Management Patents (Class 726/6)
  • Patent number: 9876991
    Abstract: An intermediate server (104) is operable in a distributed key management system (300). The intermediate server comprises one or more processors (205) and an intermediate key material repository (302) to store digital rights management key material. The intermediate server can be operable in the system between a master server (101) and a local server (106), with the local server to deliver content (108) to one or more subscriber devices (109,110). The intermediate server, or optionally a management system (117) can pre-populate the intermediate key material repository with one or more key material (1005) corresponding to fragments (1001) of the content prior to the fragments of content being requested by the one or more subscriber devices.
    Type: Grant
    Filed: February 28, 2014
    Date of Patent: January 23, 2018
    Assignee: Concurrent Computer Corporation
    Inventors: David Leon Ray, James Wesley Bell
  • Patent number: 9876800
    Abstract: A method for associating a web event with a member of a group of users is implemented at a first computing device. The method includes: receiving a data access request from a second computing device; determining whether the user has previously provided personal information and authorization to the first computing device through the second computing device; if the user's personal information and authorization are found: generating a record for the data access request; if the user's personal information is found but the user's authorization is not found: generating a record for the data access request; and if neither of the user's personal information and authorization is found: identifying one or more user identifiers that are associated with the second computing device; and returning personal information associated with the one or more user identifiers to the second computing device.
    Type: Grant
    Filed: March 16, 2015
    Date of Patent: January 23, 2018
    Assignee: Google LLC
    Inventor: Simon Michael Rowe
  • Patent number: 9870071
    Abstract: An apparatus and a method for managing security of a terminal which increases reliability of an electronic signature. The apparatus includes a controller for detecting coordinate values of input positions of an electronic pen as interruption information when the interruption is received, and a memory for storing the detected input positions as additional electronic signature information.
    Type: Grant
    Filed: February 10, 2014
    Date of Patent: January 16, 2018
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Ji-Yoon Park, Jae-Yung Yeo, Seung-Eun Lee, Seong-Min Je
  • Patent number: 9871774
    Abstract: In one embodiment, a system includes a processing circuit and logic integrated with the processing circuit, executable by the processing circuit, or integrated with and executable by the processing circuit. The logic is configured to cause the processing circuit to initiate a password selection session on a source augmented reality or virtual reality device (hereafter the source AR/VR device). The logic is also configured to cause the processing circuit to generate a symmetric password key according to a set of password determination rules. Also, the logic is configured to cause the processing circuit to encrypt data using the symmetric password key prior to sending the encrypted data to a receiver AR/VR device. Moreover, the logic is configured to cause the processing circuit to send the encrypted data from the source AR/VR device to the receiver AR/VR device. The symmetric password key is not exchanged with any other device.
    Type: Grant
    Filed: September 29, 2016
    Date of Patent: January 16, 2018
    Assignee: International Business Machines Corporation
    Inventors: Su Liu, John D. Wilson, Yin Xia
  • Patent number: 9853977
    Abstract: Particular systems, methods, and program products for web-based security systems for user authentication and processing in a distributed computing environment are disclosed. A computing sub-system may receive an electronic processing request and a first signed data packet having a first payload that was hashed and encrypted using a first private key. The first payload may comprise first processing output and a first timestamp. The sub-system may verify the first signed data packet by decrypting it using a first public key. The sub-system may execute computing operations to satisfy the electronic processing request, producing second processing output. The sub-system may configure a data packet with a second payload comprising at least the second processing output and a second timestamp. The sub-system may encrypt the second payload using a second private key producing a second signed data packet. The sub-system may transmit to a second sub-system the second signed data packet.
    Type: Grant
    Filed: January 26, 2016
    Date of Patent: December 26, 2017
    Assignee: WINKLEVOSS IP, LLC
    Inventors: Andrew Laucius, Cem Paya, Eric Winer
  • Patent number: 9847988
    Abstract: A wireless local area network system establishes a PASSPOINT™ connection between a mobile station and a hotspot using an enhanced single SSID method or an enhanced dual SSID method. In the dual SSID method, an access point associates and authenticates a mobile device to a secondary SSID of the access point during enrollment and provisioning. After enrollment, the access point authenticates the mobile station to a primary SSID of the access point using the credential that the mobile station received from an online sign-up (“OSU”) server in connection with the secondary SSID. In the single SSID method, an access point performs two levels of authentication. During authentication, communications are limited to an 802.1x controlled port running on the mobile station and access point. After a first authentication, communications between the OSU server and the mobile station are unblocked. After the second authentication, all traffic from the mobile station is unblocked.
    Type: Grant
    Filed: November 23, 2015
    Date of Patent: December 19, 2017
    Assignee: STMICROELECTRONICS, INC.
    Inventors: Liwen Chu, George A. Vlantis
  • Patent number: 9847667
    Abstract: A method of handling wireless charging authentication for an electronic device of a wireless charging system includes sending a first message to a controller of the wireless charging system to notify the controller that an authentication is required by a wireless charger of the wireless charging system; receiving a second message including authentication information from the controller; and sending a third message including the authentication information to the wireless charger, in order to satisfy the authentication.
    Type: Grant
    Filed: February 11, 2015
    Date of Patent: December 19, 2017
    Assignee: HTC Corporation
    Inventor: Feng-Seng Chu
  • Patent number: 9843574
    Abstract: Static and dynamic embodiments are presented for generating chaff passwords for use in a password-hardening system. Chaff passwords are generated by obtaining a source set of passwords comprising at least one valid password for each of a plurality of users; and generating a chaff set of passwords for a given user, wherein the chaff set comprises at least one valid password for the given user and a plurality of chaff passwords for the given user, wherein the plurality of chaff passwords for the given user are obtained from the source set of passwords. Chaff passwords can also be generated by modifying portions of base passwords based on a distribution with which particular strings of digits and symbols appear in user passwords. Location oblivious chaff passwords are generated from a chaff set of passwords obtained from a chaff generation method by applying a random permutation over the elements of the obtained chaff set of passwords.
    Type: Grant
    Filed: September 30, 2014
    Date of Patent: December 12, 2017
    Assignee: EMC IP Holding Company LLC
    Inventors: Nikolaos Triandopoulos, Kevin Bowers, Ari Juels, Ronald Rivest, Guoying Luo
  • Patent number: 9843592
    Abstract: To prevent legitimate message recipients from forging new messages and to encrypt messages for a specific set of recipients (channel), a root key is encrypted and combined with a base session management key to render a combined root key, which in turn is encrypted with a public key of at least one recipient device to render a session management key. The public key of each of “N” intended recipient devices encrypts the combined root key to render “N” session management keys. The session management keys are then combined with the combined root key to render a multicast root key, which is signed with a private key of a sending device. The signed multicast root key is combined with the session management keys to render an encrypted, signed multicast root key that is used to encrypt digital information prior to transmitting the digital information.
    Type: Grant
    Filed: October 14, 2015
    Date of Patent: December 12, 2017
    Assignee: SONY INTERACTIVE ENTERTAINMENT AMERICA LLC
    Inventor: Bryan Cotta
  • Patent number: 9843569
    Abstract: A method and apparatus are provided for access credential provisioning. A method may include receiving, at a first mobile apparatus, information about a second mobile apparatus. The first mobile apparatus may be provisioned with network access credential information to be transferred from the first mobile apparatus to the second mobile apparatus. The method may further include causing the information about the second mobile apparatus to be provided to a provisioning apparatus for the network. The method may additionally include receiving authorization from the provisioning apparatus to transfer the network access credential information from the first mobile apparatus to the second mobile apparatus. The method may also include, in response to receipt of the authorization, causing the network access credential information to be provided to the second mobile apparatus. A corresponding apparatus is also provided.
    Type: Grant
    Filed: July 30, 2015
    Date of Patent: December 12, 2017
    Assignee: Nokia Technologies Oy
    Inventors: Silke Holtmanns, André Dolenc
  • Patent number: 9838366
    Abstract: A system for auditing authorized key files associated with secure shell (SSH) servers is disclosed. In an example, the system may include a purpose-built SSH audit server. The SSH audit server may be configured to receive an authorized key file and a list of users. The SSH audit server may generate and provide unique registration codes for each of the users in the list. The SSH audit server may associate particular users with particular public keys as each of the users accesses the SSH audit server using a public key and inputs a registration code.
    Type: Grant
    Filed: January 22, 2015
    Date of Patent: December 5, 2017
    Assignee: QUEST SOFTWARE INC.
    Inventor: Matthew Todd Peterson
  • Patent number: 9838392
    Abstract: An approach is provided for proxy-based access controls. A proxy platform causes, at least in part, designation of at least one monitoring client of a proxy server. The proxy platform receives an input for associating one or more accessing clients with the at least one monitoring client. The at least one monitoring client manages access to one or more resources of the proxy server by the one or more accessing clients.
    Type: Grant
    Filed: March 24, 2011
    Date of Patent: December 5, 2017
    Assignee: Nokia Technologies Oy
    Inventors: Miikka Johannes Sainio, Atte Lahtiranta
  • Patent number: 9826571
    Abstract: Embodiments of the present disclosure provide for configuring and managing mesh nodes during occasional failure of mesh nodes or addition of new mesh nodes. The disclosed system first determines whether a mesh node is a mesh portal or a mesh point. If it is a mesh portal, the mesh node will advertise its capacity as a mesh portal to other mesh nodes in the network. If it is a mesh point, the mesh node attempts to automatically recover connection to the wireless mesh network if it identifies a unique wireless network based on its associated network identifier. If more than one network identifier is discovered, the mesh node delays establishing connection to the wireless mesh network until a selection is received.
    Type: Grant
    Filed: June 30, 2011
    Date of Patent: November 21, 2017
    Assignee: ARUBA NETWORKS, INC.
    Inventors: Pradeep Iyer, Santashil Palchaudhuri, Shravan Kumar Mettu
  • Patent number: 9824206
    Abstract: In one embodiment, a method includes initiating a password selection session on a source augmented reality or virtual reality device (hereafter the source AR/VR device). The method also includes tracking an eye gaze of a source user using the source AR/VR device. In addition, the method includes determining gazed content from the eye gaze of the source user using a password key phrase determination feature. Additionally, the method includes generating a symmetric password key utilizing the gazed content according to a set of password determination rules. Moreover, the method includes performing an operation using the source AR/VR device, the operation being secured by the symmetric password key. The symmetric password key is not exchanged with any other device.
    Type: Grant
    Filed: September 29, 2016
    Date of Patent: November 21, 2017
    Assignee: International Business Machines Corporation
    Inventors: Su Liu, John D. Wilson, Yin Xia
  • Patent number: 9811580
    Abstract: Provided are techniques for cyclic based data partitioning policy with automatic physical schema management. A data partitioning policy for data is received, wherein the data partitioning policy identifies a condition for automatically implementing the data partitioning policy and criteria for modifying a set of partitions. In response to the condition occurring, the data partitioning policy is automatically applied to select at least one partition from the set of partitions based on the criteria. An operation is performed on the at least one partition to modify the set of partitions.
    Type: Grant
    Filed: October 10, 2013
    Date of Patent: November 7, 2017
    Assignee: International Business Machines Corporation
    Inventors: Lynette D. Adayilamuriyil, Marco Greco, John F. Miller, III, Raghupathi K. Murthy, Sitaram Vemulapalli
  • Patent number: 9811655
    Abstract: Embodiments of the present application relate to a method and system for managing user accounts. The method includes receiving a registration request from a current user, wherein the registration request comprises a login name main part, determining, in a database, whether a conflicting old user exists, wherein a conflicting old user corresponds to another user that has a conflicting login name main part that is the same as the login name main part received in connection with the registration request, in the event that a conflicting old user exists, executing a login password differentiation process that requires a user to register a different login password that is different from a login password associated with the conflicting old user, and storing the different login password to the database in connection with a registration of the current user.
    Type: Grant
    Filed: May 4, 2015
    Date of Patent: November 7, 2017
    Assignee: Alibaba Group Holding Limited
    Inventors: Jianbo Qian, Xingjun Ni, Feng Yu
  • Patent number: 9811581
    Abstract: Provided are techniques for cyclic based data partitioning policy with automatic physical schema management. A data partitioning policy for data is received, wherein the data partitioning policy identifies a condition for automatically implementing the data partitioning policy and criteria for modifying a set of partitions. In response to the condition occurring, the data partitioning policy is automatically applied to select at least one partition from the set of partitions based on the criteria. An operation is performed on the at least one partition to modify the set of partitions.
    Type: Grant
    Filed: June 13, 2014
    Date of Patent: November 7, 2017
    Assignee: International Business Machines Corporation
    Inventors: Lynette D. Adayilamuriyil, Marco Greco, John F. Miller, III, Raghupathi K. Murthy, Sitaram Vemulapalli
  • Patent number: 9807080
    Abstract: An approach is provided for providing authentication session sharing between browsers and run time environments in network communication. An interface receives an authentication context associated with a first service. The interface causes, at least in part, storage of the authentication context in a first cache associated with the interface. The interface causes, at least in part, population of the authentication context to a second cache associated with a second service. The second cache is not directly linked to the interface. The authentication context in the second cache authenticates access to the second service.
    Type: Grant
    Filed: April 5, 2016
    Date of Patent: October 31, 2017
    Assignee: Nokia Technologies Oy
    Inventors: Jari Otranen, Anssi Karhinen
  • Patent number: 9807570
    Abstract: A remote keyless system for a vehicle includes a plurality of slave transmitter modules arranged in a plurality of locations in the vehicle. A master transceiver module is configured to pair with a wireless device; wirelessly transmit data to and receive data from the wireless device; transmit first wired messages to the plurality of slave transmitter modules to send first wireless messages to the wireless device; receive a plurality of second wireless messages directly from the wireless device, wherein the second wireless messages comprise data including received signal strength indicators (RSSIs) corresponding to each of the plurality of slave transmitter modules, respectively; and determine a location of the wireless device relative to the vehicle based on the RSSIs in the plurality of second wireless messages.
    Type: Grant
    Filed: June 23, 2016
    Date of Patent: October 31, 2017
    Assignee: GM GLOBAL TECHNOLOGY OPERATIONS LLC
    Inventors: Marcelo V. Lazarini, Roddi L. Macinnes
  • Patent number: 9807087
    Abstract: A system and method for using a single-use password to add SSO functionality to a service of a Service Provider belonging to an F-SSO federation that does not support F-SSO functionality for the service. In response to receiving notification from an Identity Provider that a user has requested access to the service, the Service Provider uses information provided by the Identity Provider to identify and authenticate the user, and then uses standard API calls to create and send a temporary password to the user. This password may be created as a function of the user's physical location or IP address and may be communicated out-of-band. Upon determining that the user has correctly returned the temporary password to the Service Provider, the Service Provider generates and sends the user a strong single-use password through a secure in-band communication, through which the user may access the service.
    Type: Grant
    Filed: November 24, 2015
    Date of Patent: October 31, 2017
    Assignee: International Business Machines Corporation
    Inventors: Heather M. Hinton, Kelly Malone
  • Patent number: 9805202
    Abstract: In an assessment or audit of a computer system, an auditing subsystem will parse software development kit (“SDK”) interfaces and obtain customer usage, configuration and security information by applying requests for information to the application programming interfaces provided by the SDK interfaces.
    Type: Grant
    Filed: November 13, 2014
    Date of Patent: October 31, 2017
    Assignee: EVIDENT.IO, INC.
    Inventors: Claire Medeiros, Justin Lundy
  • Patent number: 9800569
    Abstract: During a data protection operation, a system exploits a virtual hierarchy to centralize the configuration and management of operating system credentials of numerous virtual guests. For each virtual guest, the system uses the credential to collect a single Globally Unique Identifier (GUID) previously generated and stored in-guest by any data protection agent. The system stores the collected GUID as a custom property in the context of the virtual hierarchy. The system also exploits the virtual hierarchy custom properties to determine if GUIDs are copies due to virtual guest replication. The system ensures GUID uniqueness by requesting regeneration of the GUID by in-guest data protection agents. Using GUIDs that are unique across the virtual hierarchy, the system can correlate application data of multiple in-guest data protection agents.
    Type: Grant
    Filed: June 5, 2014
    Date of Patent: October 24, 2017
    Assignee: International Business Machines Corporation
    Inventors: Robert C. Edwards, Jr., Avishai H. Hochberg, Jawed Iqbal, Tai W. Nam, Joanne T. Nguyen, Neil G. Rasmussen, James P. Smith, Peter B. Symonds, Jean X. Yu
  • Patent number: 9794362
    Abstract: Disclosed is a portal push method, which comprises: a broadband remote access server (BRAS) equipment acquiring a website identification list, after the BRAS equipment receives a hypertext transport protocol (HTTP) request message sent by a user terminal. The BRAS equipment determines whether to send portal pages to the user terminal according to whether the identification of a target website visited by the user client has a matched item in the list. The embodiments of the present disclosure further provide a corresponding BRAS equipment. The technical solutions of the embodiments of the present disclosure can reduce push times of invalid portals and improve portal push success rate.
    Type: Grant
    Filed: March 24, 2015
    Date of Patent: October 17, 2017
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Junli Hu, Lili Wang, Chi Zhang
  • Patent number: 9794253
    Abstract: A method provides device access security via use of periodically changing Quick Response (QR) codes. The method includes: generating (706) a first authentication QR code and assigning (708) the generated QR code as the current authentication mechanism for accessing the device. Contemporaneously with the generation of the QR code, at least one QR code validity parameter is established (710) to define when access to the device can be provided to a second device that provides the correct authentication QR code along with the access request. The method includes, in response to a pre-defined trigger (712) of the QR code validity parameter: generating (704) a new authentication QR code, different from a previously generated authentication QR code; assigning (708) the new authentication QR code as the current authentication mechanism for accessing the device; and enabling access to the first device to only second devices that provide the current authentication QR code.
    Type: Grant
    Filed: May 14, 2015
    Date of Patent: October 17, 2017
    Assignee: GOOGLE INC.
    Inventors: Shyam Narayan, Naveen Aerrabotu, Rohit R. Sinha
  • Patent number: 9788205
    Abstract: As individuals increasingly engage in different types of transactions they face a growing threat from, possibly among other things, identity theft, financial fraud, information misuse, etc. and the serious consequences or repercussions of same. Leveraging the ubiquitous nature of wireless devices and the popularity of (Short Message Service, Multimedia Message Service, etc.) messaging, an infrastructure that enhances the security of the different types of transactions within which a wireless device user may participate through a Second Factor Authentication facility. The infrastructure may optionally leverage the capabilities of a centrally-located Messaging Inter-Carrier Vendor.
    Type: Grant
    Filed: March 24, 2016
    Date of Patent: October 10, 2017
    Assignee: SYBASE, INC.
    Inventors: Dilip Sarmah, Kyle Warner Erickson, Rajat Mounendrababu Gadagkar
  • Patent number: 9779232
    Abstract: A user equipment. The user equipment comprises a processor, a memory, a trusted security zone, wherein the trusted security zone provides hardware assisted trust, a ticket generator stored in the trusted security zone to generate a plurality of access codes, and a code generator stored in the trusted security zone. The code generator generates a different one-time-password for each of the plurality of access codes, wherein the one-time-password is not displayed on the user equipment, stores the one-time-password in the trusted security zone, and transmits the one-time-password to a trusted server through a trusted channel. Responsive to an associated access code from the plurality of access codes being displayed and upon request of a user of the user equipment, the code generator displays the one-time-password and invalidates the one-time-password promptly after the display ends.
    Type: Grant
    Filed: January 14, 2015
    Date of Patent: October 3, 2017
    Assignee: Sprint Communications Company L.P.
    Inventors: Lyle W. Paczkowski, William M. Parsel, Carl J. Persson, Matthew C. Schlesener
  • Patent number: 9775044
    Abstract: Systems, devices and methods are directed toward authenticating users to provide access to the users. A portable communication device, suitable for use in authenticating a user, includes a memory including a reference biometric for a user, a biometric reader, and a processor coupled to the memory and biometric reader. The processor is configured to, among other operations, compare a biometric of the user, as captured at the biometric reader, to the reference biometric stored in the memory. When the captured biometric matches the reference biometric, the processor is configured to authenticate the user and transmit an authentication signal to thereby provide access to the user. In various aspects, the authentication signal includes an identifier associated with the user, whereby other devices are able to recognize the user and authenticate the user based on the authentication signal, generally, without the user being separately authenticated at the other devices.
    Type: Grant
    Filed: July 8, 2016
    Date of Patent: September 26, 2017
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventor: Arvind Jangi
  • Patent number: 9763022
    Abstract: A system and method is disclosed for converting smart cell phone applications to applications that operate on basic cell phones. The invention has a classifying process that classifies one or more functions of a cell phone application into those functions capable of being performed by a basic cell phone and those functions, missing functions, that cannot be performed by a basic cell phone. Substitute functions for the missing functions are developed. An emulator monitors the execution of the cell phone application and provides the substitute cell phone functions at points in the execution where a missing function is to be executed. Therefore, the smart phone application is converted into a basic phone application that can be executed by the basic cell phones with reduced functionality. The invention can run on a smart phone or a server. The invention can also be provided as a server based service for basic cell phone users.
    Type: Grant
    Filed: October 13, 2014
    Date of Patent: September 12, 2017
    Assignee: International Business Machines Corporation
    Inventors: Eric Mibuari, Osamuyimen Stewart, Aisha Walcott-Bryant
  • Patent number: 9760722
    Abstract: A method of addressing an unauthorized disclosure of sensitive information at an imaging device, including receiving an indication of the unauthorized disclosure of sensitive information; receiving or generating preliminary information about the unauthorized disclosure; and transmitting the indication and the preliminary information to a remote location to initiate an investigation on the unauthorized disclosure. After receiving the indication, the method includes entering a reduced function mode by the imaging device; receiving a clearance key when in the reduced function mode; and after receiving the clearance key, exiting the reduced function mode and entering a normal mode of operation.
    Type: Grant
    Filed: July 31, 2015
    Date of Patent: September 12, 2017
    Assignee: KOFAX INTERNATIONAL SWITZERLAND SARL
    Inventor: Kevin James Albrecht
  • Patent number: 9760704
    Abstract: An electronic device includes multiple applications that can access a smart card or other security apparatus. A first application that is to use the security apparatus prompts a user for a security string such as a PIN or password. Upon receipt of the PIN or password, the first application unlocks the security apparatus for use. Additionally, the first application receives a token from a security service that interfaces with the security apparatus. The token can be shared by the first application with other applications. For example, the first application can share the token with other trusted applications. The other applications that receive the token can refrain from issuing a prompt for a security string and receiving a response from the user. The token can be used instead of the security string to obtain access to the security apparatus.
    Type: Grant
    Filed: May 23, 2014
    Date of Patent: September 12, 2017
    Assignee: BlackBerry Limited
    Inventor: Alexander Sherkin
  • Patent number: 9749300
    Abstract: Example embodiments of the present invention relate to a method and a system for immediate recovery of virtual machines encrypted in the cloud. The method includes retrieving at least a portion of data from an off-premise replica site configured to store an encrypted first data part of an I/O as data at the off-premise replica site according to a second metadata part of the I/O. The first data part of the at least the portion of the data then may be decrypted at the on-premise recovery site according to a private key not available to the replica site and stored at the on-premise recovery site in a cache at the recovery site.
    Type: Grant
    Filed: March 30, 2015
    Date of Patent: August 29, 2017
    Assignee: EMC IP HOLDING COMPANY LLC
    Inventors: Yonatan Cale, Assaf Natanzon
  • Patent number: 9742779
    Abstract: An approach is provided to allow remote support representatives to carry out a remote support session with minimal access and privileges to remote systems. An attempt is detected to establish a remote support session via a remote support appliance that is configured to establish the remote support session between a first device associated with a support representative and a second device associated with a user. A credential that provides an elevated access privilege is retrieved in response to the detection. The credential is provided to the first device for use in the establishment of the remote support session.
    Type: Grant
    Filed: April 6, 2010
    Date of Patent: August 22, 2017
    Assignee: Bomgar Corporation
    Inventors: Huey Jiun Ngo, Nathan Joel McNeill
  • Patent number: 9727704
    Abstract: A digital rights management (DRM) including a transfer of a rights object (RO) to a second user in consideration of requirements of a movement of a rights object of a first user (a terminal, an equipment), charge, etc., by providing a post browsing session when the rights object occupied by the first user is transferred to a second user via a server.
    Type: Grant
    Filed: February 28, 2012
    Date of Patent: August 8, 2017
    Assignee: LG ELECTRONICS INC.
    Inventor: Seung-Jae Lee
  • Patent number: 9722981
    Abstract: An embodiment of the invention may include a method, computer program product and computer system for password management. The embodiment may include a computing device that creates a password inventory. The password inventory may be a list of one or more passwords, where each of the one or more passwords corresponds to a password key. The embodiment may update the password inventory without input from a user. The embodiment may receive a first login request from a first device. The embodiment may transmit information detailing a first password key to the first device, where the first password key corresponds to a first password from the list of one or more passwords. The embodiment may receive information detailing a first entered password from the first device. The embodiment may determine whether the first entered password is identical to the first password from the list of one or more passwords.
    Type: Grant
    Filed: September 26, 2016
    Date of Patent: August 1, 2017
    Assignee: International Business Machines Corporation
    Inventors: Rhonda L. Childress, Itzhack Goldberg, Clifford A. Pickover, Neil Sondhi
  • Patent number: 9721118
    Abstract: A method, a system, a registry, a repository and a computer program product are disclosed for securely accessing sensitive medical data records stored in a repository. Before accessing security-critical data in the repository, a registration inquiry with a separate registry must be carried out in order to obtain a security token having limited temporary validity, for example in the form of a barcode. A data source and/or a data sink can then use the security token to access the security-critical data in that an index module indexes the data record inquired about on the repository.
    Type: Grant
    Filed: January 24, 2012
    Date of Patent: August 1, 2017
    Assignee: SIEMENS AKTIENGESELLSCHAFT
    Inventors: Georg Heidenreich, Wolfgang Leetz
  • Patent number: 9722998
    Abstract: A system, method, and apparatus are provided for using distinctive signals associated with an electronic device to authenticate or validate a cookie or other identifier issued to the device from a website or other source. When the device receives content (e.g., a web page) from the source, it also receives code for collecting the signals, which is executed when the content is rendered. The device transmits the signals to the source or other specified destination, where they may be processed (e.g., hashed) and retained. Upon subsequent access to content from the source, signals are again collected, transmitted to the source, and compared with those that were previously retained. If the current signals do not match the retained signals, the current device may be spoofing the valid/original device, and the source may take appropriate action (e.g., prevent some activity, require further authentication). Matching may be performed online and/or offline.
    Type: Grant
    Filed: July 23, 2015
    Date of Patent: August 1, 2017
    Assignee: LinkedIn Corporation
    Inventor: Yoav Podemsky
  • Patent number: 9720414
    Abstract: Methods and systems are provided for providing services to an individual at a transportation terminal. In one method, an item is received with a mobile robot from an individual at a first location at the transportation terminal. The item is autonomously secured with the mobile robot using a component of the mobile robot to thereby prevent unauthorized individuals from accessing the secured item. The secured item is autonomously transported with the mobile robot from the first location to a second location at the transportation terminal. The mobile robot is capable of independent navigation without need for physical or electromechanical guidance devices in an environment within which the mobile robot operates.
    Type: Grant
    Filed: April 30, 2015
    Date of Patent: August 1, 2017
    Inventor: Daniel Theobald
  • Patent number: 9716699
    Abstract: An embodiment of the invention may include a method, computer program product and computer system for password management. The embodiment may include a computing device that creates a password inventory. The password inventory may be a list of one or more passwords, where each of the one or more passwords corresponds to a password key. The embodiment may update the password inventory without input from a user. The embodiment may receive a first login request from a first device. The embodiment may transmit information detailing a first password key to the first device, where the first password key corresponds to a first password from the list of one or more passwords. The embodiment may receive information detailing a first entered password from the first device. The embodiment may determine whether the first entered password is identical to the first password from the list of one or more passwords.
    Type: Grant
    Filed: September 26, 2016
    Date of Patent: July 25, 2017
    Assignee: International Business Machines Corporation
    Inventors: Rhonda L. Childress, Itzhack Goldberg, Clifford A. Pickover, Neil Sondhi
  • Patent number: 9710638
    Abstract: Systems and methods for testing to tell computers and humans apart and generating said tests are described. An interface is generated that includes a challenge and a response is provided, and a plurality of user selections of locations in the interface are received. A server compares the x coordinate and the y coordinate of each user selection with x and y coordinates for a subset of the plurality of characters in the response to obtain a distance value for each user selection. The server then sums the distance values for each user selection to obtain a total distance value. The server subsequently compares the total distance to a predetermined threshold, the server validating the user response when the total distance is less than the predetermined threshold, the validating causing access to be provided to web content specified in the user request.
    Type: Grant
    Filed: August 28, 2015
    Date of Patent: July 18, 2017
    Assignee: SALESFORCE.COM, INC.
    Inventor: Gursev Singh Kalra
  • Patent number: 9710637
    Abstract: Systems and methods for testing to tell computers and humans apart and generating said tests are described. An interface is generated that includes a challenge and a response. The challenge includes a plurality of challenge characters in a challenge region. The response includes a plurality of response characters that includes the plurality of challenge characters drawn in a response region. Drawing the response characters includes drawing a first response character, calculating a second set of coordinates for a second response character, and drawing the second response character. After all of the response characters have been drawn, locations of each of the challenge characters within the response are identified, and a maximum allowed distance is calculated based on the identified locations of the challenge characters within the response.
    Type: Grant
    Filed: August 28, 2015
    Date of Patent: July 18, 2017
    Assignee: SALESFORCE.COM, INC.
    Inventor: Gursev Singh Kalra
  • Patent number: 9712388
    Abstract: A cloud configuration management method implemented in a cloud configuration management system communicatively coupled to one or more cloud nodes in a cloud system includes creating a plurality of golden configurations for each of a plurality of roles, wherein each of the one or more cloud nodes has one of the plurality of roles for operation in the cloud system; defining metadata rules for each of the plurality of golden configurations; performing a configuration analysis to audit the one or more cloud nodes using the metadata rules; and providing results of the configuration analysis to determine misconfiguration of any of the one or more cloud nodes.
    Type: Grant
    Filed: August 12, 2016
    Date of Patent: July 18, 2017
    Assignee: Zscaler, Inc.
    Inventors: Rajnish Mishra, Anupam Pandey, Sachin Kumar, Jaspreet Singh, Anshul Behl, Kaleeswaran Karuppasamy
  • Patent number: 9706404
    Abstract: A user utilizing a first user device can request to be authenticated to a web site. The first user device may send an authentication request to the server operating the web site. The server may then send a first signal to a second user device associated with the user. A second signal can be generated based on reading the first signal. The second user device may send the second signal to the server. The server can compare the first signal and second signal and may authenticate the user if the signals match.
    Type: Grant
    Filed: April 5, 2016
    Date of Patent: July 11, 2017
    Assignee: VISA INTERNATIONAL SERVICE ASSOCIATION
    Inventor: Parveen Bansal
  • Patent number: 9692750
    Abstract: Aspects of an embodiment of the present invention include an approach for changing a password, wherein the approach includes a processor identifying a resource protected by a password. A processor discovers at least one information source containing information relevant to a process for changing the password of the resource. A processor constructs a set of procedures to change the password using the information relevant to the process for changing the password. A processor alters the password of the resource according to the constructed set of procedures.
    Type: Grant
    Filed: September 9, 2016
    Date of Patent: June 27, 2017
    Assignee: International Business Machines Corporation
    Inventors: Hisham E. Elshishiny, Mohamed S. Salem, Shady S. M. Samaan, Amr F. Yassin
  • Patent number: 9684630
    Abstract: Disclosed are various embodiments of a first computing device for obtaining an authentication credential for a cryptographic module of a second computing device. The authentication credential is obtained via a communication session with a module interface of the second computing device. Configuration data is determined for the cryptographic module based at least in part upon the authentication credential. The configuration data is transmitted to the second computing device via the communication session.
    Type: Grant
    Filed: December 5, 2012
    Date of Patent: June 20, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Michael David Marr, Nachiketh Rao Potlapally, Matthew David Klein
  • Patent number: 9686255
    Abstract: The present disclosure describes systems and methods of an authentication framework to implement varying authentication schemes in a configurable and extendable manner. This authentication framework provides a level of abstraction in which requirements for credential gathering and authentication workflow are independent from the agents or authentication implementation that does the credential gathering and authentication workflow. A higher level of abstraction and a more comprehensive authentication framework allows handling the associated authentication transactions of complex authentication schemes without requiring any specific understanding of their internals. For example, the requirements to gather certain credentials for a particular authentication scheme may be configured and maintained separately from the client-side authentication agent that gathers the credentials.
    Type: Grant
    Filed: July 21, 2010
    Date of Patent: June 20, 2017
    Assignee: Citrix Systems, Inc.
    Inventor: Pierre Rafiq
  • Patent number: 9680715
    Abstract: An approach for assessing a service offering selected by a user in a networked computing environment (e.g., a cloud computing environment) is provided. In one aspect, a network environment containing the service offering is monitored for a software configuration activity performed by the user. This software configuration activity is analyzed to identify the software application that is being configured. A set of provider-managed service offerings can be searched for any provider-managed service offering that contains an offered application corresponding to that of the software application. This managed service offering can be included in an alternative suggestion for the service offering.
    Type: Grant
    Filed: January 7, 2014
    Date of Patent: June 13, 2017
    Assignee: International Business Machines Corporation
    Inventors: Kelly Abuelsaad, Lisa Seacat DeLuca, Soobaek Jang, Daniel C. Krook
  • Patent number: 9680908
    Abstract: A method comprising: storing, at a server, an electronic resource that has been electronically signed by a user; associating the electronic resource with an identifier; receiving, at the server and from a client device, a request to identify the user who electronically signed the electronic resource, the request including a reference to the identifier; responsive to receiving the request to identify the user who electronically signed the electronic resource, identifying, based on the reference to the identifier, the electronic resource stored at the server; responsive to identifying the electronic resource stored at the server, identifying the user who electronically signed the identified electronic resource; and transmitting, from the server to the client device, an indication of an identity of the user who electronically signed the electronic resource.
    Type: Grant
    Filed: July 16, 2013
    Date of Patent: June 13, 2017
    Assignee: MicroStrategy Incorporated
    Inventors: Michael J. Saylor, Hector Vazquez, Gang Chen, Sergey Mironenko
  • Patent number: 9667411
    Abstract: Methods, systems, computer-readable media, and apparatuses for providing secure resources to a native operating system resource are described herein. Using one or more aspects described herein, a mobile device may determine that a native operating system service requests to access content located within a wrapped application. The mobile device may transmit, to the native operating system service, a server path to a loopback web server within the wrapped application to elicit a request from the native operating system service to the loopback web server for the content. In response to receiving a request comprising the server path to the loopback web server to retrieve the content from the loopback web server, the mobile device may instruct the loopback web server to transmit an unencrypted version of the content to the native operating system service.
    Type: Grant
    Filed: June 18, 2015
    Date of Patent: May 30, 2017
    Assignee: Citrix Systems, Inc.
    Inventor: Krishna Kumar
  • Patent number: 9667553
    Abstract: Methods, systems, and devices are described for managing network communications. A traffic manager module may receive a message from a first network device to a second network device. The traffic manager module may serve as a proxy between the first network device and the second network device. The traffic manager module may perform an application layer inspection at the traffic manager module on at least one of the message or a response to the message from the second network device, and forward the message or the response to the message to a third network device based on the application layer inspection at the traffic manager module.
    Type: Grant
    Filed: August 19, 2013
    Date of Patent: May 30, 2017
    Assignee: F5 Networks, Inc.
    Inventors: Manish Vachharajani, John Giacomoni, Mark Terrel, Leonard Maiorani
  • Patent number: 9659166
    Abstract: Risk-based credential management is provided. A request to checkout credentials is received. The credentials are associated with at least one managed resource. A risk value of the request is determined. The determination of the risk value is based, at least in part, on risk information of the requesting device. A determination is made whether to deny the request based, at least in part, on the risk value and a first predetermined threshold of a checkout policy.
    Type: Grant
    Filed: January 30, 2015
    Date of Patent: May 23, 2017
    Assignee: International Business Machines Corporation
    Inventors: Leigh T. Doddy, Christopher J. Hockings, Dinesh T. Jain, Philip A. J. Nye