Management Patents (Class 726/6)
-
Patent number: 8661262
Abstract: A user authentication system includes a profile generation unit at the side of a user terminal, and a profile storage unit and a confirmation/replication verification unit at the side of an authentication verification device. When authentication processing is executed in the user terminal, the profile generation unit aggregates input biometric information, registered biometric information, and information which duplicates collation processing contents, and sets a profile being an aggregation of data. The profile storage unit stores the profile at the outside of the user terminal with identification information of authentication processing. The confirmation/replication verification unit confirms the stored contents, and replicates collation processing. Accordingly, when verification is necessary, the validity of authentication processing in the user terminal is verified, and a service provider device is notified of this.
Type: Grant
Filed: August 16, 2006
Date of Patent: February 25, 2014
Assignee: NEC Corporation
Inventor: Kaoru Uchida
-
Patent number: 8661556
Abstract: A method and apparatus for providing network security using role-based access control is disclosed. A network device implementing such a method can include, for example, an access control list. Such an access control list includes an access control list entry, which, in turn, includes a user group field. Alternatively, a network device implementing such a method can include, for example, a forwarding table that includes a plurality of forwarding table entries. In such a case, at least one of the forwarding table entries includes a user group field.
Type: Grant
Filed: May 27, 2011
Date of Patent: February 25, 2014
Assignee: Cisco Technology, Inc.
Inventor: Michael R. Smith
-
Publication number: 20140053251
Abstract: A user account recovery method is described. The method includes storing an account recovery token at both an identity management system (IDM) and a service provider. In response to an indication that a user cannot access an account, a request for the account recovery token is sent by the relevant service provider to the IDM. On confirming the identity of the user, the IDM retrieves the account recovery token and returns the token to the service provider. The service provider compares the token received from the IDM with one or more locally stored tokens to initiate an account recovery process (which process may, for example, include prompting the user to provide a new password for the account).
Type: Application
Filed: September 27, 2010
Publication date: February 20, 2014
Applicant: NOKIA SIEMENS NETWORKS OY
Inventors: You Lei Chen, Jin Liu, Shao Jun Sun
-
Publication number: 20140053252
Abstract: A system and method for secure document distribution is provided. The system includes a computer system and a secure document distribution engine. The system includes a two-factor authentication system that includes a password and a hardware component. Documents can be accessed from a network (e.g., the Internet, a cloud computing resource, etc.), via a link as an e-mail attachment, or as a stored file. Redistribution of documents by malicious authorized users is not possible without attribution due to the view-only nature of the system in combination with other measures that include event logging and document watermarking. Access can be revoked or blocked in real time, regardless of how the files were distributed or where they reside.
Type: Application
Filed: August 14, 2013
Publication date: February 20, 2014
Applicant: Opera Solutions, LLC
Inventor: Herbert Kelsey
-
Patent number: 8654683
Abstract: A simplified future mobile terminal system converging multiple wireless transmission technologies by utilizing a cost-effective and spectrum-efficient mobile cloud solution based on the innovative virtual mobile server system of the open wireless architecture (OWA) platform.
Type: Grant
Filed: July 25, 2012
Date of Patent: February 18, 2014
Inventors: Wei Lu, Dexi Lu
-
Patent number: 8656183
Abstract: Federated systems for issuing playback certifications granting access to technically protected content are described. One embodiment of the system includes a registration server connected to a network, a content server connected to the network and to a trusted system, a first device including a non-volatile memory that is connected to the network and a second device including a non-volatile memory that is connected to the network. In addition, the registration server is configured to provide the first device with a first set of activation information in a first format, the first device is configured to store the first set of activation information in non-volatile memory, the registration server is configured to provide the second device with a second set of activation information in a second format, and the second device is configured to store the second set of activation information in non-volatile memory.
Type: Grant
Filed: June 5, 2012
Date of Patent: February 18, 2014
Assignee: Sonic IP, Inc.
Inventors: Eric William Grab, Chris Russell, Francis Yee-Dug Chan, Michael George Kiefer
-
Patent number: 8656466
Abstract: A method and apparatus are provided for processing data. The method includes a step of receiving, during a first communication session established with said server, a request formulated by a first user defining at least one processing operation to be executed on first data, and a step of executing said processing operation on said first data, during a second communication session established with said server after said first session for a second user. The step of executing is applied on condition that the second user has been authenticated via a strong authentication method during the second session and that a relationship between the first and second users has been verified.
Type: Grant
Filed: June 29, 2010
Date of Patent: February 18, 2014
Assignee: France Telecom
Inventors: Michel Giordani, Yoann Rigolle, Guillaume Garnier De Falletans
-
Patent number: 8656461
Abstract: Various embodiments are disclosed relating to performing a trusted copy and paste operations between a source application and a target application. For example, a trust system may receive a paste request for pasting copied source content, and may compare a source trust level associated with the source content to a target trust level associated with a target application. In this way, for example, harmful or disruptive code may be prevented from being pasted into the target application.
Type: Grant
Filed: July 28, 2006
Date of Patent: February 18, 2014
Assignee: Microsoft Corporation
Inventors: Akhilesh Kaza, Benjamin M. Westbrook, Jeffrey M. Cooperstein, Karen E. Corby, Mark A. Alcazar
-
Patent number: 8656462
Abstract: Systems, methods and apparatus for a distributed security that provides authentication and authorization management. The system can include a state manager that is used to identify and maintain the source associated with a client browser that submits requests to the state manager. The state manager can allow requests that are authorized and request authorization for requests that are not. The state manager can maintain the states associated with each domain to reduce the number of transaction needed to authenticate and/or authorize subsequent requests to the same domain or to different domains.
Type: Grant
Filed: July 24, 2008
Date of Patent: February 18, 2014
Assignee: Zscaler, Inc.
Inventors: Kailash Kailash, Shashidhara Mysore Nanjundaswamy, Amarnath Mullick, Jose Raphel
-
Patent number: 8656468
Abstract: A method for validating authenticity of identity claims of one or more communicating entities in an online transaction over a network is disclosed. The method includes extracting identity information of the first communicating entity by the second communicating entity during online transaction and prompting a client to provide a unique resource name of the first entity. Further, the method includes validating the identity information extracted from the first entity by checking identity information already registered in a registry. Later the method includes authenticating the identity claims of the first entity based on the validation results. The method also includes steps for registering identity information of the first entity within the registry.
Type: Grant
Filed: June 14, 2010
Date of Patent: February 18, 2014
Assignee: Infosys Limited
Inventor: Maneesh Ponnath
-
Patent number: 8656459
Abstract: A method for inhibiting phishing can include sending information from a mobile network device to a website server, generating a one time password at the mobile network device from the information, generating a one time password at the website server from the information, sending the one time password generated at the website server to the mobile network device when the mobile network device subsequently accesses the website, and comparing the one time password generated at the website server to the one time password generated at the mobile network device. In this manner, the website can be authenticated such that the occurrence of phishing is substantially mitigated.
Type: Grant
Filed: March 1, 2013
Date of Patent: February 18, 2014
Assignee: eBay Inc.
Inventors: Upendra Mardikar, Kent Griffin, Elizabeth Allison Miller, Amol Patel
-
Publication number: 20140047520
Abstract: Techniques for credential auditing are provided. Histories for credentials are evaluated against a principal credential policy for a user and an enterprise credential policy for an enterprise as a whole. An audit trail is produced within a report for the histories. The report indicates whether compliance with the principal and enterprise credential policies occurred and if not at least one reason is provided as to why compliance was not met within the histories.
Type: Application
Filed: July 2, 2013
Publication date: February 13, 2014
Inventors: LARRY HAL HENDERSON, BRETT A. BERGER
-
Publication number: 20140047522
Abstract: An authentication mechanism for use in network-based services generates an authentication token. The authentication token is provided to a client device as part of the code comprising a content page. The content page code is received and loaded by a browser application at the client device. When the content page code is received and loaded by the browser application, the authentication token is loaded by the browser as well. Upon receiving subsequent input, the browser application may send a content request to the server. The content request includes the authentication token maintained by the browser application in the content page. A server may validate the authentication token provided in the request using version information and one or more master authentication tokens.
Type: Application
Filed: October 15, 2013
Publication date: February 13, 2014
Applicant: MICROSOFT CORPORATION
Inventors: Andy Chin, Alina Vikutan, Johnny C. Liu
-
Publication number: 20140047521
Abstract: Techniques for credential auditing are provided. Histories for credentials are evaluated against a principal credential policy for a user and an enterprise credential policy for an enterprise as a whole. An audit trail is produced within a report for the histories. The report indicates whether compliance with the principal and enterprise credential policies occurred and if not at least one reason is provided as to why compliance was not met within the histories.
Type: Application
Filed: July 2, 2013
Publication date: February 13, 2014
Inventors: Larry Hal HENDERSON, Brett A. BERGER
-
Patent number: 8650657
Abstract: A resource in unencrypted form and a wrapped key are received in a request from an application server system and at a key server system. The wrapped key includes a resource encryption key and a user identifier that have been encrypted using a master key. The user identifier identifies a user that is permitted to use the resource encryption key to decrypt the resource. The request does not include the user identifier. The wrapped key is decrypted to access the resource encryption key. The resource in unencrypted form is encrypted into an encrypted resource with the resource encryption key. The encrypted resource is sent to the application server system.
Type: Grant
Filed: May 18, 2011
Date of Patent: February 11, 2014
Assignee: Google Inc.
Inventors: Umesh Shankar, Andrei Kulik, Bodo Moller, Sarvar Patel
-
Patent number: 8650615
Abstract: The present is a system and method for preserving user account security privileges during a migration or re-direction of data from one network attached storage (“NAS”) system to another. Certain NAS systems authenticate user accounts using Kerberos Delegation Technology. In addition, some NAS systems feature the ability to constrain delegation to certain services. While effective in limiting access and promoting network security, this constrained delegation restricts the ability of a storage virtualization system to migrate or re-direct data to other NAS systems, especially if the other NAS system resides or is identified by a different domain name. The present invention is a system and method for storing user account credentials that work with the former NAS system, and providing a way to translate these credentials to a new NAS system with a new domain, permitting seamless data migration and re-direction across domains.
Type: Grant
Filed: September 28, 2007
Date of Patent: February 11, 2014
Assignee: EMC Corporation
Inventor: Mingzhou Joe Sun
-
Patent number: 8650647
Abstract: A reputation server is coupled to multiple clients via a network. Each client has a security module that detects malware at the client. The security module computes a hygiene score based on detected malware. The security module provides the hygiene score and an identifier of a visited web site to a reputation server. The security module also provides identifiers of files encountered at specified web sites to the reputation server. The reputation server computes secondary hygiene scores for web sites based on the hygiene scores of the clients that visit the web sites. The reputation server further computes reputation scores for files based on the secondary hygiene scores of sites that host the files. The reputation server provides the reputation scores to the clients. A reputation score represents an assessment of whether the associated file is malicious.
Type: Grant
Filed: July 24, 2012
Date of Patent: February 11, 2014
Assignee: Symantec Corporation
Inventors: Carey S. Nachenberg, Michael P. Spertus
-
Patent number: 8646102
Abstract: One embodiment of the present invention provides a system that facilitates issuing rights in a digital rights management system. The system operates by sending a request to perform an operation on an item of content from a client to a rights-management server, wherein the request includes a usage parameter which specifies constraints involved in performing the operation. Next, the system receives a response from the rights-management server, wherein the response indicates whether or not the client has rights to perform the operation in accordance with the constraints specified by the usage parameter. Note that the response may also include a hint that facilitates generating subsequent requests to perform the operation. Finally, if the client has rights to perform the operation, the system performs the operation on the item of content.
Type: Grant
Filed: September 15, 2006
Date of Patent: February 4, 2014
Assignee: Oracle America, Inc.
Inventors: Gerard M. Fernando, Viswanathan Swaminathan, Thomas W. Jacobs, William J. Keenan
-
Patent number: 8646048
Abstract: In accordance with embodiments, there are provided mechanisms and methods for authenticating and authorizing an external entity. These mechanisms and methods for authenticating and authorizing an external entity can enable improved data security, more efficient data transfer, improved data access channels, etc.
Type: Grant
Filed: November 16, 2010
Date of Patent: February 4, 2014
Assignee: saleforce.com, inc
Inventor: Jong Lee
-
Patent number: 8646058
Abstract: IC cards (R11, R12, and R21) are issued respectively to users α, β, and γ. An identification code (ID(11)) of a computer (11) supplied to user α and environment information (ENV(11)) that indicates a normal network environment of the computer (11) are recorded in the IC card (R11) issued to user α. When in order to use a computer, a user connects his/her IC card, the identification code and the network environment of the computer to be used are compared with the identification code and environment information recorded in the IC card and different access rights are provided in accordance to the degree of matching. The identification code may be a MAC address of a LAN circuit incorporated in the computer, and the environment information may be a default gateway address or the like. Different access rights can thus be set according to the computer or the network environment that is used.
Type: Grant
Filed: January 20, 2005
Date of Patent: February 4, 2014
Assignee: Dai Nippon Printing Co., Ltd.
Inventors: Syouzou Niwata, Yoshihiro Yano, Takayuki Chikada, Fukio Handa, Kazutoshi Kichikawa
-
Patent number: 8646045
Abstract: Authentication mechanisms are disclosed herein that authenticate user access to enterprises. For example, either an enterprise associated number or a social security number (SSN) can be provided to the enterprise to enter a first level. Then, any one of a ZIP code number, a device calling/contacting number, a date of birth, and a portion of the SSN can be provided to access applications in the first level. Lastly, a PIN can be provided to enter a second level of the enterprise. Additionally, these authentication mechanisms can be added and/or changed. In the former case, if a user used a SSN to enter the mentioned first level of the enterprise, then a date of birth can be used to update an authentication mechanism. Alternatively, if a user used an enterprise number to gain such access, then part of the SSN can be used for the update. If the user wants to change the authentication mechanism, the date of birth can be used for the update.
Type: Grant
Filed: July 26, 2007
Date of Patent: February 4, 2014
Assignee: United Services Automobile Association (USAA)
Inventors: Richard E. Moore, Hector Jaime Castillo
-
Patent number: 8646063
Abstract: A mechanism is provided for providing temporary generated codes by a server. Responsive to triplet authentication of a device to service provider network, a server receives an initial code from the device to request a temporary generated code. The server verifies the triplet authentication of device. The server determines whether there is a user account match to the initial code. The server determines a corresponding application server based on the initial code and the user account match. The server generates a temporary generated code to access the application server. The temporary generated code is transmitted to both the application server and the communication device, is set to expire at a preset time, is generated to allow the user access to a single session on the application server, and is generated to expire after the temporary generated code is input to access the single session on application server.
Type: Grant
Filed: December 17, 2012
Date of Patent: February 4, 2014
Assignee: AT&T Mobility II, LLC
Inventor: Sangar Dowlatkhah
-
Patent number: 8646055
Abstract: A method and system for pre-shared-key-based network access control are disclosed. The method includes the following steps: 1) security policy negotiation is implemented between a REQuester (REQ) and Authentication Access Controller (AAC); 2) identity authentication and uni-cast key negotiation are implemented between REQ and AAC; 3) a group-cast key is notified between REQ and AAC. Applying the method and system, rapid bidirectional authentication can be implemented between a user and network.
Type: Grant
Filed: December 24, 2009
Date of Patent: February 4, 2014
Assignee: China Iwncomm Co., Ltd.
Inventors: Li Ge, Jun Cao, Manxia Tie, Qin Li, Zhenhai Huang
-
Patent number: 8646093
Abstract: A software license engine allows an enterprise to model software license contracts and evaluate deployment of software for compliance with the software license contracts. Deployment of software products in the enterprise is modeled in a configuration management database. The software license engine maintains a license database for connecting software license contracts with software deployment modeled by the configuration management database. Users of the software license engine may use license types that are predefined in the software license engine or may define custom license types. The software license engine may indicate compliance or non-compliance with the software license contracts.
Type: Grant
Filed: December 9, 2009
Date of Patent: February 4, 2014
Assignee: BMC Software, Inc.
Inventors: Anthony George Myers, Thomas Louis Adrian
-
Patent number: 8646046
Abstract: A digital rights management system includes an authentication module and a decryption module. If desired, the modules can be implemented in separate integrated circuits. The authentication module retrieves authentication information for protected content and powers down after the authentication information is retrieved. The decryption module decrypts the protected content based on the authentication information while the authentication module is powered down.
Type: Grant
Filed: May 15, 2008
Date of Patent: February 4, 2014
Assignees: Advanced Micro Devices, Inc., ATI Technologies ULC
Inventors: Alwyn Dos Remedios, Stefan Scherer, Mark Bapst, Satyajit Patne
-
Patent number: 8646044
Abstract: The contemplated embodiments of the invention provide a method for implementing a mandatory integrity control (MIC) system that provides access control for each and every object and subject that need access control, but in a way that allows legacy operating systems to continue with little modification. The invention provides a novel method that selects an integrity level designator for a subject, when the subject logs onto the computer system. The selected integrity level designator is then added to an existing data structure in the computer system. The existing data structure may be a part of a security descriptor stored in a system access control list of an object. The existing data structure may be a part of a list of security permissions that constitute an access token for a process executing as a subject.
Type: Grant
Filed: April 28, 2005
Date of Patent: February 4, 2014
Assignee: Microsoft Corporation
Inventors: Richard B. Ward, Jeffrey Hamblin, Peter T. Brundrett
-
Publication number: 20140033285
Abstract: A platform of Trust Management software which is a single, customizable, complete distributed computing security solution designed to be integrated into an enterprise computing environment. Digital Network Authentication (DNA) is the centerpiece of the system of the present invention. It is a unique means to authenticate the identity of a communicating party and authorize its activity. The whole mechanism can be thought of as a trusted third party providing assurances to both clients and servers that each communicating entity is a discrete, authenticated entity with clearly defined privileges and supporting data. Furthermore, the level of trust to be placed in the authorization of every entity communicating within the system is communicated to every entity within a distributed computing environment.
Type: Application
Filed: January 22, 2013
Publication date: January 30, 2014
Inventor: Gerard A. Gagliano
-
Patent number: 8640193
Abstract: An image processing apparatus for providing at least a service to a service requester receives a service execution request and authentication information of a service requester from the service requester and issues a request for authenticating the service requester to an authentication service. Also, the image processing apparatus executes the requested service based on an authentication result transmitted from the authentication service. Further, the image processing apparatus manages an execution state of the executed service and an authentication state of the service requestor by associating the execution state with the authentication state.
Type: Grant
Filed: December 20, 2005
Date of Patent: January 28, 2014
Assignee: Canon Kabushiki Kaisha
Inventor: Nobuyuki Shigeeda
-
Patent number: 8640209
Abstract: A system, method, and computer program product are provided to facilitate changing authentication information in an environment having two or more configuration items. Establishing a connection between the configuration items may require matching authentication information corresponding to the first configuration item with authentication information transmitted from the second configuration item. The system may include a repository storing at least one predetermined attribute corresponding to a configuration item, and a relation between the configuration item and another configuration item. The attribute and/or the relation may be updated by discovery that detects information regarding configuration items. In response to a request to change authentication information corresponding to the first configuration item, and based on the relation, an identification unit may identify a second configuration item influenced by the change.
Type: Grant
Filed: March 6, 2010
Date of Patent: January 28, 2014
Assignee: International Business Machines Corporation
Inventor: Akira Ohkado
-
Patent number: 8640213
Abstract: A system and method for automatic authentication includes automatically calculating a security code on a computer running a security program. The security program resides on the same computer as a web browser. In response to a user signing into a web based account on a web site accessed by the web browser, automatically verifying that the security program is registered with the web based account. In response to a second factor security code entry request on the web based account, automatically entering the security code into the web based account. The security code is transmitted to the web site transparently to the user for login.
Type: Grant
Filed: August 9, 2011
Date of Patent: January 28, 2014
Assignee: Symantec Corporation
Inventors: Maryam Najafi, Alexander Antido Cayetano, Len Osamu Toyoshiba, Shirley Lee
-
Patent number: 8640210
Abstract: A distributed system in which time-dependent credentials are supplied by controllers that operate according to different local times. Errors that might arise from the controllers generating inconsistent credentials because of time skew are avoided by identifying credentials generated during transition intervals in which different ones of the controllers may generate different credentials at the same absolute time. During a transition interval, controllers and other devices may use credentials differentially based on the nature of the authentication function. Each controller may periodically renew its credentials based on self-scheduled renewals or based on requests from other devices, such that renewal times are offset by random delays to avoid excessive network traffic. Controllers may determine which credential is valid for any given time, based on a cryptographically secure key associated with that time and information identifying the entity that is associated with that credential.
Type: Grant
Filed: September 1, 2011
Date of Patent: January 28, 2014
Assignee: Microsoft Corporation
Inventors: Mark Novak, Paul J. Leach, Yi Zeng, Saurav Sinha, K Michiko Short, Gopinathan Kannan
-
Patent number: 8640211
Abstract: A system and method is described for controlling the password(s) of one or more programs through a universal program. The universal control program allows access to one or more other programs and allows editing of the passwords of the other programs directly through the universal access program.
Type: Grant
Filed: April 19, 2012
Date of Patent: January 28, 2014
Assignee: Intellectual Ventures II LLC
Inventor: John B. Hollingsworth
-
Patent number: 8640251
Abstract: Files of computer documents are classified into confidential levels without extracting and analyzing contents of the files. Files created by particular users may be clustered into groups of files based on file characteristics, such as file type (e.g., file extension) and file naming convention. A prediction confidential score may be generated for each group of files. A log of a file retention resource may be consulted to identify files created by users. A file created by a user may be assigned a prediction confidential score of a group of files having the same file characteristic as the file and created by the same user. The prediction confidential score may be used to determine a confidential level of the file when the file is found to be inaccessible.
Type: Grant
Filed: December 14, 2011
Date of Patent: January 28, 2014
Assignee: Trend Micro Incorporated
Inventors: Jianda Lee, Shuosen Robert Liu
-
Patent number: 8640219
Abstract: A method for enabling access to digital rights managed (DRM) content from a server to a portable playback device using a device that functions as a proxy for enabling communication between the server and the portable playback device. The method provides for establishing a connection with a device capable of operating as a gateway device for passing data between the portable playback device and the server, requesting that the device establish a connection with the server and operate as a proxy for enabling data exchange between the portable playback device and the server, sending to the server, upon establishing the connection with the server via the device operating as a proxy, data indicating DRM solutions supported by the portable playback device, and a list comprising requested DRM content to be downloaded to the portable playback device, and receiving from the server, via the device operating as a proxy, the requested DRM content and DRM rules associated with the received content.
Type: Grant
Filed: June 23, 2005
Date of Patent: January 28, 2014
Assignee: Thomson Licensing
Inventors: Junbiao Zhang, Kumar Ramaswamy, Jeffrey Allen Cooper
-
Publication number: 20140026200
Abstract: A method for providing secret delegation may comprise receiving a credential secret applied to an algorithm associated with a distributed application in a trusted execution environment, causing delegation of the credential secret from one communication device to at least one other communication device, and modifying the credential secret prior to transfer of a modified version of the credential secret to the at least one other communication device in a manner that enables a generation of the credential secret to be determined. An apparatus and computer program product corresponding to the method are also provided.
Type: Application
Filed: April 15, 2011
Publication date: January 23, 2014
Applicant: Nokia Corporation
Inventors: Jan-Erik Ekberg, Lauri Veikko Paatero
-
Publication number: 20140026194
Abstract: An ePHI-compliant gatekeeper system that provides single, controlled access, editable in real-time, to an individual patient's medical information that remains remotely stored within internal network architecture from a variety of disparate healthcare professionals, medical systems, and vendors networks. The ePHI-compliant gatekeeper system is an independent, cloud-based architecture to ensure that inherent infrastructure does not compromise existing privacy requirements and the proprietary interests of partnered platformed networks. The ePHI-compliant gatekeeper system includes user equipment and a cloud-based vetting system. The cloud-based vetting system includes a Software as a Service (SaaS) module and a Platform as a Service (PaaS) module. The SaaS module provides user authentication at login.
Type: Application
Filed: July 22, 2012
Publication date: January 23, 2014
Inventor: Douglas K. Smith
-
Publication number: 20140026199
Abstract: To prevent gaming of a reputation system, a security token is generated for a security module using metadata about the client observed during the registration of the security module. The registration server selects metadata for use in generating the security token. The generated security token is provided to identify the client in later transactions. A security server may conduct a transaction with the client and observe metadata about the client during the transaction. The security server also extracts metadata from the security token. The security server correlates the observed metadata during the transaction with the extracted metadata from the security token. Based on the result of the correlation, a security policy is applied. As a result, the metadata in the security token enables stateless verification of the client.
Type: Application
Filed: September 25, 2013
Publication date: January 23, 2014
Applicant: Symantec Corporation
Inventors: Carey Nachenberg, Zulfikar Ramzan
-
Patent number: 8635679
Abstract: A system and method provide a framework for networked identity management in a user-centric model by providing the ability for a user to delegate permissions to release identity information, by enabling a mechanism for releasing one of a requested plurality of data sets and by providing facilities for the retrieval of identity information from an external server. Anonymization of identity data is enabled through the use of an anonymizer system that can optionally be integrated with an identity store such as a homesite.
Type: Grant
Filed: December 8, 2006
Date of Patent: January 21, 2014
Assignee: Webler Solutions, LLC
Inventor: Dick Clarence Hardt
-
Patent number: 8635680
Abstract: A method is provided for network identification based on high entropy data on a network which are not easily guessed or obtained outside the network, which can prevent an attacker from “spoofing” the network. A component in a client computer connected to a network may obtain over the network a network data block including device identification information of a device controlling the network. Upon parsing the network data block, such high entropy data as unique device identifiers may be obtained from the device identification information. Depending on availability of the unique device identifiers and authentication history of the client computer, different combinations of the unique device identifiers and/or other identification information may be used to generate a unique network identifier such as a network signature. The component may provide the network signature to applications within the client computer.
Type: Grant
Filed: April 19, 2007
Date of Patent: January 21, 2014
Assignee: Microsoft Corporation
Inventors: Bill Begorre, Deon C. Brewis
-
Patent number: 8635682
Abstract: Various methods and systems for propagating identity information in a composite application are presented. State data of a composite application, as executed for a particular entity, may be transferred to and stored by a computer-readable storage medium. The state data may include a portion of a set of subject information linked with the entity. A security attribute of the subject may not be present in the portion of the set of subject information in the state data transferred to the non-transitory computer-readable storage medium. After a period of time, such as an hour or a day, the state data of the composite application as executed for the entity may be retrieved and the security attribute of the set of subject information linked with the entity may be determined. The composite application may then continue to be executed for the entity.
Type: Grant
Filed: May 31, 2011
Date of Patent: January 21, 2014
Assignee: Oracle International Corporation
Inventors: Nickolas Kavantzas, Prakash Yamuna
-
Patent number: 8635670
Abstract: A system and method for performing backup operations is provided. Mechanisms facilitate a secure centralized backup system with a locally derived authentication model. A local centralized storage server may generate an authentication model, including credentials, and create a share/directory for each client. Clients store their credentials and use them to access centralized storage. Credentials are maintained and provisioned locally. A remote host server may establish trust by providing a list of clients in a circle.
Type: Grant
Filed: May 16, 2008
Date of Patent: January 21, 2014
Assignee: Microsoft Corporation
Inventors: Steve E. Olsson, Prathibha Kundavaram, Rajat Talwar, Kiran Chava, Sundararajan Aravamdhan
-
Patent number: 8635681
Abstract: A method and system for public key infrastructure key and certificate management provides anonymity to certificate holders and protects the privacy of certificate holders from the compromise of a certificate authority. Functional separation is provided in the authorization of a certificate request and the assignment of certificates and key pairs. The authorizing certificate authority approves or denies each certificate request from a requestor whose identity is not made available to the assigning certificate authority. The assigning certificate authority, upon approval from the authorizing certificate authority, issues one or more certificates and optionally generates and provides the associated key pairs to the requester without disclosing these certificates and key pairs to the authorizing certificate authority.
Type: Grant
Filed: February 1, 2008
Date of Patent: January 21, 2014
Assignee: Telcordia Technologies, Inc.
Inventors: Tao Zhang, Eric Van Den Berg, Andrew Burnette, Giovanni Di Crescenzo, Richard Ferrer, Stanley Pietrowicz, Robert G. White
-
Patent number: 8634390
Abstract: An exemplary method includes establishing, by a mobile phone device, a wireless local area network communication channel between the mobile phone device and a set-top box device, providing, by the mobile phone device, a graphical user interface for display on a display screen of the mobile phone device, the graphical user interface configured to facilitate inputting of one or more control commands by a user of the mobile phone device, and controlling, by the mobile phone device, at least one operation of the set-top box device via the wireless local area network communication channel in accordance with the one or more control commands. Corresponding methods and systems are also described.
Type: Grant
Filed: October 14, 2009
Date of Patent: January 21, 2014
Assignee: Verizon Patent and Licensing Inc.
Inventors: Raju Ramakrishnan, Peter Joseph, Sampath Raman, Balamuralidhar Maddali, Ruchir Rodrigues, Ashish Phutela, Shafiq Kassam
-
Patent number: 8634556
Abstract: This invention allows connection of an apparatus with a low security level without lowering the security level of a network even when such apparatus issues a connection request. This invention is directed to an access point which makes wireless communications with a station using an encryption method (AES). Upon reception of a connection request message including information indicating an encryption method (WEP) that can be used by a station, the access point checks if the encryption method (WEP) recognized based on the received connection request message is different from the encryption method (AES). When it is determined that the two encryption methods are different, the access point launches a controller which makes wireless communications with the station using that encryption method (WEP).
Type: Grant
Filed: January 6, 2009
Date of Patent: January 21, 2014
Assignee: Canon Kabushiki Kaisha
Inventor: Nobuhiro Ikeda
-
Patent number: 8635662
Abstract: A system that dynamically authenticates one or more users is described. During operation, the computer system determines a trust level for a user, where the trust level is a function of elapsed time since the user previously provided authentication information. Next, the computer system calculates a transaction risk level based on a type of user transaction performed by the user. Then, the computer system requests additional authentication information from the user based on the trust level and the transaction risk level.
Type: Grant
Filed: January 31, 2008
Date of Patent: January 21, 2014
Assignee: Intuit Inc.
Inventor: David E. Lang
-
Patent number: 8635665
Abstract: Aspects for secure access and communication of information in a distributed media network may include detecting when a legacy media peripheral is connected to a PC and/or a media processing system on the distributed media network. One or more identifiers associated with the legacy media peripheral may be established and utilized to facilitate communication of the legacy media peripheral over the distributed media network. At least one legacy media peripheral identifier and at least one identifier of a user utilizing the legacy media peripheral may be requested. The legacy media peripheral identifier may be a serial number of the legacy media peripheral, while the user identifier may be a user password and/or a user name. Media peripheral association software may be executed on the PC and/or the media processing system and utilized for media peripheral association and authentication in accordance with various embodiments of the invention.
Type: Grant
Filed: October 25, 2012
Date of Patent: January 21, 2014
Assignee: Broadcom Corporation
Inventors: Jeyhan Karaoguz, James D. Bennett
-
Patent number: 8635673
Abstract: Dynamic application adaptation in software-as-a-service platform, in one aspect, may receive an access permission associated with a published shared data management data object in the software-as-a-service platform having shared data management and a plurality of applications deployed, look up one or more rules associated with one or more features of an application deployed on the software-as-a-service platform, based on the received access permission, and activate or deactivate said one or more features associated with said plurality of applications based on said one or more rules.
Type: Grant
Filed: June 17, 2011
Date of Patent: January 21, 2014
Assignee: International Business Machines Corporation
Inventors: Rangachari Anand, Stacy F. Hobson, Juhnyoung Lee, Jeaha Yang
-
Publication number: 20140020071
Abstract: Aspects of the present invention relate to systems and methods for providing non-subscriber access to a digital asset and, in particular, to methods and systems for providing non-subscriber access to a digital asset while providing provider protection. A temporary guest credential may be generated that may allow access to a limited workspace on a resource server. The temporary guest credentials may expire after a guest-account duration limit.
Type: Application
Filed: July 14, 2012
Publication date: January 16, 2014
Inventors: Vince Jannelli, Boguslaw Ludwik Plewnia, Roger Shih
-
Publication number: 20140019752
Abstract: A first server is configured to receive a first token from a user device, determine whether the first token is valid, request the user device to provide a set of credentials to a second server, based on determining that the first token is invalid, and receive a first response from the user device. The first response may include information identifying whether the user device is authenticated to communicate with the first server. The first server is further configured to send the first response to a third server. The third server may generate a second response to indicate authentication of the user device to communicate with the first server. The first server is further configured to receive the second response from the third server, generate a second token, based on receiving the second response, and send the second token to the user device.
Type: Application
Filed: July 10, 2012
Publication date: January 16, 2014
Applicant: VERIZON PATENT AND LICENSING INC.
Inventors: Fenglin YIN, Jianxiu HAO, Zhiying JIN
-
Patent number: 8631478
Abstract: Managing a lifecycle of a shared privileged account via a proxy service which comprises an Identity Management (IdM) system that defines and manages identity services, which in turn manage privileged accounts used to access managed targets. Each of the identity services is mapped to a privilege group of the proxy service and an ID pool manager is implemented to manage sharing of the privileged accounts. A request is generated to access a managed target with a privileged account. A shared privileges module generates a shared ID authorization account and associates it with the requestor. The shared ID authorization account is populated with sign out information for a shared privileged account, which the requestor uses to access the corresponding managed target. When use of the shared privileged account is ended, the shared privileges module disassociates the requestor with the shared privileged account by deleting the shared ID authorization account.
Type: Grant
Filed: March 12, 2012
Date of Patent: January 14, 2014
Assignee: International Business Machines Corporation
Inventors: Leeanne L. Chen, Alexander P. Ames, Prema Vivekanandan