Management Patents (Class 726/6)
  • Patent number: 8745690
    Abstract: A context for a service request made by a service consumer can be used to establish a constraint rules set that is applied by a service provider. A context associated with a first service request can be received from a service consumer. An identity of the service consumer can be verified. A constraint value request associated with the service request can be received from a service provider responding to the service request. One or more constraints can be derived from the first context. An identity of a service provider that will fulfill the service request can be verified. The one or more constraints can be provided to the service provider. Related systems, apparatus, methods, and/or articles are also described.
    Type: Grant
    Filed: December 20, 2007
    Date of Patent: June 3, 2014
    Assignee: SAP AG
    Inventors: Frank Brunswig, Adam Polly, Gerd M. Ritter
  • Patent number: 8745699
    Abstract: To obtain user approval of network transactions at different levels of security, a network site selects a form in which a transaction will be presented to the user from a group of transaction presentation forms including presentation of the transaction in a browser pop-up window on a user network device, in a security software application window on the user network device, and in a security application window on another user network device. The network site also selects a type of approval of the transaction required from the user from a group of transaction approval types including approval requiring no action by the user after presentation of the transaction, the user to actively approve the presented transaction, and the user to sign the presented transaction. The transaction, the selected transaction presentation form, and the selected type of user transaction approval, are transmitted to obtain approval of the transaction by the user.
    Type: Grant
    Filed: April 6, 2011
    Date of Patent: June 3, 2014
    Assignee: Authentify Inc.
    Inventor: Ravi Ganesan
  • Patent number: 8745728
    Abstract: Methods, apparatus, systems and computer program products are described and claimed that provide for automatically and positively determining that an associate accessing a business domain/application using an application-specific associate identifier is the same associate that is accessing another business domain/application using another application-specific associate identifier. Once the positive determination of same associate is made, a federated identifier key is generated and applied to all of the platforms in which the associate can be positively identified, so as to globally identify the associates across multiple enterprise-wide domains/applications. As such, the present invention eliminates the need to manually analyze associate data to determine if an associate interfacing with one domain/application is the same associate interfacing with another domain/application.
    Type: Grant
    Filed: May 10, 2012
    Date of Patent: June 3, 2014
    Assignee: Bank of America Corporation
    Inventors: Rangarajan Umamaheswaran, Bruce Wyatt Englar, Brett A. Nielson, Miroslav Halas
  • Patent number: 8745707
    Abstract: Techniques for concurrent access to a resource object, such as a database object, include generating a lock data structure for a particular resource object. The lock data structure includes data values for a resource object identification, a lock type, and a version number. The version number is related to a number of changes to the resource object since the lock data structure was generated. By carrying a lock version number in a lock data structure managed by a lock manager, improved optimistic locking is provided in a database. In particular, the approach enables introduction of optimistic locking to a legacy database without requiring burdensome changes to a database table schema.
    Type: Grant
    Filed: January 14, 2005
    Date of Patent: June 3, 2014
    Assignee: Cisco Technology, Inc.
    Inventor: Shahrokh Sadjadi
  • Patent number: 8745715
    Abstract: The invention relates to password-based authentication in group networks. Each device has an authentication token irreversibly based on the password. The authentication involves a first device at which the password P is entered and a second device towards which the authentication occurs. The first device determines a check token Mj for the second based on the password and its own authentication token Rl and this check token is sent to the second device, where it is compared with the authentication token of that device. The procedure may include update of a device to exclude a non-trusted device from the group or change the password. Advantageous features are that the information in one device does not allow retrieval of the password and that the password is only exposed at one device, and only temporarily, during the authentication.
    Type: Grant
    Filed: April 16, 2003
    Date of Patent: June 3, 2014
    Assignee: Telefonaktiebolaget LM Ericsson (Publ)
    Inventors: Fredrik Lindholm, Mats Naeslund
  • Patent number: 8745710
    Abstract: Secret information, such as seeds, codes, and keys, can be automatically renegotiated between at least one sender and at least one recipient. Various mechanisms, such as counters, events, or challenges, can be used to trigger automatic renegotiations through various requests or communications. These changes can cause the current secret information to diverge from older copies of the secret information that might have been obtained by unintended third parties. In some embodiments, a secret can be configured to “decay” over time, or have small changes periodically introduced that can be determined to be valid by an authorized party, but can reduce the effectiveness of prior versions of the secret information.
    Type: Grant
    Filed: June 25, 2012
    Date of Patent: June 3, 2014
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory B. Roth, Cristian M. Ilac
  • Patent number: 8745712
    Abstract: Provided are a computer program product, method and system for dynamically providing algorithm-based password/challenge authentication. A page is generated including selectable conversion operators to enable generation of an algorithm that applies at least one selected conversion operator of the selectable conversion operators on a string to generate a password. A created algorithm created using the at least one selected conversion operator in the page is received. The created algorithm is associated with a username for use in authenticating access by a presenter of the username to a computer service.
    Type: Grant
    Filed: August 29, 2012
    Date of Patent: June 3, 2014
    Assignee: International Business Machines Corporation
    Inventors: Winson C W Chao, Ta-Wei Lin, Wei-Shiau Suen, Ming-Hsun Wu, Ying-Hung Yu
  • Patent number: 8745713
    Abstract: A system and method to prevent the installation by a hacker of malicious software onto networked electronic systems, computers, and the like, by removing the read, write and execute administrator permission files of a system's OS, and placing them in a separate, protected server in the cloud. The secure cloud server records the system's unique ID(s). After relocation of the authorized administrator's permissions files, a strong password is requested from the authorized administrator. Thereafter, the network path to the secure cloud server files is encrypted and recorded on the protected system. This path change replaces the former local path in the computer system to those files. The result of these changes to the OS on a protected system eliminates the hacker's access to the system from a network to illicitly become an administrator of the hacked system.
    Type: Grant
    Filed: September 7, 2012
    Date of Patent: June 3, 2014
    Assignee: Cloud Cover Safety, Inc.
    Inventor: Michael James Connor
  • Patent number: 8745709
    Abstract: A multifactor authentication (MFA) enforcement server provides multifactor authentication services to users and existing services. During registration, the MFA enforcement server changes a user's password on an existing service to a password unknown to the user. During normal usage when the user accesses the existing service through the MFA enforcement server, the MFA enforcement server enforces a multifactor authentication enforcement policy.
    Type: Grant
    Filed: February 28, 2011
    Date of Patent: June 3, 2014
    Assignee: Tyfone, Inc.
    Inventors: Siva G. Narendra, Donald Allen Bloodworth, Todd Raymond Nuzum
  • Patent number: 8745711
    Abstract: A system includes an access management server and a cooperation server, wherein the access management server comprises issuance unit that issues a token corresponding to the managed user account in response to a request of the cooperation server, and deletion unit that deletes a user account, of the managed user accounts, which satisfies a predefined deletion condition, and the cooperation server comprises acquisition unit that acquires, when acquisition of a token corresponding to the user account managed by the access management server is requested by another server, if the deletion unit has not deleted the user account, an issued token corresponding to the user account, and to cause, if the deletion unit has already deleted the user account, the access management server to re-register the user account to acquire a token issued for the re-registered user account.
    Type: Grant
    Filed: July 17, 2012
    Date of Patent: June 3, 2014
    Assignee: Canon Kabushiki Kaisha
    Inventor: Kotaro Matsuda
  • Patent number: 8745716
    Abstract: A system for providing an application associated with a portable communication device the ability to communicate via a secure element. The system has a digital identifier and digital token operably associated with the application; a card services module that provides an application programming interface to the secure element; and a secure data table associated with the card services module. The secure data table includes a list of trusted applications each identifiable by paired digital identifier and token. The card services module compares the identifier and the token with each of the identifier-token pairs in the table until a match indicates the application is trusted. The card services module issues commands to the secure element based on an action requested by a trusted application in conjunction with the presentation of the digital token. A method of providing an application with the ability to communicate via secure element is also disclosed.
    Type: Grant
    Filed: October 21, 2011
    Date of Patent: June 3, 2014
    Assignee: Sequent Software Inc.
    Inventors: David Brudnicki, Michael Craft, Hans Reisgies, Andrew Weinstein
  • Patent number: 8745708
    Abstract: A method for providing security measures on a network device, such as a router, is disclosed. In one embodiment, a method includes receiving a request for a network resource. The method further includes determining a classification of the request, and generating, based on the determined classification of the request, a security measure corresponding to the determined classification of the request for authentication of the request. The method also includes permitting access to the network resource when a correct response is received to the security measure corresponding to the determined classification of the request.
    Type: Grant
    Filed: December 17, 2010
    Date of Patent: June 3, 2014
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Mark D. Carney, Theresa A. Menzel, Jeffrey A. Jackson
  • Patent number: 8739252
    Abstract: System, method, and apparatus for providing access to remote computing services are described. The method includes authenticating a user and a client device; establishing a connection to a server computer including: a server program executing on the server computer detecting the connection; the server program creating a blocking process on the server computer to block access of the user to a service on the connection, authorizing, using a client program executing on the client device and the server program, the user to use the service on the server computer including: terminating the blocking process, the user using the service; and the user closing the connection to the server computer. Embodiments of the present invention provide secure remote access to computing services.
    Type: Grant
    Filed: February 12, 2013
    Date of Patent: May 27, 2014
    Assignee: Inbay Technologies Inc.
    Inventors: Randy Kuang, Stanislus Kisito Xavier, Robert Frank Steklasa, Stephen George Wilson, He Zhu
  • Patent number: 8738926
    Abstract: A data processing system including a memory configured to store confidential data and non-confidential data; a cache memory which is configured to cache data stored in the memory and which comprises a first cache memory region and a second cache memory region; a processing circuit configured to carry out, in a first state of the data processing system, a cryptographic algorithm which operates on the confidential data and on the non-confidential data, wherein the confidential data are cached using the first cache memory region and the non-confidential data are cached using the second cache memory region; and an invalidating circuit configured to invalidate the first cache memory region when the data processing system switches from the first state into a second state.
    Type: Grant
    Filed: January 10, 2008
    Date of Patent: May 27, 2014
    Assignee: Intel Mobile Communications GmbH
    Inventors: Eckhard Delfs, Gerard David Jennings
  • Patent number: 8739257
    Abstract: A method is used in managing authentication of virtual clients. An identifier for a virtual client is generated by a virtual server. The identifier is added to a configuration file by the virtual server. The configuration file is associated with the virtual client. The virtual client is authenticated based on the identifier.
    Type: Grant
    Filed: March 28, 2012
    Date of Patent: May 27, 2014
    Assignee: EMC Corporation
    Inventor: Peter Robinson
  • Patent number: 8739256
    Abstract: A system is described comprising a service provider and an identity provider. A user requests access to the service provider and the service provider seeks user credentials from the identity provider. In use, the service provider issues an authentication request, which request specifies details of a plurality of acceptable authentication formats. The identity provider responds to the request either by providing authentication details for said user in one of the formats specified in the request, or by returning an error message indicating that it cannot support any of the specified authentication formats.
    Type: Grant
    Filed: October 8, 2008
    Date of Patent: May 27, 2014
    Assignee: Nokia Solutions and Networks Oy
    Inventors: Uwe Foell, Jin Liu
  • Patent number: 8739251
    Abstract: Provided are a method, system, and computer storage device for managing zone information for devices in a network. A zone table includes entries indicating whether devices in at least one zone are permitted to communicate. An attributes table has attributes of the devices indicated in the zone table. A determination is made of attributes from the attributes table for devices indicated in the zone table entries as being permitted to communicate. The entries in the zone table indicating that devices can communicate are verified by determining whether the attributes for the devices indicated as permitted to communicate in the entries in the zone table are consistent with the determined devices being able to communicate. Information is outputted indicating whether the entries in the zone table indicating that devices can communicate are in error.
    Type: Grant
    Filed: April 13, 2012
    Date of Patent: May 27, 2014
    Assignee: International Business Machines Corporation
    Inventors: Yoshitaka Matsumoto, Yoshihiko Terashita, Hiroyuki Tanaka
  • Patent number: 8738931
    Abstract: A semantics engine is described that produces a semantically-impaired but equivalent version of the original source code that can be compiled and executed using conventional tools for commonly used programming languages. This semantically-impaired source code and the compiled assemblies it produces are incomprehensible to anyone who would attempt to read them. The semantics-impairing process is irreversible both at the source and the assembly levels and the machine code generated by the semantically-impaired source code is exactly the same as that produced by the original source code. The semantics engine achieves confidentiality without using encryption or compression. All protective modifications are made directly to copies of the original source code thereby introducing no intermediate forms of the code.
    Type: Grant
    Filed: October 21, 2013
    Date of Patent: May 27, 2014
    Inventor: Conley Jack Funk
  • Patent number: 8739245
    Abstract: Systems, methods, and other embodiments associated with flexible supplicant access control are described. One example method includes collecting a network information associated with a network to which an endpoint is to be communicatively coupled. The network information comprises a network identification and information to facilitate the evaluation of network threats. The example method may also include classifying the network based, at least in part, on the network information, to assign a variable level access parameter (VLAP) to the network based on the policy locally configured on the endpoint or centrally managed by the administrator. The VLAP may establish three or more access levels for the network at the endpoint. The example method may also include communicating the network identification and the network VLAP to a second endpoint, a security agent, a security application, and so on.
    Type: Grant
    Filed: January 14, 2009
    Date of Patent: May 27, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: Joseph Salowey, Hao Zhou, Jason Frazier
  • Publication number: 20140143845
    Abstract: A method and system for password recovery in computer applications is disclosed. Passwords in the same computer application may be recovered according to different criteria. Criteria for password recovery vary according to the sensitivity of the password-protected material. Criteria for recovery of a password protecting sensitive information have more stringent criteria than criteria for recovery of passwords protecting less sensitive information. In certain embodiments, passwords may be recovered through the use of third party agents. Recovered passwords are associated with unique identifiers, such as email addresses and phone numbers that facilitate communication with a user. Recovered passwords may be transmitted to users via email, phone, and text message or by any other means associated with the unique identifier.
    Type: Application
    Filed: November 21, 2012
    Publication date: May 22, 2014
    Applicant: Applied Research Works, Inc.
    Inventors: Shaibal Roy, Subhendu Aich, Pankaj Agrawal, Rashmi Saha, Amrita Pal
  • Publication number: 20140143545
    Abstract: This invention provides a system and method to search for and securely download Digital MultiMedia Evidence (DME) data from a central DME repository to portable USB, smart phone, tablet, laptop, desktop, or other data storage devices, with a clear chain of custody and access control audit trail reporting, so the DME can be used to prepare for and conduct legal proceedings.
    Type: Application
    Filed: November 19, 2013
    Publication date: May 22, 2014
    Applicant: Utility Associates, Inc.
    Inventors: Robert S. McKeeman, Ted M. Davis
  • Patent number: 8732845
    Abstract: Systems, methods and articles of manufacture for generating a video such that when another person views the video, the other person can view non-private information but not private information of the person who generated the video. A first interview screen is generated by a financial application and displayed to a first person or user of a financial application. The screen includes private data related to the first person. A video of the interview screen is generated and may be transmitted over a network to a second person who may also utilize a financial application. The video is displayed to the second person, but the second person cannot view the private data related to the first person.
    Type: Grant
    Filed: May 18, 2012
    Date of Patent: May 20, 2014
    Assignee: Intuit Inc.
    Inventors: Steven C. Barker, Benjamin J. Kanspedos
  • Patent number: 8732806
    Abstract: Aspects of a method and system for hardware enforced virtualization in an integrated circuit are provided. In this regard, a mode of operation of an integrated circuit may be controlled such that the integrated circuit alternates between a secure mode of operation and an open mode of operation. Various resources of the integrated circuit may be designated as open or secure, and secure resources may be made inaccessible while the integrated circuit operates in the open mode. Access to the secure resources may be controlled based on a configuration of one or more registers and/or switching elements. Resources designated as secure may comprise, for example, a one-time-programmable memory. The integrated circuit may comprise ROM and/or one-time-programmable memory that stores one or more instructions, wherein execution of the one or more instructions may control transitions between the secure mode and the open mode.
    Type: Grant
    Filed: September 14, 2009
    Date of Patent: May 20, 2014
    Assignee: Broadcom Corporation
    Inventors: John Markey, Love Kothari, Paul Chou
  • Patent number: 8731529
    Abstract: In particular implementations, a mobile device management system allows network administrators to control the distribution and publication of applications to mobile device users in an enterprise network.
    Type: Grant
    Filed: November 16, 2012
    Date of Patent: May 20, 2014
    Assignee: Mobile Iron, Inc.
    Inventors: Jesse Wagner Lindeman, Thomas Edward Wagner, Suresh Kumar Batchu, Ojas Udayan Rege, Ajay Kumar Mishra, Robert Bates Tinker
  • Patent number: 8732819
    Abstract: A device and a method for graphical passwords. A device displays an initial image comprising a plurality of graphical elements, each graphical element having at least two variants; receives user input to select a variant of a number of the graphical elements, thereby generating a modified image; and generates the secret value from at least the selected variants of the graphical elements. The graphical elements are advantageously seamlessly integrated in the images, thereby making the system resistant to shoulder surfing attacks.
    Type: Grant
    Filed: May 9, 2011
    Date of Patent: May 20, 2014
    Assignee: Thomson Licensing
    Inventors: Yves Maetz, Marc Eluard, Davide Alessio, Gilles Desoblin
  • Patent number: 8732807
    Abstract: A method and system for securing a user transaction involving a subscriber unit (“SU”) (having a processor, memory, and a display configured to accept user input), a credential information manager (“CIM”) (having a processor and memory), and a transaction service provider (“TSP”) (having a processor and memory). A cyber identifier (“CyberID”), a subscriber identifier (“SubscriberID”), and subscriber information, each associated with the user, are stored in the CIM. A transaction request is sent from the SU to the TSP, which creates a transaction identifier (“TID”), stores it in the TSP memory and transmits it to the SU. The SU transmits an authentication request, the TID, and SubscriberID to the CIM, which authenticates the SubscriberID and verifies the TID to the TSP. The TSP verifies the TID and reports it to the CIM, which transmits the CyberID and subscriber information to the TSP, and transmits a transaction authorization to the SU.
    Type: Grant
    Filed: April 9, 2012
    Date of Patent: May 20, 2014
    Assignee: Medium Access Systems Private Ltd.
    Inventors: Yang Lit Fang, Ryan Nacion Trinidad
  • Patent number: 8732795
    Abstract: A computer-implemented authentication method is described. The method includes the steps of (a) receiving an authentication request at an authentication computing system, the request including a resource identifier, (b) identifying one or more authentication pools associated with the resource identifier, each authentication pool including at least one authentication method implementation, (c) executing a pool authentication process for the one or more identified authentication pools, and (d) transmitting a response to the identification authentication request based on the execution of the pool authentication process for the one or more identified authentication pools.
    Type: Grant
    Filed: May 19, 2011
    Date of Patent: May 20, 2014
    Assignee: Epic Systems Corporation
    Inventors: Trent N. Skeel, Eric W. Cooper, Travis Keshav
  • Publication number: 20140137218
    Abstract: Embodiments are directed to establishing separate security identities for a shared service and shared service instances, and to managing shared and service instance credentials. In one scenario, a computer system establishes a shared credential for a shared service that includes multiple shared service instances, where the shared credential uniquely identifies the shared service. The computer system establishes a service instance credential for each shared service instance that uniquely identifies each shared service instance and maintains a relationship between the service instance and the shared service. The relationship provides service instance access to the shared credentials as the shared credentials are updated over time. Then, upon determining that the shared credentials have been updated and are no longer valid, the shared service instance accesses the updated shared credentials using the established relationship.
    Type: Application
    Filed: November 9, 2012
    Publication date: May 15, 2014
    Applicant: MICROSOFT CORPORATION
    Inventors: David A. Matson, Kahren Tevosyan, Mark Russinovich
  • Publication number: 20140137220
    Abstract: A method of obtaining password data for entry to an application running on a device. The method may include running a password manager application on a device. The password manager application may identify one or more applications installed on the device. The password manager application may display the identified applications on a display of the device. The password manager application may receive a user selection of a displayed application. The password manager application may determine whether an entry exists for the selected application in a memory associated with the password manager application. If no entry exists, the password manager application may generate an entry comprising password data for the selected application. If an entry exists, the password manager application may retrieve password data relating to the selected application.
    Type: Application
    Filed: November 4, 2013
    Publication date: May 15, 2014
    Applicant: F-Secure Corporation
    Inventor: Jarno NIEMELA
  • Publication number: 20140137219
    Abstract: User authentication is provided. At least one of a social network and a business network of each user in a plurality of users is accessed. User history data of each user in the plurality of users is monitored in the at least one of the social network and the business network. Challenge questions requiring a user response are generated based on monitoring the user history data of the users. The user response to a generated challenge question is evaluated. A set of events is triggered based on evaluating the user response.
    Type: Application
    Filed: January 7, 2013
    Publication date: May 15, 2014
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: INTERNATIONAL BUSINESS MACHINES CORPORATION
  • Patent number: 8726360
    Abstract: The invention relates to a telecommunication method having the following steps: establishing a first connection (101) between a first ID token (106) and a first computer system (136) via a second computer system (100) for reading at least one first attribute from the first ID token, generating a first soft token, wherein the first soft token comprises the at least one first attribute and a time specification, and wherein the first soft token is signed by the first computer system, sending the first soft token from the first computer system to a third computer system (150), wherein the first connection is a connection with end-to-end encryption.
    Type: Grant
    Filed: September 4, 2009
    Date of Patent: May 13, 2014
    Assignee: Bundesdruckerei GmbH
    Inventors: Frank Dietrich, Manfred Paeschke, Robert Fiedler
  • Patent number: 8726356
    Abstract: For enabling single sign-on among applications, a linkage ID indicating connection between the authentication apparatus 1 including the client function and the server apparatus 2 is shared among a plurality of applications. For that, a SV information management unit Aa of the authentication apparatus 1 having the client function manages the linkage ID by storing it in a predetermined storing unit. An AP information management unit Ab manages and stores connection information between applications in a predetermined storing unit, wherein the connection information includes an application name corresponding to an application. Then, an AP decision unit determines whether an application name included in a received linkage ID request is registered in the AP information management unit Ab, obtains the linkage ID from the SV information management unit Aa when the application name is registered in the AP information management unit Ab, and returns the linkage ID to a source of the linkage ID request.
    Type: Grant
    Filed: February 28, 2008
    Date of Patent: May 13, 2014
    Assignees: Nippon Telegraph and Telephone Corporation, Nippon Hoso Kyokai
    Inventors: Yuko Konya, Masahito Kawamori, Tomokazu Yamada, Katsuhiko Kawazoe, Kiyohiko Ishikawa, Arisa Fujii, Syunji Sunasaki, Ganji Eto, Koichi Ishikawa
  • Patent number: 8726014
    Abstract: A system for managing license files comprises a memory operable to store a socket module. The system further comprises a processor communicatively coupled to the memory and operable to receive a command to open a license file, wherein the command is associated with a first user identifier. The license file is stored in a first remote node and is associated with a second user identifier. If the second user identifier matches the first user identifier, the processor is further operable to use the socket module to establish a socket connection with the first remote node. The processor is further operable to, using the socket connection, retrieve from the first remote node a file descriptor associated with the license file. The processor is further operable to apply an update to the license file, wherein the update is addressed according to the file descriptor. If the second user identifier does not match the first user identifier, the processor is further operable to prevent the updating of the license file.
    Type: Grant
    Filed: October 23, 2006
    Date of Patent: May 13, 2014
    Assignee: CA, Inc.
    Inventor: Vincent Scovetta
  • Patent number: 8726277
    Abstract: The present invention extends to methods, systems, and computer program products for domain controller safety-features and cloning. Embodiments include cloning virtual domain controllers. Cloning permits virtual domain controllers to be rapidly deployed by copying/cloning the entire operating system state of an existing virtual domain controller. Other embodiments provide safety features protecting domain controllers running within virtual machines from introducing distributed corruption into a directory services data system. Protection is facilitated by detecting when a hypervisor or Virtual Machine Manager (“VMM”) uses features that cause a virtual machine to be rolled back in time outside of an operating system's awareness. In response to detecting a feature that causes rollback, safeties can be implemented to compensate for otherwise divergent state and prevent the introduction of duplicate unique identifiers.
    Type: Grant
    Filed: January 24, 2012
    Date of Patent: May 13, 2014
    Assignee: Microsoft Corporation
    Inventors: Dean Anthony Wells, Gregoire Guetat, Gregory Christopher Johnson, Uday Hegde, Richard Hill
  • Patent number: 8726036
    Abstract: According to this disclosure, a user is identified (and selectively granted access to protected resources) by using information that describes the user's interpersonal relationships. This information typically is stored in a datastore, such as a digital address book, an online profile page, or the like. The user's digital address book carries an “acquaintance pattern” that changes dynamically in time. This pattern comprises the information in the user's contact list entries. In this approach, the entropy inherent in this information is distilled into a unique acquaintance digest (or “fingerprint”) by normalizing the contact list data, and then applying a cryptographic function to the result.
    Type: Grant
    Filed: September 20, 2011
    Date of Patent: May 13, 2014
    Assignee: Wallrust, Inc.
    Inventors: Adam Kornafeld, Jozsef Patvarczki, Marton B. Anka, Endre Tamas
  • Patent number: 8724625
    Abstract: A method of configuring a network access device connected to an access network connected to a plurality of service networks, the network device having a first network address allocated to a subscriber of services of a first service provider provided by a first service network, with a new network address allocated to a second subscriber of services of either the first service provider, or a second service provider provided by a second service network. The method comprises the steps of: sending a request from the network access device to the access network with user credentials for the second subscriber requesting access to the first service provider or a change to the second service provider; receiving a response from the access network; and initiating a network address change request using a configuration protocol.
    Type: Grant
    Filed: January 24, 2013
    Date of Patent: May 13, 2014
    Assignee: AT&T Intellectual Property II, L.P.
    Inventors: Sean E. Carolan, John W. Garrett, Charles Robert Kalmanek, Jr., Han Q. Nguyen, Kadangode K. Ramakrishnan
  • Patent number: 8724809
    Abstract: A method and system for tuning to a scrambled television channel is provided. One implementation involves receiving a channel selection from a user, tuning to the selected scrambled channel, checking a cache for Conditional Access (CA) descrambling information associated with the selected channel, and in case of a cache hit, then retrieving the descrambling information associated with the selected channel from the cache for descrambling the scrambled channel.
    Type: Grant
    Filed: August 12, 2008
    Date of Patent: May 13, 2014
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Fei Xie, Victor Liang, Kitae Nahm, Juan Carlos Trujillo
  • Patent number: 8724803
    Abstract: A method and apparatus for secure generation of a short-term key SK for viewing information content in a Multicast-broadcast-multimedia system are described. A short-term key is generated by a memory module residing in user equipment (UE) only when the source of the information used to generate the short-term key can be validated. A short-term key can be generated by a Broadcast Access Key (BAK) or a derivative of BAK and a changing value with a Message Authentication Code (MAC) appended to the changing value. A short-term key (SK) can also be generated by using a private key and a short-term key (SK) manager with a corresponding public key distributed to the memory module residing in the user equipment (UE), using a digital signature.
    Type: Grant
    Filed: September 1, 2004
    Date of Patent: May 13, 2014
    Assignee: QUALCOMM Incorporated
    Inventors: James Semple, Gregory Gordon Rose
  • Publication number: 20140129826
    Abstract: Aspects of the subject matter described herein relate to a simplified login for mobile devices. In aspects, on a first logon, a mobile device asks a user to enter credentials and a PIN. The credentials and PIN are sent to a server which validates user credentials. If the user credentials are valid, the server encrypts data that includes at least the user credentials and the PIN and sends the encrypted data to the mobile device. In subsequent logons, the user may log on using only the PIN. During login, the mobile device sends the PIN in conjunction with the encrypted data. The server can then decrypt the data and compare the received PIN with the decrypted PIN. If the PINs are equal, the server may grant access to a resource according to the credentials.
    Type: Application
    Filed: January 13, 2014
    Publication date: May 8, 2014
    Applicant: Microsoft Corporation
    Inventors: Meir Mendelovich, John Neystadt, Ken Aoyama, Nir Nice, Shay Yehuda Gurman
  • Patent number: 8719366
    Abstract: Consent management between a client and a network server. In response to a request for consent, a central server determines if requested user information is included in a user profile associated with a user and if the user has granted consent to share the requested user information. A user interface is provided to the user via a browser of the client to collect the requested user information that is not included in the user profile and the consent to share the requested user information from the user. After receiving the user information provided by the user via the user interface, the service provided by the network server is allowed access to the received user information, and the central server updates the user profile. Other aspects of the invention are directed to computer-readable media for use with profile and consent accrual.
    Type: Grant
    Filed: August 13, 2009
    Date of Patent: May 6, 2014
    Inventors: Ashvin Joseph Mathew, Puhazholi Vetrivel, Nayana Ramdas Mutha, Joseph Nicholas Coco, Melissa W. Dunn
  • Patent number: 8719948
    Abstract: A method, apparatus and computer program product for controlling access to host access credentials required to access a host computer system by a client application is provided. The host access credentials are stored in a restricted access directory. The method comprises authenticating directory access credentials received from a client application. The authenticated client application then requests the host access credentials and a determination as to whether the authenticated client process is authorized to access the requested host access credentials, and, if authorized, these are provided to the client application.
    Type: Grant
    Filed: April 30, 2007
    Date of Patent: May 6, 2014
    Assignee: International Business Machines Corporation
    Inventor: Peter Edward Havercan
  • Patent number: 8719905
    Abstract: To authenticate a user of a mobile communication device for login or transaction authorization, a first application on the device directs transmission of a request for authentication of the user to a security server. A second application on the device receives the request for authentication from the security server and directs presentation of the received request for authentication to the user by the device. The second application receives a user input to the device indicating that the requested authentication should proceed and in response directs transmission of an indication that the requested authorization should proceed, to the security server. In response to this latter transmission, the second application receives a PIN from the authentication server. The first application directs transmission of the PIN received by the second application to the network site, which validates the transmitted PIN, in order to authenticate the user or the transaction to the network site.
    Type: Grant
    Filed: April 6, 2011
    Date of Patent: May 6, 2014
    Assignee: Authentify Inc.
    Inventor: Ravi Ganesan
  • Patent number: 8719908
    Abstract: This disclosure relates to a digital certificate management system configured to consolidate information related to digital certificates across enterprise systems. In some implementations, the system may be configured to automate recurring harvesting of digital certificate information from current and/or future enterprise systems associated with one or more companies. The system may be configured to standardize the digital certificate information in a centralized database. The system may be configured to identify owners associated with individual digital certificates and pro-actively notify the owners of information associated with digital certificate due dates, for example. In some implementations, the system may be configured to escalate the notifications to the owners and/or other entities as expiration dates approach. In some implementations, the system may comprise an application server, enterprise systems, and/or other components.
    Type: Grant
    Filed: December 21, 2012
    Date of Patent: May 6, 2014
    Assignee: Disney Enterprises, Inc.
    Inventors: Richard Boniface, Michael Randall, Janet Friedman
  • Patent number: 8719906
    Abstract: Systems and methods for reactively authorizing publication of information by a third party are coordinated through the use of a presence server. The presence server communicates with other communication nodes/devices to determine and relay publication information. Publication requests that are initially unauthorized, from the perspective of the presence server, are resolved.
    Type: Grant
    Filed: May 28, 2009
    Date of Patent: May 6, 2014
    Assignee: Optis Wireless Technology, LLC
    Inventors: Christer Boberg, David Cox, Mikael Klein, Sofie Lassborn, Anders Lindgren
  • Publication number: 20140123254
    Abstract: A relationship and sharing account system includes computing devices configured to execute modules including a user account module configured to store a plurality of user accounts, each corresponding to a user and including user information, at least some of which is accessible to other users, a login module, a communication module configured to obtain information sharing requests, which specify the sharing of information to other users, a sharing account creation module configured to create a user sharing account linked to an existing user account and corresponding to a subsidiary user, and an information duplication module configured to a) automatically copy information in a user sharing request input by the subsidiary user to the linked user account; or b) notify the user corresponding to the linked user account when an information sharing request is input by the subsidiary user and require approval before sharing the information with other users.
    Type: Application
    Filed: November 1, 2013
    Publication date: May 1, 2014
    Applicant: Alpha Sun & Sport - AS&S, LLC
    Inventor: Alan McBrearty
  • Publication number: 20140123253
    Abstract: Disclosed herein are example embodiments for behavioral fingerprinting via inferred personal relation. For certain example embodiments, at least one indication of personal relation for at least one authorized user may be inferred via at least one user-device interaction, and the at least one indication of personal relation may be incorporated into at least one behavioral fingerprint that is associated with the at least one authorized user, with the at least one behavioral fingerprint including one or more indicators of utilization of one or more user devices by the at least one authorized user.
    Type: Application
    Filed: October 31, 2012
    Publication date: May 1, 2014
    Applicant: Elwha LLC, a limited liability corporation of the State of Delaware
    Inventors: Marc E. Davis, Matthew G. Dyor, Daniel A. Gerrity, Xeudong Huang, Roderick A. Hyde, Royce A. Levien, Richard T. Lord, Robert W. Lord, Mark A. Malamud, Nathan P. Myhrvold, Clarence T. Tegreene
  • Publication number: 20140123252
    Abstract: A method for associating a web event with a member of a group of users is implemented at a first computing device. The method includes: receiving a data access request from a second computing device; determining whether the user has previously provided personal information and authorization to the first computing device through the second computing device; if the user's personal information and authorization are found: generating a record for the data access request; if the user's personal information is found but the user's authorization is not found: generating a record for the data access request; and if neither of the user's personal information and authorization is found: identifying one or more user identifiers that are associated with the second computing device; and returning personal information associated with the one or more user identifiers to the second computing device.
    Type: Application
    Filed: October 25, 2012
    Publication date: May 1, 2014
    Inventor: Simon Michael Rowe
  • Patent number: 8713628
    Abstract: An approach is provided for performing cloud based computer network security services. Data traffic from a plurality of networks corresponding to a plurality of subscribers are received. Data traffic is routed to a security platform over a communication path to one or more service aggregators to process the data traffic according to one or more security services performed by the security platform. The security services are provided as a managed service by a service provider. The processed data are received from the one or more service aggregators, and routed to the corresponding one of the networks.
    Type: Grant
    Filed: February 8, 2011
    Date of Patent: April 29, 2014
    Assignee: Verizon Patent and Licensing Inc.
    Inventor: Juzer Kopti
  • Patent number: 8713652
    Abstract: Systems and methods provide a gaming machine that is protected from the introduction of rogue code. One aspect of the systems and methods includes disabling a user access feature, such as a login or network access feature of an operating system executing on the gaming machine. A further aspect of the systems and methods includes removing debuggers and debugging information from an operating system or application executing on the gaming machine.
    Type: Grant
    Filed: May 5, 2005
    Date of Patent: April 29, 2014
    Assignee: WMS Gaming Inc.
    Inventor: Craig J. Sylla
  • Patent number: 8713657
    Abstract: Systems and methods for weak authentication data reinforcement are described. In some embodiments, authentication data is received in a request to authenticate a user. In response to detecting weak authentication data, the systems and methods determine whether the user was previously authenticated as a human user. An example embodiment may include initiating an authentication process based on determining that the user was previously authenticated as a human user.
    Type: Grant
    Filed: September 10, 2012
    Date of Patent: April 29, 2014
    Assignee: eBay Inc.
    Inventor: Mark C. Lee