Abstract: Methods and systems for enabling content to be securely and conveniently distributed to authorized users are provided. More particularly, content is maintained in encrypted form on sending and receiving devices, and during transport. In addition, policies related to the use of, access to, and distribution of content can be enforced. Features are also provided for controlling the release of information related to users. The distribution and control of contents can be performed in association with a client application that presents content and that manages keys.

Abstract: A system and method of providing universal digital rights management system protection is described. One feature of the invention concerns systems and methods for repackaging and securing data packaged under any file format type, compression technique, or digital rights management system. Another feature of the invention is directed to systems and methods for securing data by providing scalability through the use of modular data manipulation software objects.

Abstract: The invention provides a secure and efficient resource management system and a corresponding method for managing resources of a product that is put on the market by a licensor via a distribution chain. In particular, the number of keys needed for managing said resources can be reduced. At the time that the product is released to the market the exact licensing conditions of the product need not be known yet. The licensing conditions and the associated configuration of resources of the product are managed via a second key which is provided to a licensee. The licensee, however, has no knowledge of the first key and the derivation function which generates said second key based on the first key. Therefore, it is ensured that the licensee cannot claim more resources of the product than the licensor allows.

Abstract: A system and method for processing an access request by a wireless device to access an IP data network is provided. An access request from a wireless device is received and denied a predetermined number of times, and the wireless device is granted a limited access to the IP data network. When the access request from wireless device is authenticated, the wireless device is granted an unlimited access to the IP data network.

Abstract: A data storage architecture for networked access by clients includes a file server capable of communication with the clients via the network, physical storage organized as a plurality of logical volumes, and an encryption device in communication with both the file server and the physical storage. The encryption device is operable in response to signaling from the file server, including an indication of a range of blocks of data, to cause encryption of the range of blocks with an encryption key that is unique within the physical storage. The encryption device includes nested tables mapping block ranges to encryption keys. Consequently, undesirable key sharing across files, file systems, and other units can be avoided down to the block level.

Abstract: The present invention relates to a method and a device for determining access to multimedia content from an entry identifier, in a domain which comprises a number of entry identifiers, and where the multimedia content is assigned an access number n indicating the number of entry identifiers which may access the multimedia content. This is obtained by accessing a domain list indicating at least some of said entry identifiers in said network domain and by further determining that the entry identifier may access said multimedia content if said entry identifier is between the n entries in said domain list determined by an evaluation rule.

Abstract: A method of checking whether a content aggregator's content matches a content owner's content involves generating a fingerprint of the content and looking for a matching fingerprint from the content owner through a service provided by the content owner. In one aspect, the fingerprints are generated from an intermediate digest of the content instead of the original form.

Abstract: Systems and methods for stateless system management are described. Examples include a method wherein a user sends the management system a request to act upon a managed system. The management system determines whether the user is authorized for the requested action. Upon authorization, the management system looks up an automation principal, which is a security principal native to the managed system. The management system retrieves connecting credentials for the automation principal, and connects to the managed system using the retrieved credentials. Once the managed system is connected, the management system performs the requested action on the managed system, and sends the result back to the user.

Abstract: A portable license for licensed content is obtained by a user along with a regular license in a local network, such as a home network or other private network. The portable license may be stored in a license server on a portable device, such as a smart phone or a tablet, which functions as a portable license server. The user may take the portable device to another location where it joins another local network. A device in the second network, which does not have a license to play the licensed content, may use the portable license on the portable device to execute the content, enabling the user to enjoy it in multiple environments. The device (e.g., a TV) in the second network may continue to play the content as long as the portable license or another valid license is present in the network.

Abstract: Whether a combination method defined in an output rule satisfies a combination condition of each content specified in a play list is judged in order of priority defined in a priority list. Based on the judgment result, the output rule is edited in such a manner that the combination condition of each content specified in the play list is satisfied. The resources of the combination target contents specified in the play list are combined in accordance with the combination method of the edited output rule.

Abstract: A protected memory source device including removable non-volatile memory durably stores a signature such as a serial number or identifier, which is used to mark protected multimedia content legally stored on the protected memory device. The protected multimedia content is moved from the source device to another device, such as a target device used to aggregated protected content in a library. Moving the protected multimedia content involves replacing a source-specific header, comprising digital rights management metadata and/or other security metadata allowing only a device having the source device signature access to the content, with a target-specific header comprising digital rights management metadata and/or other security metadata allowing only a device having the target device signature access to the content. The transfer is done using one of a variety of transfer methods with either a trusted or un-trusted host system connecting the source device to the target device.

Abstract: A content management device, includes: a folder level access control information storage unit configured to store folder level access control information indicating access rights of a user to a folder where content is stored; an access control unit configured to acquire content level access control information indicating access rights of a user to content, from a predetermined content level access control unit; and a user interface configured to output display data for displaying a hierarchical structure between at least one folder and at least one content stored in the at least one folder, along with information indicating whether or not an inconsistency has occurred in access rights between the folder level access control information of the at least one folder and the content level access control information of the content stored in the at least one folder.

Abstract: A method for use in playing content that is made up of data includes establishing in a device a physical media storing a first portion of the data making up the content, receiving a streamed second portion of the data making up the content, wherein the second portion of the data includes essential information for reconstructing the content from the first portion of the data, and playing the content by combining the first portion of the data with the second portion of the data to correctly reconstruct the content. A method for use in enhancing security of content that is made up of data includes removing information from the data making up the content that is essential for playing the content.

Abstract: The present invention proposes a method for obtaining a digital right management (DRM) function for playing DRM contents on a user device according to need. To this end, the present invention comprises the steps of, when a user device requests a specific DRM contents or accesses a service system, a user device obtaining a rights object corresponding to a request; determining information on a current DRM function using the rights object; and when a new DRM function is required, installing a new DRM function or upgrading the standard DRM function.

Abstract: Apparatus and methods for enabling protected premises networking capabilities. In one embodiment, a white list of devices authorized to access a premises network and a black list of device not authorized to access a premises network are utilized. The black and white lists may be stored at a database in communication with an authorization manager or may be stored at the manager itself. When a client device is connected to a premise, the manager determines, based on the premises and/or device identity, whether the device is entitled to access. The authorization manager makes this determination based on whether the device is on the white or black list. If the device is on neither list, the manager may add the device to the white list upon appropriate verification. The manager may also facilitate removal of a device from the white list to the black list upon request or automatically.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for authorizing actions of a service provider. In one aspect, a method includes providing a user security key to a mobile device of a user. A request is received from a client device distinct from the mobile device to perform an action. A challenge token including a security signature matched to a service security key is generated, and the challenge token is provided to the mobile device. An approval value is received from the client device. The approval value is determined to be valid in reference to the challenge token and the user security key previously provided to the mobile device and to indicate approval to perform the action for the user. The action is performed in response to receiving the approval value.

Abstract: When license information is transferred between a server machine and a client machine, an identifier which is unique to a series of communication sequences is provided. The identifier is sent when a communication is performed between the two machines, as well as when the license information is updated. Therefore, when a message for transferring the license information is received by the use of the same identifier, a response message is returned without updating the license information.

Abstract: A system and method for managing control of a network interface device. Permissions for management of a NID are established. The permissions enable a user to deny a third party access to one or more portions of the NID. Access for the third party to the one or more portions of the NID are granted in response to receiving an authorized override command from the third party. Activities performed by the third party are logged by the one or more portions of the mid-in response to receiving the authorized override command from the third party.

Abstract: Trusted user accounts of an application provider are determined. Graphs, such as trees, are created with each node corresponding to a trusted account. Each of the nodes is associated with a vouching quota, or the nodes may share a vouching quota. Untrusted user accounts are determined. For each of these untrusted accounts, a trusted user account that has a social networking relationship is determined. If the node corresponding to the trusted user account has enough vouching quota to vouch for the untrusted user account, then the quota is debited, a node is added for the untrusted user account to the graph, and the untrusted user account is vouched for. If not, available vouching quota may be borrowed from other nodes in the graph.

Abstract: A system for security management for applications associated with multiple user registries can include an integrated console configured to host a one or more applications or resource objects in corresponding realms. The system also can include one or more roles mapped to different ones of the resource objects and also to different users permitted to access the integrated console. The system yet further can include a user relationship system having associations with multiple different ones of the roles. Finally, the system can include console security management logic programmed to manage authentication for the users using realm of the resource object while not requiring a separate user registry for the integrated console.

Abstract: Method for providing access to private digital content installed on a content server C(s), wherein a content manager server C(a) has a number of clients potentially interested in the private content; the method comprising the following steps performed at the content management server C(a): establishing a first communication channel with a client C(b) of the number of clients; receiving a query for private digital content from the client C(b) and sending an appropriate response, causing the client to establish a second communication channel with the content server; establishing a secure session with the content server C(s) over the first and second communication channel; establishing a new session key for the secure session and transmitting said new session key to the client C(b), so that the client can obtain the queried private digital content from the content server as if the client is the content management server.

Abstract: A method of using a mini filter driver to secure access to encrypted information stored on a removable storage device. The method comprises receiving a request to read information from the removable storage device. The mini filter driver ascertains if the request originated from an authorized client. The mini filter driver receives encrypted information read from the removable storage device, and decrypts the encrypted information in the event that the request originated from an authorized client. The decrypted information can then be conveyed to the authorized client. If the client is not authorized, then the mini filter driver does not decrypt the information.

Abstract: A method for use in providing content that is made up of data includes providing a first portion of the data making up the content to a user, and making available for a limited amount of time an ability to stream a second portion of the data making up the content to a device having the first portion of the data. The second portion of the data includes essential information for reconstructing the content from the first portion of the data. Also disclosed are a storage medium storing a computer program for causing a processor based system to assist with providing content, and a system for use in providing content.

Abstract: A method and wireless device for updating at least one cryptographic security key (116) associated with a wireless device (104) and an authentication module (108). An over-the-air programming message comprising security key update information is received (804) from an information processing system (118). The security key update information is processed (808). At least one new security key is extracted from the security key update information in response to the processing (806). At least one existing security key (116) is updated with the at least one new security key (124) that has been extracted.

Abstract: An electronic device, prior to entering a distribution channel, is equipped with a loss prevention client which permits limited use of the device until correct authentication is provided by a legitimate purchaser. By permitting limited use before authentication, the device remains both useful to a legitimate purchaser and valuable to a thief. While allowing operation in the possession of a thief, options can be provided to permit tracking of the device or to allow proper purchase of the device.

Abstract: A computationally implemented method includes, but is not limited to: determining that a computing device that was presenting one or more portions of one or more items and that was in possession of a first user has been transferred from the first user to a second user; and marking, in response to said determining, the one or more portions of the one or more items to facilitate the computing device in returning to the one or more portions upon the computing device being at least transferred back to the first user. In addition to the foregoing, other method aspects are described in the claims, drawings, and text forming a part of the present disclosure.

Abstract: Provided are a method, system, and computer storage device for managing zone information for devices in a network. A zone table includes entries indicating whether devices in at least one zone are permitted to communicate. An attributes table has attributes of the devices indicated in the zone table. A determination is made of attributes from the attributes table for devices indicated in the zone table entries as being permitted to communicate. The entries in the zone table indicating that devices can communicate are verified by determining whether the attributes for the devices indicated as permitted to communicate in the entries in the zone table are consistent with the determined devices being able to communicate. Information is outputted indicating whether the entries in the zone table indicating that devices can communicate are in error.

Abstract: A system and method of distributing a file maintained on a first device located at the top tier of a secured network having at least a second device at a lower tier, without needing to change security parameters of the secured network, is disclosed. Network administrators may access the top tier of the network, may add files into the system, and may generate a file privilege file. The file privilege file can include configuration information for a computer on a tier and may include information about files accessible to a computer on a specific tier. The network propagates the file privilege file from the first device through intermediate devices and onto the second device. The second device may then receive a file authorized from the first device via a connection in the secured network. The second device may also propagate files up to the first device.

Abstract: A system and method for accessing content on an electronic device in an encrypted mode, a decrypted mode or a default mode. A request is transmitted to an application program interface to permit a requesting program to access at least one file. The request specifically identifies whether the requesting program wishes to access the file in an encrypted mode, a decrypted mode or a default mode. It is determined whether the specific form is supported by the application program interface being used by the system, whether the at least one file is protected; and whether the requesting program is permitted to access the at least one file. If the specific form is supported by the application program interface, if the at least one file is protected, and if the requesting program is permitted to access the at least one file, the at least one file is opened in the specific form for use by the requesting program.

Abstract: Systems, methods, and other embodiments associated with flexible supplicant access control are described. One example method includes collecting a network information associated with a network to which an endpoint is to be communicatively coupled. The network information comprises a network identification and information to facilitate the evaluation of network threats. The example method may also include classifying the network based, at least in part, on the network information, to assign a variable level access parameter (VLAP) to the network based on the policy locally configured on the endpoint or centrally managed by the administrator. The VLAP may establish three or more access levels for the network at the endpoint. The example method may also include communicating the network identification and the network VLAP to a second endpoint, a security agent, a security application, and so on.

Abstract: The invention provides a method and system for presenting information in a web document using a program applet to restrict further copying or redistribution. The web document includes a first region in which a graphical element or other information is displayed, and a second region covering the first region in which a program applet is invoked by a server for the web document. The program applet is dynamically created upon access, and assigned a serial number. The program applet contacts the server for permission to display the graphical element or other information; thus, the server can control, by granting or denying permission, when and if the program applet displays the graphical or other information.

Abstract: An authentication scheme to facilitate lending of digital content at an authorized location to an authenticated electronic device.

Abstract: At a hosted storage service, a resource and a request to store the resource are received. The request includes a location of an access control service. The access control service is separate from the hosted storage service and controls access permissions for the resource. A request to access the stored resource is received. The hosted storage service accesses metadata stored in association with the resource and determines that access permissions for the resource are controlled by the access control service. An access request is from the hosted storage service to the access control service, the access request identifying the resource and a user of the client system.

Abstract: An architecture and techniques to facilitate lending of digital content at an authorized location to an authenticated electronic device.

Abstract: A registration flow to facilitate lending of digital content at an authorized location to an authenticated electronic device.

Abstract: In general, the subject matter described in this specification can be embodied in methods, systems, and program products for receiving a request to retrieve electronic resources that correspond to a first network address. The resources are retrieved from a cache. The retrieved resources are responsive to the received request, correspond to the first network address, and are configured to activate a first web application. Activation of the first web application requires that the computing device be authenticated. Instructions that are in the retrieved resources and are for activating the first web application are executed. The execution includes determining that the computing device is not authenticated to activate the first web application, and requesting to retrieve electronic resources that correspond to a second network address and that are configured to activate a second web application. Activation of the second web application does not require that the computing device be currently authenticated.

Abstract: A method is described for managing rights for digital music, including registering music players, from among a plurality of music players, with digital archives that store songs, from among a plurality of digital archives, wherein songs can be copied from digital archives to music players, and from music players to digital archives, permitting a music player to copy a song from a digital archive for which it is registered, permitting a digital archive to copy a song from a music player that is registered with the digital archive, restricting a music player from copying a song from a digital archive for which it is not registered, and restricting a digital archive from copying a song from a music player that is not registered with the digital archive. A system and a computer-readable storage medium are also described.

Abstract: Systems and methods are described that relate to authentication and/or binding of multiple devices with varying security profiles. In one aspect, a first device with a higher security profile may vouch for the authenticity of a second device with a lower security profile when the second device requests access for content from a content provider. The vouching process may be implemented by allowing the first device to overlay its digital signature on a registration request that has been signed and transmitted by the second device. The second device with the lower security profile may access content from the content provider or source for a predetermined time period, even when the second device does not access content through the first device.

Abstract: A computing system selects a portion of data of an unknown work and detects each event in the portion of data of the unknown work. An event is a perceptual occurrence in a work successively positioned in time. The system determines an event metric between each successive event in the portion of data in the unknown work and generates a list of event metrics between the events for the unknown work. The system compares the list of event metrics for the unknown work to a list of event metrics for a known work and determines the unknown work is a copy of the known work responsive to a match between the list of event metrics of the unknown work and the list of event metrics for the known work.

Abstract: A software validity period changing apparatus includes a password information storage unit, an input device, an authentication unit, and a validity period changing unit. The authentication unit calculates a first hash value of the password stored in the password information storage unit, calculates a second hash value of a password input via the input device, and determines whether the first hash value matches the second hash value. The validity period changing unit decompresses an installation package into components, the installation package including a validity period and version information on each of the components, detects a position of the validity period if it is determined that the first hash value matches the second hash value, changes the validity period identified by the position to a validity period input through the input device, changes the version information, and combines the components to reproduce the installation package.

Abstract: Apparatus and methods for protected content access, browsing and transfer over a network. In one embodiment, the network comprises a premises (e.g., residential) LAN, and the apparatus comprises a server and renderer consumer premise equipment (CPE). The renderer CPE scans the network to search for a server CPE that implement a compatible security framework. The renderer authenticates itself with the server, and the server allows content browsing and selection access only to an authorized and authenticated renderer. A negotiation and exchange protocol comprises messages exchanged between the renderer and the server that include one or more of device identification, encryption key exchange, digital certificates and information regarding security package used by each CPE.

Abstract: A system, method, and computer program product are provided for redirecting internet relay chat (IRC) traffic identified utilizing a port-independent algorithm and controlling IRC based malware. In use, IRC traffic communicated via a network is identified utilizing a port-independent algorithm. Furthermore, the IRC traffic is redirected to a honeypot.

Abstract: The present invention provides a system and method for identifying and transferring digital media assets within a system through the use of identification data. The identification data is applied to each transferred copy and includes data specific to the customer and digital media asset. To facilitate transfers and ease of use the digital media assets can be made DRM-free.

Abstract: In one set of embodiments, methods, systems, and apparatus are provided to enable secure local invocation of a web service in response to receiving a request from a first composite application to invoke a web service operation of a second composite application, where the first application is associated with a reference policy, and the second application is associated with a service policy, then determining, based upon the service policy and the reference policy, whether local invocation is secure, and invoking the operation using the local invocation in response to determining that the local invocation is secure. Attributes associated with the reference and service policies can indicate whether those policies can be used in a local invocation, or if user authentication is needed before performing the invocation with those policies. The local invocation may comprise a procedure call in an application server from the first application to the second application.

Abstract: A method for authenticating a computing device or hardware component includes computer-implemented process steps for assigning a unique identifier to the hardware component, generating a baseline fingerprint for the hardware component using algorithm-processing characteristic configuration data determined from the hardware component as input, wherein the baseline fingerprint is capable of being regenerated from the hardware component so long as configuration of the hardware component is not changed, transmitting the identifier in association with the baseline fingerprint for storage in a computer-readable data structure, and generating a data signal, in response to a query comprising the assigned identifier, indicating whether the stored baseline fingerprint for the assigned identifier matches a second fingerprint regenerated from the hardware component at a time after the baseline fingerprint is generated.

Abstract: A method and system for anonymizing data to be transmitted to a destination computing device is disclosed. Anonymization strategy for data anonymization is provided. Data to be transmitted is received from a user computer. Selective anonymization of the data is performed, based on the anonymization strategy, using an anonymization module. Accent preservation of data is selected. An accent value for the data is determined. The anonymized data with the determined accent value is transmitted to the destination computing device over a network. In one embodiment, the anonymized data has less number of characters than the input data.

Abstract: In a communication system in which two communication entities seek to have a private or confidential communication session, a trust relationship needs first be established. The trust relationship is based on the determination of a shared secret which in turn is generated from contextual information. The contextual information can be derived from the circumstances surrounding the communication session. For example, the contextual information can include topological information, time-based information, and transactional information. The shared secret may be self-generated or received from a third party. In either event, the shared secret may be used as key material for any cryptographic protocol used between the communication entities.

Abstract: Systems and methods for limiting access to data in a portable data storage device. An exemplary method may use an electronic computing device to prevent access to the data and includes the step of providing the portable storage device with a first software program that has a current expiration time value. The first software program is able to compare the current expiration time value against a time based parameter and activate a security mechanism protecting the data stored in the portable data storage device based on the comparison. The method also includes the step of providing an electronic computing device with a second software program. The second software program is able to identify the portable data storage device and reset the current expiration time value of the first software program to a later time value when the electronic computing device is electronically communicating with the portable data storage device.

Abstract: Systems and methods are described which provide handling and secure routing of an article of content in accordance with a code or instruction set identifier embedded in or associated with the article of content. In one aspect, the invention provides a content handling system that comprises a digital data store containing a plurality of instruction sets, each defining a content handling workflow. The system further includes a content handling engine in communication with the store, wherein the content handling engine identifies a code associated with an article of content and executes workflow processing in accordance with an instruction set associated with the code. In various embodiments, an article of content comprises digitally encoded information (e.g., containing one or more of text, image, audio, video, data, and PACS data) and/or information otherwise convertible to digital format (e.g., printed matter, images, film, and audio recordings).

Abstract: According to this disclosure, a user is identified (and selectively granted access to protected resources) by using information that describes the user's interpersonal relationships. This information typically is stored in a datastore, such as a digital address book, an online profile page, or the like. The user's digital address book carries an “acquaintance pattern” that changes dynamically in time. This pattern comprises the information in the user's contact list entries. In this approach, the entropy inherent in this information is distilled into a unique acquaintance digest (or “fingerprint”) by normalizing the contact list data, and then applying a cryptographic function to the result.