Abstract: An apparatus, system, and method for controlling access to sensitive data in a wireless handset using password protection are disclosed. The wireless handset comprises an input module, a memory module, a display module, and a control module. The input module is configured to manually receive one or more passwords that are input into the wireless handset. The memory module is configured to store at least one password associated with a user-requested function. The user-requested function has a plurality of user-specific data stored on the memory module. The display module displays the stored user-specific data. The control module controls the operation of the input, memory and display modules. The control module controls access to the user-specific data with an initial password received with the input module.

Abstract: A method allows access to a set of secure databases and database applications over an untrusted network without replicating the secure database. The method involves authenticating a user using a first authentication application. When the user is verified, then the user's credentials are directed to a second authentication application associated with a secure database based on a first set of user settings retrieved for the user. The second authentication application, based on a second set of user settings, grants the user access to the secure database and database applications associated with the secure database.

Abstract: Techniques are provided for adjusting the number of devices allowed to use a digital product (e.g., software) under a license. In one embodiment, the technique may involve setting the allowed number of devices to a first upper/lower limit for a first time period, and, after the first time period has expired, increasing/lowering the allowed number of devices to a second upper/lower limit for a second time period. The technique may involve, readjusting the allowed number for a third time period, thereby allowing for a changing number of device installations of the digital product.

Abstract: A system for authenticating data acquired by multiple sensors prior to storing the data in a database is described. The system also authenticates users requesting data access and intelligence agents that provide analyses of data stored in the database. As a result, any data or data analysis obtained from the system is traceable and reliable.

Abstract: A method, performed by a registrar of a presence service, for registering a user with a presence service. The method entails negotiating a key with a client device operated by the user in order to establish an encrypted communications channel between the client device and the registrar via a proxy node, authenticating the user by exchanging messages through the encrypted communications channel and through a separate e-mail channel, binding a universally unique identifier identifying the user with one particular function node that is interposed between the proxy node and a publish-subscribe subsystem of the presence service and creating a user profile for the user and storing the user profile in a persistent data store.

Abstract: Embodiments of systems, apparatuses, and methods to securely download digital rights managed content with a client are described. In some embodiments, a system establishes a secure root of trust for the client. In addition, the system establishes a secure tunnel between an agent of the client and a storage system of the client. Furthermore, the system securely downloads the digital rights managed content to the storage system via the secure tunnel and securely provides the digital rights managed content from the storage system to a display.

Abstract: A system, method, and computer program product are provided for allowing access to data based on a recipient identifier included with the data. In use, data is received at a device of a recipient. Additionally, it is determined whether an identifier of the recipient is included with the data. Further, access to the data by the device of the recipient is conditionally allowed based on the determination.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for handling secure user interface content. In one aspect, a method includes receiving, at a data processing apparatus, content over a communication network from a computing system separate from the data processing apparatus; determining that the received content is authentic secure content; retrieving information stored at the data processing apparatus and previously selected by a user for purposes of securing user interface content; rendering the received content, to a display of the data processing apparatus, as a user interface with a visual wrapper, where the visual wrapper includes the retrieved information, visually separates the user interface from other visual elements on the display, and includes an indication that the user interface is secure; and processing input received through the user interface.

Abstract: A storage controller and program product is provided for performing double authentication for controlling disruptive operations on storage resources generated by a system administrator. A first request is received from a first user for generation of a first key. A first key is generated, provided to the first user and associated with the storage resource. An input is received from the administrator, the input comprises a second key and a command for performing the disruptive operation. The second key and the first key are compared. It is verified that the administrator is authorized as an administrator of the storage resource. The disruptive operation is performed on the storage resource if the second key and the first key match and the administrator is authorized. Otherwise, the performance of the disruptive operation is denied.

Abstract: The invention relates to a method of allowing access to an authorized domain (100), the authorized domain (100) being managed by a domain manager (210), comprising a step in which a user authentication device (220), which user authentication device is linked to a foreign device (201), asserts to the domain manager that a local link (205) between the user authentication device and the foreign device is limited in distance, and a step in which the domain manager allows the foreign device to operate as a member of the authorized domain if the assertion is accepted as accurate.

Abstract: A secure portable electronic device for providing secure services when used in conjunction with a host computer having a central processing unit use two hardware device protocols readily supported by computer operating systems. Other systems and methods are disclosed.

Abstract: A method of providing web site verification information to a user can include receiving a DNS query including a host name and a seal verification site name, parsing the DNS query, and extracting the host name from the DNS query. The method also can include accessing a DNS zone file including a list of Trust Services customers and determining if the host name is associated with a Trust Services customer in the list of Trust Services customers. The method further can include transmitting a positive identifier to the requester if the host name is associated with a Trust Services customer and transmitting a negative identifier to the requester if the host name is not associated with a Trust Services customer. In a specific embodiment, the Trust Services include issuance of digital certificates.

Abstract: A system and method for securely streaming media. The system includes a gateway server that receives requests for access to a secured data resource from an end users. The request include an authorization ticket and a referring website. The gateway server validates the authorization ticket using a secret key shared with the referring website, and validates the referring website by verifying that referring website is on a white-list for the secured data resource. The gateway server selects a data server to service the request, and formats a data server access request containing the data server location and data server request parameter data and transmits the data server access request to the end users. When end users transmit the data server access requests to a data server, the data server validates the request and transmits it to the end user.

Abstract: A private stream aggregation (PSA) system contributes a user's data to a data aggregator without compromising the user's privacy. The system can begin by determining a private key for a local user in a set of users, wherein the sum of the private keys associated with the set of users and the data aggregator is equal to zero. The system also selects a set of data values associated with the local user. Then, the system encrypts individual data values in the set based in part on the private key to produce a set of encrypted data values, thereby allowing the data aggregator to decrypt an aggregate value across the set of users without decrypting individual data values associated with the set of users, and without interacting with the set of users while decrypting the aggregate value. The system also sends the set of encrypted data values to the data aggregator.

Abstract: Restricting access to a device from a server, where the device is remote to the server and is connected locally to a client that is remote to the server, is described. The operations may include facilitating interception, at the server, of a function call to create a symbolic link; facilitating determination that the intercepted function call to create the symbolic link corresponds to a device object associated with the device that is remote to the server and is connected locally to a client that is remote to the server; facilitating obtaining configuration data indicating whether access to the device is to be restricted; and facilitating creation of the symbolic link in a local namespace of an object manager namespace of the server, upon obtaining configuration data indicating that access to the device is to be restricted.

Abstract: A system is configured to: receive an authentication request for a transaction from a web server; identify a phone number of the mobile device based on identifying information of the user in the authentication request and the user information, transmit a message to the mobile device based on the phone number, receive a message response from the mobile device, determine whether the mobile device provided a mobile pin pad authentication for the user based on the message response, and transmit a success authentication response to the web server when the mobile device provided the mobile pin pad authentication for the user.

Abstract: Methods and apparatus enabling programming of electronic identification information of a wireless apparatus. In one embodiment, a previously purchased or deployed wireless apparatus is activated by a cellular network. The wireless apparatus connects to the cellular network using an access module to download operating system components and/or access control client components. The described methods and apparatus enable updates, additions and replacement of various components including Electronic Subscriber Identity Module (eSIM) data, OS components. One exemplary implementation of the invention utilizes a trusted key exchange between the device and the cellular network to maintain security.

Abstract: A kernel extension is configured to intercept a call to associate a socket with a port of a node in a network. The call originates from a kernel of the node. The kernel extension is configured to determine the port from the call. The kernel extension is configured to determine that the port is one of a plurality of ports for which the node has authority to modify firewall rules of a firewall of the network. The kernel extension is configured to modify firewall rules maintained by the firewall to allow communications for the port to the node through the firewall.

Abstract: An image forming apparatus connected via a network with an authentication server for user authentication based on biometric information about a user. The image forming apparatus is also connected with a managing server for managing an operation of the image forming apparatus. The image forming apparatus includes a transmission unit transmitting the biometric information about the user to the authentication server, a reception unit receiving use limit information corresponding to the biometric information about the user from the managing server, and a control unit controlling the operation of the image forming apparatus based on the use limit information.

Abstract: A system and method is disclosed for authenticating a removable data storage device (RDSD) by implementing a removable trusted information module (TIM) comprising a non-volatile storage medium operable to securely store passwords, digital keys, digital certificates and other security credentials (“security credentials”). An RDSD enclosure comprising a disk storage drive, one or more interfaces, one or more connectors, and a TIM is implemented to be connected, disconnected and reconnected to a plurality of predetermined information handling systems. The RDSD is authenticated by the TIM initiating comparison and cryptographic operations between its contents and the contents of authentication files comprising the RDSD. Once the RDSD has been authenticated, the TIM performs similar operations to authorize access and usage of its contents by the information handling system. Other cryptographic operations are performed to determine whether the integrity of data files has been compromised.

Abstract: Unit for secure processing access controlled audio/video data capable of receiving control messages (ECM) comprising at least one first control word (CW1) and first right execution parameters (C1), at least one second control word (CW2) and second right execution parameters (C2), said processing unit being connected to a first access control device (CA1), said processing unit is characterized in that it comprises: —means for verifying and applying the first right execution parameters (C1) in relation to the contents of a memory (M1) of said first access control device (CA1) and means for obtaining the first control word CW1, —a second access control device (CA2) integrated into the processing unit UT including means for verifying and applying the second right execution parameters (C2) in relation to the contents of a memory (M2) associated to said second access control device (CA2) and means for obtaining the second control word (CW2), —a deciphering module (MD) capable of deciphering, sequentially with the f

Abstract: A method for alerting Internet content providers of the age or other personal information of a computer user, which includes receiving a reverse DNS lookup query from an Internet content provider; and providing the age information of the computer user, in addition to a host name, from a reverse map zone file in response to the request. The personal information may be used by the content provider to select appropriate content for the requesting host, for example for complying with content restrictions. A system of alerting an Internet content provider of the age or other personal information of a computer user is also provided.

Abstract: An information processing system including multiple apparatuses capable of executing one or more applications and an information processor connected to the apparatuses through a first network is disclosed. The information processing system includes a license status information obtaining part configured to obtain the license status information of the applications installed in each of the apparatuses from the corresponding apparatuses through the first network, a license data obtaining part configured to obtain license data authorizing usage of the applications from a computer connected through a second network based on the license status information, and a license data delivery part configured to deliver the license data to each of the apparatuses.

Abstract: Computer-implemented methods and apparatus to perform a valid transfer of an electronic mobile ticket on a mobile device by a ticketing application system of a ticket processing center. One method includes: receiving a first electronic message from a first user, where the first message includes an encrypted electronic mobile ticket and a mobile device number of a second user, and where the electronic mobile ticket is encrypted with a key shared between the first user and the ticketing application system; decrypting the encrypted electronic mobile ticket; generating an electronic mobile ticket encrypted with a key shared by the ticketing application system and the second user; and transmitting a second electronic message that includes the electronic mobile ticket encrypted with the key shared between the ticketing application system and the second user to a mobile device of the second user.

Abstract: Systems and methods for controlling accuracy of transmitted information are described. A package is assembled based on a numerical value, such as a measurement, and one or more policies associated with the sender. When the package is received by a receiver, it is unpacked to yield a second value representing the numerical value and having a reduced accuracy with respect to the first value. The accuracy reduction depends on policies associated with the receiver and/or the sender. Examples of numerical values in different applications include geo-location data, medical data, and financial data.

Abstract: Database management and security is implemented in a variety of embodiments. In one such embodiment, data sets containing sensitive data elements are analyzed using aliases representing sensitive data elements. In another embodiment, the sensitive data elements are stored in an encrypted form for use from a secure access, while the alias is available for standard access.

Abstract: In a system for providing access control management to electronic data, techniques to secure the electronic data and keep the electronic data secured at all times are disclosed. According to one embodiment, a secured file or secured document includes two parts: an attachment, referred to as a header, and an encrypted document or data portion. The header includes security information that points to or includes the access rules and a file key. The access rules facilitate restrictive access to the secured document and essentially determine who/when/how/where the secured document can be accessed. The file key is used to encrypt/decrypt the encrypted data portion. Only those who have the proper access privileges are permitted to retrieve the file key to encrypt/decrypt the encrypted data portion.

Abstract: In a gaming environment, a method of periodically downloading dynamically generated executable modules at random intervals that perform system configuration integrity checks in a secure and verifiable manner is disclosed. The dynamically generated executable module returns the signature to a server from which it was downloaded and deletes itself from the system being checked. The next time such an executable module is downloaded, it will contain a different randomly chosen subset of hashing and encryption algorithms. The server that is performing the system configuration integrity check maintains a database of expected system configurations and performs subset of hashing and encryption algorithms as contained in the dynamically generated executable module. The result returned by the downloaded executable module is compared to that computed locally, and an error condition is raised if they do not match.

Abstract: A flexible network security system and method is provided for permitting a trusted process. The system includes a port monitoring unit for extracting information about a server port being used through a network communication program, an internal permitted program storage for extracting information about a program for which communication is permitted by the firewall and registering the extracted information, an internal permitted port storage registering the extracted information if the network communication program is registered in the internal permitted program storage; and a device for making the firewall flexible, determining whether a destination port of a packet of inbound traffic has been registered in the internal permitted port storage, and if the destination port has not been registered, transmitting the corresponding packet to the firewall, and if the destination port has been registered, allowing the corresponding packet to bypass the firewall.

Abstract: A system and method for configuring devices for wireless communication are disclosed. A method may include transmitting an activation key from an activation broker to a wireless agent. The method may also include transmitting the activation key from the activation broker to a wireless registrar. At least one of the transmission of the activation key to the wireless agent and the transmission of the activation key to the wireless registrar may include transmitting the activation key via a short-range wireless communication technology. In addition, the activation key may include information for authenticating wireless communication between the wireless agent and a wireless access point.

Abstract: To provide a copyright protection storage medium in which copyright protected contents are recorded by an information recording apparatus connected to a content server providing copyright protected contents and a license server handling licenses concerning recording/playback of the copyright protected contents through a network, in which the copyright protected contents are written by a simple copy-and-paste when the information recording apparatus is possessed by a prescribed user, and the copyright protected contents are written by combining a domain model which assures playback in the apparatus and a media-bind model when the information recording apparatus is possessed by another user.

Abstract: An audio-video display device can download from a third party server a licensable component on which a royalty is to be paid. Various methods are disclosed for accounting for royalties associated with downloading the licensable component to the client device between the third party server and a client device manufacturer server.

Abstract: Techniques which allow definition and enforcement of connectivity-based action and execution authorization policies. On a computer, an action or execution attempt is intercepted in real-time. The connectivity state of the computer, the subject process, the program file of the subject process, the attempted action and the object of the attempted action are determined. An authorization policy considering the connectivity state indicates whether the attempted action is authorized or not. In a tracking mode, the attempted action and its authorization are logged and the attempted action is allowed to proceed. In an enforcement mode, unauthorized attempts are blocked and logged, thereby enforcing the authorization policy.

Abstract: A strategy is described for controlling access to a resource which is shared between a trusted environment and an untrusted environment. The resource can represent a clipboard module. The trusted environment can include trusted client functionality, while the untrusted environment can include potentially untrusted network-accessible entities (e.g., websites) which seek to access the clipboard module. The strategy provides a security presentation which notifies a user when a network-accessible entity is attempting to access the clipboard module, identifying the entity which is making the attempt, together with the nature of the information being read or added to the clipboard module. The security presentation invites the user to approve or deny the particular attempt (or all such attempts from the network-accessible entity), and/or clear the clipboard module. The security presentation does not block the user's interaction with other parts of a user interface presentation.

Abstract: This application discloses methods, systems, and servers for digital right management. One such method may include the steps of: combining content of multiple digital files selected by a user into a new digital file; encrypting the new digital file and generating authorization information according to a key used in the encryption and information of a client where the user logs in; and transmitting the authorization information to the client to instruct the client to use the new digital file based on the authorization information. In some embodiments, contents of multiple digital files selected by a user may be combined into a new digital file, and authorization information for the new digital file may be transmitted to the client, thus achieving authorization for digital works from multiple sources.

Abstract: An information processing apparatus in which a part of a plurality of different programs included in an application package is validated includes an invalidation command input unit configured to input a command to invalidate a license of the application package, a generation unit configured to generate invalidation verification data by invalidating the license of the program which is included in the application package, is already installed in the information processing apparatus, and has a validated license, and to generate invalidation verification data of the license of the program without installing the program which is included in the application package and is not installed in the information processing apparatus, and an output unit configured to output the invalidation verification data generated by the generation unit.

Abstract: An image processing apparatus associates application information to connect to a server device and a client certificate to transmit to the server device with each other and stores therein the associated application information and client certificate. An application managing part activates a browser with designating transmission of the client certificate which is associated with the application information. The browser transmits the client certificate identified by the application managing part to the server device when a request for transmission of the client certificate is received from the server device. As the result, the image processing apparatus reduces operation load placed on a user to transmit the client certificate to the server device. Moreover, the appropriate client certificate may be transmitted to the server device without lowering efficiency in processing. So, data communication between the image processing apparatus and the server device may be established rapidly.

Abstract: Provided personal information from a user may be determined, the provided personal information being associated with network publication thereof. A comparison of the provided personal information with password-related information may be performed. Based on the comparison, it may be determined that a risk level associated with the network publication relative to password security of at least one password associated with the password-related information exceeds a predetermined risk level. The user may be notified that the network publication of the provided personal information is associated with potential compromise of the password security of the at least one password.

Abstract: A method for hindering detection of information unintentionally leaked from a secret held in a memory unit is described, the method including receiving a triggering event waiting for at least a first amount of time to pass after the receipt of the triggering event, the memory unit being in a non-operational state during the at least a first amount of time after the at least a first amount of time has passed, changing at least one first condition under which the memory unit operates, thereby causing the memory unit to enter an operational state, waiting for a second amount of time to pass after the changing at least one first condition, and changing, after the second amount of time, at least one second condition under which the memory unit operates, thereby causing the memory unit to enter the non-operational state, wherein access to the secret information is enabled only during the second amount of time, and detection of secret information unintentionally leaked is limited during the first amount of time.

Abstract: An information access apparatus has an activation state permitting an information access to a recording medium, and a non-activation state permitting a change to the activation state. The apparatus comprises: a medium access section that permits, in the activation state, information access and ejection of the recording medium out of the information access apparatus; an instruction operating section that receives instruction operation for instructing the ejection of the recording medium; and an activation control section that controls change from the non-activation state to the activation state of the information access apparatus in such a manner that when the recording medium is loaded, change from the non-activation state to the activation state is permitted in response to reception of the instruction operation by the instruction operating section, and when the recording medium is not loaded, change from the non-activation state to the activation state is inhibited.

Abstract: A data encryption device is connected between an HDD and an HDD controller that controls the HDD. The data encryption device encrypts data that is stored from the HDD controller to the HDD, and decrypts data that is read from the HDD. A CPU of the data encryption device receives a command issued from the HDD controller to the HDD, and determines whether the command is executable at the HDD. When it is determined that the command is executable, the command is issued to the HDD. On the other hand, when it is determined that the command is unexecutable, the CPU prohibits issuance of the command to the HDD. Furthermore, when a command issued to the HDD is a specific command, the CPU bypasses data transferred between the HDD controller and the HDD without encryption or decryption.

Abstract: A storage device in which file data is divided into multiple blocks for storage on a recording medium. The storage device includes an additional data storing section for storing additional data to be recorded on the recording medium in association with the data to be written, a position determining section for determining recording positions on the recording medium where the blocks should be respectively written, based on the additional data, and a block writing section for writing the respective blocks on the recording positions on the recording medium determined by the recording position determining section. The additional data thus defines a gap length between blocks of recorded data. During a read operation, if the gap length does not comport with the additional data, then an error is assumed.

Abstract: The present invention discloses a method for validating user equipment, a device identity register and an access control system. Wherein the method for validating user equipment comprises: setting a central device identity register shared by different networks, wherein illegal user equipment identities are stored in the central device identity register; the central device identity register receiving an ID validation request from a mobility management entity, wherein the ID validation request carries ID parameters of a user equipment; the central device identity register validating the validity of the user equipment according to the ID parameters, and returning a validation result to the mobility management entity. In virtue of the present invention, the accessing of the illegal non-3GPP network user equipment which is capable of accessing 3GPP network to the 3GPP network is able to be controlled.

Abstract: In an embodiment, communication is controlled between a service provider web application executed in a first web browser instance on a device platform of the device and a partner web application executed in a second web browser instance on the device platform. A signal is received, at a control module at the device, from the partner web application, the signal for initiating communication between the partner web application and the service provider web application. The control module, provided by the service provider and installed on the device, uses technology that is native to the device platform. The control module uses a list of partners approved by the service provider to determine whether the partner web application is approved for communication with the service provider web application. If the control module determines the partner web application is approved, the control module allows communication to proceed.

Abstract: There is provided a system and method for distributors to use an interoperable key chest. There is provided a method for use by a distributor to obtain content access authorizations from a key chest or central key repository (CKR), the method comprising receiving a user request from a user device for access to an encrypted content identified by a content identification, transmitting a key request to the CKR including the content identification, receiving an encrypted first key from the CKR, decrypting the encrypted first key using a second key to retrieve the first key, and providing a DRM license for the encrypted content to the user device using the first key for use by the user device to decrypt the encrypted content using the first key. By generating such DRM licenses, distributors can unlock protected content even sourced from distributors using different DRM schemas.

Abstract: Methods and systems for providing an enterprise license registrar anchor point are provided. More particularly, an enterprise license registrar is established within an enterprise system using license files and a certificate provided by an external license authority. The enterprise license registrar operates within the enterprise system to maintain a record of allocations of license rights by license manager servers to application instances. The enterprise license registrar logs the report data. The log files are digitally signed or encrypted to prevent tampering by the enterprise system, and are delivered to the external license authority, without requiring a persistent connection between the external license authority and the enterprise system. The enterprise system can comprise a virtualized environment.

Abstract: A method for dynamically associating, by a server, access rights with a resource includes the step of receiving, by the server, a request for a resource from a client. The server requests, from a policy engine, an identification of a plurality of access rights to associate with the resource, the plurality of access rights identified responsive to an application of a policy to the client. The server associates the resource with the plurality of access rights via a rights markup language. The server transmits the resource to the client with the identification of the associated plurality of access rights. An application program on the client makes an access control decision responsive to the associated plurality of access rights. The application program provides restricted access to the resource responsive to the access control decision.

Abstract: A client computer detects a user operation for transmitting data to a server or a storage device, determines whether the detected user operation is a fraudulent manipulation, and, if the determination is a positive result, performs security processing which is processing related to security of data to be transmitted. If the data is data within a group to which the user belongs and a destination of the data is a server or a storage device outside the group, the determination is a positive result.

Abstract: Methods and apparatus are provided, such as a memory card with a processor and nonvolatile memory coupled thereto. The nonvolatile memory has a secure area configured to store a user password and a serial number in encrypted form. The card is configured to grant access to the secure area when the card receives a password that matches the stored user password and the card is coupled to a system having the serial number.

Abstract: A policy store associated with a policy decision point of an access control system is updated. The policy decision point is arranged to provide, in response to received decision requests, access control decisions in dependence on one or more policies stored in the policy store, each policy specifying a predetermined access control decision to be provided in response to a particular access request made in respect of a particular attribute or combination of attributes. The policy decision point is associated with at least one policy enforcement point arranged to implement access control in accordance with access control decisions provided by the policy decision point in response to decision requests submitted by the policy enforcement point, the policy enforcement point having associated therewith an attribute store providing data relating to attributes in respect of which access requests have previously been made via the policy enforcement point.