Management Patents (Class 726/6)
  • Publication number: 20120284784
    Abstract: Security is provided in a wireless communication system in a moving vehicle by requiring user input of one or more security codes for validation before the system permits communication. One code, a security access code, corresponds to the vehicle travel segment and is given to the passenger(s) in transit. The second type of code, a personal identification number (PIN), is given to the passenger after baggage check-in. The PIN code is correlated to the passenger and/or seat assignment. PIN use enables associated data systems to report the seat number or location of all parties engaging in wireless communications within the vehicle.
    Type: Application
    Filed: July 18, 2012
    Publication date: November 8, 2012
    Applicant: Cellco Partnership d/b/a Verizon Wireless
    Inventors: Richard Lee Harvey, John Frank Pawlik
  • Publication number: 20120284780
    Abstract: Techniques for establishing a trusted cloud service are provided. Packages are created for services that include certificates, configuration information, trust information, and images for deploying instances of the services. The packages can be used to deploy the services in trusted environments and authenticated to deploy in sub environments of un-trusted environments. The sub environments are trusted by the trusted environments. Also, clouds are prospected for purposes of identifying desirable clouds and creating the packages for deployment.
    Type: Application
    Filed: May 4, 2011
    Publication date: November 8, 2012
    Inventors: Bruce L. Bergeson, Carl Tietjen, Carolyn B. McClain, Larry Hal Henderson, Stephen R. Carter
  • Publication number: 20120284783
    Abstract: A proposed password is decomposed into basic components to determine and score transitions between the basic components and create a password score that measures the strength of the proposed password based on rules, such as concatenation, insertion, and replacement. The proposed password is scored against all known words, such as when a user is first asked to create a password for an account or access. The proposed password can also be scored against one or more previous passwords for the user, such as when the user is asked to change the user's previous password, to determine similarity between the two passwords.
    Type: Application
    Filed: April 30, 2012
    Publication date: November 8, 2012
    Applicant: EBAY, INC.
    Inventor: Bjorn Markus Jakobsson
  • Publication number: 20120284782
    Abstract: A computer-implemented method for securing data and facilitating transactions. The method including the steps of collecting data from a sender party into a memory of a computer and generating an encrypted code representative of the sender party data stored in the memory of the computer. A graphic image representative of the encrypted code in the computer is generated and is provided from the computer to the sender party. The generated graphic image is then captured in an electronic device associated with a recipient party that the sender party desires to perform a transaction with whereafter the generated graphic image or the encrypted code it represents is transmitted from the recipient party electronic device to the computer to perform the transaction with the sender party.
    Type: Application
    Filed: May 5, 2011
    Publication date: November 8, 2012
    Inventors: Hakim Abdul Karim, Raul Abreu Dominguez
  • Publication number: 20120284781
    Abstract: A computer-implemented method is disclosed. The method involves: providing to a first client computing device a first instance of a first software program that includes a first secret ID value; receiving a first account creation request that includes the first secret ID value; associating the first account creation request with the first client computing device; and approving the first account creation request and creating a first account for the first client computing device if less than a first threshold of previous account creation requests that include the first secret ID value have been previously received, and a presumption that the first client computing device is a spammer does not apply; or denying the first account creation request if either the number of previously received account creation requests that include the first secret ID value is equal to or greater than the first threshold, or the presumption that the first client computing device is a spammer applies.
    Type: Application
    Filed: May 4, 2011
    Publication date: November 8, 2012
    Inventors: Nathan GENTNER, David Jack OVADIA, Rohit DEEP
  • Patent number: 8307412
    Abstract: End users of a multi-factor authentication service can utilize an account management service, and third-party websites can register to utilize the multi-factor authentication service. Registering a third-party website can comprise the multi-factor authentication service receiving a valid digital identity certificate for the third-party website, and receiving an agreement to terms of use of the multi-factor authentication service for the third-party website. Once received, the multi-factor authentication service can enable the third-party website to utilize the service (e.g., switch the service on, or send an authorization key to the third-party website). Further, registering a user to the multi-factor authentication service can comprise determining availability of service, and providing a location-specific access code. Additionally, registering the user can comprise registering the user's mobile device, for example, to provide multi-factor authentication.
    Type: Grant
    Filed: October 20, 2008
    Date of Patent: November 6, 2012
    Assignee: Microsoft Corporation
    Inventors: Raymond E. Ozzie, Jack E. Ozzie, Thomas A. Galvin, Eric M. Patey
  • Patent number: 8307406
    Abstract: A method allows access to a set of secure databases and database applications over an untrusted network without replicating the secure database. The method involves authenticating a user using a first authentication application. When the user is verified, then the user's credentials are directed to a second authentication application associated with a secure database based on a first set of user settings retrieved for the user. The second authentication application, based on a second set of user settings, grants the user access to the secure database and database applications associated with the secure database.
    Type: Grant
    Filed: December 28, 2005
    Date of Patent: November 6, 2012
    Assignee: AT&T Intellectual Property II, L.P.
    Inventors: Roger Aboujaoude, Hossein Eslambolchi, John McCanuel, Michael Morris, Saeid Shariati
  • Patent number: 8306199
    Abstract: An accounting function in a network between originating and terminating networks is disclosed. A transit network node is provided with an appropriate indication regarding its role in inter-operator accounting, for example if it should act as an intermediary node or not. A transit network node configured to function in an appropriate manner to function in an intermediary role in the inter-operator accounting is also disclosed. The intermediary role can be optional.
    Type: Grant
    Filed: October 17, 2007
    Date of Patent: November 6, 2012
    Assignee: Nokia Corporation
    Inventors: Robert Ropolyi, Jozsef Varga
  • Patent number: 8301897
    Abstract: Methods and apparatus for authenticating a user are disclosed. According to one aspect of the present invention, a method for authenticating a user includes displaying a first representation of a challenge. The challenge is based on a ruleset. The method also includes receiving a first input, determining if the first input furthers a successful completion of the first representation of the challenge, and determining if the first input completes the first representation of the challenge. If it is determined that the first input completes the first representation of the challenge and that the first input furthers the successful completion of the first representation of the challenge, the method further includes positively augmenting a security indicator.
    Type: Grant
    Filed: August 23, 2006
    Date of Patent: October 30, 2012
    Assignee: Cisco Technology, Inc.
    Inventor: Bryan C. Turner
  • Patent number: 8301909
    Abstract: An apparatus, system, and method enable a new platform storage system to have access to an external storage system having data encrypted thereon by an existing platform storage system. Encryption information corresponding to the encrypted data in the external storage system is stored in a memory in the existing platform storage system. The encryption information stored in the memory of the existing platform storage system is transferred to an encryption table stored in the new platform storage system, so that the new platform storage system can read the encrypted data stored in the external storage system.
    Type: Grant
    Filed: November 30, 2010
    Date of Patent: October 30, 2012
    Assignee: Hitachi, Ltd.
    Inventor: Yasuyuki Mimatsu
  • Patent number: 8302173
    Abstract: A method for providing a user device with a set of access codes comprises, in the user device, storing an encryption key and an identification code, and sending a message containing the identification code to a server via a communications network. In the server, an encryption key is stored corresponding to the key stored in the user device, allocating the set of access codes on receipt of the identification code from the user device. A look up function is performed based on the identification code received in the message to retrieve the key from storage. The set of access codes is encrypted using the retrieved key to produce an encrypted set. A message containing the encrypted set is sent to the user device via the network. In the user device, the encrypted set received from the server is decrypted using the key in storage, and storing the decrypted set of access codes for use by a user of the user device.
    Type: Grant
    Filed: May 22, 2008
    Date of Patent: October 30, 2012
    Assignee: International Business Machines Corporation
    Inventors: Michael Baentsch, Peter Buhler, Thomas Eirich, Frank Hoering, Thorsten Kramp, Marcus Oestreicher, Michael Osborne, Thomas D. Weigold
  • Patent number: 8302158
    Abstract: A method for secure access and communication of information in a distributed media network is disclosed and includes detecting, at a first geographic location, when a media peripheral is communicatively coupled to at least one computing device at the first geographic location within the distributed media network. The media peripheral may be validated for use at the first geographic location using at least one identifier. The at least one identifier may be associated with the media peripheral. The at least one identifier may be used to facilitate communication by and/or to the media peripheral over the distributed media network. The at least one identifier associated with the media peripheral and at least one identifier of a user may be requested utilizing the media peripheral. The at least one identifier associated with the media peripheral is a serial number of the media peripheral.
    Type: Grant
    Filed: April 12, 2011
    Date of Patent: October 30, 2012
    Assignee: Broadcom Corporation
    Inventors: Jeyhan Karaoguz, James Bennett
  • Patent number: 8301884
    Abstract: Managing metadata in a metadata transmission server by generating a plurality of metadata fragment data by partitioning metadata to be transmitted based upon predetermined segment units, selecting predetermined metadata fragment data from among the plurality of the metadata fragment data, generating metadata-related authentication information using the selected metadata fragment data, and transmitting the selected metadata fragment data and the metadata-related authentication information including data format information indicating type of the selected metadata fragment data. A metadata receiving client uses the transmitted metadata fragment data, the metadata-related authentication information and the metadata format type information to authenticate the received metadata.
    Type: Grant
    Filed: September 16, 2003
    Date of Patent: October 30, 2012
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Yang-Iim Choi
  • Patent number: 8302176
    Abstract: OBJECTIVE: A user is prevented from inadvertently inputting authentication information to an unauthorized authentication system. In this manner, authentication information leakage is certainly avoided. SOLUTION: A validity checking system includes an information processing card, an authentication system that performs mutual authentication with the information processing card, and a checking device. The information processing card includes a validity authenticating means that authenticates the validity of the authentication system, and an impersonation preventing means that carries out an impersonation preventing process on the result of the authentication performed by the validity authenticating means.
    Type: Grant
    Filed: September 20, 2007
    Date of Patent: October 30, 2012
    Assignee: NEC Corporation
    Inventor: Lei Huang
  • Patent number: 8302164
    Abstract: An individual's social network is used to authorize information flow to the individual and to authenticate the individual for access to certain information or services. Information flow to the individual is authorized if the source of the information is a member of the individual's social network who is connected to the individual along a path that does not traverse through anyone on a gray list of the individual. The black list identifies those members who previously sent unwanted communication to the individual or posted content that was deemed offensive by the individual. The gray list identifies those members who are one degree separated from any black list member.
    Type: Grant
    Filed: July 22, 2004
    Date of Patent: October 30, 2012
    Assignee: Facebook, Inc.
    Inventor: Christopher Lunt
  • Publication number: 20120272303
    Abstract: The disclosure discloses a method and system for enhancing the security of a user security model. In the solution of the disclosure, after a Simple Network Management Protocol (SNMP) server acquires a multi-byte original password of a user, it detects whether the original password is composed of a specific byte string repeated multiple times; and if so, the user is prompted to reconfigure a password. In accordance with the solution provided by the disclosure, the disclosure greatly enhances the security of version V3 for the SNMP server side, solves the problem that the vulnerability exists in the security defined in version V3 in the prior art, and avoids the security hidden danger caused by the fact that illegal users can use the password different from the password of the authorized user to log on the SNMP server.
    Type: Application
    Filed: November 3, 2010
    Publication date: October 25, 2012
    Applicant: ZTE Corporation
    Inventor: Taiqiang Liu
  • Publication number: 20120272302
    Abstract: Techniques for generating a human user test for online applications or services may include splitting the visual objects in an image into multiple partial images, and forming one or more alignment positions. At each of the alignment positions, some of the visual objects appear recognizable while some bogus visual objects also appear to prevent robots from recognizing the alignment positions. A user is requested to find the multiple alignment positions to return recognizable visual objects. A system determines that the user is a human user if the recognizable visual objects input by the user match the visual objects in the image.
    Type: Application
    Filed: April 21, 2011
    Publication date: October 25, 2012
    Applicant: Microsoft Corporation
    Inventors: Bin Benjamin Zhu, Qiang Dai
  • Publication number: 20120272301
    Abstract: Systems and computer-implemented methods are disclosed for providing controller access to a normally single-user account. In an example system, a primary user is provided with a primary password to the user account. A secondary user may be temporarily authorized by generating a temporary password selected independently of the primary password. The user account may be accessed by entering either the primary password or the temporary password. The temporary password is automatically revoked in response to granting access with the primary password. The secondary user is thereby provided with temporary access to the user account that is revocable by the primary user at any time without having to share the primary password with the secondary user and without having to change the primary password.
    Type: Application
    Filed: April 21, 2011
    Publication date: October 25, 2012
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Dorathea LoBean, Adrian X. Rodriguez, Ian C. Tewksbury
  • Publication number: 20120272056
    Abstract: To provide key management layered on a quasi-out-of-band authentication system, a security server receives a request for activation of a user interface window for a particular user from a network device via a communication channel. It then transmits an activation PIN to an out of band authentication system for forwarding to the user's telephone via a voice or text message. It next receives the previously transmitted PIN from the network device via the communication channel, and authenticates the user based on the received PIN. After authenticating the user, it establishes a secure, independent, encrypted communication channel between the user interface window and the security server on top of the original communication channel. It then generates and transmits to the user interface window and/or receives from the user interface window via the secure communication channel, key material and certificate material for public key and/or symmetric key cryptography based operations.
    Type: Application
    Filed: April 19, 2011
    Publication date: October 25, 2012
    Applicant: HAWK AND SEAL, INC.
    Inventor: Ravi Ganesan
  • Publication number: 20120272305
    Abstract: Member profile information for a control set of one or more control members and for a fraudulent set of one or more fraudulent members are obtained. Each member in the control set is at least believed to be legitimate and each member in the fraudulent set is at least suspected of being fraudulent. A test associated with identifying fraudulent members is generated using the member profile information for the control set and for the fraudulent set; the test inputs one or more pieces of member profile information for a member being tested.
    Type: Application
    Filed: July 6, 2012
    Publication date: October 25, 2012
    Applicant: EHARMONY, INC.
    Inventors: J. Galen Buckwalter, Erina Lee, Robert Scott Ackerman, Ella Ruth Grutman
  • Publication number: 20120272304
    Abstract: It is desirable to provide a secure search mechanism to provide for searching over any and all content, such as across an enterprise. A secure search, however, requires access to the secure content repositories holding the data to be searched. In some cases the credentials required to crawl a repository may be extremely sensitive, or the user may be reluctant or unwilling to store user identification information in memory or on disk for any longer than is absolutely necessary. An approach is provided that allows a user or an administrator to provide security credentials to be stored and used only during a crawl, and to erase the credentials from the system when the crawl is complete.
    Type: Application
    Filed: June 28, 2012
    Publication date: October 25, 2012
    Applicant: Oracle International Corporation
    Inventors: Ciya Liao, Thomas Chang, Muralidhar Krishnaprasad, Meeten Bhavsar
  • Patent number: 8296830
    Abstract: A management apparatus capable of communicating with a plurality of external devices includes a storage unit to store management information including authentication information for authenticating a user in the external device, a first transmission unit to transmit an authentication result of the user in the external device and user information necessary for authenticating the user by the external device among the management information to the external device by referring to the management information stored in the storage unit in response to a request from the external device, a selection unit to, when a content of the management information is changed, select an external device to be a transmission destination of the changed management information based on the change thereof, and a second transmission unit to transmit the changed management information to the external device selected by the selection unit.
    Type: Grant
    Filed: May 8, 2009
    Date of Patent: October 23, 2012
    Assignee: Canon Kabushiki Kaisha
    Inventor: Tateki Narita
  • Patent number: 8296828
    Abstract: Claim based identities are transformed to a set of credentials and securely stored in a secure data store using a number of encryption schemes. The credentials are then used to authenticate applications requiring specific credential types. For each call to the secure store system, a client application may provide a claims token issued by a trusted source, which is used to search for corresponding credentials in the secure data store if the credentials have been created previously for the user.
    Type: Grant
    Filed: December 16, 2008
    Date of Patent: October 23, 2012
    Assignee: Microsoft Corporation
    Inventors: Javier Dalzell, Saji Varkey, Kaushik Raj
  • Patent number: 8296831
    Abstract: The present invention facilitates access to a restricted service related to secure transactions via a network. The present invention allows a user to select a minimum security level of authentication for its own login to a restricted service. The user's selected minimum security level of authentication may be registered in an authentication method system, so that the user must use the selected minimum security level for authentication in order to gain access to the restricted service. Alternatively, the user may specify that the selected minimum security level for authentication may be over-turned by the user, or optionally re-set to a new authentication method depending on the needs of the user. As such, the present invention allows the user the flexibility to select its own authentication method for accessing a restricted service.
    Type: Grant
    Filed: April 22, 2011
    Date of Patent: October 23, 2012
    Assignee: American Express Travel Related Services Company, Inc.
    Inventors: James M. Foley, Rick D. Johnson, Anant Nambiar
  • Patent number: 8296840
    Abstract: Described are methods and systems related to providing permission to a user to perform an action on a workflow driven ticket. The ticket is accessed to determine an action type to be performed on the ticket and a correlated object associated therewith. A role based permission tuple is determined based upon a role of the user. A ticket based permission tuple is determined by generating a universal permission tuple based upon the action type and generating a dependency map based upon the correlated object. The dependency map is mapped to the universal permission tuple to construct the ticket based permission tuple. The role based permission tuple is supplemented with the ticket based permission tuple, to provide the required permission to execute the action. Upon an execution of the action, the permission is partially revoked, by removing the ticket based permission tuple.
    Type: Grant
    Filed: December 19, 2008
    Date of Patent: October 23, 2012
    Assignee: SAP AG
    Inventors: Tomas Burger, Michael Halfmann
  • Patent number: 8296820
    Abstract: Techniques are disclosed for attaching security policies to secured computing systems. A security policy is attached to a parent domain. The parent domain includes a first secured computing system. The security policy is a natural language description for controlling access to the secured computing system. Upon determining that the parent domain propagates the security policy, a first generation child domain is identified. The first generation child domain includes a second secured computing system. The first generation child domain is associated with the parent domain in a hierarchical relationship. It is determined that the first generation child domain inherits the security policy based on an inheritance rule. The security policy is attached to the first generation child domain.
    Type: Grant
    Filed: January 18, 2008
    Date of Patent: October 23, 2012
    Assignee: International Business Machines Corporation
    Inventors: I-Lung Kao, Daniel Paul Kolz
  • Patent number: 8296829
    Abstract: A system and method for searching and retrieving certificates, which may be used in the processing of encoded messages. In one broad aspect, certificate identification data that uniquely identifies a certificate associated with a message is generated. The certificate identification data can then be used to determine whether the certificate is stored on a computing device. Only the certificate identification data is needed to facilitate the determination alleviating the need for a user to download the entire message to the computing device in order to make the determination.
    Type: Grant
    Filed: March 17, 2009
    Date of Patent: October 23, 2012
    Assignee: Research In Motion Limited
    Inventors: Neil P. Adams, Michael S. Brown, Herbert A. Little
  • Publication number: 20120266221
    Abstract: A method for communicating between a first device and a second device, includes the steps of the first and second device communicating by exchanging messages that are based on signals that are transmitted through a first communication channel and/or through a second communication channel, wherein the first and second communication channel have different signal propagation velocities; at least one of the first and second device computing the distance to the other device based on communication signal delays caused by the signal propagation velocities; wherein the method includes the further steps of controlling access of the second device to the first device depending on the computed distance.
    Type: Application
    Filed: October 19, 2010
    Publication date: October 18, 2012
    Inventors: Claude Castelluccia, Kasper Bonne Rasmussen, Srdjan Capkun
  • Publication number: 20120266219
    Abstract: An approach is provided for electronic delivery of documents to a digital postal address. A user identifier is correlated with collected information. The user identifier is dynamically validated based on the correlation for delivery of postal mail in electronic form.
    Type: Application
    Filed: March 17, 2012
    Publication date: October 18, 2012
    Applicant: Brite:Bill Ltd.
    Inventors: Alan Coleman, Jim Hannon, Gus Legge
  • Publication number: 20120266220
    Abstract: A system for controlling access to an application on a portable communication device having a secured element and a user interface comprises memory associated with the secure element; a card management module operably associated with the portable communication device and with the secure element capable of controlling the secured element to facilitate writing to and reading from the memory; and a password management module operably associated with the card management module, the portable communication device user interface, and the application, the password management module receiving an application identifier associated with the application, a user name, and a password from the user interface, and providing an access command to the application based on whether the received user name and password match information stored in the memory.
    Type: Application
    Filed: April 16, 2012
    Publication date: October 18, 2012
    Applicant: Sequent Software Inc.
    Inventors: David Brudnicki, Hans Reisgies
  • Publication number: 20120265671
    Abstract: The present invention is directed towards systems and methods for validating an order purchased with an unspecified term. The order may comprise an order for an access ticket or admission ticket or access token, an order for goods or services, or any combination of access, goods, and services. Validation may comprise determining the ticket or token is valid and/or allowing access based on a determined data value for an access term unspecified at the time of purchase; or determining that the order is valid and fulfilling the order based on an identified data value for a term unspecified at the time of purchase. A data value may be set for the unspecified term and a hierarchical tree searched for a leaf corresponding to the set value for the unspecified term and one or more terms specified at time of purchase, the existence of the leaf indicating the order is valid.
    Type: Application
    Filed: April 12, 2011
    Publication date: October 18, 2012
    Inventors: Matt Higgins, Tyler Brooks
  • Publication number: 20120265997
    Abstract: Systems and methods are disclosed for privacy-preserving flexible user-selected anonymous and pseudonymous access at a relying party (RP), mediated by an identity provider (IdP). Anonymous access is unlinkable to any previous or future accesses of the user at the RP. Pseudonymous access allows the user to associate the access to a pseudonym previously registered at the RP. A pseudonym system is disclosed. The pseudonym system allows a large number of different and unlinkable pseudonyms to be generated using only a small number of secrets held by the user. The pseudonym system can generate tokens capable of including rich semantics in both a fixed format and a free format. The tokens can be used in obtaining from the IdP, confirmation of access privilege and/or of selective partial disclosure of user characteristics required for access at the RPs. The pseudonym system and associated protocols also support user-enabled linkability between pseudonyms.
    Type: Application
    Filed: June 22, 2012
    Publication date: October 18, 2012
    Applicant: Google Inc.
    Inventors: Bennet Laurie, Marcel M. Moti Yung
  • Patent number: 8291477
    Abstract: An individual's social network is used to authorize information flow to the individual and to authenticate the individual for access to certain information or services. Information flow to the individual is authorized if the source of the information is a member of the individual's social network who is connected to the individual along a path that does not traverse through anyone on a gray list of the individual. The black list identifies those members who previously sent unwanted communication to the individual or posted content that was deemed offensive by the individual. The gray list identifies those members who are one degree separated from any black list member.
    Type: Grant
    Filed: March 26, 2010
    Date of Patent: October 16, 2012
    Assignee: Facebook, Inc.
    Inventor: Christopher Lunt
  • Patent number: 8291228
    Abstract: Modular authentication and session management involves the use of discrete modules to perform specific tasks in a networked computing environment. There may be a separate authentication server that verifies the identity of the user and an authorization client that grants various levels of access to users. There may also be an authentication client that receives an initial request from a requesting application and forwards the request to the authentication server to verify the identity of the user. The authorization client may then be invoked to provide the necessary level of access. The use of discrete modules allows multiple business applications to use the same modules to perform user authentication tasks, thus alleviating the unnecessary multiplication of code.
    Type: Grant
    Filed: October 21, 2008
    Date of Patent: October 16, 2012
    Assignee: American Express Travel Related Services Company, Inc.
    Inventors: Robert Laidlaw, Coby Royer, Rick D. Johnson, Scott More
  • Patent number: 8291077
    Abstract: One embodiment of a system for providing services to subscribers of a network supports the provision of a plurality of different services to multiple subscribers. A processor arrangement is provided for hosting the different services. A data structure is provided for storing data associated with subscribers of the system, wherein data associated with subscribers of the system comprises a plurality of sets of data, each set of data relating to a respective level of authentication. A trust model comprises a set of relationships between the sets of data, and the trust model determines the access rights of subscribers to different services in dependence on the data set which has been used to authenticate the subscriber in a given subscriber session. The use of this trust model enables services and other access rights to be provided to a subscriber which match the level of authentication which has been applied to the subscriber during any particular session.
    Type: Grant
    Filed: January 13, 2006
    Date of Patent: October 16, 2012
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Colin I'Anson
  • Patent number: 8290152
    Abstract: Various technologies and techniques are disclosed for managing web service developer keys. A generic key identifier can be generated based on an original web service key. The generic key identifier is used within source code of an application being developed. Upon receiving a request to run the application, the generic key identifier is transformed back into the original web service key prior to calling an associated web service. Multiple users can securely share the same application that uses the web service. When one user who does not have his own original web service key accesses the application, that user can be prompted to obtain and enter the original web service key once the key has been obtained from a provider of the web service.
    Type: Grant
    Filed: August 30, 2007
    Date of Patent: October 16, 2012
    Assignee: Microsoft Corporation
    Inventors: John I. Montgomery, Adam D. Nathan, Timothy Rice, Andrew Sterland
  • Patent number: 8291217
    Abstract: A management device configured to communicate with at least one second management device and at least one terminal device via a network includes an acquiring system configured to acquire first management information managed by the management device, a receiving system configured to receive second management information managed by each of the at least one second management device from each of the at least one second management device, a management information request receiving system configured to receive a management information request for the first management information and the second management information from the at least one terminal device, and a sending system configured to send, to the at least one terminal device, the first management information acquired by the acquiring system and the second management information received by the receiving system in response to the management information request being received by the management information request receiving system.
    Type: Grant
    Filed: March 29, 2007
    Date of Patent: October 16, 2012
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventor: Masafumi Miyazawa
  • Patent number: 8291479
    Abstract: Security is optimized in the context of a credential transformation service (CTS) by utilizing a web services client runtime to gather information for determining whether or not a target web service is hosted in a security domain used by a client application and for determining whether or not the target web service uses an authentication mechanism substantially identical to that used by the client application. The gathered information is carried in an endpoint reference (EPR) of the target web service. In response to the client receiving the EPR, the client applies an optimization process to eliminate a possible unnecessary invocation of the CTS, wherein the target web service is an authoritative manageable resource having minimal or no responsibility for providing its identity, and having minimal or no responsibility for advertising any creation and destruction lifecycle related events.
    Type: Grant
    Filed: November 12, 2008
    Date of Patent: October 16, 2012
    Assignee: International Business Machines Corporation
    Inventors: Boas Betzler, Ramamohan Chennamsetty, Jeffrey A. Frey, Michael D. Williams
  • Patent number: 8291506
    Abstract: Configuration information for a network device may be associated with a protection state that may restrict the modification of portions of the configuration information that are set to the protected state. The network device may be configured using configuration information defined as a group of hierarchically arranged configuration statements. Permissions may be stored for the network device relating to users permitted to modify the configuration information. The permissions may include permission tags, or other information defining the protection state, associated with the configuration statements. Intended modifications to the configuration information may be processed based on whether the intended modifications affect configuration statements associated with one of the permission tags.
    Type: Grant
    Filed: February 22, 2010
    Date of Patent: October 16, 2012
    Assignee: Juniper Networks, Inc.
    Inventor: Philip A. Shafer
  • Publication number: 20120260322
    Abstract: A flexible authentication system is described herein that fluidly switches between a federated authentication model and a local short-lived token model that does not require sophisticated authentication infrastructure at the relying party site. Upon detecting an event that causes the identity provider to be unavailable for authentication, the relying party switches to a temporary token model. The system generates a bearer token or challenge associated with the user's identity and (optionally) associated with time data that limits the period during which the token is valid. The relying party communicates the short-lived token to the user using contact information associated with the user and already stored by the relying party. Upon receiving the short-lived token, the user provides the short-lived token to the relying party, and the relying party processes the token to validate the user's identity and then allows the user to access the relying party's online services.
    Type: Application
    Filed: April 8, 2011
    Publication date: October 11, 2012
    Applicant: Microsoft Corporation
    Inventors: Angus P.D. Logan, Mark Ryland, Ariel Gordon, Vittorio Bertocci
  • Publication number: 20120260324
    Abstract: A method of validating an identifier is disclosed. In one embodiment an authenticating party system receives an identifier for validation and determines a first validation code associated with a current value of a counter. The first validation code is compared with the received identifier and, in the event that the identifier does not match the first validation code, the authenticating party system compares the identifier with one or more further validation codes associated with respective other values for the counter, said respective other values comprising N consecutive counter values succeeding the current value of the counter. If the identifier matches one of the further validation codes associated with a respective other value for the counter, the current value of the counter is updated to correspond with the respective other value for the counter associated with the matching further validation code.
    Type: Application
    Filed: November 5, 2010
    Publication date: October 11, 2012
    Applicant: EMUE HOLDINGS PTY LTD.
    Inventors: James Evan Lenon, Jason Frederick Bender
  • Publication number: 20120260323
    Abstract: Systems and methods for continuous measurement of an analyte in a host are provided. The system generally includes a continuous analyte sensor configured to continuously measure a concentration of analyte in a host and a sensor electronics module physically connected to the continuous analyte sensor during sensor use, wherein the sensor electronics module is further configured to directly wirelessly communicate sensor information to one or more display devices. Establishment of communication between devices can involve using a unique identifier associated with the sensor electronics module to authenticate communication. Times tracked at the sensor electronics module and the display module can be at different resolutions, and the different resolutions can be translated to facilitate communication. In addition, the frequency of establishing communication channels between the sensor electronics module and the display devices can vary depending upon whether reference calibration information is being updated.
    Type: Application
    Filed: April 6, 2012
    Publication date: October 11, 2012
    Applicant: DexCom, Inc.
    Inventors: Kenneth San Vicente, Indrawati Gauba, Siddharth Waichal, Andrew Walker
  • Publication number: 20120260325
    Abstract: A tool facilitates a balancing of security with usability enabling secure user access to multiple secure sites and locations from several computing devices. Access to the multiple secure sites and locations occurs by utilizing a roamable credential store (RCS), which is highly resistant to offline attack. The RCS facilitates a protected Unified Credential Vault (UCV) via a multi-stage encryption process such that user credentials are protected by making offline dictionary attacks prohibitively expensive to an attacker without causing usability to deteriorate commensurately.
    Type: Application
    Filed: June 15, 2012
    Publication date: October 11, 2012
    Applicant: MICROSOFT CORPORATION
    Inventor: Raghavendra Malpani
  • Patent number: 8286000
    Abstract: Techniques for dynamic generation and management of password dictionaries are presented. Passwords are parsed for recognizable terms. The terms are housed in dictionaries or databases. Statistics associated with the terms are maintained and managed. The statistics are used to provide strength values to the passwords and determine when passwords are acceptable and unacceptable.
    Type: Grant
    Filed: December 7, 2007
    Date of Patent: October 9, 2012
    Assignee: Novell, Inc.
    Inventors: Srinivas Vedula, Cameron Craig Morris
  • Patent number: 8286230
    Abstract: A method and apparatus for associating session ticket includes a ticketing authority server. The ticketing authority server receives a ticket generation request and information about a client node. It identifies a master session ticket associated in a storage element with the client node. The ticketing authority server then generates a derivative session ticket for the client node and associates the derivative session ticket with the master session ticket. Finally, the ticketing authority server stores information about the client node and the derivative session ticket in the storage element.
    Type: Grant
    Filed: May 19, 2010
    Date of Patent: October 9, 2012
    Assignee: Citrix Systems, Inc.
    Inventor: Timothy Simmons
  • Patent number: 8286227
    Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for performing multi-factor authentication. In one aspect, a method includes determining that the identity of a user has been successfully proven using a first of two or more authentication factors, allowing updates or requests for updates to be initiated after the identity of the user has been successfully proven using the first authentication factor, logging the updates or requests for updates that are initiated after the identity of the user has been successfully proven using the first authentication factor, determining that the identity of the user has not been successfully proven using a second of the two or more authentication factors, and reverting the updates, or discarding the requests for updates, based on determining that the identity of the user has not been successfully proven using the second authentication factor.
    Type: Grant
    Filed: September 30, 2011
    Date of Patent: October 9, 2012
    Assignee: Google Inc.
    Inventor: Lantian Zheng
  • Patent number: 8286002
    Abstract: The invention includes a method and apparatus for providing secure remote access to enterprise networks. An apparatus includes a network interface module adapted for maintaining a secure network connection with a network device independent of a power state of a host computer associated with the apparatus, a storage module for storing information associated with the secure connection, and a processor coupled to the network interface and the memory where the processor is adapted for automatically initiating the secure connection without user interaction.
    Type: Grant
    Filed: December 2, 2005
    Date of Patent: October 9, 2012
    Assignee: Alcatel Lucent
    Inventors: Sanjay D. Kamat, Pramod V. N. Koppol, Vijay Pochampalli Kumar, Dimitrios Stiliadis
  • Patent number: 8286226
    Abstract: A password registering method used in an electronic device includes displaying one visual dial on a touch screen of the electronic device; recording rotation parameters of the visual dial rotated by a user, and generating input information according to the rotation parameters; and registering the password according to the generated input information the user's confirming the rotation operation.
    Type: Grant
    Filed: January 25, 2010
    Date of Patent: October 9, 2012
    Assignees: Hong Fu Jin Precision Industry (ShenZhen) Co., Ltd., Hon Hai Precision Industry Co., Ltd.
    Inventor: Kui-Jun Wang
  • Publication number: 20120254958
    Abstract: The techniques of this disclosure generate a random network identifier to a network device to set up a wireless network. The generated random network identifier may be compared to network identifiers of other wireless networks within the range of the network device. If the generated network identifier matches any of the network identifiers within the range, a new random network identifier may be generated, until a generated network identifier does not match any of the network identifiers within the range. The network device may then assign the generated unique network identifier as the wireless network's network identifier and send the network identifier to all the devices that wish to join the wireless network.
    Type: Application
    Filed: March 30, 2011
    Publication date: October 4, 2012
    Applicant: HONEYWELL INTERNATIONAL INC.
    Inventors: Ramakrishna Budampati, Joseph Citrano, III
  • Publication number: 20120254957
    Abstract: A “trusted service” establishes a trust relationship with an identity provider and interacts with the identity provider over a trusted connection. The trusted service acquires a token from the identity provider for a given user (or set of users) without having to present the user's credentials. The trusted service then uses this token (e.g., directly, by invoking an API, by acquiring another token, or the like) to access and obtain a cloud service on a user's behalf even in the user's absence. This approach enables background services to perform operations within a hosted session (e.g., via OAuth-based APIs) without presenting user credentials or even having the user present.
    Type: Application
    Filed: March 28, 2011
    Publication date: October 4, 2012
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Michael John Fork, Vincent Edmund Price