Abstract: An environment manager in a computer executes multiple environments concurrently. A user management framework (UMF) virtual machine on the computer runs an authentication domain that supports user profile management of the multiple environments.

Abstract: Methods and systems are provided for implementing application layer security. According to one embodiment, security rules applicable to end users of a private IP network and particular resources accessible within the network are maintained by a network appliance. A packet originated within the network is received by the network appliance. An application type associated with the packet is determined based on layer 7 information within the packet. Layer 7 information fields are extracted from the packet that are indicative of an identity of an end user associated with the packet. An SSO process is performed including receiving and authenticating credentials of the end user on behalf of multiple resources within the network based on the identity of the end user. One or more security rules are identified and applied to the packet based on the identity of the end user and the determined application type.

Abstract: A system that incorporates teachings of the subject disclosure may include, for example, a method for facilitating, at a system including at least one processor, establishment of a communication session with a device coupled to a Universal Integrated Circuit Card (UICC) by way of network equipment of a default Mobile Network Operator (MNO), receiving, at the system, information descriptive of an MNO selection, selecting, at the system, from a database of credentials of a plurality of MNOs first credential information according to the received information, wherein the first credential information is associated with a first MNO of the plurality of MNOs, and transmitting, from the system, the first credential information to the UICC over the communication session by way of the device to cause the UICC to facilitate establishment of communications with network equipment of the first MNO according to the first credential information. Other embodiments are disclosed.

Abstract: A system for providing access to a distributed marketing platform is disclosed. In particular, the system may be utilized to allow a local marketer to access marketing resources for one or more brands through the use of a sub-account. The system may generate the sub-account for the local marketer, which may be utilized by the local marketer to access a master account associated with a particular brand that the local marketer desires to connect with. Access to the master account and its resources may be granted to the sub-account if the local marketer submits valid key and account information to an online portal associated with the master account. Additionally, the sub-account may be allowed to connect to other master accounts associated with other brands by using the online portal and without violating master account agreements of direct-solicitation and cross-promotion of the master accounts to the sub-account.

Abstract: An information processing apparatus operated by a user carrying an authentication device, includes: an operation panel accepting an operation performed by the user; and an apparatus hardware processor controlling the operation panel. The apparatus hardware processor performs a matching process of determining whether or not operation history information which is time series data of a sequence of operations performed by the user and accepted by the operation panel, and operation information about an operation of the operation panel performed by the user authenticated as a user permitted to use the information processing apparatus and acquired from the authentication device carried by the user, are related to operation of the same operation panel. If it is determined by the matching process that the operation history information and the operation information, match as information about operation of the same operation panel, the apparatus hardware processor performs an operation acceptance process.

Abstract: In one embodiment, a computer program product includes a computer readable storage medium having program instructions embodied therewith. The embodied program instructions, in response to being executed by a processing circuit, cause the processing circuit to receive an eye gaze of a source user generated by a source augmented reality or virtual reality device (source AR/VR device) on a receiver AR/VR device and determine gazed content from the eye gaze of the source user using a password key phrase determination feature. The embodied program instructions also cause the processing circuit to generate a symmetric password key utilizing the gazed content according to a set of password determination rules and receive encrypted data from the source AR/VR device on the receiver AR/VR device. Additionally, the embodied program instructions cause the processing circuit to decrypt the encrypted data using the symmetric password on the receiver AR/VR device.

Abstract: Systems and methods are provided for authenticating a user. The systems and methods include receiving a request to generate a user profile from a device of a user. The systems and methods may determine first information associated with a first entity from the request, and may also determine second information associated with a second entity distinct from the first entity from the request. The systems and methods may access, using system credentials not associated with the user, multiple distinct data sources in a specified order to retrieve additional information. Accessing these multiple distinct data sources may include retrieving a first item of the additional information using the first information, and retrieving a second item of the additional information using the second information. The systems and methods may authenticate the user based on the additional information, and may generate a user profile based in part on the additional information.

Abstract: Provided is a communication system in which a terminal communicates with a server via a portable communication network used for communication between smartphones. The smart phone includes first pre-shared key and encryption keys, the terminal includes a second pre-shared key, the server includes the encryption keys same as the encryption keys included in the smartphone, authentication between the terminal and the smartphone is performed by using the first pre-shared key and the second pre-shared key, and the terminal and the server perform communication via the smartphone by performing key synchronization of the encryption keys while setting a hash value of the encryption keys as an ID.

Abstract: Provided is an information processing apparatus including a physical unclonable function (PUF) to generate a unique key using a process variation in a semiconductor manufacturing process, and an encryption unit to encrypt a password and/or bio-information received from a user using the unique key.

Abstract: The present disclosure discloses a method, a device, and a system for updating authenticating information in the field of Internet technologies. The method comprises: receiving a service processing request containing user information and service object information; extracting according to the user information, first authentication information associated with the service object information from prestored authentication information; authenticating the first authentication information; displaying an information update interface when the first authentication information fails to be authenticated; obtaining second authentication information from the information update interface; replacing the first authentication information with the second authentication information; authenticating the second authentication information; and processing the service processing request if the second authentication information is authenticated.

Abstract: Certain embodiments provide means for managing automated access to computers, e.g., using SSH user keys and other kinds of trust relationships. Certain embodiments also provide for managing certificates, Kerberos credentials, and cryptographic keys. Certain embodiments provide for remediating legacy SSH key problems and for automating configuration of SSH keys, as well as for continuous monitoring.

Abstract: To prevent legitimate message recipients from forging new messages and to encrypt messages for a specific set of recipients (channel), a root key is encrypted and combined with a base session management key to render a combined root key, which in turn is encrypted with a public key of at least one recipient device to render a session management key. The public key of each of “N” intended recipient device encrypts the combined root key to render “N” session management keys. The session management keys are then combined with the combined root key to render a multicast root key, which is signed with a private key of a sending device. The signed multicast root key is combined with the session management keys to render an encrypted, signed multicast root key that is used to encrypt digital information prior to transmitting the digital information.

Abstract: The present invention presents a method for transmitting a broadcast signal. According to the present invention, the method for transmitting a broadcast signal presents a system capable of supporting a next-generation broadcast service in an environment supporting a next-generation hybrid broadcast using a terrestrial broadcast network and an Internet network. In addition, presented is an efficient signaling method capable of covering both a terrestrial broadcast network and an Internet network in an environment supporting a next-generation hybrid broadcast.

Abstract: Systems and methods for malware attack prevention are provided. The malware attack prevention system features a heuristic module, an analysis environment and an interception module. The heuristic module is configured to (i) receive incoming data from a particular source over a first communication path and (ii) analyze the incoming data to determine whether the incoming data is suspicious, where the suspicious incoming data represents a prescribed likelihood that the incoming data is associated with a malware attack. The analysis environment is configured to analyze the suspicious incoming data to identify whether the suspicious incoming data is associated with a malware attack. Lastly, the interception module is configured to redirect a subsequent flow of data from the particular source to the malware attack prevention system in response to determining, by at least the heuristic module, that the incoming data is suspicious.

Abstract: Disclosed is a method of substituting for authentication of subscriber terminals of a mobile communication network for a third party site in a radio mobile communication system, the method including: obtaining traffic information for each subscriber terminal from the mobile communication network to which the subscriber terminals connect; receiving an authentication request for a first subscriber terminal from the third party site that has received a service request of the first subscriber terminal from the mobile communication network; and authenticating, if an IP address of the first subscriber terminal is one of IP addresses of the subscriber terminals contained in the traffic information, the first subscriber terminal using traffic information of the first subscriber terminal, and providing an authentication result to the third party site.

Abstract: The present invention relates to a method to manage a One Time Password key, referenced OTP key, used in an OTP algorithm in a user device having access to an unsafe storage including the steps of retrieving a Personal Identification Number, named PIN, of a user of the user device, deriving a symmetric key from the PIN, encrypting the OTP key using the derived symmetric key, storing the encrypted OTP key in the unsafe storage, decrypting the OTP key using the derived symmetric key, and generating a next OTP key using an incremental parameter, wherein the start value of the incremental parameter of the OTP key generation is random.

Abstract: Methods, systems, and computer program products are provided that enable secure remote modification of device credentials using device-generated credentials. A plurality of credentials policies is stored by the user device. The credentials policies are merged to generate a merged credentials policy. An instruction is received by the user device from a trusted service to initiate a device credentials change. A new device credentials is generated on the user device based at least on the merged credentials policy.

Abstract: Database management and security is implemented in a variety of embodiments. In one such embodiment, data sets containing sensitive data elements are analyzed using aliases representing sensitive data elements. In another embodiment, the sensitive data elements are stored in an encrypted form for use from a secure access, while the alias is available for standard access.

Abstract: A computer system includes a management computer for automatically changing a password used to authenticate a user to a service application. A user device includes a password vault managed by a password management application. The management computer monitors for an event signifying that the password is to be changed, e.g., a predetermined number of uses, etc. A new password is assigned, and a first message is generated and sent to the service application including the new password and an indication that it is to be used for subsequent user authentication. A second message is also generated and sent to the password management application, also including the new password and an indication that it replaces a current password in the vault for user authentication. The new password is automatically used by both the service application and the user device during subsequent authentications until expiration.

Abstract: System, method and media for managing user credentials by securely caching credentials to access shared, secure resources for subsequent reuse. When a user accesses a shared, secure resource for the first time, the system determines credentials for the user, which are then stored in a file readable only by that user but in a location hidden from that user. On subsequent attempts to access the resource, a system process running on behalf of the user accesses the hidden file to prepopulate the user's credentials so that they need not be re-entered. In this way, stored processes can access the resource with the correct user's credentials without requiring that they be entered every time.

Abstract: Disclosed is a method for generating a privilege-based key using a computer. In the method, a privilege is received from an application, and verified as being associated with the application. The computer cryptographically generates a second key using a first key and the privilege. The second key is provided to the application.

Abstract: A method is performed at an application platform running at a computer server for logging in to an application (App) by an end user, the method comprising: receiving a login request from a server associated with the application; obtaining an App identity (ID) and a key from the login request; verifying the obtained App ID and key with predefined information associated with the application and the terminal; and when the verification succeeds, sending, to the application server, a message including first user account number information of the end user at the application platform. The application server is configured to generate second user account number information of the end user at the application according to the first user account number information and return the second user account number information to the terminal so that the end user can log into the application using the second user account number information.

Abstract: Methods and systems for securing data are provided. For example, one method includes providing context information for an input/output (I/O) operation to a security module by an adapter communicating with a computing device and a storage device via a network; storing encryption parameters associated to a security association handle by the security module; using a workflow handle by the security module to obtain the security association handle for retrieving stored encryption parameters for encrypting payload transmitted by the adapter and for decrypting payload received by the adapter; predicting a first frame header for encrypting the payload transmitted by the adapter and a second frame header for decrypting payload received by the adapter; providing the encrypted payload for transmission to the adapter by the security module, after discarding the first predicted header; and providing the decrypted payload to the computing device by the security module, after discarding the second predicted header.

Abstract: A system and method is disclosed for converting smart cell phone applications to applications that operate on basic cell phones. The invention has a classifying process that classifies one or more functions of a cell phone application into those functions capable being performing by a basic cell phone and those functions, missing functions, that can not be performed by a basic cell phone. Substitute functions for the missing functions are developed. An emulator monitors the execution of the cell phone application and provides the substitute cell phone functions at points in the execution where a missing function is to be executed. Therefore, the smart phone application is converted into a basic phone application that can be executed by the basic cell phones with reduced functionality. The invention can run on a smart phone or a server. The invention can also be provided as a server based service for basic cell phone users.

Abstract: Methods and systems are provided for implementing application layer security. According to one embodiment, an application layer packet is received by a network appliance and one or more information fields, selected based on an application type associated with the packet, are used to identify an associated end user. Then, security rules that match the traffic pattern, traffic content and identified end user can be applied to the packet. Identification of end users based on application layer information allows different security rules to be implemented for end users or groups thereof. Application of security rules based on identification of an end user based on application layer information can also facilitate implementation of an application-layer-based single sign-on (SSO) process.

Abstract: A communication apparatus capable of communicating with an external device via a wireless network, comprises: a transmission unit configured to transmit relevant information regarding data to be transmitted to the external device, before connecting to the wireless network; a reception unit configured to receive a response to the relevant information transmitted; a connection unit configured to connect to the wireless network, in a case where the response is received; a data communication unit configured to establish communication and transmit the data, after the connection unit has connected to the wireless network; a conversion unit configured to convert data; and a specification unit configured to specify relevant information regarding data to be converted, wherein in a case of converting the data to be transmitted, the transmission unit transmits relevant information regarding the data to be converted.

Abstract: A working method of a dynamic token, including the steps of grouping, by the dynamic token, the second hash data to obtain a plurality of byte groups, transforming respective byte groups into corresponding binary data by shifting and combining the bytes contained in respective byte groups; performing modulo operation on a first preset value by using sum of all the binary data obtained by transforming to a modulo result, performing modulo operation on a second preset value by using the obtained modulo result so as to obtain the first bit interception result. According to this working method, on the basis of different purpose codes, an authentication server authenticates the dynamic passwords applicable to each application scenarios, reducing the risk of keys used for generating dynamic passwords being stolen, improving the security of a token authentication system.

Abstract: Methods and apparatus are disclosed to provide for security within a network enclave. In one embodiment authentication logic initiates authentication with a central network authority. Packet processing logic receives a key and an identifier from the central network authority. Security protocol logic then establishes a client-server security association through a communication that includes a client identifier and an encrypted portion and/or an authorization signature, wherein a client authorization key allocated by the central network authority can be reproduced by a server, other than said central network authority, from the client identifier and a derivation key provided to the server by the central network authority to decrypt the encrypted portion and/or to validate the communication using the authorization signature.

Abstract: Disclosed are various embodiments for an instance monitoring service. Instances are associated with alarm conditions indicating a deviation in the operational health of the instance. Upon an alarm condition being satisfied, a remedy operation may be applied to restore the operational health of the instance. A notification system may let customers know of satisfied alarms, and confirm or cancel remedy operations.

Abstract: The present invention relates to a method for the notification of a resource subscription in a machine-to-machine (M2M) system and devices for same, the method comprising the steps of: detecting a change in the resources to subscribe to comprising a subscription resource as a child resource; generating a notification message including a value indicating the event category of the change in accordance with the second attribute information configured in the subscription resource; and determining if a reception device is reachable on the basis of the scheduling information configured in a scheduling resource for an M2M device and the scheduling information configured in a scheduling resource for the reception device, wherein: if the reception device is determined to be reachable on the basis of the scheduling information, the notification message is immediately transmitted to the reception device; and if the reception device is determined to be unreachable on the basis of the scheduling information, the notificat

Abstract: A method includes receiving a first biometric data set representative of a first biometric sample provided by a user and public parameters. The method includes generating a first set of exchange information based thereon and communicating it to a system server. The method includes receiving a second set of exchange information based on the public parameters and a second biometric data set representative of a second biometric sample and is symmetric with respect to the first set of exchange information. The method includes computing a session key for the communication session by applying a first hash function based on a hash key to a subset of the second set of exchange information and a second hash function based on a projected key to a subset of the first set of exchange information. The method includes using the session key in communications during the communication session.

Abstract: A method and apparatus for fine-grained, trust-based rate limiting of network requests distinguishes trusted network traffic from untrusted network traffic at the granularity of an individual user/machine combination, so that network traffic policing measures are readily implemented against untrusted and potentially hostile traffic without compromising service to trusted users. A server establishes a user/client pair as trusted by issuing a trust token to the client when successfully authenticating to the server for the first time. Subsequently, the client provides the trust token at login. At the server, rate policies apportion bandwidth according to type of traffic: network requests that include a valid trust token are granted highest priority. Rate policies further specify bandwidth restrictions imposed for untrusted network traffic.

Abstract: An embodiment of the invention may include a method, computer program product and computer system for password management. The embodiment may include a computing device that creates a password inventory. The password inventory may be a list of one or more passwords, where each of the one or more passwords corresponds to a password key. The embodiment may update the password inventory without input from a user. The embodiment may receive a first login request from a first device. The embodiment may transmit information detailing a first password key to the first device, where the first password key corresponds to a first password from the list of one or more passwords. The embodiment may receive information detailing a first entered password from the first device. The embodiment may determine whether the first entered password is identical to the first password from the list of one or more passwords.

Abstract: Embodiments of the present invention disclose a method, computer program product, and system for authenticating a user. The application server receives a user log in request and determines if a unique identification accompanies the received user log in request. The application server uses the unique identification to authenticate the identity of the user. The application server determines if the unique identification has been previously received by searching a first database to see if the unique identification was already stored in the first database. If the unique identification is not in the first database then the application server stores the unique identification and grants the user access to the one or more applications hosted on the application server.

Abstract: A method and system for password mediation including identifying an HTTP request issued by a client application executing on a client device, the HTTP request indicating an operation to be performed for a user of the client application at a destination system, obtaining user credentials using the HTTP request, requesting security information for the user with respect to the destination system, determining whether the user is allowed to perform the operation based on the security information, and upon determining that the user is allowed to perform the operation, modifying the HTTP request based on the security information and sending the modified HTTP request to the destination system.

Abstract: Techniques for accelerated authentication include receiving first data that indicates a first portion of user credentials for a first user but not a second portion. It is verified whether the first portion of user credentials is valid. If the first portion of user credentials is valid, then second data that indicates a valid value for the second portion of user credentials for the first user is sent. Other techniques include receiving first data that indicates a first portion of user credentials for a first user but not a second portion of user credentials for the first user. A first message that indicates the first portion of user credentials is sent to a remote process that initiates authentication of the first user based on the first portion of user credentials before receiving second data that indicates the second portion of user credentials for the first user.

Abstract: Methods, systems, computer-readable media, and apparatuses for providing secure resources to a native operating system resource are described herein. Using one or more aspects described herein, a mobile device may determine that a native operating system service requests to access content located within a wrapped application. The mobile device may transmit, to the native operating system service, a server path to a loopback web server within the wrapped application to elicit a request from the native operating system service to the loopback web server for the content. In response to receiving a request comprising the server path to the loopback web server to retrieve the content from the loopback web server, the mobile device may instruct the loopback web server to transmit an unencrypted version of the content to the native operating system service.

Abstract: The embodiments herein provide a secure computing resource set identification, evaluation, and management arrangement, employing in various embodiments some or all of the following highly reliable identity related means to establish, register, publish and securely employ user computing arrangement resources in satisfaction of user set target contextual purposes.

Abstract: There is provided a reception device configured to receive content broadcast via a broadcasting network, the reception device including an application execution unit configured to execute a link application that is able to change a layout of a screen with reference to a video of the received content, and an application control unit configured to control the application execution unit based on application control information relating to the link application so that activation of the link application is restricted.

Abstract: This disclosure relates to enforcing restrictions on data collected from a first set of systems and disseminated to a second set of systems. For example, a method for enforcing a set of restrictions includes receiving a first trait and a second trait that include data describing a user that has interacted with an online service. The first trait is labelled with a first usage restriction and the second trait is labelled with a second usage restriction different from the first usage restriction. The method further includes combining the first trait and the second trait into a segment. The segment preserves labelling of the first trait with the first usage restriction and the second trait with the second usage restriction. The method further includes controlling use of the segment based on the first usage restriction and the second usage restriction.

Abstract: Embodiments are provided for mutually authenticating a pair of electronic devices. According to certain aspects, the electronic devices may connect to each other via an out-of-band communication channel. The electronic devices may each output audio signals and detect audio signals output by the other electronic devices. Based on timestamps associated with audio output and detection events, each of the electronic devices may calculate relevant time and distance parameters, and transmit the calculated parameters to the other electronic device via the out-of-band communication channel. The electronic devices may compare the calculated parameters to determine mutual authentication.

Abstract: An approach for assessing a service offering selected by a user in a networked computing environment (e.g., a cloud computing environment) is provided. In one aspect, a network environment containing the service offering is monitored for a software configuration activity performed by the user. This software configuration activity is analyzed to identify the software application that is being configured. A set of provider-managed service offerings can be searched for any provider-managed service offering that contains an offered application corresponding to that of the software application. This managed service offering can be included in an alternative suggestion for the service offering.

Abstract: A mechanism is provided for selective password synchronization. An indication is received that a password is to be changed for an account in a plurality of accounts associated with an individual, where the indication includes a new password. Responsive to receiving the indication of the password change, the account is grouped with one or more other accounts in the plurality of accounts thereby forming a first subset of accounts, where grouping the account with the one or more other accounts in the plurality of accounts excludes at least one account in the plurality of accounts thereby forming a second subset of accounts. The new password is propagated to the first subset of accounts according to a first policy. The new password is propagated to a second subset of accounts of the plurality of accounts according to a second policy, where the second policy is different from the first policy.

Abstract: The disclosed embodiments include methods and systems for providing payment token transactions by a mobile device. The mobile device may be operable to obtain a payment token, where the payment token is associated with one or more payment token parameters and the mobile device may be configured to communicate with a financial service provider system over a first network when connectivity to the first network is available to the mobile device. The mobile device may provide the payment token to a contactless payment terminal (CPT) associated with a merchant, during a purchase transaction involving a product provided by the merchant, where the mobile device may communicate the payment token to the CPT over a local network that is different from the first network such that connectivity between the mobile device and the first network is not required.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for receiving, from a computer system, a request comprising a phone number, identifying a primary channel and one or more secondary channels based on, at least in part, respective performance data of the primary and secondary channels, sending a first message comprising a first text string via the primary channel to a destination device associated with the phone number, after sending the first message, determining that a conversion event for the message and the primary channel did not occur within a specified time period, and based on the determining, sending a second message comprising the first text string via a particular secondary channel to the destination device.

Abstract: In one embodiment, a method is performed by a computer system comprising physical computer hardware. The method includes discovering a controlling-user network for at least one user. The controlling-user network comprising a plurality of controlling users. The plurality of controlling users each control one or more sites of a content-management system. The method further includes profiling the plurality of controlling users based, at least in part, on information gleaned from sites on the content-management system controlled by the plurality of controlling users. In addition, the method includes exposing the controlling-user network to the at least one controlling user using a result of the profiling.

Abstract: A system that incorporates teachings of the subject disclosure may include, for example, a method for facilitating, at a system including at least one processor, establishment of a communication session with a device coupled to a Universal Integrated Circuit Card (UICC) by way of network equipment of a default Mobile Network Operator (MNO), receiving, at the system, information descriptive of an MNO selection, selecting, at the system, from a database of credentials of a plurality of MNOs first credential information according to the received information, wherein the first credential information is associated with a first MNO of the plurality of MNOs, and transmitting, from the system, the first credential information to the UICC over the communication session by way of the device to cause the UICC to facilitate establishment of communications with network equipment of the first MNO according to the first credential information. Other embodiments are disclosed.

Abstract: A method including: receiving, at a conference unit, a command to establish a conference call between the conference unit and another conference unit, the conference unit being connected to at least one access point and the access point being accessible by a terminal; utilizing, by the conference unit, an internet telephony protocol to setup at least one media line between the conference unit and the other conference unit; establishing at least one data channel that transmits LAN traffic between the conference unit and the other conference unit utilizing the internet telephony protocol; establishing, by the conference unit, a connection with the terminal, the terminal being part of a combined local area network; and receiving, at the conference unit, an input from the terminal via the connection to access the combined local area network.

Abstract: A user equipment (UE) is configured to send a direct communication request to a peer UE, wherein the direct communication request comprises a signature authenticating an identity of the UE. The UE is configured to process a direct communication response from the peer UE to authenticate an identity of the peer UE, wherein the direct communication response comprises a signature authenticating the identity of the peer UE. In response to processing the direct communication response from the peer UE to authenticate the identity of the peer UE, the UE is configured to engage in direct communication with the peer UE.

Abstract: The disclosed embodiments provide a system that enables access to a resource. During operation, the system obtains, from a first service, a request for access to the resource on a second service by a user using the first service. Next, the system provides, in a response to the request, an intent token for accessing the resource by the user to the first service. Upon receiving the intent token from an authorized user on the second service, the system enables access to the resource on the second service for the user on the first service.