the user has been authorized to access the encrypted content. The user's operating system and media player treat the data stream as if it were being delivered over the Internet (or other network) from a streaming web server. However, no Internet connection is required after the container has been delivered to the user and the data stream suffers no quality loss due to network traffic or web server access problems. In this process of the invention, the encrypted content files are decrypted and fed to the user's media player in real time and are never written to the user's hard drive or storage device. This process makes unauthorized copying of the digital content contained in the digital container virtually impossible.
    Type: Grant
    Filed: June 21, 2007
    Date of Patent: July 26, 2011
    Assignee: Digital Reg of Texas, LLC
    Inventors: Carl Vernon Venters, III, Eugene B. Phillips, II, Seth Ornstein
  • Patent number: 7980876
    Abstract: A system includes an integrated circuit card, a tray configured to receive the integrated circuit card, a connector, and a housing configured to receive the connector. The housing is configured to attach to a mobile communication device, the connector is configured to couple the tray and the integrated circuit card to the mobile communication device, the tray includes one or more one way snaps that are configured to lock the tray and the integrated circuit card to one or more of the connector, the housing, and the mobile communication device, and the tray includes a means for engaging and damaging one or more leads on the connector when attempts are made to disengage the tray and the integrated circuit card from the connector.
    Type: Grant
    Filed: January 17, 2008
    Date of Patent: July 19, 2011
    Assignee: Sasken Communication Technologies Limited
    Inventors: Annappa Bombale, Murali Mohan, Sadhu Sharan Prasad, Siddharth Gaikwad
  • Publication number: 20110173694
    Abstract: A method for activating functions of at least one tachograph having a control unit and an interface. The control unit is activated by a program to perform a first group of functions. First, a connection of an external storage medium to the interface of the at least one tachograph is established. The storage medium has at least one instruction for activating a function, which can be read out by the control unit. An authentication between the external storage medium and the control unit also takes place. The function associated with the at least one instruction is activated in such a way that the function is associated with the first group of the control unit. Next, the connection between the external storage medium and the interface of the at least one tachograph is released.
    Type: Application
    Filed: September 8, 2009
    Publication date: July 14, 2011
    Applicant: Continental Automotive GmbH
    Inventors: Michael Gut, Edmund Mattes
  • Patent number: RE42861
    Abstract: A method and a system for disabling execution of a software application stored within a computer absent data indicative of an authorized use of the software application are disclosed. At start up or during execution of a software application, a user is prompted for user authorization information. Using a processor within a smart card, the received user authorization information is compared with user authorization information stored in memory of the smart card to produce a comparison result. If the comparison result is indicative of an authorized user of the software application, then data indicative of the authorized use of the software application is provided from the smart card to the computer. Upon receipt of the data indicative of the authorized use of the software application, execution of the software application is continued. When the data is not data indicative of the authorized use of the software application, further execution of the software application is disabled.
    Type: Grant
    Filed: April 7, 2006
    Date of Patent: October 18, 2011
    Assignee: Activcard Ireland, Ltd.
    Inventor: Stephen J. Borza