Tokens (e.g., Smartcards Or Dongles, Etc.) Patents (Class 726/20)
  • Patent number: 8633798
    Abstract: A computer system includes a computer, a fingerprint reader, and a security apparatus to apply complete security for the benefit of an authorized user. The computer includes a first interface, a second interface, an account storage unit, and a fingerprint storage unit. The fingerprint reader can connect with the computer through the first interface for inputting fingerprint information. The security apparatus can connect with the computer through the second interface, and includes a password storage module, a first use module, a password modification module, and a normal use module.
    Type: Grant
    Filed: October 12, 2011
    Date of Patent: January 21, 2014
    Assignee: Hon Hai Precision Industry Co., Ltd.
    Inventor: Yu-Sheng Lin
  • Patent number: 8627439
    Abstract: A method of communicating over a communications system includes determining that a communication event at a user terminal of the communications system requires use of a feature for processing data, the communication event being over the communications system and determining that the feature required by the communication event is not enabled for use at the user terminal when the communication event is initiated. Following the step of determining that the feature is not enabled, the method further includes retrieving a certificate enabling the use of the feature at the user terminal and using the feature at the user terminal to process data of the communication event.
    Type: Grant
    Filed: July 30, 2009
    Date of Patent: January 7, 2014
    Assignee: Microsoft Corporation
    Inventor: Marek Laasik
  • Patent number: 8622310
    Abstract: The invention relates to a token, to an integrated circuit comprising the token, to a method of randomizing the token and a system for randomizing the token. The token comprises a physical unclonable function and comprising probing means for probing the physical unclonable function. The physical unclonable function comprises a capacitor comprising a dielectric medium being arranged at least partially between the electrodes of the capacitor. The dielectric medium is configured for contributing to a capacitance value of the capacitor and comprises conducting particles substantially randomly dispersed in the dielectric medium. The conducting particles comprise a phase changeable material being changeable between a first structural state having a first conductivity and a second structural state having a second conductivity different from the first conductivity.
    Type: Grant
    Filed: December 17, 2010
    Date of Patent: January 7, 2014
    Assignee: NXP B.V.
    Inventors: Willem Frederik Adrianus Besling, Jinesh Balakrishna Pillai Kochupurackal
  • Patent number: 8621561
    Abstract: Embodiments for providing differentiated access based on authentication input attributes are disclosed. In accordance with one embodiment, a method includes receiving an authentication input at an authentication authority using an authentication protocol. The authentication input being associated with a client. The method also includes providing one or more representations for the authentication input, wherein each of the representations represents an attribute of the authentication input.
    Type: Grant
    Filed: January 4, 2008
    Date of Patent: December 31, 2013
    Assignee: Microsoft Corporation
    Inventors: David B. Cross, Mark F. Novak, Oded Ye Shekel, Paul J. Leach, Andreas Luther, Thomas C. Jones
  • Patent number: 8621469
    Abstract: An ACT generation unit (208) in an access control apparatus generates an ACT in a form in which the ACT includes function restriction information based on the time period. At this time, in response to an ACT request from a client PC, a list (401) which describes function restriction information based on the time period is referred to based on user information (404) and time information (405) representing the request time. A regular time ACT (410) and overtime ACT (411) are generated in accordance with the request time. By replying the ACT to the client PC, a print job is transferred together with the ACT to a printing apparatus, allowing access control based on the time period.
    Type: Grant
    Filed: November 28, 2007
    Date of Patent: December 31, 2013
    Assignee: Canon Kabushiki Kaisha
    Inventor: Tetsuo Sakai
  • Patent number: 8613055
    Abstract: In some embodiments, an apparatus includes an authorization module implemented in at least one of a memory or a processing device. The authorization module can receive from an application a request for an access token associated with the application that includes a scope identifier associated with a level of access to a resource module. The authorization module can select based on the scope identifier at least one authentication mode from a set of predefined authentication modes. The authorization module can also receive at least one credential assigned to at least one authentication mode. Additionally, the authorization module can send the access token to the application in response to authenticating a user of the application based on the at least one credential.
    Type: Grant
    Filed: February 22, 2013
    Date of Patent: December 17, 2013
    Assignee: Ping Identity Corporation
    Inventors: Scott Tomilson, Brian Campbell
  • Patent number: 8607333
    Abstract: Disclosed are a radio frequency identification (RFID) security apparatus and a method thereof. According to the RFID security method, a secure tag reader performs determining an AES key using security information received from a secure tag and generating an output key using the determined AES key, decrypting AES data received from the secure tag using the output key, and encrypting data to be transmitted to the secure tag using the output key and transmitting the data, and a secure tag performs generating an output key using an AES key and security information, and transmitting the security information to a secure tag reader, encrypting data to be transmitted to the secure tag reader using the output key, and transmitting the encrypted data to the secure tag reader, and decrypting data received from the secure tag reader using the output key.
    Type: Grant
    Filed: July 20, 2009
    Date of Patent: December 10, 2013
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Sang Yeoun Lee, Heyung Sub Lee, You Sung Kang, Doo Ho Choi, Yong-Je Choi, Hyunseok Kim, Cheol Sig Pyo, Jong-Suk Chae, Dong-Beom Shin, Jae-young Jung
  • Patent number: 8605903
    Abstract: A communication system uniquely identifying a communication partner within a predetermined coverage area and transmitting and receiving information in a predetermined protocol, includes a device and an information processing apparatus with one performing wireless communication with the other within the predetermined coverage area. The device includes a random number generating unit, a device secret key storage unit, a communication ID transmitting unit, and a device transmitting and receiving unit. The information processing apparatus includes an apparatus encryption unit, an apparatus secret key storage unit, a communication ID storage unit, a random number acquisition unit and an apparatus transmitting and receiving unit.
    Type: Grant
    Filed: May 8, 2007
    Date of Patent: December 10, 2013
    Assignee: Sony Corporation
    Inventors: Tadashi Morita, Toshinori Kanemoto
  • Patent number: 8607332
    Abstract: A system for managing sensitive personal data includes a first data processing subsystem and a second data processing subsystem. The first data processing subsystem includes a generating unit and a private database. The generating unit generates a common key from data identifying a person. The private database associates the common key with the identification data. The second data processing subsystem includes an obtaining unit, a generating unit, a receiving unit and a storing unit. The obtaining unit obtains the common key. The generating unit generates a random number from the common key. The receiving unit receives a registration message including sensitive personal data of the person and the random number. The storing unit stores the personal data in a second database in association with the random number and the common key.
    Type: Grant
    Filed: January 26, 2006
    Date of Patent: December 10, 2013
    Assignee: France Telecom
    Inventors: Sébastien Canard, Stéphane Guilloteau, François Boudet
  • Patent number: 8607046
    Abstract: A system and method for batch signing of a message is provided. An administrator initiates a management operation directed to a plurality of security appliances organized as a cluster. In response, the security appliance generates an operation context identifying the management operation to be performed. In addition, a secure encryption processor (SEP) of each security appliance generates a random nonce. The nonces are then assembled along with the operation context into a single message. The message is then cryptographically signed by an appropriate number of administrators using a cryptographic key associated with each administrator. The signed message is returned to the security appliances, where each security appliance examines the signed message and determines whether its nonce is present within the message. If so, the security appliance performs the desired management operation. However, if its nonce is not present in the signed message, the management operation is disallowed and not performed.
    Type: Grant
    Filed: April 23, 2007
    Date of Patent: December 10, 2013
    Assignee: NetApp, Inc.
    Inventors: Joshua Silberman, Ananthan Subramanian, Fumiaki Okushi
  • Patent number: 8607064
    Abstract: A biometric authentication device performs authentication of a user based on biometric information. In the biometric authentication device, a registry information storage stores pre-registered biometric information as registry information. An acceptance value determiner determines a verification acceptance value used for authentication, based on quality of the registry information with regard to reliability of characterizing an individual. An authentication information acquirer obtains biometric information of a user as authentication information. A similarity calculator compares the authentication information of the user with the registry information and calculates similarity between the authentication information and the registry information. An authenticator identifies whether the user is a registrant corresponding to the registry information, based on the similarity and the verification acceptance value.
    Type: Grant
    Filed: June 15, 2011
    Date of Patent: December 10, 2013
    Assignee: Hitachi-Omron Terminal Solutions, Corp.
    Inventors: Masatsugu Uneda, Tsukasa Yasue, Atsuhiro Imaizumi
  • Patent number: 8598981
    Abstract: A key fob includes a biometric sensor including a fingerprint area sensor having a surface for receiving a finger, and a controller includes at least one processor configured to authenticate a user of the key fob based on biometric information obtained with the biometric sensor and stored biometric information for an individual. The key fob includes a RF transmitter for communicating stored transaction information to a reader upon authentication of the user and a housing. The housing includes a base for supporting the biometric sensor and a cover sleeve slidably engaged with the base to allow for extension from and retraction into the sleeve by the base, thereby permitting selective exposure of the fingerprint area sensor under user actuation.
    Type: Grant
    Filed: February 18, 2011
    Date of Patent: December 3, 2013
    Inventor: Tore Etholm Idsøe
  • Patent number: 8601571
    Abstract: A multi-user computer system and a remote control method for the multi-user computer system includes a remote controller, with an input unit that receives a remote-control password to remotely operate the computer, information on an OS booted when the remote-control password is input, a key input setting the computer in a mode wherein the remote-control password and the OS information are set, and a key input operating the computer, a microprocessor, a wireless transmitter, and a computer, with a wireless receiver, a microprocessor, and a BIOS that automatically loads an OS corresponding to the remote-control password stored in the memory when the received remote-control password stored in the wireless receiver and the remote-control password in the memory are the same.
    Type: Grant
    Filed: August 2, 2006
    Date of Patent: December 3, 2013
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Chan-woo Kim
  • Patent number: 8601283
    Abstract: In some applications, it may be more convenient to the user to be able to log in the memory system using one application, and then be able to use different applications to access protected content without having to log in again. In such event, all of the content that the user wishes to access in this manner may be associated with a first account, so that all such content can be accessed via different applications (e.g. music player, email, cellular communication etc.) without having to log in multiple times. Then a different set of authentication information may then be used for logging in to access protected content that is in an account different from the first account, even where the different accounts are for the same user or entity.
    Type: Grant
    Filed: December 20, 2005
    Date of Patent: December 3, 2013
    Assignee: SanDisk Technologies Inc.
    Inventors: Fabrice Jogand-Coulomb, Michael Holtzman, Bahman Qawami, Ron Barzilai
  • Patent number: 8595501
    Abstract: A network helper is provided that assists verifiers in executing a puzzle-based protocol for authentication of a token. A token stores a secret key and one or more puzzle-generating algorithms. The helper stores a plurality of puzzles associated with a particular token. When requested to do so by a verifier, the helper provides a plurality of pseudorandomly selected puzzles for the token to a verifier. The puzzles are encoded with information that is used between the verifier and token to establish a secured symmetric key. The verifier selects one or a few of the encoded puzzles and breaks them by a brute force attack. Because the helper does not know which puzzles have been selected, it has to break all puzzles to attempt to figure out the symmetric key. However, if a large number of puzzles are utilized, say millions, then breaking all of them becomes a computationally prohibitive task.
    Type: Grant
    Filed: May 9, 2008
    Date of Patent: November 26, 2013
    Assignee: QUALCOMM Incorporated
    Inventors: Gregory Gordon Rose, Alexander Gantman, Miriam Wiggers De Vries, Michael Paddon, Philip Michael Hawkes
  • Publication number: 20130312087
    Abstract: A computer device receives a personal authentication statement from a user seeking to access concealed computer objects or applications on the computer device. A parser syntactically parses the personal authentication statement to extract a user-authentication token and a computer objects-authentication token. The computer objects-authentication token can identify one or more concealed computer objects on the computer device. The computer device reveals the one or more concealed computer objects to the user upon authentication of the user and verification that the authenticated user is authorized to access the concealed computer objects.
    Type: Application
    Filed: May 15, 2012
    Publication date: November 21, 2013
    Applicant: SAP AG
    Inventor: Markus Latzina
  • Publication number: 20130312091
    Abstract: A system includes a mobile unit and a smart card reader. The mobile unit includes a security application that prevents access to functionalities and data stored thereon and further includes an authentication application that securely stores an authentication token. The smart card reader communicatively connects to a smart card. The smart card includes authentication data. The authentication application transmits the authentication token to the smart card reader to verify the smart card. The authentication application shares the authentication token with the security application when the verification is successful. The authentication token indicates to the security application to grant access to the functionalities and the data.
    Type: Application
    Filed: July 24, 2013
    Publication date: November 21, 2013
    Applicant: Motorola Mobility LLC
    Inventors: Kashyap Krishnan Merchant, Xinjie Cai, Sanjiv K. Maurya
  • Patent number: 8588415
    Abstract: A method of securing a telecommunication terminal that is connected to a module used to identify a user of the terminal is described. The method includes a step including executing a procedure in which the terminal is matched to the identification module, consisting in: securely loading a first software program including a data matching key onto the identification module; securely loading a second software program which can operate in conjunction with the first software program onto the telecommunication terminal; transmitting a data matching key that corresponds to that of the first software program to the second software program; storing the transmitted data matching key in the secured storage zone of the telecommunication terminal; and conditionally submitting every response from the first software program to a request from the second software program upon verification at the true value of the valid possession of the data matching key by the second program.
    Type: Grant
    Filed: November 2, 2005
    Date of Patent: November 19, 2013
    Assignees: France Telecom, Trusted Logic
    Inventors: Jean-Claude Pailles, Fabien Venries, Guillaume Bruyere, Alexandre Frey
  • Patent number: 8587838
    Abstract: An image processing apparatus which, in outputting images including copies of original images, if an image that has restriction information embedded therein and an image that has no restriction information embedded therein are in a state mixed in the original images, is capable of embedding the restriction information in an image that is output based on the image that has no restriction information embedded therein. When the copy restriction information is extracted from a read image, the copy restriction information is stored in an embedded information-extracting section. When the copy restriction information is not extracted from the read image, dot pattern data corresponding to the copy restriction information stored in the embedded information-extracting section is generated. The dot pattern data and image data output from a scanner are synthesized. A printer prints an image on a sheet based on the synthesized image data.
    Type: Grant
    Filed: April 17, 2008
    Date of Patent: November 19, 2013
    Assignee: Canon Kabushiki Kaisha
    Inventor: Takaharu Oosawa
  • Patent number: 8590029
    Abstract: A mechanism is provided for managing access authorization to forums open to anonymous users within an organization. A token distributor application provides a unique token to each member of a community or organization. The application is trusted by all members to not store an association between the authenticated user and the token when a token is assigned. The only control exerted by the token distributor is to block users who have already obtained a token from receiving another token. The communication tool or collaboration space may accept creation of a new anonymous identity, such as a nickname, to any individual supplying a token assigned by the token distributor application. An administrator may ban users by token. A banned user cannot access the communication tool or collaboration space using a nickname associated with a banned token.
    Type: Grant
    Filed: January 5, 2009
    Date of Patent: November 19, 2013
    Assignee: International Business Machines Corporation
    Inventor: Marcello Vitaletti
  • Patent number: 8584253
    Abstract: Access to content may be administered by storing content, the content comprising one or more selections, accessing a passive optical out-of-band token associated with the content, determining an access right for the content based on the passive optical out-of-band token, and enabling access to the content in accordance with the access right.
    Type: Grant
    Filed: August 29, 2011
    Date of Patent: November 12, 2013
    Assignee: Time Warner Inc.
    Inventors: Steven M. Blumenfeld, William J. Raduchel
  • Patent number: 8582757
    Abstract: A method for protecting the execution of a ciphering or deciphering algorithm against the introduction of a disturbance in a step implementing one or several first values obtained from second values supposed to be invariant and stored in a non-volatile memory in which, during an execution of the algorithm: a current signature of the first values is calculated; this current signature is combined with a reference signature previously stored in a non-volatile memory; and the result of this combination is taken into account at least in the step of the algorithm implementing said first values.
    Type: Grant
    Filed: August 26, 2009
    Date of Patent: November 12, 2013
    Assignee: STMicroelectronics (Rousset) SAS
    Inventors: Albert Martinez, Yannick Teglia
  • Patent number: 8583934
    Abstract: A method for preventing secret code manipulation in a data processing device, such as a smart card, to which a presented code is applied. Prior to implementation of a code transforming function in the processing device, the secret code is transformed into a transformed secret code in the card. For each use of the card, the presented code is transformed into a transformed presented code in accordance with the implemented transformation function. A comparison of the transformed secret code with the transformed secret code in the card is then performed.
    Type: Grant
    Filed: June 20, 2001
    Date of Patent: November 12, 2013
    Assignee: Gemalto SA
    Inventors: Christophe Bidan, David Naccache, Pierre Girard, Pascal Guterman, Ludovic Rousseau
  • Patent number: 8584222
    Abstract: A secure password/Personal Identification Number (PIN) reset process is disclosed. The process involves replacing a transportation password/PIN of a terminal with a user-specific password/PIN. During the replacement, the user-specific password/PIN is bound with a token. The token can then be used to securely reset the password/PIN of the terminal back to the transportation password/PIN if the user-specific password/PIN is forgotten or compromised.
    Type: Grant
    Filed: September 28, 2011
    Date of Patent: November 12, 2013
    Assignee: HID Global GmbH
    Inventors: Markus Andreas Hofer, Werner Waitz
  • Publication number: 20130298226
    Abstract: The disclosure provides a method and a terminal for locking/unlocking a screen of a terminal based on Radio Frequency Identification (RFID). The method includes: the terminal receives locking or unlocking information carrying authentication information from an external electronic tag via an RFID reader; user identity authentication is performed according to the authentication information; and the screen of the terminal is locked or unlocked according to the locking or unlocking information, after the authentication succeeds. With the method and the terminal, user experience can be achieved by waving a mobile phone and the screen can be opened while being unlocked, thus, the user experience of locking/unlocking screen is improved.
    Type: Application
    Filed: April 2, 2011
    Publication date: November 7, 2013
    Applicant: ZTE CORPORATION
    Inventors: Wen Fang, Yang Liu
  • Patent number: 8578471
    Abstract: According to one embodiment, an information processing apparatus includes an input to input a password, a biological authentication device including a storage unit for storing biological information and identification information, and an authentication controller. The authentication controller sets and holds identification information to be stored in the storage unit of the biological authentication device, and permits a password input using the input to be substituted by authentication using the biological authentication device when the identification information held by itself and the identification information stored in the storage unit of the biological authentication device match.
    Type: Grant
    Filed: October 5, 2011
    Date of Patent: November 5, 2013
    Assignee: Kabushiki Kaisha Toshiba
    Inventor: Ken Hatano
  • Patent number: 8578158
    Abstract: An information processing apparatus includes a memory that stores command execution right information including execution right information indicating whether a command is executable, and a command determination unit that determines whether an entered command is a target of a command execution determination where it is determined that whether a command is executable based on whether the entered command is invoked by a user command or a system command, and determines whether the entered command is executable with reference to the command execution right information stored in the memory when the entered command is determined as the target of the command execution determination.
    Type: Grant
    Filed: December 10, 2010
    Date of Patent: November 5, 2013
    Assignee: Fujitsu Limited
    Inventors: Takashi Matsuda, Yoshiyuki Ohhira
  • Patent number: 8578464
    Abstract: A system and method for securely streaming encrypted digital media content out of a digital container to a user's media player. This streaming occurs after the digital container has been delivered to the user's machine and after the user has been authorized to access the encrypted content. The user's operating system and media player treat the data stream as if it were being delivered over the Internet (or other network) from a streaming web server. However, no Internet connection is required after the container has been delivered to the user and the data stream suffers no quality loss due to network traffic or web server access problems. Encrypted content files are decrypted and fed to the user's media player in real time and are never written to the user's storage device. This process makes unauthorized copying of the digital content contained in the digital container virtually impossible.
    Type: Grant
    Filed: August 29, 2012
    Date of Patent: November 5, 2013
    Assignee: Digital Reg of Texas, LLC
    Inventors: Carl Vernon Ventors, III, Eugene B. Phillips, II, Seth Ornstein
  • Patent number: 8578463
    Abstract: A system and method for allowing for distributed interaction in a computing scenario is presented. The system is powered by SandTable software. First and second items are respectively displayed on interactive screens of first and second surface computers. A first token is configured to be placed on the interactive screen of one of the computers and that computer reads its credentials. The SandTable software determines a first access level of the first token based on the credentials of the first token when it is placed on the surface computer. The first surface computer displays an image of an add item symbol when the first token is authenticated as a valid token. The SandTable software is configured to detect when the add item symbol is selected and to generate a menu of new items. SandTable creates a new item based on the new item selected from the menu.
    Type: Grant
    Filed: September 29, 2011
    Date of Patent: November 5, 2013
    Assignee: BAE Systems Information Solutions Inc.
    Inventor: Howard Kee
  • Patent number: 8578472
    Abstract: Method and devices for making access decisions in a secure access network are provided. The access decisions are made by a portable credential using data and algorithms stored on the credential. Since access decisions are made by the portable credential, non-networked hosts or local hosts can be employed that do not necessarily need to be connected to a central access controller or database, thereby reducing the cost of building and maintaining the secure access network.
    Type: Grant
    Filed: October 17, 2011
    Date of Patent: November 5, 2013
    Assignee: Assa Abloy AB
    Inventors: Michael L. Davis, Robert Wamsley, Tam Hulusi
  • Patent number: 8572386
    Abstract: The present invention is designed to enable a secure device to authenticate a terminal application that operates on an information processing terminal and that accesses the secure device. An application issue request transmitter (301) of the information processing terminal (30) sends a request for issue of a terminal application to an application issuer (101). The application issuer (101) of a secure device (10) reads a terminal application (31) from an application storage (105) and embeds authentication information in the terminal application (31), associates an ID and the authentication information of the terminal application (31) and saves them in an issue information storage (106), and sends the terminal application (31) to an application receiver (302) of the information processing terminal through an application transmitter (102). The application receiver (302) starts the terminal application (31).
    Type: Grant
    Filed: August 4, 2004
    Date of Patent: October 29, 2013
    Assignee: Panasonic Corporation
    Inventors: Hiroshi Takekawa, Hisashi Takayama, Ken Naka
  • Patent number: 8572388
    Abstract: A method, apparatus and program product provide a mechanism for managing the execution of electronic documents using electronic signatures. Documents requiring electronic signatures are automatically identified, mined, trimmed and split from a printer control data language stream. Status information pertaining to needed data, signatories, signature completions and authentication attempts is related to users during and after an electronic signing sequence.
    Type: Grant
    Filed: January 16, 2007
    Date of Patent: October 29, 2013
    Assignee: eLynx, Ltd.
    Inventors: Tim Boemker, Mark Keller, Chip Schock, Mark E. Kleingers, Phillip E. Huff, Terrance P. Gieske, James D. Gersten, John E. Danner
  • Patent number: 8566927
    Abstract: The approach defines a protection mechanism against attacks to a security enforcing operation performed by cryptographic token or smart card. It is based on an attack detector which signals the main elaboration or processing system regarding a potential attack situation. The approach addresses SIM cloning problems of telecommunications operators who use old and breakable cryptographic algorithms such as the COMP-128 and do not want to invest in updating the network authentication systems with more resistant authentication cryptographic algorithms. The approach may be applicable to the typical telecommunications operator in an emerging market that does not use state of the art technology.
    Type: Grant
    Filed: June 30, 2005
    Date of Patent: October 22, 2013
    Assignee: STMicroelectronics International N.V.
    Inventor: Paolo Di Iorio
  • Patent number: 8566918
    Abstract: According to one embodiment, an apparatus may intercept a request to access a resource represented by a resource token. The apparatus may receive a hard token representing identification information of a device. The apparatus may determine, based at least in part upon the hard token and the resource token, at least one token-based rule specifying compliance criteria required to consume the resource. The apparatus may receive at least one token representing compliance information of the device in response to a request for compliance information of the device. The apparatus may then compare the compliance information against the compliance criteria to determine that the device is capable of consuming the resource. The apparatus may then generate a compliance token representing the determination that the device is capable of consuming the resource, and communicate the compliance token to facilitate the provisioning of a container to the device.
    Type: Grant
    Filed: August 15, 2011
    Date of Patent: October 22, 2013
    Assignee: Bank of America Corporation
    Inventor: Rakesh Radhakrishnan
  • Patent number: 8566924
    Abstract: A method for limiting devices and controlling the applications executed from USB ports on personal computers (PCs). More specifically, the present invention relates to a method for ensuring that only authorized devices and applications are accessed from USB ports using software and configuration files on the PC. Using the software application stored on the PC storage device in conjunction with functionality performed by a designed security file server, the use of USB applications and devices is limited to authorized applications and devices.
    Type: Grant
    Filed: August 12, 2011
    Date of Patent: October 22, 2013
    Assignee: Six Circle Limited Liability Company
    Inventor: Steven V. Bacastow
  • Patent number: 8566907
    Abstract: A method is provided for controlling multiple access to a network service to prevent fraudulent use of the network service. The method includes identifying an account access counter for an account using identification information received from a user at a first device using a network, wherein the user is requesting access to a service provided at a second device, and further wherein the account access counter is the number of service access sessions active for the account; comparing the account access counter to a maximum account access number, wherein the maximum account access number defines a maximum number of service access sessions allowed for the account; and providing the user at the first device access to the service at the second device if the account access counter is less than the maximum account access number.
    Type: Grant
    Filed: August 24, 2012
    Date of Patent: October 22, 2013
    Assignee: MLB Advanced Media, L.P.
    Inventors: Joseph Francis Choti, Justin Alexander Shaffer, Christopher Sun, Elangovan Soundararajan, Shadeed S. Willis, Lincoln Hochberg, Sean Curtis
  • Patent number: 8566916
    Abstract: A method, system, and apparatus for agile generation of one time passcodes (OTPs) in a security environment, the security environment having a token generator comprising a token generator algorithm and a validator, the method comprising generating an OTP at the token generator according to a variance technique; wherein the variance technique is selected from a set of variance techniques, receiving the OTP at a validator, determining, at the validator, the variance technique used by the token generator to generate the OTP, and determining whether to validate the OTP based on the OTP and variance technique.
    Type: Grant
    Filed: October 30, 2012
    Date of Patent: October 22, 2013
    Assignee: EMC Corporation
    Inventors: Daniel Bailey Vernon, John G Brainard, William M Duane, Michael J O'Malley, Robert S Philpott
  • Patent number: 8566586
    Abstract: To control privileges and access to resources on a per-process basis, an administrator creates a rule that may be applied to modify a process's token. The rule includes an application-criterion set and changes to be made to the groups and/or privileges of a token. The rule is set as a policy within a group policy object (GPO), where a GPO is associated with one or more groups of computers. When a GPO containing a rule is applied to a computer, a driver installed on the computer accesses the rule(s) anytime a logged-on user executes a process. If the executed process satisfies the criterion set of a rule the changes contained within the rule are made to the process token, and the user has expanded and/or contracted access and/or privileges for only that process.
    Type: Grant
    Filed: August 10, 2011
    Date of Patent: October 22, 2013
    Assignee: BeyondTrust Corporation
    Inventor: Marco Peretti
  • Patent number: 8561172
    Abstract: A client includes a card selector, and receives a security policy from a relying party. If the client does not have an information card that can satisfy the security policy, the client can define a virtual information card, either from the security policy or by augmenting an existing information card. The client can also use a local security policy that controls how and when a virtual information card is defined. The virtual information card can then be used to generate a security token to satisfy the security policy.
    Type: Grant
    Filed: August 29, 2008
    Date of Patent: October 15, 2013
    Assignee: Novell Intellectual Property Holdings, Inc.
    Inventors: Duane Buss, Andrew Hodgkinson, Tom Doman
  • Patent number: 8560852
    Abstract: A secure portable electronic device for providing secure services when used in conjunction with a host computer having a central processing unit uses two hardware device protocols readily supported by computer operating systems. Other systems and methods are disclosed.
    Type: Grant
    Filed: February 1, 2008
    Date of Patent: October 15, 2013
    Assignee: Gemalto SA
    Inventors: Lu Karen HongQian, Stephane Durand, Laurent Castillo, Asad Ali, Ed Dolph
  • Patent number: 8555397
    Abstract: An electronic product code information service (EPCIS) interface is provided, where the EPCIS interface allows accessing applications residing on a variety of systems and associated with a plurality of enterprises/organizations to receive EPC-related data. Also provided is a consumer security profile in which access authorization governing the extent of data collection and/or access by an entity to EPC-related consumer data is specified. Access by an accessing application may be allowed within an extent permitted by access authorization specified in the consumer security profile.
    Type: Grant
    Filed: December 29, 2006
    Date of Patent: October 8, 2013
    Assignee: SAP AG
    Inventor: Steve Winkler
  • Patent number: 8555398
    Abstract: An electronic product code information service (EPCIS) interface is provided, where the EPCIS interface is capable of allowing one or more accessing applications residing on a variety of systems and associated with a plurality of enterprises/organizations to receive EPC-related data. One or more roles of an entity attempting to receive EPC-related data through the interface may be identified. A query may be performed to generate a result set within an extent permitted by access authorization associated with the identified roles of the entity.
    Type: Grant
    Filed: December 29, 2006
    Date of Patent: October 8, 2013
    Assignee: SAP AG
    Inventor: Steve Winkler
  • Patent number: 8555366
    Abstract: The invention is a method of managing communication between an electronic token and a remote web server. The token and the server are connected to a same host machine. The token comprises first and second token servers and a memory comprising HTML data. The host machine has an Internet web browser. Said method comprises the steps of: sending a first request from the Internet web browser to the first token server, returning a first answer to the Internet browser, said first answer comprising HTML data including a connection information associated to a script, on the Internet web browser, executing the script associated to the connection information. Script execution establishes a connection to the remote server allowing a two-way communication between the second token server and the remote server through the Internet browser acting as a gateway.
    Type: Grant
    Filed: May 27, 2008
    Date of Patent: October 8, 2013
    Assignee: Gemalto SA
    Inventors: Olivier Joffray, Philippe Smadja
  • Patent number: 8555411
    Abstract: A mobile device out of range of other devices in a wireless network may be locked to provide security.
    Type: Grant
    Filed: December 23, 2003
    Date of Patent: October 8, 2013
    Assignee: Intel Corporation
    Inventor: Roger A. Hurwitz
  • Patent number: 8553886
    Abstract: An advertisement management device generates and manages advertisement information and an advertisement identifier, a tag management unit generates a tag identifier and tag information unique to the tag identifier, and manages the tag identifier, the tag information, and the advertisement identifier generated by the advertisement management device in an associated manner. The tag management unit sends the tag identifier and the advertisement identifier to the radio tag. A reader reads the tag identifier and the advertisement identifier from the radio tag, sends the tag identifier to the tag management unit, and sends the advertisement identifier to the advertisement management unit. The tag management unit sends tag information corresponding to the tag identifier received from the reading unit to a display unit, and the advertisement management unit sends advertisement information corresponding to the advertisement identifier received from the reading unit to the display unit.
    Type: Grant
    Filed: September 6, 2006
    Date of Patent: October 8, 2013
    Assignee: Fujitsu Limited
    Inventors: Atsushi Sakai, Takayuki Hasebe
  • Patent number: 8548924
    Abstract: Self-authorizing tokens are disclosed. Typical embodiments employ a secure element and a secure element interrogator. Such tokens may be used for authorization of financial payments and other secure transactions. In some embodiments the secure element is provisioned with information about a particular payment card holder account. A secure element reader interrogates the smart element and derives information needed to authorize a transaction. In some embodiments the secure element and the secure element interrogator communicate using communications formatted according to ISO 7816-4.
    Type: Grant
    Filed: February 23, 2012
    Date of Patent: October 1, 2013
    Inventor: C. Douglas Yeager
  • Patent number: 8549620
    Abstract: An information processing device includes: a local memory unit for storing data including an encrypted content; a memory for storing data including key information used to reproduce the encrypted content; and a data processing unit performing a process of writing data to the local memory unit and the memory, and a process of reproducing the encrypted content, wherein the data processing unit performs a process of writing encrypted content downloaded from a server or encrypted content copied from a medium to the local memory unit, and performs a process of decoding the encrypted content or a validity authenticating process using the data stored in the local memory unit and the data stored in the memory when reproducing the encrypted content written to the local memory unit.
    Type: Grant
    Filed: August 19, 2009
    Date of Patent: October 1, 2013
    Assignee: Sony Corporation
    Inventors: Kenjiro Ueda, Tateo Oishi
  • Patent number: 8544076
    Abstract: Providing access to an enterprise application from a telecommunications device via a client, through a device server, and an intermediate application gateway (IAG), is disclosed. The server is in communication with the client and the IAG. The IAG and client are in indirect communication via the server. The client is operative to request an enterprise application token from the IAG using a dataset comprising a device identifier and a user identifier, without concurrently prompting a user for the dataset. The IAG is operative to prepare a token in response to the request, and push the token to an e-mail address associated with the telecommunications device via the server's push proxy gateway. The client is operative to employ the token in communications addressed to an enterprise application via the server and the IAG. The IAG is operative to replace the token in each communication with identification information called for by the enterprise application.
    Type: Grant
    Filed: November 11, 2010
    Date of Patent: September 24, 2013
    Assignee: BlackBerry Limited
    Inventors: Mahesh Babubhai Bhuta, Fernando Guerrero, James Andrew Godfrey, Graham Russell
  • Patent number: 8539555
    Abstract: A method, an apparatus and a system for authorization-dependent access to multimedia contents. A first terminal produces a first request for a multimedia content for an output of the multimedia content via the first terminal. A first authorization information item is used to check that the output of the multimedia content is authorized. The first terminal produces a second request for an output of the multimedia content via a second terminal. A check is carried out to determine whether to output a first security note via the first terminal. The output of the multimedia content takes place via the second terminal if the first security note is not to be output, or an input of a confirming acknowledgement for the first security note is identified by the first terminal.
    Type: Grant
    Filed: April 20, 2010
    Date of Patent: September 17, 2013
    Assignee: Nokia Siemens Networks Oy
    Inventors: Anja Jerichow, Christian Guenther
  • Patent number: RE44654
    Abstract: A security method for an attached computer module in a computer system. The security method reads a security identification number in an attached computer module and compares it to a security identification number in a console, which houses the attached computer module. Based upon a relationship between these numbers, a security status is selected. The security status determines the security level of operating the computer system.
    Type: Grant
    Filed: October 10, 2012
    Date of Patent: December 17, 2013
    Assignee: ACQIS LLC
    Inventor: William W. Y. Chu