Management Patents (Class 726/6)
  • Publication number: 20140090036
    Abstract: An online credential platform enables organizations and people to create, manage, exchange and verify professional and personal credentials to support trust, reputation and transactions. The platform can allow credential issuers to create credential types and then assign them to proxies that represent real world persons or entities. Following this, it can allow other sites and applications to verify a person's or entity's credentials within the scope of their site or application reliably and with maximum privacy/anonymity.
    Type: Application
    Filed: September 25, 2013
    Publication date: March 27, 2014
    Applicant: SIGKAT CORPORATION
    Inventor: Jay Benson ROBERTS
  • Patent number: 8683566
    Abstract: A system is provided. The system comprises a computer system and an application that, when executed on the computer system, creates a virtual private site in response to a request from a first portable electronic device, the site storing and displaying electronic content posted by the first device. The application also receives a first message from the first device containing a request to authorize a second portable electronic device to access content from the virtual private site and associates a unique identifier for the second device with a credential for the second device. The system also receives a second message containing a request from the second device to access electronic content from the virtual private site. The system also verifies the unique identifier received in the second message, verifies the credential received in the second message, and transmits the electronic content to the second portable electronic device from the virtual private site.
    Type: Grant
    Filed: September 8, 2009
    Date of Patent: March 25, 2014
    Assignee: Sprint Communications Company L.P.
    Inventors: Michael A. Gailloux, Kenneth W. Samson
  • Patent number: 8683196
    Abstract: A method and system for renewing certificates stored on tokens is described.
    Type: Grant
    Filed: November 24, 2009
    Date of Patent: March 25, 2014
    Assignee: Red Hat, Inc.
    Inventors: Christina Fu, John Garraye Magne
  • Patent number: 8683561
    Abstract: A tamperproof ClientID system to uniquely identify a client machine is invoked upon connection of a client application to a backend. Upon initial connection, the backend issues a unique ClientID containing a checksum. The client application prepares at least two different scrambled versions of the ClientID and stores them in respective predetermined locations on the client machine. Upon subsequent connection to the backend, the client application retrieves and unscrambles the values at the two locations, verifies the checksums and compares the values. If the checksums are both correct and the values match, the ClientID value is sent to the backend, otherwise the client application sends an error code.
    Type: Grant
    Filed: August 15, 2011
    Date of Patent: March 25, 2014
    Assignee: Cambridge Interactive Development Corp.
    Inventor: Daniil Utin
  • Patent number: 8682957
    Abstract: The current invention is directed to embedded, wireless cloud-connector devices and systems that allow the embedded, wireless cloud-connector devices to be deployed in a variety of embedding devices, applications, and uses. The embedded, wireless, cloud-connector devices to which the current application is directed are implemented using a single integrated circuit, or set of integrated-circuit chips, and each interfaces to a device, product, or system in which the cloud-connector devices are embedded as subcomponents as well as to a communications-services provider. The cloud-connector devices provide data exchange between devices, products, and systems in which they are embedded and cloud providers that provide cloud-computing services, data-message routing, and wireless services through wireless carriers.
    Type: Grant
    Filed: February 16, 2012
    Date of Patent: March 25, 2014
    Assignee: Microsoft Corporation
    Inventors: Jeremy Elson, David Molnar, Jon Howell
  • Patent number: 8683545
    Abstract: One aspect of the present invention can include a system, a method, a computer program product and an apparatus for federating policies from multiple policy providers. The aspect can identify a set of distinct policy providers, each maintaining at least one policy related to a service or a resource. A federated policy exchange service can be established that has a policy provider plug-in for each of the distinct policy providers. The federated policy exchange service can receive requests for policies from a set of policy requesters. Each request can include a resource_id or a service_id used to uniquely identify the service or resource. The federated policy exchange service can dynamically connect to a set of the policy providers to determine policies applicable to each request. For each request, results from the policy providers can be received and processed to generate a response. The federated policy exchange service can provide the response to each policy requestor responsive in response to each response.
    Type: Grant
    Filed: August 15, 2008
    Date of Patent: March 25, 2014
    Assignee: International Business Machines Corporation
    Inventors: Anthony J. Nadalin, Nataraj Nagaratnam, Sridhar R. Muppidi
  • Patent number: 8683560
    Abstract: Systems and methods for managing credentials distribute the credentials to subsets of a set of collectively managed computing resources. The collectively managed computing resources may include one or more virtual machine instances. The credentials distributed to the computing resources may be used by the computing resources to perform one or more actions. Actions may include performing one or more functions in connection with configuration, management, and/or operation of the one or more resources, and/or access of other computing resources. The ability to use credentials may be changed based at least in part on the occurrence of one or more events.
    Type: Grant
    Filed: December 29, 2010
    Date of Patent: March 25, 2014
    Assignee: Amazon Technologies, Inc.
    Inventors: Marc J. Brooker, Mark Joseph Cavage, David Brown, Kevin Ross O'Neill, Eric Jason Brandwine, Christopher Richard Jacques de Kadt
  • Patent number: 8683571
    Abstract: A system and method for authenticating a user in a secure computer system. A client computer transmits a request for a sign-on page, the secure computer system responds by transmitting a prompt for a first user identifier, and the client computer transmits a request including a first identifier, a second identifier stored in an object stored at the client computer and a plurality of request header attributes. A server module authenticates the first and second user identifiers, and compares the transmitted plurality of request header attributes with request header attributes stored at the computer system and associated with the first and second user identifiers. If the first and second user identifiers are authenticated, and if a predetermined number of transmitted request header attributes match stored request header attributes, the server software module transmits a success message, and the user is allowed to access the secure computer system.
    Type: Grant
    Filed: July 24, 2012
    Date of Patent: March 25, 2014
    Assignee: Keycorp
    Inventors: Onesimo Zapata, Susan E. Zielinski, Deana M. Flannery
  • Patent number: 8683562
    Abstract: Embodiments of the invention facilitate the use of a contactless memory token to automate log-on procedures to a remote access server using dynamic one-time passwords (OTPs). A series of workflow steps establishes the identity of the user and charges a token with a number of dynamic OTPs that can be subsequently verified using, for example, a Radius server sitting behind a VPN or SSL/VPN server.
    Type: Grant
    Filed: February 1, 2012
    Date of Patent: March 25, 2014
    Assignee: Imprivata, Inc.
    Inventors: David M. T. Ting, Jason Mafera
  • Patent number: 8683563
    Abstract: An improved technique for assessing the security status of a device on which a soft token is run collects device posture information from the device running the soft token and initiates transmission of the device posture information to a server to be used in assessing whether the device has been subjected to malicious activity. The device posture information may relate to the software status, hardware status, and/or environmental context of the device. In some examples, the device posture information is transmitted to the server directly. In other examples, the device posture information is transmitted to the server via auxiliary bits embedded in passcodes displayed to the user, which the user may read and transfer to the server as part of authentication requests. The server may apply the device posture information in a number of areas, including, for example, authentication management, risk assessment, and/or security analytics.
    Type: Grant
    Filed: March 30, 2012
    Date of Patent: March 25, 2014
    Assignee: EMC Corporation
    Inventors: Marten van Dijk, Kevin D. Bowers, Samuel Curry, Sean P. Doyle, William M. Duane, Ari Juels, Michael J. O'Malley, Nikolaos Triandopoulos, Riaz Zolfonoon
  • Patent number: 8683557
    Abstract: A system, method and computer program product for using delegation as a mechanism to manage business activity by taking on a shared identity. In some implementations, the system includes a user interface module for receiving input signals from and sending information to a user, a delegate authentication module and an identity translation module. The delegate authentication module is operable to determine that an individual user identity is authorized to act as a delegate for an organization having an identity on a network-based software application and generate a verification signal. The delegate authentication module is coupled to the user interface module to receive the input signals from the user. The identity translation module is operable to translate the input signals from the user to a format such that they appear to be from the identity of the organization.
    Type: Grant
    Filed: February 3, 2012
    Date of Patent: March 25, 2014
    Assignee: Google Inc.
    Inventors: Pavan K. Desikan, Michael Nestler
  • Patent number: 8683564
    Abstract: Systems and methods for One-Time Password (OTP) authentication with infinite nested hash chains are described. In one aspect, a methodology includes a client device that provides a one-time password (OTP) authentication server with certain registration information. The client device generates, via the OTP authentication server, an authenticated OTP with infinite nested hash chains. These generating operations use a first hash function (h_A(•)) for updating a seed chain, a second hash function (h_B(•)) for OTP production, an OTP seed number s_t^OTP for a t-th authentication, and two authentication seeds of numbers s_{2t-1}^Auth and s_{2t}^Auth, for the t-th authentication.
    Type: Grant
    Filed: November 17, 2010
    Date of Patent: March 25, 2014
    Assignee: King Saud University
    Inventors: Muhammad Khurram Khan, Mohamed Hamdy Khalil Eldefrawy, Khaled Soliman Alghathbar
  • Publication number: 20140082709
    Abstract: The present invention discloses a dynamic password authentication method and a system thereof. The method comprises: a server receives first information sent from the client, generates second information according to the first information, sets every transmission bit in the second information to be in corresponding brightness status or color status to obtain a third information and sends it to a client; the client transforms the third information into impulse optical signal and outputs it; a dynamic password device transforms the impulse optical signal into intermediate information, extracts part or all of it and transforms it into display information; the dynamic password device receives trigger information, generates a first dynamic password; the server generates a second dynamic password or a set of second dynamic passwords and verifies whether the first dynamic password is legitimate by it. Security of authentication is improved by the present invention.
    Type: Application
    Filed: December 27, 2011
    Publication date: March 20, 2014
    Applicant: FEITIAN TECHNOLOGIES CO., LTD.
    Inventors: Zhou Lu, Huazhang Yu
  • Publication number: 20140082367
    Abstract: Methods, systems, and computer programs for verifying a password are disclosed. For example, the password can be verified on a mobile device to control user access to the mobile device. In some implementations, a mobile device includes a user interface, a main processor, and a co-processor. The user interface receives a submitted password value from a user. The main processor calls the co-processor to provide a hash chain input value based on the submitted password value. The main processor evaluates a hash chain based on the hash chain input value provided by the co-processor. Evaluating the hash chain generates a submitted password verification value. The submitted password verification value is compared to a stored password verification value stored on the mobile device. Access to mobile device functionality may be permitted or denied based on a result of the comparison.
    Type: Application
    Filed: November 19, 2013
    Publication date: March 20, 2014
    Applicants: CERTICOM CORP., BLACKBERRY LIMITED
    Inventors: Robert J. LAMBERT, Robert H. WOOD, Brian LAMB
  • Publication number: 20140082710
    Abstract: A method for authenticating an OTP (one time password) and an instrument therefor, in which the method includes determining whether the OTP token is authenticated successfully, if the OTP token is not authenticated successfully, setting size of an authentication window to be a first predetermined time length and authenticating the obtained OTP according to the authentication window; if the OTP token is authenticated successfully, determining whether the interval between the authentication success time and the current system time is longer than a second predetermined time length, if yes, setting size of the authentication window to be a third predetermined time length and authenticating the obtained OTP according to the authentication window and the authentication success time, in which the third predetermined time length is shorter than the first predetermined time length; otherwise, setting size of the authentication window to be a fourth predetermined time length and authenticating the obtained OTP accordin
    Type: Application
    Filed: December 21, 2012
    Publication date: March 20, 2014
    Applicant: Feitian Technologies Co., Ltd.
    Inventors: Zhou Lu, Huazhang Yu
  • Publication number: 20140082712
    Abstract: Systems and methods according to the present invention provide a proactive approach to controlling access to information that may be correlated with a governmentally issued personal identifier. Included are systems and methods for proactive control of information access and liability incursion. Further included are systems and methods for emulating information access to an authorized person. Generally, a method according to the present invention includes the steps of requesting verification from a subscriber at any time that information is requested from registered information holders and any time that liability may be incurred through registered information holders. In this way, the subscriber, rather than reacting to invasive information or identity theft, may proactively control access to such information, thereby preventing the theft in the first place.
    Type: Application
    Filed: November 26, 2013
    Publication date: March 20, 2014
    Inventor: Vicki L. James
  • Publication number: 20140082711
    Abstract: Systems, methods, and computer readable media for encapsulating multiple Windows® based credential providers (CPs) within a single wrapping CP are described. In general, CP credentials and fields from two or more encapsulated or wrapped CPs may be enumerated and aggregated in such a way that the order of fields from each CP is preserved, fields that may be used only once are identified and appear only once, and fields are given a new unique field identifier. The union of all such fields (minus duplicates of any one-use-only fields) may be used to generate a mapping so that the wrapping CP and CP credential may “pass-through” calls from the operating system's logon interface to the correct wrapped CP and CP credential. The disclosed techniques may be used, for example, to provide single sign-on functionality where a plurality of sign-on credentials may be used (e.g., user name/password and smart card PIN).
    Type: Application
    Filed: November 20, 2013
    Publication date: March 20, 2014
    Applicant: McAfee, Inc.
    Inventor: Philip STURGES
  • Patent number: 8677462
    Abstract: A method for granting a grace period entitlement, the method comprising receiving a grace period entitlement message, establishing whether a grace period flag indicates that a grace period may be granted, granting a grace period to an expired entitlement based, at least in part, on the grace period entitlement message, only if the grace period flag is “off”, and setting the grace period flag to indicate that the grace period has been granted. Related methods and apparatus are also described.
    Type: Grant
    Filed: November 1, 2004
    Date of Patent: March 18, 2014
    Assignee: Cisco Technology Inc.
    Inventors: Erez Waisbard, Yaron Sella
  • Patent number: 8677463
    Abstract: A computer readable storage medium is disclosed having a computer program stored therein, which in a particular embodiment, the computer program includes but is not limited to machine readable instructions that when executed by a computer manage a plurality of sub accounts under a main account in a data distribution system, the computer program including but not limited to instructions to assign the plurality of sub accounts under the main account in a main account data structure at a server in the data distribution system; instructions to assign a plurality of end user devices to each one of the plurality of sub accounts; and instructions to receive end user device attribute data from at least one of the end user devices to the main account data structure after the attribute data is created at the at least one end user device.
    Type: Grant
    Filed: December 5, 2008
    Date of Patent: March 18, 2014
    Assignee: AT&T Intellectual Property I, LP
    Inventors: David Piepenbrink, James Y. Sofos, Lee M. Chow
  • Patent number: 8677007
    Abstract: Methods for redirecting, on a client, a communication of the client to a server upon determining the server is not useable to communicate to the client include the steps of: establishing, by a client agent on a client, a transport layer connection between the client and an intermediary appliance, the intermediary appliance providing access to one or more servers; receiving, by the client agent from the intermediary appliance, address information identifying at least one of the one or more servers available to communicate; determining, by the client agent, the transport layer connection is unusable to communicate; establishing, by the client agent, a second transport layer connection between the client and one of the identified available servers to bypass the appliance. Corresponding systems are also described.
    Type: Grant
    Filed: August 3, 2006
    Date of Patent: March 18, 2014
    Assignee: Citrix Systems, Inc.
    Inventors: Junxiao He, Josephine Suganthi, Sergey Verzunov, Anil Shetty, Charu Venkatraman
  • Patent number: 8677466
    Abstract: A digital certificate may be extracted from communications between a web browser and a web server computer. The digital certificate may be verified independent of the web browser by comparing the digital certificate against contents of a database containing digital certificates of legitimate websites or by consulting a remotely located security server computer. For example, the digital certificate may be forwarded from a client computer running the web browser to the security server computer. The security server computer may obtain a digital certificate from the web server computer and compare it to the one received from the client computer to detect man-in-the-middle attacks, for example.
    Type: Grant
    Filed: March 5, 2010
    Date of Patent: March 18, 2014
    Assignee: Trend Micro Incorporated
    Inventors: Yung-Feng Chuang, Jin-Ning Yang
  • Patent number: 8677459
    Abstract: Embodiments enable secure zero-touch remote provisioning/management of a computer system. A computer system is shipped to end customers with its remote management controller enabled but not provisioned. During automatic testing, for example, provisioning authentication data is embedded into the remote management controller. The computer system vendor harvests the provisioning authentication data or derivative data therefrom from the remote management controller and stores it in a database. Upon sale of the computer system, the computer system vendor provides to the end-customer the harvested data of the computer system's remote management controller. The end-customer can then remotely authenticate a remote provisioning/management console to the remote management controller.
    Type: Grant
    Filed: August 31, 2009
    Date of Patent: March 18, 2014
    Assignee: Broadcom Corporation
    Inventor: Robert Ray Swindell
  • Patent number: 8677471
    Abstract: A firewall cluster having three or more firewall processing nodes sharing the same shared IP address. Port numbers are assigned to the firewall processing nodes within the cluster and are used to distinguish between traffic sent to the cluster. Each network connection is assigned a destination port number. Each node receives the network connection and its assigned port number and determines if the assigned destination port number matches one of its assigned port numbers. If so, the node processes the network connection. If the assigned destination port number does not match one of its assigned port numbers, the network connection is discarded.
    Type: Grant
    Filed: December 12, 2011
    Date of Patent: March 18, 2014
    Assignee: McAfee, Inc.
    Inventors: Michael J. Karels, Michael James Silbersack
  • Patent number: 8676878
    Abstract: A method of managing a domain, a method of extending a domain, and a method of selecting a reference point controller are provided. The method of operating the domain includes: receiving a request for authenticating a reference point controller from a reference point controller candidate; invalidating a membership of the stored reference point controller; generating a unique reference point controller membership for verifying that the reference point controller candidate is a new reference point controller; and transmitting the generated reference point controller membership to the reference point controller candidate. Accordingly, even when an error occurs in the reference point controller, the function of the reference point controller can be rapidly replaced by using the reference point controller candidate.
    Type: Grant
    Filed: December 30, 2008
    Date of Patent: March 18, 2014
    Assignee: LG Electronics Inc.
    Inventors: Man-soo Jeong, Il-gon Park, Koo-yong Pak, Min-gyu Chung, Sung-hyun Cho, Soo-jung Kim, Kiran Kumar K
  • Patent number: 8675222
    Abstract: An information distribution system that includes an information reading apparatus reading out data distributed from an information medium and an information display apparatus having an information acquisition unit for acquiring the data distributed from said information reading apparatus, a display for displaying the data acquired by said information acquisition unit, and a display limitation unit for imposing display limitations on the data acquired by said information acquisition unit according to the state of connection between said information reading apparatus and the information display apparatus.
    Type: Grant
    Filed: March 27, 2009
    Date of Patent: March 18, 2014
    Assignee: PFU Limited
    Inventors: Norikazu Matsuyama, Kyoji Inari, Shoichi Takemori, Yurika Takayama
  • Patent number: 8677464
    Abstract: According to various embodiments, a session manager generates, stores, and periodically updates the login credentials for each of a plurality of connected IEDs. An operator, possibly via an access device, may provide unique login credentials to the session manager. The session manager may determine the authorization level of the operator based on the operator's login credentials, defining with which IEDs the operator may communicate. According to various embodiments, the session manager does not facilitate a communication session between the operator and a target IED. Rather, the session manager maintains a first communication session with the operator and initiates a second communication session with the target IED. Accordingly, the session manager may forward commands transmitted by the operator to the target IED. Based on the authorization level of the operator, a session filter may restrict what may be communicated between an operator and an IED.
    Type: Grant
    Filed: June 22, 2011
    Date of Patent: March 18, 2014
    Assignee: Schweitzer Engineering Laboratories Inc.
    Inventors: Rhett Smith, Ryan Bradetich, Christopher Ewing, Nathan Paul Kipp, Kimberly Ann Yauchzee
  • Patent number: 8677140
    Abstract: A computer-implemented method represents a list of informational items using a bit array. The method converts an informational item to a cryptographic value using a cryptographic algorithm and extracts a plurality of n-bit samples from the cryptographic value. The n-bit samples include at least a first field and a second field. The first field identifies a group of bits of the bit array and the second field identifies one or more individual bits within the group of bits. The individual bits are set to a pre-determined value according to the first field identifying the group of bits and the second field identifying the individual bits within the group of bits.
    Type: Grant
    Filed: September 12, 2012
    Date of Patent: March 18, 2014
    Assignee: United States Postal Service
    Inventors: Robert F. Snapp, James D. Wilson
  • Publication number: 20140075524
    Abstract: A system and method for authentication of a user using “lightweight” identities. The system and method provides for establishment of user credentials for a particular electronic mail address by an identity server through the recordation of a mail token and private token after receiving a request for credentials from the user. The identity server sends a private token to the user and sends a verification message to the user containing a specific link to the identity server for verification of the user along with the mail token, and then can verify the user by confirming that a mail token and private token recorded by the identity server match a mail token and a private token received from the user. After the verification process is successful, the identity server issues credentials that consist of a certificate either with or without a private key to the user which serves as an authenticated, unique, lightweight identity that a user can assume to access various services.
    Type: Application
    Filed: February 11, 2013
    Publication date: March 13, 2014
    Inventors: Chris Yi-Cheng Ho, Samuel Taylor ZELNICK
  • Publication number: 20140075525
    Abstract: Authentication method by one-time password from a user (10) having a computer terminal (11) and a telephone terminal (12) who wishes to access an online resource from an information system (20), said method including a step of triggering a call to said telephone terminal with a caller identifier comprising the one-time password.
    Type: Application
    Filed: March 29, 2012
    Publication date: March 13, 2014
    Applicant: BANQUE ACCORD
    Inventor: Benoit Ferlin
  • Publication number: 20140075523
    Abstract: Example method, apparatus, and computer program product embodiments are disclosed to improve user experience and security in sharing Wi-Fi network credentials. A method embodiment comprises receiving in a wireless device, a wireless message including private credential information to access a wireless network; determining by the wireless device, that the received private credential information is not stored in a cache of known network access points in the wireless device; and storing by the wireless device, the received private credential information, in a credential database for network access points.
    Type: Application
    Filed: September 10, 2012
    Publication date: March 13, 2014
    Applicant: Nokia Corporation
    Inventors: Esa Juhani TUOMAALA, Klaus Franz DOPPLER, Zhong-Yi JIN
  • Patent number: 8671443
    Abstract: A system and a method are described for presenting media content for users to view over the internet. Rights pertaining to said media to be viewed are uploaded to servers by users holding such rights to rent or resell such media content. Servers restrict the viewing of the content in accordance with the limitations of the uploaded rights such that copyright rules are respected at all times.
    Type: Grant
    Filed: January 6, 2010
    Date of Patent: March 11, 2014
    Inventor: Nuri Ruhi Dagdeviren
  • Publication number: 20140068733
    Abstract: A method for managing password strength including receiving a password on a data processing system for a user, filtering for personal information about the user from multiple independent data sources accessible across a computer network, computing the password strength by the data processing system using an algorithm which compares the password to the filtered personal information about the user, and presenting feedback to the user through a user interface on a data processing system display regarding the computed password strength.
    Type: Application
    Filed: February 27, 2013
    Publication date: March 6, 2014
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Ella Belisario, Dwayne Dames, Jonathan Palgon, Roberto Vila
  • Publication number: 20140068732
    Abstract: A method correlates audit information in a multi-tenant computing infrastructure. The method leverages a user's authentication to the infrastructure, such as via federated single sign-on (F-SSO) from an identity provider. Preferably, the user's tenant identifier in the environment is derived based on identity information obtained during the F-SSO exchange. This tenant identifier is propagated to one or more other components in the infrastructure that are accessed by the user. As audit events from multiple components in the computing infrastructure are generated, these audit events are annotated with the tenant identifier and stored in an audit repository. In response to a request to view the tenant's audit data, a collection of tenant-specific audit events are then retrieved from the audit repository and displayed in a single tenant view. This approach ensures that audit event information is not leaked inadvertently between tenants.
    Type: Application
    Filed: September 5, 2012
    Publication date: March 6, 2014
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Heather Maria Hinton, Neil Ian Readshaw, Katsumi Ohnishi, Naohiko Uramoto
  • Publication number: 20140068731
    Abstract: A method, system or computer usable program product for managing password strength including receiving a password on a data processing system for a user, filtering for personal information about the user from multiple independent data sources accessible across a computer network, computing the password strength by the data processing system using an algorithm which compares the password to the filtered personal information about the user, and presenting feedback to the user through a user interface on a data processing system display regarding the computed password strength.
    Type: Application
    Filed: August 31, 2012
    Publication date: March 6, 2014
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Ella Belisario, Dwayne Dames, Jonathan Palgon, Roberto Vila
  • Patent number: 8667608
    Abstract: Disclosed herein are methods for protecting user information on a client device that may have a plurality of users. A user interface with a public machine designation portion is presented to a user prior to the start of the authentication process. The public machine designation removes web service account descriptions and any user specific information stored on the client device. Also, the client device is prevented from storing any new user specific information that is provided to the client device. The public machine designation is a persistent feature that may only be disabled by an affirmative action from the user.
    Type: Grant
    Filed: September 11, 2012
    Date of Patent: March 4, 2014
    Assignee: Microsoft Corporation
    Inventors: Michael C. Kunz, Lynn C. Ayres, Trevin M. Chow, Erren Dusan Lester, Campbell D. Gunn
  • Patent number: 8667609
    Abstract: Various embodiments of the present invention generally relate to trademark searching and notification systems. More specifically, various embodiments of the present invention relate to systems and methods for informing requesters about trademarks similar to a provided input. Some embodiments of the present invention provide for a proactive system in which users are notified of similar trademarks before using specific term(s) and users proceed after understanding which trademarks actually exist and what areas those trademarks actually entail, and possibly being notified of newly applied trademarks and modified trademarks at later times that are similar to the specific term(s) being used.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: March 4, 2014
    Assignee: Sky Castle Global Limited
    Inventors: Edwin Tan, Michael E St. John, Jr.
  • Patent number: 8667296
    Abstract: A method for generating a password for a user account. The method includes selecting a media item from a media library associated with a user; selecting a portion of the media item; generating a password based on the selected portion of the media item, where at least a portion of the password is based on selecting a first letter of a word included in the portion of the media item; and presenting the password as a suggested password to the user.
    Type: Grant
    Filed: October 9, 2012
    Date of Patent: March 4, 2014
    Assignee: Google Inc.
    Inventors: Brandon Bilinski, Jai John Mani
  • Patent number: 8667560
    Abstract: Systems and methods for authenticating a user of a service are disclosed. A host of a service provides a user interface that can be accessed via a display of a terminal. Upon successfully transmitting a first set of credentials, the host requests a random image to be generated by an authentication server. The authentication server transmits the random image to the host, as well as to a mobile device that is associated with the user of the service. The mobile device receives a picture message including the image. The user interface displays a list of images on the display. The user matches the received image with an image among the list of images, wherein a successful match follows in the user being granted access to the service. Consequently, an additional layer of security using a visual identification of a user is provided.
    Type: Grant
    Filed: August 31, 2010
    Date of Patent: March 4, 2014
    Assignee: AT&T Intellectual Property I, L.P.
    Inventor: Luis F. Albisu
  • Patent number: 8667600
    Abstract: A software installation package includes encrypted source code. An installer receives an encryption key for decrypting the encrypted source code. The installer further causes the establishment of a temporary virtual machine. The encrypted source code is decrypted, using the encryption key, on the temporary virtual machine. A compiler executing on the temporary virtual machine compiles the source code into an application. The application is transferred from the temporary virtual machine to an operating environment. The temporary virtual machine is then destroyed, thereby also destroying any decrypted copies of the source code.
    Type: Grant
    Filed: June 30, 2011
    Date of Patent: March 4, 2014
    Assignee: International Business Machines Corporation
    Inventor: Ian J. McCloy
  • Patent number: 8667151
    Abstract: In one embodiment, a method of the invention has the steps of: (A) establishing an access-layer security association (SA) between a mobile node (MN) and an authentication authorization accounting (AAA) server; (B) deriving a secondary key from an extended master session key (EMSK) corresponding to the access-layer SA; (C) providing the secondary key to a home agent; and (D) based on the secondary key, establishing an SA corresponding to an Open System Interconnection (OSI) layer higher than the access layer for securing communications between the home agent and a selected network node. In various embodiments, the selected network node can be (i) the MN, (ii) a proxy node configured on behalf of the MN, or (iii) a proxy node configured on behalf of the home agent.
    Type: Grant
    Filed: August 9, 2007
    Date of Patent: March 4, 2014
    Assignee: Alcatel Lucent
    Inventors: Semyon B. Mizikovsky, Ganapathy S. Sundaram, Zhibi Wang
  • Patent number: 8667568
    Abstract: An apparatus and a method for storing an encrypted username and password. In one embodiment, a username is encrypted. A password associated with the username is encrypted. A user identifier associated with the username is encrypted. The encrypted username, the encrypted password, and the user identifier are stored in one or more databases.
    Type: Grant
    Filed: May 29, 2008
    Date of Patent: March 4, 2014
    Assignee: Red Hat, Inc.
    Inventor: James Paul Schneider
  • Patent number: 8667570
    Abstract: A single identity and billing relationship can be employed for multiple UE (user equipment) associated with a subscriber. Specifically, each of the multiple UEs can employ LTE (Long Term Evolution) radio technology to authenticate and register with a femto access point. Further, the transport level billing associated with the multiple UE can be facilitated by the femto access point by employing a femto id (identity) and/or credentials. Moreover, the femto access point can be employed by the multiple UEs as a network hub and can be employed by the UEs to perform authentication to connect to a core network. In addition, the femto access point can determine an authorized IP cloud associated with a registered UE and allow the registered UE to access only the authorized IP cloud.
    Type: Grant
    Filed: January 17, 2013
    Date of Patent: March 4, 2014
    Assignee: AT&T Mobility II LLC
    Inventor: Farooq Bari
  • Patent number: 8667567
    Abstract: Provided are a method, system, and computer storage device for managing zone information for devices in a network. A zone group table includes entries for different pairs of zones, wherein each entry indicates whether access between a pair of the zones is permitted. An attribute zone table indicates whether devices in the zones are initiator, target and/or initiator/target. For a selected zone, indication is made of whether ports in the devices in the selected zone have an initiator, target and/or initiator/target attribute as indicated in the attribute zone table. A determination is made as to whether all the ports in the devices in the selected zone have the same attribute of initiator, target or initiator/target. If so, a division proposal is indicated for the selected zone proposing to separate devices in the selected zone into at least one new zone.
    Type: Grant
    Filed: April 18, 2012
    Date of Patent: March 4, 2014
    Assignee: International Business Machines Corporation
    Inventors: Yoshitaka Matsumoto, Yoshihiko Terashita, Hiroyuki Tanaka
  • Patent number: 8667569
    Abstract: An encrypted file is decrypted to gain access to a stored hash value for a credentials setting component. A test hash value of the credentials setting component is formed. Before decrypting a set of encrypted credentials to form decrypted credentials, it is required that the test hash value of the credentials setting component match the stored hash value of the credentials setting component. The decrypted credentials are then passed to the credentials setting component to set credentials that instructions are to be executed under.
    Type: Grant
    Filed: September 29, 2011
    Date of Patent: March 4, 2014
    Assignee: Target Brands, Inc.
    Inventors: Aaron T. Tesch, James R. Nelson
  • Publication number: 20140059348
    Abstract: A method of establishing a communication channel between a network client and a computer server over a network is described. The network client may be configured to communicate with the computer server over the network and to communicate with a token manager. The token manager may be configured with a parent digital certificate that is associated with the token manager. The token manager or network client generates a credential from the parent digital certificate, and transmits the credential to the computer server. The credential may be associated with the computer server. The network client may establish the communications channel with the computer server in accordance with an outcome of a determination of validity of the credential by the computer server.
    Type: Application
    Filed: October 31, 2013
    Publication date: February 27, 2014
    Applicant: SECUREKEY TECHNOLOGIES INC.
    Inventors: Troy Jacob Ronda, Pierre Antoine Roberge, Patrick Hans Engel, Rene McIver, Greg Wolfond, Andre Boysen
  • Publication number: 20140059662
    Abstract: Creation or update of a security context between user equipment and MSC/VLR (Mobile Switching Centre/Visitor Location Register) for circuit switched domain services is provided. The creation or update is based on conversion of the security context used in an evolved Universal Terrestrial Radio Access Network (E-UTRAN) in the Mobility Management Entity (MME) to a security context for the circuit switched domain target system and transferring it to a MSC/VLR. When user equipment is moved from E-UTRAN to GSM EDGE Radio Access Network/Universal Terrestrial Radio Access Network (GERAN/UTRAN), a MME does not need to perform authentication and key agreement procedures to establish shared circuit switched security context for the user equipment.
    Type: Application
    Filed: May 4, 2010
    Publication date: February 27, 2014
    Applicant: Qualcomm Incorporated
    Inventors: Xipeng Zhu, Wolfgang Granzow, Adrian Edward Escott
  • Publication number: 20140059663
    Abstract: Embodiments of the invention provide a method and apparatus (“system”) that overcome the above-mentioned problems among others and provide an innovative solution aimed at creating an interactive, dynamic and effective multi-media object with HIP capabilities which may be used in online advertising, security, and user-defined security. The system leverages the existing HIP CAPTCHA real estate to create multi-media objects that guarantee a captivated audience, especially in online advertising. Combining interactive multi-media objects with HIP capabilities helps to meet a very critical need faced by advertisers and websites today—creating an effective impression of any multi-media object on a user (a guaranteed eyeball). Embodiments of the current invention introduce a variety of formats that involve interacting with a multi-media object to provide a more natural user interaction and ease of use while maintaining security.
    Type: Application
    Filed: August 23, 2013
    Publication date: February 27, 2014
    Applicant: EngageClick, Inc.
    Inventors: Manoj RAJSHEKAR, Shekhar Kumar DEO
  • Publication number: 20140059664
    Abstract: This document describes various techniques for distributing credentials based on hardware profiles. A resource access request including a hardware profile is transmitted to a remote entity having access to a previous hardware profile and a credential useful to access a resource is received if at least a portion of the hardware profile matches the previous hardware profile.
    Type: Application
    Filed: October 25, 2013
    Publication date: February 27, 2014
    Applicant: Microsoft Corporation
    Inventors: Gaurav S. Anand, Kevin Michael Woley, Matthew R. Ayers, Rajeev Dutt, Eric Fleischman
  • Patent number: 8661500
    Abstract: An approach is provided for providing end-to-end privacy in multi-level distributed computations. A distributed computation privacy platform determines one or more privacy policies associated with at least one level of a computational environment. The distributed computation privacy platform also determines one or more computation closures associated with the at least one level of the computational environment. The distributed computation privacy platform further processes and/or facilitates a processing of the one or more privacy policies and the one or more computation closures to cause, at least in part, an enforcement of the one or more privacy policies.
    Type: Grant
    Filed: May 20, 2011
    Date of Patent: February 25, 2014
    Assignee: Nokia Corporation
    Inventors: Sergey Boldyrev, Jari-Jukka Harald Kaaja, Hannu Ensio Laine, Jukka Honkola, Vesa-Veikko Luukkala, Ian Justin Oliver
  • Patent number: 8661550
    Abstract: Aspects of the present disclosure provide techniques that may enable user activity information to be automatically generated and shared with other users of a social network. In one example, a method of automatically publishing, to one or more social network services, information about user activities regarding media content items includes receiving user activity information regarding a media content item, wherein a user is a member of one or more social network services, and the user activity information is generated in response to one or more activities taken by the user with respect to the media content item. The method may also include receiving an indication of one or more users of the one or more social network services to whom the user activity information is to be made accessible, and automatically publishing the user activity information to the one or more social network services.
    Type: Grant
    Filed: July 17, 2012
    Date of Patent: February 25, 2014
    Assignee: Google Inc.
    Inventors: Raymond Reddy, Robert Sang-heun Kim