Tokens (e.g., Smartcards Or Dongles, Etc.) Patents (Class 726/20)
  • Patent number: 8838803
    Abstract: Systems and techniques for mediating user communications. A user persona manager maintains one or more user profiles and manages user interactions with other parties and with service providers based on user preferences associated with the user profile or profiles selected for a particular interaction. The persona manager receives a single set of user authentication information to establish the user identity, and provides previously stored information to other parties and service providers as appropriate, and otherwise conducts user interactions involving communications initiated by or on behalf of the user. The persona manager also examines interactions initiated by others, selects user profiles appropriate to the interactions, and routes and responds to the interactions based on information stored in the user profiles.
    Type: Grant
    Filed: December 20, 2007
    Date of Patent: September 16, 2014
    Assignee: AT&T Intellectual Property I, L.P.
    Inventor: Richard Bennett
  • Patent number: 8838990
    Abstract: Techniques, systems and methods are described relating to combining biometric and cryptographic techniques to support securely embedding data within a token and subsequent biometrically-enabled recovery of said data. Various transformation approaches are described that provide a secure means for transforming a stored or live, secure biometric-based identity token, embedding data into such tokens and biometric-based matching to both verify the user's identity and recover the embedded data. Security enhancements to a range of existing protocols are described using the techniques. Systems using novel protocols based on these techniques are described.
    Type: Grant
    Filed: November 26, 2008
    Date of Patent: September 16, 2014
    Assignee: University of Colorado Board of Regents
    Inventors: Terrance E. Boult, Walter Scheirer
  • Patent number: 8839348
    Abstract: An authorization algorithm of a software component can be selected. A static code analysis can be performed to determine a conditional statement within an algorithm of the software component. The outcome of the conditional statement can be established based on an input and a criteria using dynamic code analysis. The input can be a value associated with a claim set of a claims-based authentication policy. The criteria can be an authentication criteria specified within the algorithm. Responsive to the outcome, an execution path associated with the outcome can be determined and a code coverage criterion can be met for the conditional statement.
    Type: Grant
    Filed: October 5, 2011
    Date of Patent: September 16, 2014
    Assignee: International Business Machines Corporation
    Inventors: Evgeny Beskrovny, Omer Tripp
  • Patent number: 8839351
    Abstract: An authorization algorithm of a software component can be selected. A static code analysis can be performed to determine a conditional statement within an algorithm of the software component. The outcome of the conditional statement can be established based on an input and a criteria using dynamic code analysis. The input can be a value associated with a claim set of a claims-based authentication policy. The criteria can be an authentication criteria specified within the algorithm. Responsive to the outcome, an execution path associated with the outcome can be determined and a code coverage criterion can be met for the conditional statement.
    Type: Grant
    Filed: March 5, 2012
    Date of Patent: September 16, 2014
    Assignee: International Business Machines Corporation
    Inventors: Evgeny Beskrovny, Omer Tripp
  • Patent number: 8837725
    Abstract: An information processing apparatus that performs a communication with a device includes a storage unit that stores one or more keys. The information processing apparatus also includes a polling-request generating unit that generates a polling request in which a first identifier identifying a key of the one or more keys is included. The key is identified by the first identifier and a second identifier subordinate to the first identifier. Further, the information processing apparatus includes an obtaining unit that identifies the key from the first identifier included in the polling request and the second identifier, that reads the key from the storage unit, and that decrypts encrypted data by the key to obtain a random number. The encrypted data and the second identifier are included in a polling response supplied to the information processing apparatus in response to the polling request.
    Type: Grant
    Filed: July 26, 2007
    Date of Patent: September 16, 2014
    Assignee: Sony Corporation
    Inventor: Katsuyuki Teruyama
  • Patent number: 8832824
    Abstract: In a switching method of an electronic device, the electronic device receives a message sent from an earphone that is in electronic connection with the electronic device, the message comprising an input password, if the input password is equal to a password to switch an application layer into a host mode, the electronic device switches the application layer into the host mode to access private information of the application layer.
    Type: Grant
    Filed: September 14, 2012
    Date of Patent: September 9, 2014
    Assignees: Shenzhen Futaihong Precision Industry Co., Ltd., Chi Mei Communication Systems, Inc.
    Inventor: Cheng Ye
  • Patent number: 8832826
    Abstract: The purpose of the present invention is to add a user restriction function with use of a card by a simple structure even with an inexpensive image forming apparatus. A CPU of an image forming apparatus determines a port of a signal acquired from a card R/W at the time of initialization of the connected IC card R/W. Then, the CPU of the image forming apparatus controls an execution or a stop of an application for performing authentication service processing corresponding to the port of the signal received from the card R/W.
    Type: Grant
    Filed: September 27, 2010
    Date of Patent: September 9, 2014
    Assignee: Canon Kabushiki Kaisha
    Inventor: Atsushi Kamasuka
  • Patent number: 8832440
    Abstract: A data security system includes providing a unique identification from a first system to a second system; copying the unique identification in the second system by the first system; and unlocking a memory in the first system or the second system only when the unique identifications in the first system and the second system are the same.
    Type: Grant
    Filed: January 24, 2007
    Date of Patent: September 9, 2014
    Assignee: ClevX, LLC
    Inventors: Simon B. Johnson, Lev M. Bolotin
  • Patent number: 8832441
    Abstract: A mobile terminal includes a near-field communication device capable of performing near-field wireless communication with an external device, and a controller configured to instruct the external device or the near-field communication device to execute a command. The near-field communication device has a storage unit, a first mutual authentication unit for authenticating the controller and for requesting the controller to authenticate the near-field communication device, a first communication key setting unit for setting a first communication key, a second mutual authentication unit for authenticating the external device and for requesting the external device to authenticate the near-field communication device, and a second communication key setting unit for setting a second communication key.
    Type: Grant
    Filed: August 27, 2010
    Date of Patent: September 9, 2014
    Assignee: FeliCa Networks, Inc.
    Inventors: Taro Kurita, Toshiharu Takemura
  • Patent number: 8826269
    Abstract: A virtualization system is described herein that facilitates communication between a virtualized application and a host operating system to allow the application to correctly access resources referenced by the application. When the operating system creates a virtualized application process, the virtualization system annotates a data structure associated with the process with an identifier that identifies the virtualized application environment associated with the process. When operating system components make requests on behalf of the originating virtual process, a virtualization driver checks the data structure associated with the process to determine that the helper process is doing work on behalf of the virtualized application process. Upon discovering that the thread is doing virtual process work, the virtualization driver directs the helper process's thread to the virtual application's resources, allowing the helper process to accomplish the requested work with the correct data.
    Type: Grant
    Filed: June 15, 2009
    Date of Patent: September 2, 2014
    Assignee: Microsoft Corporation
    Inventors: Hui Li, John M. Sheehan
  • Patent number: 8826409
    Abstract: A secure USB flash drive employing digital rights management to implement secure digital media storage such as that provided by encrypted storage utilizing content protection for recordable media (CPRM) or the like. Unlike a secure digital card which provides such protection, it does not need an SD card port which is CPRM enabled, or alternatively a reader adapted for use therewith. The form factor can be that of a standard USB flash drive and a standard USB connector is employed making the device and its use familiar and comfortable to the average consumer.
    Type: Grant
    Filed: December 21, 2010
    Date of Patent: September 2, 2014
    Assignee: NCR Corporation
    Inventors: Philip Noel Day, James Henderson, Andrew Colley
  • Patent number: 8826419
    Abstract: A computer device provides an execution environment that supports a plurality of processes. A plurality of key resources are associated with a security application that may perform process elevation to grant privileged access rights to a user process. A security module controls access to the key resources using an access control list. An anti-tamper mechanism creates a protection group as a local security group and adds a deny access control entry to the access control list. The anti-tamper mechanism intercepts the user process and creates a revised access token identifying the user process as a member of the protection group. The security module matches the protection group in the revised access token of the user process against the deny access control entry in the access control list of the key resources thereby restricting access by the user process even though the user process otherwise has privileges to access those resources.
    Type: Grant
    Filed: August 31, 2012
    Date of Patent: September 2, 2014
    Assignee: Avecto Limited
    Inventor: Mark James Austin
  • Patent number: 8819802
    Abstract: A method includes receiving user input including a user password while an authentication token is retained at a first position in an authentication token receiver of an authentication token reader by an insertion force applied to the authentication token by a user. The authentication token reader includes a bias member that applies an ejection force to the authentication token while the authentication token is at the first position. The method also includes reading authentication data from a memory of the authentication token while the authentication token is retained at the first position by the insertion force applied to the authentication token by the user. The method also includes authenticating the user based on the authentication data.
    Type: Grant
    Filed: April 10, 2012
    Date of Patent: August 26, 2014
    Assignee: The Boeing Company
    Inventor: Douglas D. Corlett
  • Patent number: 8819813
    Abstract: A system and method for signing and authenticating electronic documents using public key cryptography applied by one or more server computer clusters operated in a trustworthy manner, which may act in cooperation with trusted components controlled and operated by the signer. The system employs a presentation authority for presenting an unsigned copy of an affixing an electronic signature to the unsigned document to create signed electronic document. The system provides an applet for a signing party's computer that communicates with the signature authority.
    Type: Grant
    Filed: July 2, 2013
    Date of Patent: August 26, 2014
    Assignee: Signix, Inc.
    Inventor: Robert T. Oswalt
  • Patent number: 8819405
    Abstract: The invention relates to a system for remotely accessing a mass storage unit and a security storage unit in a portable communicating object. According to the invention, a terminal, such as a mobile device, which is associated with a portable communicating object, such as a multimedia smart card, includes an agent for facilitating access from a server to a mass storage unit capable of storing multimedia data and a security storage unit in the portable communicating object via a communication network. The agent establishes a single communication channel between the remote server and the terminal and processes data transmitted from one of the two elements including the server and one of the storage units of the portable communicating object to the agent so that the agent can transmit the data to the other of the two elements.
    Type: Grant
    Filed: February 2, 2007
    Date of Patent: August 26, 2014
    Assignee: Gemalto SA
    Inventors: Frédéric Martinent, Anthony Bord, Franck Mosse
  • Patent number: 8819424
    Abstract: An intermediary system that facilitates a connection request from a client to a server. The intermediary system may participate in either or both of a token creation phase and a server connection phase. If participating in the token creation phase, the intermediary system generates a token that may later be used by the client during a server connection phase. The token includes a session identifier and is returned to the client. If participating in the server connection phase, the intermediary receives the token, extracts the session identifier from the token, and compares against the session identifier for the session in which the token was created. If the session identifiers match, then the intermediary connects to the server to complete the connection request.
    Type: Grant
    Filed: September 30, 2010
    Date of Patent: August 26, 2014
    Assignee: Microsoft Corporation
    Inventor: Dimitrios Soulios
  • Patent number: 8819780
    Abstract: The present invention provides an information processing system, an information processing apparatus, and an information processing method, capable of reducing a load of user authentication on a user, when a specific operation is performed using a plurality of apparatuses. In an embodiment of the present invention, an authentication server searches a device group corresponding to devices identified by device identification information transmitted to the authentication server, and searches a workflow. Subsequently, the authentication server judges whether or not a workflow in operation exists, and, if exists, does not instruct password input but directly instructs device processing.
    Type: Grant
    Filed: August 21, 2008
    Date of Patent: August 26, 2014
    Assignee: Canon Kabushiki Kaisha
    Inventor: Koji Inose
  • Patent number: 8813113
    Abstract: A method for adding a conditional access system to a digital audio/video transmission system that delivers content from a source to a security device associated with an audio/video processing device by providing at the broadcast source a datastream having system information data including an unused identifier reserved for security data associated with the additional conditional access system.
    Type: Grant
    Filed: November 2, 2000
    Date of Patent: August 19, 2014
    Assignee: Thomson Licensing
    Inventors: David Jay Duffield, Jean-Louis Yves Diascorn, Ahmet Mursit Eskicioglu
  • Patent number: 8806616
    Abstract: An authorized user may be provided access to a service only when a wireless token assigned to the user is in the proximity of a computing device. A user's credential may be stored on an RFID token and an RFID reader may be implemented within a security boundary on the computing device. Thus, the credential may be passed to the security boundary without passing through the computing device via software messages or applications. The security boundary may be provided, in part, by incorporating the RFID reader onto the same chip as a cryptographic processing component. Once the information is received by the RFID reader it may be encrypted within the chip. As a result, the information may never be presented in the clear outside of the chip. The cryptographic processing component may cryptographically encrypt/sign the credential received from the token.
    Type: Grant
    Filed: September 14, 2012
    Date of Patent: August 12, 2014
    Assignee: Broadcom Corporation
    Inventors: Mark Buer, Ed Frank, Nambi Seshadri
  • Patent number: 8806615
    Abstract: A method in one example implementation includes extracting a plurality of data elements from a record of a data file, tokenizing the data elements into tokens, and storing the tokens in a first tuple of a registration list. The method further includes selecting one of the tokens as a token key for the first tuple, where the token is selected because it occurs less frequently in the registration list than each of the other tokens in the first tuple. In specific embodiments, at least one data element is an expression element having a character pattern matching a predefined expression pattern that represents at least two words and a separator between the words. In other embodiments, at least one data element is a word defined by a character pattern of one or more consecutive essential characters. Other specific embodiments include determining an end of the record by recognizing a predefined delimiter.
    Type: Grant
    Filed: November 4, 2010
    Date of Patent: August 12, 2014
    Assignee: McAfee, Inc.
    Inventors: Ratinder Paul Singh Ahuja, William J. Deninger
  • Patent number: 8799984
    Abstract: A client-side user agent operates in conjunction with an identity selector to institute and exercise privacy control management over user identities managed by the identity selector. The user agent includes the combination of a privacy enforcement engine, a storage of rulesets expressing user privacy preferences, and a preference editor. The editor enables the user to direct the composition of privacy preferences relative to user identities. The preferences can be applied to individual cards and to categorized groups of attributes. The engine evaluates the proper rulesets against the privacy policy of a service provider. The privacy preferences used by the engine are determined on the basis of specifications in a security policy indicating the attribute requirements for claims that purport to satisfy the security policy.
    Type: Grant
    Filed: May 27, 2009
    Date of Patent: August 5, 2014
    Assignee: Open Invention Network, LLC
    Inventor: Gail-Joon Ahn
  • Patent number: 8800019
    Abstract: A system and method for securely streaming encrypted digital media content out of a digital container to a user's media player. This streaming occurs after the digital container has been delivered to the user's machine and after the user has been authorized to access the encrypted content. The user's operating system and media player treat the data stream as if it were being delivered over the Internet (or other network) from a streaming web server. However, no Internet connection is required after the container has been delivered to the user and the data stream suffers no quality loss due to network traffic or web server access problems. In this process of the invention, the encrypted content files are decrypted and fed to the user's media player in real time and are never written to the user's hard drive or storage device. This process makes unauthorized copying of the digital content contained in the digital container virtually impossible.
    Type: Grant
    Filed: September 19, 2013
    Date of Patent: August 5, 2014
    Assignee: Digital Reg of Texas, LLC
    Inventors: Carl Vernon Venters, III, Eugene B. Phillips, II, Seth Ornstein
  • Publication number: 20140215602
    Abstract: An embodiment includes a main compute node that detects the physical presence of a first user and subsequently loads a profile for the first user. The main compute node may detect the first user's presence based on detecting a first compute node corresponding to the first user. For example, the main compute node may be a desktop computer that detects the presence of the first user's Smart phone, which is nearby the first user. The main compute node may unload the first user's profile when the main compute node no longer detects the first user's presence. Upon detecting a second user's presence, the main computer may load a profile for the second user. The profile may include cookies and/or other identifiers for the second user. The profile may facilitate the second user's navigation of a computing environment (e.g. web pages). Other embodiments are addressed herein.
    Type: Application
    Filed: December 30, 2011
    Publication date: July 31, 2014
    Inventors: Michelle H. Chuaprasort, David M. Durham, Mark D. Boucher, Sanjay Bakshi
  • Patent number: 8793492
    Abstract: A computerized device can implement a content player to access a content stream using a network interface, the content stream comprising encrypted content and an embedded license comprising a content key encrypted according to a global key accessible by the content player. The content player determines whether a token meeting an authorization condition is present and uses the global key to decrypt the content key only if such a token is present. The authorization condition may be evaluated at least in part based on data included in the content stream. The authorization condition can include presence of a token having a content ID matching a corresponding ID in the license; presence of a token with a correct device ID; presence of a token signed according to a digital signature identified in the licenses; and/or presence of a token that is unexpired, with expiration evaluated based on a time-to-live indicator in the token.
    Type: Grant
    Filed: January 13, 2011
    Date of Patent: July 29, 2014
    Assignee: Adobe Systems Incorporated
    Inventors: Kunal Shah, Sunil Agrawal
  • Patent number: 8793779
    Abstract: Single sign-on process allowing a mobile user with a mobile phone or with a laptop to remote-access a remote server, comprising the steps of: (1) sending a first authenticator over a first communication layer to a first intermediate equipment between said mobile equipment and said remote server, (2) verifying in said first intermediate equipment said first authenticator sent by said mobile equipment, (3) if said first authenticator is accepted by said first intermediate equipment, completing the communication layer between said mobile equipment and said intermediate equipment, (4) repeating steps (1) to (3) with a plurality of successive intermediate equipment and over a plurality of successive communication layers, until a communication has been completed at the last requested communication layer between said mobile equipment and said remote server, wherein at least a plurality of said authenticators are furnished by a smart-card in said mobile equipment.
    Type: Grant
    Filed: September 14, 2005
    Date of Patent: July 29, 2014
    Assignee: Swisscom AG
    Inventors: Azim Ferchichi, Eric Lauper
  • Patent number: 8793495
    Abstract: A method for authenticating a portable data carrier (10) to a terminal device employs a public key (PKG) and a secret key (SK1) of the data carrier (10) as well as a public session key (PKT) and a secret session key (SKT) of the terminal device. The data carrier (10) employs as a public key a public group key (PKG). As a secret key the data carrier (10) employs a key (SK1) that has been derived from a secret group key (SKG) associated with the public group key (PKG).
    Type: Grant
    Filed: August 19, 2011
    Date of Patent: July 29, 2014
    Assignee: Giesecke & Devrient GmbH
    Inventor: Gisela Meister
  • Patent number: 8789167
    Abstract: Systems and methods for facilitating check-ins that are resistant to common fraud scenarios while also being relatively inexpensive. One or more embodiments include displaying unique tokens in quick succession on a display positioned at the check-in location (e.g., a store, restaurant, or other business or location). Customers have a short period of time (e.g., a few seconds, five minutes, etc.) to scan a particular check-in token before a new token is displayed on the display. Each token may encode a pre-determined number or identification code that cannot be guessed by the user and that can be verified by the system to validate the check-in. By periodically changing the check-in token displayed to users and limiting each token to a single use within a short timeframe, users are prevented from checking in remotely.
    Type: Grant
    Filed: August 24, 2012
    Date of Patent: July 22, 2014
    Inventor: Andrea Albani
  • Patent number: 8782759
    Abstract: The present invention provides identification and access control for an end user mobile device in a disconnected mode environment, which refers generally to the situation where, in a mobile environment, a mobile device is disconnected from or otherwise unable to connect to a wireless network. The inventive method provides the mobile device with a “long term” token, which is obtained from an identity provider coupled to the network. The token may be valid for a given time period. During that time period, the mobile device can enter a disconnected mode but still obtain a mobile device-aided function (e.g., access to a resource) by presenting for authentication the long term token. Upon a given occurrence (e.g., loss of or theft of the mobile device) the long term token is canceled to restrict unauthorized further use of the mobile device in disconnected mode.
    Type: Grant
    Filed: February 11, 2008
    Date of Patent: July 15, 2014
    Assignee: International Business Machines Corporation
    Inventors: Heather Maria Hinton, Anthony Joseph Nadalin
  • Patent number: 8782768
    Abstract: Methods, computer-readable storage medium, and systems described herein facilitate enabling access to a virtual desktop of a host computing device. An authentication system receives one of an authentication token and a reference to the authentication token, wherein the authentication token is indicative of whether a user successfully logged in to an authentication portal using a client computing device. The authentication system generates a private key, a digital certificate, and a personal identification number (PIN) for the user in response to receiving the one of the authentication token and the reference to the authentication token. The private key, the digital certificate, and the PIN are stored in a virtual smartcard, and the client computing device is authorized to log into a virtual desktop using the virtual smartcard.
    Type: Grant
    Filed: June 15, 2012
    Date of Patent: July 15, 2014
    Assignee: VMware, Inc.
    Inventor: Per Olov Larsson
  • Patent number: 8775819
    Abstract: A method of authorising a user in communication with a workstation is disclosed. According to the method, a system automatically determines a plurality of available user information entry devices in communication with the workstation. The system then determines predetermined user authorization methods each requiring data only from available user information entry devices. The user then selects one of the determined authorization methods for use in user authorization. Optionally, each authorization method is associated with a security level relating to user access to resources. Once the authorization method is selected, the user provides user authorization information in accordance with a determined user authorization method and registration proceeds.
    Type: Grant
    Filed: August 31, 2012
    Date of Patent: July 8, 2014
    Assignee: Activcard Ireland Limited
    Inventors: Laurence Hamid, Robert D. Hillhouse
  • Publication number: 20140189857
    Abstract: The present invention provides a method, system and apparatus for securely operating a computer. The method comprises: obtaining presence status of an authenticated user, the presence status indicating whether the authenticated user is present in the vicinity of the computer; and triggering security operation in response to that the presence status indicates the authenticated user is absent in the vicinity of the computer. By means of the method, current status of an authenticated user who has logged in can be easily learned, and in turn, corresponding security operation is performed; in addition, when a user is performing sensitive operation, it can be confirmed in real time whether the user is an authenticated user who previously logged in, so that security of operating the computer is improved.
    Type: Application
    Filed: December 30, 2013
    Publication date: July 3, 2014
    Applicant: EMC Corporation
    Inventors: Feng Guo, Qiyan Chen, Tianqing Wang, Lintao Wan, Ziye Yang
  • Patent number: 8769654
    Abstract: A method is provided, including (a) upon a standard small form-factor pluggable (SFP) module being inserted into an SFP jack on a network host device, determining if the SFP module is a legacy device or a smart device, (b) upon determining that the SFP module is a legacy device, receiving a magic code from the SFP module and determining if the magic code is a valid magic code, and (c) upon determining that the SFP module is a smart device, performing a smart authentication process with the SFP module. Associated apparatuses and additional methods are also provided.
    Type: Grant
    Filed: June 23, 2009
    Date of Patent: July 1, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: Norman Tang, Adam Jonathan Carter, David C. Lai, Liang Ping Peng, Guoying Ding
  • Patent number: 8769646
    Abstract: There is presented a system and method for associating a domain transcendent identification (ID) of a user and a domain specific ID of the user, the system comprising an ID association server accessible by a plurality of secure domains over a network. The system also includes an ID associator application that when executed by ID association server is configured to receive a domain specific ID that associates the user to the secure domain, enter the domain specific ID in a domain transcendent ID record created for the user, generate a unique data associated with the domain transcendent ID record and identify a network location for submission of the unique data, send the unique data and the network location to the user, and associate the domain transcendent ID and the domain specific ID.
    Type: Grant
    Filed: December 8, 2010
    Date of Patent: July 1, 2014
    Assignee: Disney Enterprises, Inc.
    Inventors: Arnaud Robert, Edward C. Drake
  • Patent number: 8769627
    Abstract: A computer-implemented method for validating ownership of deduplicated data may include (1) identifying a request from a remote client to store a data object in a data store that already includes an instance of the data object, (2) in response to the request, verifying that the remote client possesses the data object by (i) issuing a randomized challenge to the remote client, the randomized challenge including a random value which, when combined with at least a portion of the data object, produces an authentication token demonstrating possession of the data object and, in response to the randomized challenge, (ii) receiving the authentication token from the remote client; and, in response to receiving the authentication token from the remote client, (3) storing the data object in the data store on behalf of the remote client. Various other methods and systems are also disclosed.
    Type: Grant
    Filed: December 8, 2011
    Date of Patent: July 1, 2014
    Assignee: Symantec Corporation
    Inventors: Fanglu Guo, Petros Efstathopoulos
  • Patent number: 8769657
    Abstract: Disclosed are systems, methods and computer program products for multi-level user authentication. In one example, a method includes detecting a plug-in token connected to a device that controls user access to a protected resource; identifying one or more authorized users associated with the detected token who are authorized to access the protected resource; authenticating whether a first user requesting access to the protected resource is associated with the detected token and authorized to access the protected resource; detecting presence of one or more wireless transponders of one or more authorized users associated with the token, including at least a transponder of the first user; and providing access to the protected resource to the first user when the first user is authenticated as an authorized user associated with the detected token and the transponder of at least the first user is detected.
    Type: Grant
    Filed: September 15, 2012
    Date of Patent: July 1, 2014
    Assignee: Kaspersky Lab ZAO
    Inventor: Oleg V. Zaitsev
  • Patent number: 8763142
    Abstract: A payment processing system for accepting manually-entered payment-card numbers. Rather than entering a payment-card account number into an application module, the card number is instead captured and stored within a tokenizer prior to being sent to the application module. The tokenizer then returns a random token to the calling application as a pointer to the original payment-card number. The token has no algorithmic relationship with the original payment-card number, so that the payment-card number cannot be derived based on the token itself. Since the token is not considered cardholder data, the token may be used in an application module without the module or its connected hardware being subject to regulatory standards compliance. Some embodiments involve browser-based schemes, and some embodiments involve PIN-entry device-based schemes.
    Type: Grant
    Filed: August 23, 2011
    Date of Patent: June 24, 2014
    Assignee: Princeton Payment Solutions
    Inventors: Kevin M. McGuire, Rush Taggart, John Alex Chapman
  • Patent number: 8756680
    Abstract: A biometrics-enabled smart card for use in transactional or identity applications (e.g., credit cards and identity cards). The biometric smart card includes a substrate, a biometric sensor capable of reading biometric information through the substrate, and a microprocessor to process, store, and authenticate biometric information. The substrate has a Young's modulus of at least about 50 GPa and a thickness of up to about 0.5 mm.
    Type: Grant
    Filed: July 27, 2012
    Date of Patent: June 17, 2014
    Assignee: Corning Incorporated
    Inventor: Nagaraja Shashidhar
  • Patent number: 8756425
    Abstract: A multi-function memory card is disclosed including: a memory card interface for coupling with a memory card connection port of a terminal device; a storage module for storing one or more specific files transmitted from the terminal device; a protocol converter for retrieving the one or more specific files from the storage module and extracting data contained in the one or more specific files; and a smart card module for conducting an operation on extracted data from the protocol converter using a private key to generate one or more response data and transmitting the one or more response data to the protocol converter; wherein the protocol converter converts the one or more response data into one or more response files and writes the one or more response files into the storage module so that the one or more response files are accessible by the terminal device.
    Type: Grant
    Filed: July 23, 2012
    Date of Patent: June 17, 2014
    Assignee: Jrsys International Corp.
    Inventor: Jiann Dong Wu
  • Patent number: 8746363
    Abstract: System for conducting remote biometric operations that includes a biometric data reading device connected to a personal computer and configured to send said encrypted data to a remote data authentication center for establishing a secure communications channel once the user identity has been verified by means of said biometric data. This invention refers to a remote biometric operations system that can be connected to a computer to carry out electronic banking and other similar operations with a certain degree of safety.
    Type: Grant
    Filed: December 29, 2011
    Date of Patent: June 10, 2014
    Assignee: Hanscan IP B.V.
    Inventors: Nicolás Antequera Rodriguez, Juan A. Lopez Ramos
  • Patent number: 8751827
    Abstract: A method of securely operating a computerized system includes forming a connection to a user-removable physical security device (PSD) which is uniquely paired with the computerized system and which stores cryptographically secured data required for performing a protected function on the computerized system. The PSD may be realized as a USB or similar peripheral device containing security-related data and potentially security processing capability as well. The protected function could be decrypting of encrypted data encryption keys used to encrypt/decrypt user data for example. A user who has an established association with the PSD (e.g. by some preceding registration process) is authenticated, resulting in activation of the PSD on the computerized system. Upon such activation of the PSD, the computerized system engages in a security operation using the cryptographically secured data from the PSD to enable the protected function to be performed under control of the user on the computerized system.
    Type: Grant
    Filed: June 25, 2010
    Date of Patent: June 10, 2014
    Assignee: EMC Corporation
    Inventors: William M. Duane, Robert W. Griffin, John S. Harwood, Gregory W. Lazar, Thomas E. Linnell
  • Patent number: 8749361
    Abstract: A system and method of transmitting an authentication code includes automatically calculating a security code on a device executing a security program. The security program may periodically calculate a respective unique security code. In response to a user requesting the security code, the device automatically vibrates according to a pattern representing the security code. The pattern tactilely communicates the security code to the user.
    Type: Grant
    Filed: September 15, 2011
    Date of Patent: June 10, 2014
    Assignee: Symantec Corporation
    Inventors: Maryam Najafi, David Sward
  • Patent number: 8745717
    Abstract: An electronic device, system and method for automatically managing wireless connections with a plurality of other devices are provided. The electronic device may be a security token access device and may be adapted to wirelessly pair and optionally securely pair with other devices. Connection information, which may comprise security information, is maintained at the electronic device for each connected device. When a connected device becomes stale, the electronic device implements one or more steps to manage the stale device's connection.
    Type: Grant
    Filed: December 12, 2011
    Date of Patent: June 3, 2014
    Assignee: BlackBerry Limited
    Inventor: Neil Patrick Adams
  • Patent number: 8745709
    Abstract: A multifactor authentication (MFA) enforcement server provides multifactor authentication services to users and existing services. During registration, the MFA enforcement server changes a user's password on an existing service to a password unknown to the user. During normal usage when the user accesses the existing service through the MFA enforcement server, the MFA enforcement server enforces a multifactor authentication enforcement policy.
    Type: Grant
    Filed: February 28, 2011
    Date of Patent: June 3, 2014
    Assignee: Tyfone, Inc.
    Inventors: Siva G. Narendra, Donald Allen Bloodworth, Todd Raymond Nuzum
  • Patent number: 8745754
    Abstract: A device for secure access to digital media contents, the device comprising an access means for accessing digital media contents from a data source and a reader for authenticating a user, the authentication being performed by checking some authentication data. An internal communication path between the access means and the reader is not directly accessible from outside the device.
    Type: Grant
    Filed: September 22, 2004
    Date of Patent: June 3, 2014
    Assignee: SCM Microsystems GmbH
    Inventors: Rao B S Bhaskar, Rajan G. High Court, Josephine G. Deepa
  • Publication number: 20140150092
    Abstract: A method and apparatus are disclosed wherein a portable memory storage device is provided for interfacing with a communications port of the computer system. During operating system start up of the operating system of the computer, fields relating to security of the operating system are prompted for. The portable memory store retrieves from memory therein data for populating said fields and provides same to the computer system mimicking a data entry device other than a portable memory store.
    Type: Application
    Filed: January 31, 2014
    Publication date: May 29, 2014
    Applicant: Imation Corp.
    Inventors: Laurence Hamid, Lawrence Reusing
  • Patent number: 8739277
    Abstract: The invention relates to a process for releasing the access to a computer system or to a program for a user via a terminal (2) without software having to be installed solely for this purpose on the terminal (2). A data connection is established between a portable data carrier (1) of the user and the terminal (2). An authentication of the user is performed by the portable data carrier (1). If the authentication is successful, an access code is made available by the portable data carrier (1) for releasing the access to the computer system or to the program for a transmission via the data connection.
    Type: Grant
    Filed: December 14, 2004
    Date of Patent: May 27, 2014
    Assignee: Giesecke & Devrient GmbH
    Inventor: Robert Müller
  • Patent number: 8732457
    Abstract: Managing a digital certificate includes a landlord providing a digital certificate, a secure hardware device generating a series of n hash values, the secure hardware device providing an nth hash value to the landlord, wherein other hash values are not readily available to the landlord, the landlord placing the nth hash value in the certificate, the landlord digitally verifying the certificate containing the nth hash value to obtain a digitally signed certificate, a tenant obtaining the digitally signed certificate, the tenant obtaining the n hash values and the tenant managing the certificate by periodically issuing a previous hash value in the series of n hash values in response to the certificate being valid when the previous hash value is issued.
    Type: Grant
    Filed: March 20, 2002
    Date of Patent: May 20, 2014
    Assignee: Assa Abloy AB
    Inventor: Silvio Micali
  • Patent number: 8732820
    Abstract: A method for inputting different usernames and passwords using an input device with a display to use different protected assets that requires the inputting of a preselected username into a username entry box and the inputting of a preselected password into a password entry box immediately prior to use. The method includes the steps of designating two or more username keys on said input device, each said username key being assigned with a unique letter or number located on said input device and to a unique username made of a plurality of alpha-number characters, designating two or more password keys on the input device each being assigned with a letter or number located on said input device and to a unique password made of a plurality of alpha-number characters. Next the protected asset is then accessed and the username key and keyword key assigned to the asset is input.
    Type: Grant
    Filed: April 16, 2012
    Date of Patent: May 20, 2014
    Inventor: Dean A. Craine
  • Patent number: 8732795
    Abstract: A computer-implemented authentication method is described. The method includes the steps of (a) receiving an authentication request at an authentication computing system, the request including a resource identifier, (b) identifying one or more authentication pools associated with the resource identifier, each authentication pool including at least one authentication method implementation, (c) executing a pool authentication process for the one or more identified authentication pools, and (d) transmitting a response to the identification authentication request based on the execution of the pool authentication process for the one or more identified authentication pools.
    Type: Grant
    Filed: May 19, 2011
    Date of Patent: May 20, 2014
    Assignee: Epic Systems Corporation
    Inventors: Trent N. Skeel, Eric W. Cooper, Travis Keshav
  • Patent number: RE45140
    Abstract: A security method for an attached computer module in a computer system. The security method reads a security identification number in an attached computer module and compares it to a security identification number in a console, which houses the attached computer module. Based upon a relationship between these numbers, a security status is selected. The security status determines the security level of operating the computer system.
    Type: Grant
    Filed: December 17, 2013
    Date of Patent: September 16, 2014
    Assignee: Acqis LLC
    Inventor: William W. Y. Chu