Abstract: Systems and methods are provided that enable authentication of transaction coordination messages sent via insecure connections. Also provided are systems and methods for controlling transaction coordination and recovery. In many embodiments, there is an exchange between a coordinator and a sub-coordinator, such that the coordinator provides the sub-coordinator with a coordinator token, and the sub-coordinator provides the coordinator with a sub-coordinator token. The coordinator and sub-coordinator tokens are used to authenticate transaction coordination messages sent over one or more insecure connections between the coordinator and the sub-coordinator.

Abstract: A hand-held token for secure conveyance of encryption keys includes memory for holding a media key and at least one device key. Control logic reads the media key from memory, encrypts the media key based on the device key, and transmits the encrypted media key to a data storage device. The data storage device decrypts the encrypted media key using its own device key, which may have previously been downloaded from a token.

Abstract: A method and apparatus for restricting access of an application to computer hardware. The apparatus includes both an authentication module and a validation module. The authentication module is within the trusted firmware layer. The purpose of the authentication module is to verify a cryptographic key presented by an application. The validation module is responsive to the authentication module and limits access of the application to the computer hardware. The authentication modules may be implemented in software through a firmware call, or through a hardware register of the computer.

Abstract: This invention provides a printing system which reduces cost while stably operating an authentication server function associated with a print process. To accomplish this, this invention relates to a printing system including a plurality of authentication servers, a client communicable with the authentication servers, and a printing apparatus. The client gains access with user authentication information, and outputs a print job containing response access restriction information. The authentication server issues access restriction information to the client. The printing apparatus holds decryption information to decrypt the encrypted access restriction information, and determines whether decryption information corresponding to an identifier is held. When determining that no corresponding decryption information is held, the printing apparatus obtains the decryption information, and performs verification based on the obtained or held decryption information.

Abstract: A method for sending personal information based on an identifier includes receiving the identifier from a portable identification device. A personal information aggregator is identified based on the identifier. Authorization is received to send one or more data feeds comprising personal information to the personal information aggregator. The authorized data feeds are sent to the personal information aggregator.

Abstract: A system for facilitating memory and application management on a smartcard the system includes a client having a number of applications and a smartcard having specification logic allowing file structures and security and access conditions to be defined using a set of common commands. Each application has a corresponding group of data on the smartcard. An applet instance is created for each application and corresponding group of application data. At the time of instantiation, the specification logic allows an application to specify the file structure and/or to specify security and access conditions for its group of data. An application can utilize passcode and credential management so that a single passcode is used to access the smartcard regardless of whether the application utilizes the common commands to specify a file structure.

Abstract: A method is for securing and verifying an electronic certificate issued by an authority to an owner. The certificate is stored in the memory of a user unit operated by the owner. The user unit transmits all or part of the data of the certificate to the authority. Further, during an initialization phase, the method includes determining, by the authority, a network identifier pertaining to the user unit, and storing, by the authority, the identifier in connection with the data of the certificate. As such, the use of an electronic certificate by individuals other than the owner may be prevented. Further, damages to the owner, in the case of the theft or copying of a certificate, may be avoided.

Abstract: An information storage device is provided which includes a password input section for inputting a password to be notified only to the information storage device without outputting it to external equipment connected to it by way of a predetermined interface, a password collation section for collating the password input by way of the password input section and an access permission section for permitting an access to the storage section of the device from the external equipment connected by way of the predetermined interface in response to the collation of the password by the password collation section.

Abstract: A password management and authentication method suitable for an electronic device with a trusted platform module (TPM) is provided. An authentication code is automatically generated according to a TPM password, and the authentication code is stored into an authentication device selected by a user. The authentication device storing the authentication code is directly served as an electronic key of the TPM so that the user needs not to memorize any password and can access data or a hard disk (HD) encrypted by the TPM by simply connecting the authentication device to the electronic device. Thereby, it is very convenient to the user.

Abstract: A coprocessor includes a calculation unit for executing at least one command, and a securization device. The securization device includes an error detection circuit for monitoring the execution of the command so as to detect any execution error, putting the coprocessor into an error mode by default as soon as the execution of the command begins, and lifting the error mode at the end of the execution of the command if no error has been detected, an event detection circuit for monitoring the appearance of at least one event to be detected, and a masking circuit for masking the error mode while the event to be detected does not happen, and declaring the error mode to the outside of the coprocessor if the event to be detected happens while the coprocessor is in the error mode. Application in particular but not exclusively to coprocessors embedded in integrated circuits for smart cards.

Abstract: When an enabler key 10 is inserted in the main body 1, an overwrite mode for overwriting new data on existing data in a hard disk drive 25 is set. When the enabler key 10 is removed from the main body 1, the overwrite mode is released. During startup of the main body 1 and at every fixed time t1 after the startup of the main body 1, presence or absence of insertion of the enabler key 10 is detected. When a result of this detection changes from “present” to “absent”, the main body 1 is stopped.

Abstract: A method of facilitating communications between a computer device and a smart card reader having an associated smart card, the computer device including a smart card resource manager and a smart card reader service, the smart card reader service acting as a relay for commands between the smart card resource manager and the smart card reader, the method comprising: receiving from the smart card resource manager a first command for setting a protocol for communications with the smart card; and responding, prior to receiving a reply from the smart card to the first command, to the smart card resource manager with a message indicating that the smart card has successfully received the first command.

Abstract: An identification system includes at least one user medium, which is equipped to store a derived key and authenticate itself using the same with respect to a write and/or read device. Furthermore, at least one key dispensing medium is present, which comprises a monolithic first integrated circuit having storage means and processor means, wherein the first integrated circuit is equipped to store a source key and derive therefrom the derived key and to pass it on for storage in the user medium, wherein the user medium is enabled neither directly nor by way of aids to read the source key from the key dispensing medium and/or the user medium is not enabled to calculate a derived key.

Abstract: A method of securing the learning mode of a device includes an assembly of at least one command transmitter, communicating with a command receiver capable of driving an element providing for the security and/or the comfort of a building and capable of being switched to learning mode by one or more activation functions, wherein one or more actions of which at least one is applied to a particular command transmitter of the assembly, termed secure, causes the disabling of at least one function of activation of the learning mode of the command receiver.

Abstract: A method for providing a secure single sign-on to a computer system is disclosed. Pre-boot passwords are initially stored in a secure storage area of a smart card. The operating system password, which has been encrypted to a blob, is stored in a non-secure area of the smart card. After the smart card has been inserted in a computer system, a user is prompted for a Personal Identification Number (PIN) of the smart card. In response to a correct smart card PIN entry, the blob stored in the non-secure storage area of the smart card is decrypted to provide the operating system password, and the operating system password along with the pre-boot passwords stored in the secure storage area of the smart card are then utilized to log on to the computer system.

Abstract: Update firmware is stored as one binary file. The binary file includes firmware data necessary for operating a controller unit and root certificate data necessary for a printer apparatus to establish secure communication with a content server. Specific information in the root certificate data is extracted from the update firmware, and the extracted specific information is used to update a management table of the root certificate provided in a RAM. With this configuration, it is possible for an information processing apparatus to reliably acquire and update the root certificate data without greatly changing the original functional configuration.

Abstract: The invention provides an external in-line device (“Subnet Box”) placed between a network and an access point to achieve secure Wi-Fi communications without needing to modify the access point. The Subnet Box comprises an embedded token and will authenticate users based on pre-stored access rights. In at least one embodiment of the invention, the Subnet Box comprises: a first communications port for intercepting data packets communicated to and from a wired communications network; a second communications port for intercepting data packets communicated to and from a wireless access point, wherein the wireless access point is an edge device of the wired communications network; a database comprising a number of serial numbers each associated with a client token and a secret cryptographic key; and a processor for determining whether a computing device having a client token can access the wired communications network via the wireless access point.

Abstract: The present invention relates to a coprocessor comprising a calculation unit for executing a command, and a securization device for monitoring the execution of the command and supplying an error signal having an active value as soon as the execution of the command begins and an inactive value at the end of the execution of the command, if no abnormal progress in the execution of the command has been detected. The coprocessor further comprises means for preventing access to at least one unit of the coprocessor, while the error signal is on the active value. Application is provided particularly but not exclusively to the protection of integrated circuits for smart cards against attacks by fault injection.

Abstract: There is provided a non-contact type IC card that prevents electrostatic discharge failure of an IC chip embedded in an IC card. A non-contact type IC card includes at least a magnetic recording layer, a metal reflective layer, and a hologram layer, which are sequentially laminated on a card base member, and an antenna and an IC chip connected to the antenna that are embedded in the card base member. The metal reflective layer is made of a material of which electric conductivity is smaller than 28.9×106/?m, or is composed of a thin film of which surface resistivity is 7.02 (?/?) or more.

Abstract: Systems, methods, and technologies for configuring a conventional smart card and a client machine, and for performing a smart card authorization using the configured smart card and client. Further, the combination of methods provides for mutual authentication—authentication of the client to the user, and authentication of the user to the client. The authentication methods include presenting a specified token to the user sufficient to authenticate the client to the user and thus protect the user-provided PIN. Security is strengthened by using an integrity key based on approved client system configurations. Security is further strengthened by calculating a PIN? value based on a user-specified PIN and a modifier and using the PIN? value for unlocking the smart card.

Abstract: Described are techniques for storing data. A plurality of data portions and a corresponding token for each of the data portions are received. Each of said plurality of data portions is to be stored by one of a plurality of processes and each token has a corresponding token value. Each of the data portions is stored at a storage location on a device allocated for use by one of said plurality of processes. An entry is written in a log file in accordance with said storing of the data portion. The log file is a private log file of one of the plurality processes. An access structure used to access stored data portions is updated. The access structure is indexed by token values of the stored data portions. The updating of the access structure is performed in accordance with log entries from private log files of the plurality of processes.

Abstract: A confidential content search engine method is provided. With the method, a security compliance search engine is provided for searching one or more client computing devices for items of information that meet a security criteria identifying items of information containing confidential content. Results of the search are provided to an analysis engine for determining if the items of information identified by the search are being maintained in accordance with a security policy for ensuring the confidentiality of the confidential content. Results of the analysis may be used to generate a report or log and to generate a notification to the client computing device identifying any violations of the security policy and possible solutions for bringing the item of information into compliance with the security policy. In addition, an administrator may be notified of any violations so that corrective action may be taken.

Abstract: A method and system for providing authentication of a user to a first peripheral device connected to a host computer using an authentication of the user on a second peripheral device, thereby allowing the user access to both devices through a single authentication. A security function on the second peripheral device is used to create an authorization phrase. Subsequent accesses to the first peripheral device requires the second peripheral device to re-create the same authorization phrase thereby demonstrating that the same second peripheral device is being used to access the first peripheral device and that a user was successfully authenticated to the second peripheral device. Other systems and methods are disclosed.

Abstract: A key management of cryptographic keys has a data package including one or more cryptographic keys that are transferred to a personal device 100 from a secure processing point 150 of a device assembly line in order to store device specific cryptographic keys in the personal device 100. In response to the transferred data package, a backup data package is received by the secure processing point 150 from the personal device 100, which backup data package is the data package encrypted with a unique secret chip key stored in a tamper-resistant secret storage 125 of a chip 110 included in the personal device 100. The secure processing point 150 is arranged to store the backup data package, together with an associated unique chip identifier read from the personal device 100, in a permanent, public database 170.

Abstract: A token device that generates and displays one-time passwords and couples to a computer for inputting or receiving data for generating and outputting one-time passwords and performing other functions is provided. The token includes an interface for coupling to a computer. The token may also be coupled to any network that the computer may be connected to, when coupled to the computer. Data and information may be transmitted between the computer and token, and between the network and token, via the computer and interface. The data and information may include one-time password seeding, file transfer, authentication, configuration and programming of the token. The token must be seeded to generate and display one-time passwords. An original, or seed, value is loaded into the token. One-time passwords are subsequently generated or calculated, or both, from the seed value. Seeding of the token involving a counter, time, or time-related functions, may allow synchronization of the token with such functions.

Abstract: E-mail based user authentication is described herein. A user can access resources of a service provider by submitting only an e-mail address to which the user has access. The service provider generates an authentication ticket corresponding to the user's login request, and transmits the authentication ticket to the e-mail service provider indicated by the submitted e-mail address. The e-mail service provider processes the authentication ticket, and enables either approval or denial of the authentication ticket, whether by explicit user action or by automated processing.

Abstract: The purpose of the present invention is to add a user restriction function with use of a card by a simple structure even with an inexpensive image forming apparatus. A CPU of an image forming apparatus determines a port of a signal acquired from a card R/W at the time of initialization of the connected IC card R/W. Then, the CPU of the image forming apparatus controls an execution or a stop of an application for performing authentication service processing corresponding to the port of the signal received from the card R/W.

Abstract: A plug-and-play (PnP) for configuring security in a PnP architecture includes a security manager and a PnP device. The PnP device is adapted to send a device description document to a user entity. The device description document includes an address pointing to the security manager, and as such, the user entity is capable of accessing the security manager based upon the address. The security manager is adapted to authenticate the user entity, and it authenticated, to communicate with the user entity to configure application-layer security of the PnP device, whereby configuring the application-layer security includes creating an access control list (ACL) document for restricting access to a service of the PnP device. In a further aspect, the PnP device may bootstrap establishing its link-layer security with configuring its application-layer security.

Abstract: A portable memory storage device (“device”) is provided. The device includes a microphone for receiving a user voice input; a controller that receives the voice input and creates a template; and a plurality of non-volatile memory cells for storing the template, wherein the template is used to authenticate the user for any subsequent user request for accessing the device and an application is launched when the device interfaces with a host system to enroll the user as an authorized user to access device functionality and/or access host system functionality.

Abstract: Method and systems configured for allowing a non-local remote user to access a computer system with a particular authorization level. Such access is facilitated by examining non-local directory services group memberships of the user and performing a mapping of the user's identity to a corresponding universal local user account that have the proper authorization level or levels. Such methods and systems allow any number of non-local remote users access to the computer system in such a way that the remote user assumes the identity of (i.e., is mapped to) a corresponding universal local user account of an appropriate privilege level. All non-local remote users that the computer system determines to be of the same privilege level will share the identity of the same universal local user account.

Abstract: The preferred embodiment of the invention comprises a computer system which employs a trusted display processor (260), which has a trusted processor (300) and trusted memory (305, 315, 335, 345) physically and functionally distinct from the processor and memory of the computer system. The trusted display processor (260) is immune to unauthorised modification or inspection of internal data. It is physical to prevent forgery, tamper-resistant to prevent counterfeiting, and has crypto functions (340) to securely communicate at a distance. The trusted display processor (260) interacts with a user's smartcard (122) in order to extract and display a trusted image, or seal (1000), generate a digital signature of the bitmap of a document image and control the video memory (315) so that other processes of the computer system cannot subvert the image during the signing process. The user interacts with the trusted display processor via a trusted switch (135).

Abstract: Various embodiments are described for providing password approval on a device. The password approval includes getting the user password, generating at least one symbolically equivalent password and then comparing the at least one symbolically equivalent password with at least one specified forbidden password. The user password is disapproved if one of the symbolically equivalent passwords corresponds to the at least one forbidden password.

Abstract: A method and systems for protecting the identification of a subscriber when a service provider transmits a subscriber request to a content provider in a distributed network environment, such as Internet. After the user sends a request to a service provider to which he has subscribed, the service provider encrypts the user identifier before transmitting this request with the encrypted user identifier to the content provider. Upon reception, the content provider uses an authentication Web Service supplied by the service provider for certifying the user identifier. If the user identifier is certified, the content provider transmits the requested content to the service provider, which formats it before sending it to the user. The content provider may charge the user through the service provider.

Abstract: A method and system operative to preclude content providers from tracking users, while still allowing content providers to communicate to users. An intermediary, such as an access channel provider for instance, gives content providers non-repeating user-identification-tokens, each of which a content provider can use as a key to access an intermediary resource that facilitates a communication to the user, without revealing the user's identity to the content provider.

Abstract: Systems and methods for emulating credentials. In some cases, the systems include an access control module with an access credential reader that is operable to receive an access information from one access credential, and an access credential writer that is operable to provide at least a portion of the access information to another access credential. The written access credential is operable to receive the portion of the access information from the access credential writer. Upon receiving the information, the written access credential becomes operable to access an access point. Some systems and methods are related to access control, while other systems and methods are related to payment, access, and/or other transaction devices used in relation to credentials.

Abstract: A method and apparatus for secure authentication of a hardware token is disclosed. In one embodiment, a host computer fingerprint is used to generate a partial seed for a challenge-response authentication which is performed on the hardware token. In another embodiment, the host computer fingerprint is used as a personal identification number for the hardware token.

Abstract: Data transfer between remote and home locations over a network is effected using an electronic token to facilitate access to the data. According to an example embodiment of the present invention, a network-based server facilitates the generation of a token specifying conditions upon which data access to a registered user's data can be made. When a request for data transfer is received in connection with a token, information in the token is used together with the request to selectively authenticate and serve the request.

Abstract: A context-sensitive user input interface may be provided. An application may display a user interface element, such as a text box. The interface may provide suggested action tokens, and may receive a user selection of one of the suggested tokens and/or a text-based input of an action token. The interface may also provide suggested options and/or guidance to the user in entering an application action. The interface may further determine when the user's input comprises a complete action and may provide an execute option to the user for finalizing and executing the action.

Abstract: A token device that generates and displays one-time passwords and couples to a computer for inputting or receiving data for generating and outputting one-time passwords and performing other functions is provided. The token includes an interface for coupling to a computer. The token may also be coupled to any network that the computer may be connected to, when coupled to the computer. Data and information may be transmitted between the computer and token, and between the network and token, via the computer and interface. The data and information may include one-time password seeding, file transfer, authentication, configuration and programming of the token. The token must be seeded to generate and display one-time passwords. An original, or seed, value is loaded into the token. One-time passwords are subsequently generated or calculated, or both, from the seed value. Seeding of the token involving a counter, time, or time-related functions, may allow synchronization of the token with such functions.

Abstract: A system and method for connecting remote player devices to regulated host gaming devices in a network to provide remote game play. A host gaming device is configured to provide game information to a plurality of remote player devices to allow remote play of the host game device. Whether each remote player device is permitted to receive gaming data is based upon, at least in part, the geographic location of the remote player device.

Abstract: A method for effecting the execution of an application function on an application server from a client device with a smart card. The method includes transmitting a first text message pertaining to a request to execute the application function to the proxy server. The method also includes sending a token request message to the user at a text message confirmation address that is different from the text message origination address, generating a token in the smart card, and transmitting the token to the proxy server. If the token is valid, the method includes executing the application function at the application server as specified by the first text message, whereby the first application function is ascertained based at least on the text message destination address.

Abstract: Systems and methods automatically scan content, such as advertisements, for a list of terms and/or phrases that may not be allowed in the content. In one implementation, the terms and/or phrases include trademarks. In this implementation, incoming advertisements may be automatically scanned for the presence of trademarks.

Abstract: An authentication token using a smart card that an organisation would issue to its customer, the smart card having a processor for executing a software application that is responsive to a user input to generate a one-time password as an output. The smart card co-operates with an interface device for inputting the user input and displaying the one-time password. The authentication token may be used in combination with a remote authentication server for validation of the password and hence authentication of the user.

Abstract: Example embodiments herein include a license manager process that receives a license query from a server device. The license query requests usage data associated with a permanent license on a client device. In response to receiving the license query, the license manager procures the usage data associated with the permanent license on the client device. The license manager then transmits the usage data associated with the permanent license to the server device. Furthermore, the license manager receives a revocation request from the server device. In this manner, the revocation request is received in response to transmitting the usage data associated with the permanent license to the server device. In turn, the license manager revokes the permanent license that was indicated in the revocation request to disable use of the respective application on the client device.

Abstract: A method of authenticating users to reduce transaction risks includes indicating a desire to conduct a transaction and determining whether the transaction requires access to protected resources. Moreover, the method determines whether inputted information is known, determines a state of a communications device when the inputted information is known, and transmits a biometric authentication request from a server to an authentication system when the state of the communications device is enrolled.

Abstract: A data processing system includes a data storage unit for storing data sets accessible to a user upon receipt of permission. The data processing system restricts access to data sets by requiring a username and then requiring a password to obtain permission for access to a data set stored in a data storage unit. The system is adapted to support use of more than one said password associated with a username; and each of those passwords associated with that username permits a distinct level of access to a particular data set, whereas other passwords can provide different levels of access to any data set assigned thereto.

Abstract: A method, apparatus, and program product for tiered, multi-state intelligent detection and enforcement of security on a pervasive device is provided. The method/apparatus first monitors the pervasive device for the presence of a security identifier, then establishes a current security level chosen from a plurality of security levels for the pervasive device based on the presence of the security identifier.

Abstract: A multi-level sequence number is associated with a data provider supplying data for an object. The multi-level sequence number includes a portion that is unique to the data provider, and one or more portions that are shared by other data providers for the object. A per-object table is used to cache data supplied by each data provider for the object and the corresponding multi-level sequence number. A global table associates each data provider with the current value of its multi-level sequence number. Whenever data supplied by a data provider changes, the sequence number in the global table is updated. Cached data of the data provider is updated with current data of the data provider only if the cached value of the sequence number is found to be different from the current value of the sequence number.

Abstract: A smart card enabled secure computing environment system locks the host computer system from user access and waits for a smart card to be inserted into an attached or co-resident smart card reader. When a smart card is inserted into the smart card reader, the invention asks the user to enter his smart card password which is compared to the password on the smart card. If the two passwords match, the invention looks up the user's username in an access file of valid users and finds its associated access times and/or cumulative time limits in the access file. if the current time is within any of the valid access times and the user's cumulative usage time is within the specified cumulative time limit, then access is granted and the system is unlocked. The invention periodically checks the current time while the user is using the computer. If a blocked time period is entered or a cumulative time limit is exceeded, the user is logged off the machine and the computer is locked from user access.

Abstract: To access services on a device, such as a computer, a user has a portable device in two parts: a plug adapted to be inserted in a USB port and a transponder that remains about his person. In a preferred embodiment, an access manager verifies that first the plug and then the transponder are identified. If so, the access manager verifies if plug and transponder have to be paired and if they have the proper access rights for the desired service. Only then is access given. In a further embodiment, more than one transponder is needed to access a certain service. It can thus be appreciated that the invention provides a flexible and secure way to secure access to services.