Management Patents (Class 726/6)
-
Publication number: 20120254959
Abstract: A wireless device may perform a local authentication to reduce the traffic on a network. The local authentication may be performed using a local web server and/or a local OpenID provider (OP) associated with the wireless device. The local web server and/or local OP may be implemented on a security module, such as a smartcard or a trusted execution environment for example. The local OP and/or local web server may be used to implement a provisioning phase to derive a session key, associated with a service provider, from an authentication between the wireless device and the network. The session key may be reusable for subsequent local authentications to locally authenticate a user of the wireless device to the service provider.
Type: Application
Filed: September 20, 2011
Publication date: October 4, 2012
Applicant: INTERDIGITAL PATENT HOLDINGS, INC.
Inventors: Andreas SCHMIDT, Michael V. MEYERSTEIN, Andreas LEICHER, Yogendra C. SHAH, Louis J. GUCCIONE, Inhyok CHA
-
Patent number: 8281374
Abstract: Attested identities are provided. An applicant requests an attested identity. Attesting resources provide assertions that include roles, rights, and privileges for the attested identity. The collection of assertions from each of the attesting resources represents the attested identity.
Type: Grant
Filed: September 14, 2005
Date of Patent: October 2, 2012
Assignee: Oracle International Corporation
Inventor: Stephen R. Carter
-
Patent number: 8281386
Abstract: An authentication program on a network authenticator establishes a secure communication channel with an embedded device. The authentication program receives security credentials from an embedded device. The authentication program receives from the embedded device via the secure communication channel either a secret for the embedded device or a request to generate the secret for the embedded device. The authentication program registers the secret for the embedded device.
Type: Grant
Filed: December 21, 2005
Date of Patent: October 2, 2012
Assignee: Panasonic Corporation
Inventors: Thomas Milligan, Bryant Eastham
-
Patent number: 8281149
Abstract: Systems and methods are disclosed for privacy-preserving flexible user-selected anonymous and pseudonymous access at a relying party (RP), mediated by an identity provider (IdP). Anonymous access is unlinkable to any previous or future accesses of the user at the RP. Pseudonymous access allows the user to associate the access to a pseudonym previously registered at the RP. A pseudonym system is disclosed. The pseudonym system allows a large number of different and unlinkable pseudonyms to be generated using only a small number of secrets held by the user. The pseudonym system can generate tokens capable of including rich semantics in both a fixed format and a free format. The tokens can be used in obtaining from the IdP, confirmation of access privilege and/or of selective partial disclosure of user characteristics required for access at the RPs. The pseudonym system and associated protocols also support user-enabled linkability between pseudonyms.
Type: Grant
Filed: June 23, 2009
Date of Patent: October 2, 2012
Assignee: Google Inc.
Inventors: Bennet Laurie, Marcel M. Moti Yung
-
Patent number: 8281001
Abstract: A device-to-device network allows an entity to seamlessly access content stored on various devices. Many devices can be registered on a network; however, an entity will only have access to devices for which the entity is authorized to access. In one embodiment, the entity can only access devices that have been authenticated with the same username. While using the device-to-device network, an entity can transfer files, stream files, create and use play lists, send commands to various devices and explore the contents of various devices.
Type: Grant
Filed: September 19, 2001
Date of Patent: October 2, 2012
Assignee: Harman International Industries, Incorporated
Inventors: Vincent R. Busam, Shachar Ron, Scott R. Siegrist, Dannie C. Lau, Daniel Benyamin
-
Patent number: 8281379
Abstract: The present invention relates to the field of authentication of users of services over a computer network, more specifically within the paradigms of federated authentication or single sign-on. A known technique consists of associating different trust levels to different authentication mechanisms, wherein the respective trust levels give access to different information resources, notably to provide the possibility to protect more sensitive resources with a stronger form of authentication. The present invention provides a mechanism to allow the trust level to decrease without re-authenticating with the single sign on system, down to the level at which it is no longer sufficient to obtain access to a desired resource. Only then, the user needs to reauthenticate.
Type: Grant
Filed: November 13, 2008
Date of Patent: October 2, 2012
Assignee: Vasco Data Security, Inc.
Inventor: Frederik Noë
-
Patent number: 8281373
Abstract: A client apparatus transmits environmental information acquired from an environmental information acquisition device as well as a biometric authentication information matching result to a server apparatus. The server apparatus verifies the validity of the environmental information such as a luminance as well as the validity of the biometric authentication information matching result. If an environment is problematic, the server apparatus notifies the client apparatus that the environmental information is problematic. The client apparatus overcomes the problem of the environment such as the luminance based on the notification from the server apparatus and then retries a biometric authentication. The possibility of re-failure due to the environmental problem can be reduced during a retry of the biometric authentication.
Type: Grant
Filed: April 6, 2011
Date of Patent: October 2, 2012
Assignees: Kabushiki Kaisha Toshiba, Toshiba Solutions Corporation
Inventors: Yoshihiro Fujii, Minoru Nishizawa, Tatsuro Ikeda, Koji Okada, Tomoaki Morijiri, Hidehisa Takamizawa, Asahiko Yamada
-
Patent number: 8281365
Abstract: An information management method includes: receiving a request for certain operation of certain electronic information associated with operation right information that defines permitted operation for each user; determining as to whether or not at least one of (i) a history of previous operations, executed by the user, of the certain electronic information and (ii) a history of previous operations, executed by the user, of a location associated with the certain electronic information meets a predetermined condition, and if it is determined that the at least one of (i) the history of previous operations, executed by the user, of the certain electronic information and (ii) the history of previous operations, executed by the user, of the location associated with the certain electronic information meets the predetermined condition, starting to execute the certain operation.
Type: Grant
Filed: June 17, 2009
Date of Patent: October 2, 2012
Assignee: Fuji Xerox Co., Ltd.
Inventor: Noriaki Suzuki
-
Patent number: 8281376
Abstract: An authentication system includes a plurality of personal authentication servers, a client terminal, a replacing portion and a renewing portion. The plurality of personal authentication servers store at least a part of enrolled data different from each other for user personal authentication and perform authentication with stored enrolled data according to authentication request from a client terminal. The client terminal stores identification information for specifying the personal authentication server storing each enrolled data, and requests an authentication to the personal authentication server specified with the identification information. The replacing portion replaces at least a part of the enrolled data between the plurality of personal authentication servers according to the authentication request condition to the plurality of personal authentication servers from the client terminal. The renewing portion renews the identification information according to the replacing result of the replacing portion.
Type: Grant
Filed: August 13, 2009
Date of Patent: October 2, 2012
Assignee: Fujitsu Limited
Inventor: Ken Kamakura
-
Patent number: 8281144
Abstract: An ownership sharing method and apparatus using a secret key in a home network remote controller are provided. A user who owns a home device generates an ownership authentication key using the secret key shared with the home device through the user's terminal device, and transmits the ownership authentication key to a terminal device of a particular user who wishes to share the ownership. The particular user can use the home device using the shared ownership authentication key, allowing for ownership of a device in home network environments based on a secret key that can be easily shared, obviating complicated calculation procedures that are not needed to share the ownership between an owner of a device and his family or customers, and achieving high security that is guaranteed based on the secret key.
Type: Grant
Filed: January 4, 2007
Date of Patent: October 2, 2012
Assignee: Samsung Electronics Co., Ltd.
Inventors: Mi-suk Huh, Bae-eun Jung, Bum-jin Im
-
Patent number: 8281375
Abstract: A method including generating a first and second One Time Password (OTP) token from a shared clock, receiving a third OTP token, and comparing the second and the third OTP tokens. A system including a number generator residing on a first server to generate first and second One Time Password (OTP) tokens from a shared clock, a transmitter residing on the first server to transmit the first and the second OTP tokens, a receiver residing on a second server to receive the first, the second, and a third OTP tokens, and a comparator residing on the second server to compare the second and the third OTP tokens to authenticate an identity of a party who generates the third OTP token.
Type: Grant
Filed: January 5, 2007
Date of Patent: October 2, 2012
Assignee: eBay Inc.
Inventor: Christopher Jurgen von Krogh
-
Patent number: 8276194
Abstract: Method and systems for user authentication are provided according to the embodiments of the invention. The method mainly includes: sending, by a management station, an authentication request message of an authentication protocol to a managed device via a management protocol, and sending user authentication information to the managed device; and authenticating the user by the managed device via the authentication protocol or an authentication server based on the received user authentication information, and returning an authentication acknowledgement message of the authentication protocol carrying the authentication result to the management station via the management protocol. The system mainly includes a management station and a managed device; or, a management station, a managed device and a backend authentication server. With the present invention, methods and systems for user authentication with a good extensibility and a widened application are provided.
Type: Grant
Filed: July 29, 2009
Date of Patent: September 25, 2012
Assignee: Huawei Technologies Co., Ltd.
Inventors: Yuzhi Ma, Fuyou Miao
-
Patent number: 8276196
Abstract: Each of multiple computing devices of a user is registered by obtaining therefrom identifying indicia, obtaining from the user a device-specific password for the computing device, and storing the obtained identifying indicia and device-specific password for the computing device in an entry for the user in a credentials database. The user requests access to a restricted service by way of a particular one of the multiple computing devices with credentials including the device-specific password for the particular computing device, and identifying indicia are obtained therefrom. The obtained identifying indicia and the device-specific password of the particular computing device appear in the entry, and the user is thus granted access to the restricted service.
Type: Grant
Filed: August 18, 2008
Date of Patent: September 25, 2012
Assignee: United Services Automobile Association (USAA)
Inventor: Brian Francisco Shipley
-
Patent number: 8276195
Abstract: Described herein is a method that includes receiving multiple requests for access to an exposed media object, wherein the exposed media object represents a live media stream that is being generated by a media source. The method also includes receiving data associated with each entity that provided a request, and determining, for each entity, whether the entities that provided the request are authorized to access the media stream based at least in part upon the received data and splitting the media stream into multiple media streams, wherein a number of media streams corresponds to a number of authorized entities. The method also includes automatically applying at least one policy to at least one of the split media streams based at least in part upon the received data.
Type: Grant
Filed: January 2, 2008
Date of Patent: September 25, 2012
Assignee: Microsoft Corporation
Inventors: Rajesh K. Hegde, Cha Zhang, Philip A. Chou, Zicheng Liu
-
Patent number: 8275990
Abstract: A method for receiving/sending multimedia message uses a wireless LAN, and communicates with a gateway via the wireless LAN so as to send and receive multimedia messages. Furthermore, the gateway of the invention detects whether the user device is located within the wireless LAN. If yes, then multimedia messages are sent and received via the wireless LAN; and if not, then via conventional telecom network. The invention also discloses a corresponding gateway and a corresponding user device.
Type: Grant
Filed: August 8, 2009
Date of Patent: September 25, 2012
Assignee: International Business Machines Corporation
Inventors: Jun Shen, Song Song, Pei Sun, Jian Ming Zhang
-
Publication number: 20120239923
Abstract: A method of activating a wireless IP device by providing access to an installer to a customer's personal router or modem/router combination and providing access to the installer to a wireless Access Point which is supplied by the installer where the Access Point has a first slot for a default SSID2 password for a first wireless IP device and a second slot for an SSID1 password for a second wireless IP device. Connecting a first wireless IP device while in its initial or default state to the first slot where the first device and the wireless Access Point have a common default SSID2 code and factory preprogrammed public key and where, as soon as the device is powered up, the IP device immediately begins communicating through the wireless access point and the customer's router or modem/router to the internet, checking into a control server.
Type: Application
Filed: March 14, 2011
Publication date: September 20, 2012
Inventors: Thomas F. Karl, Jose Colucciello
-
Publication number: 20120239929
Abstract: A method and apparatus for providing a passphrase-based security setup for a hybrid network including multiple network interfaces configured for communicating over one or more communication media are provided. The method includes receiving a passphrase from a user at a network interface of the multiple network interfaces. The received passphrase is then used for authenticating the device for one or more network interfaces. The authentication can be performed irrespective of a communication medium used by the network interfaces.
Type: Application
Filed: March 14, 2012
Publication date: September 20, 2012
Applicant: QUALCOMM ATHEROS, INC.
Inventors: Richard E. NEWMAN, Sidney B. Schrum, Lawrence W. Yonge, III
-
Publication number: 20120239936
Abstract: Methods and apparatus, including computer program products, are provided for credential transfer. In one aspect there is provided a method. The method may include receiving, at a first device, an authorization token; determining, at the first device, a delegation token, one or more credentials, and metadata; and providing, by the first device to a second device, the delegation token, the one or more credentials, and the metadata. Related apparatus, systems, methods, and articles are also described.
Type: Application
Filed: December 18, 2009
Publication date: September 20, 2012
Applicant: NOKIA CORPORATION
Inventors: Silke Holtmanns, Nadarajah Asokan, Kari Timo Juhani Kostiainen
-
Publication number: 20120234923
Abstract: The field of invention relates generally to managing authentication data. The authentication management card is a current art standalone credit/smart card sized (100) processing (101) and memory device (102) (103) (104) that is powered by a battery with an extended life (105) with an integrated alphanumeric display (106) and an interface keypad (107) connected to the processor through the Input/Output Interface (108). The operating system on the card (401) verifies access to the authentication management card by a user entered PIN code (402). The application (403) provides the interface to the user to retrieve authentication data on the authentication management card using a PIN challenge. Random strong authentication data is stored either in an encrypted format (405) or in the form of an algorithm (404) on the card and can be retrieved using a PIN challenge.
Type: Application
Filed: June 8, 2011
Publication date: September 20, 2012
Applicant: VIVEKANANDA TAMMA
Inventor: VIVEKANANDA TAMMA
-
Publication number: 20120240206
Abstract: A wireless device user controls participation in a study panel. The device contains a data collection agent installed by the user, the manufacturer, or a distributor. The user enlists in a study panel. The essential steps include: a user obtains a panel identification identity and provides it to a data collection agent; the data collection agent receives the panel identification identity and uses it to initiate the transfer of a data collection profile. Upon receiving the data collection profile, the data collection agent on the wireless device is configured to participate in a specific study. The agent is controlled by the profile to record metrics and user selections, transform the data into a package, and transmit the package to a destination package reception server determined in the profile.
Type: Application
Filed: March 17, 2011
Publication date: September 20, 2012
Applicant: CARRIER IQ, INC.
Inventor: GEORGE E. HOFFMAN
-
Patent number: 8272039
Abstract: A hijack avoidance technique avoids presenting an access to more than one of a chain of authentication objects, such as a chain of Lightweight Directory Access Protocol (LDAP) authenticators. A pre-filter determines whether an authentication object should be presented with the access by comparing either all or a portion of a domain suffix, an IP address, or other identification other than the user ID with predetermined values. If the filter criterion is met, the associated authentication object accepts or rejects the access. Otherwise, the access is passed to the next authentication object in the chain. The first authentication object may be associated with a hosting entity and successive authentication objects each associated with different customers of the hosting entity.
Type: Grant
Filed: May 2, 2008
Date of Patent: September 18, 2012
Assignee: International Business Machines Corporation
Inventors: James S. Bennett, Peter Hawkins, Brent R. Phillips
-
Patent number: 8272028
Abstract: An approach for managing access to electronic documents uses document retention and document security policies. In response to detecting a request to access a particular electronic document stored on a network device, a document retention policy and a document security policy are applied to the particular electronic document. If, based upon application of the document retention policy to the particular electronic document, a determination is made that the particular electronic document is to be deleted, then the particular electronic document is deleted from the network device. If, based upon application of the document security policy to the particular electronic document, a determination is made that access to the particular electronic document should be denied, then access to the particular electronic document is denied.
Type: Grant
Filed: October 15, 2008
Date of Patent: September 18, 2012
Assignee: Ricoh Company, Ltd.
Inventor: Tetsuro Motoyama
-
Patent number: 8271804
Abstract: An information processing device creates a hash value from an event log every time the event occurs. The information processing device generates a digital signature by encrypting the hash value with its own private key. The device transmits the signature-bound event log obtained by binding the digital signature with the event log to a log management apparatus. The log management apparatus decrypts the hash value from the event log of the received signature-bound log information using a device public key. The apparatus also generates a new hash value from the event log, verifies the coincidence of the decrypted hash value and the new hash value, and authenticates signature-bound event logs for which this coincidence has been verified. The apparatus stores signature-bound event logs that have been authenticated. Every time an event occurs, the device transmits an event log bound with a digital signature that is created using its private key.
Type: Grant
Filed: September 17, 2008
Date of Patent: September 18, 2012
Assignee: Brother Kogyo Kabushiki Kaisha
Inventor: Yasuhiro Kudo
-
Patent number: 8272037
Abstract: The invention provides an apparatus and a method for improving the control of access by a terminal device in a WLAN environment having an access point for determining whether the device utilizes an IEEE 802.1x protocol by the access point communicating to the device, a packet, whereby if the device utilizes an IEEE 802.1x protocol the device appropriately responds and otherwise the access point determines that the terminal device protocol does not employ an IEEE 802.1x protocol and selects an authentication mechanism compatible with the terminal device. If the device is not an IEEE 802.1x client, an IP packet filtering is configured to redirect a user HTTP request to a local server, and when the HTTP requests are thereby redirected, the HTTP server presents the terminal device with information specifically related to the browser based authentication.
Type: Grant
Filed: March 12, 2004
Date of Patent: September 18, 2012
Assignee: Thomson Licensing
Inventors: Junbiao Zhang, Saurabh Mathur
-
Patent number: 8271588
Abstract: Systems and methods for filtering fraudulent email messages are described. In one embodiment, a method includes receiving an email message, determining whether the email message is indicative of fraud, and creating a fraud filter based on the email message if the email message is fraudulent.
Type: Grant
Filed: September 24, 2004
Date of Patent: September 18, 2012
Assignee: Symantec Corporation
Inventors: Mark Bruno, David Cowings, Sanford Jensen, Dylan Morss, Ken Schneider
-
Patent number: 8271797
Abstract: A user sets an apparatus name easily identified by the user to a terminal, transmits the apparatus name together with user identification information to a terminal management server for managing a terminal, and the terminal management server registers the apparatus name as associated with the user identification information, thereby allowing the terminal management server to uniquely identify each terminal based on the apparatus name associated with the user identification information. Furthermore, a user can easily identify an apparatus name, thereby realizing a service utilizing system capable of reducing the laborious procedure of operating the terminal management server, and easily identifying each terminal.
Type: Grant
Filed: May 18, 2004
Date of Patent: September 18, 2012
Assignee: Sony Corporation
Inventors: Satoshi Araki, Jun Moriya, Toshikazu Minoshima, Junichi Nakamura, Naoki Yuasa, Shinsuke Yamashita, Yasuhiro Murase
-
Patent number: 8272038
Abstract: A method for authorizing access to a first computing device is provided. The method comprises the first computing device forming a challenge, encoding the challenge into a symbol, and displaying the symbol. The first computing device receives a request for access from a user. Access to the first computing device is allowed in response to provision of an access code to the first computing device by the user. The access code is formed by a server in response to capturing the symbol, decoding the symbol into the challenge, forming a request from the challenge, and providing the request to the server. The server forms a decision to allow access by the user to the first computing device.
Type: Grant
Filed: May 19, 2008
Date of Patent: September 18, 2012
Assignee: International Business Machines Corporation
Inventors: Dirk Husemann, Micheal Elton Nidd
-
Patent number: 8272036
Abstract: Systems and methods for authentication using paired dynamic secrets in secured wireless networks are provided. Each authenticated user is assigned a random secret generated so as to be unique to the user. The secret is associated with a wireless interface belonging to the user, so that no other wireless interface may use the same secret to access the network. The secret may be updated either periodically or at the request of a network administrator, and reauthentication of the wireless network may be required.
Type: Grant
Filed: July 28, 2010
Date of Patent: September 18, 2012
Assignee: Ruckus Wireless, Inc.
Inventors: Tyan-Shu Jou, Ming Sheu, Bo-Chieh Yang, Tian-Yuan Lin, Ted Tsei Kuo
-
Patent number: 8272047
Abstract: A receiving unit receives information selected by a user on an operating screen. A detecting unit detects a function executing part corresponding to the information received by the receiving unit. A determining unit determines that the user authentication is required when a function is to be executed, when “the user authentication is required” is set for at least any one of a function allocated to a function executing part that is detected by the detecting unit, the function allocated to another function executing part, and the operating screen that includes the function executing part to which the function is allocated. A function executing unit executes a function allocated to the function executing part selected by the user, wherein the user is authorized to execute the function.
Type: Grant
Filed: May 29, 2008
Date of Patent: September 18, 2012
Assignee: Fuji Xerox Co., Ltd.
Inventor: Takanori Masui
-
Publication number: 20120233675
Abstract: Embodiments of the invention provide systems and methods for the storage of One-Time Passwords (OTPs) on a device (principal) that needs to authenticate from time to time. It utilizes recent availability of data storage capacity not previously exploited in this arena. Also disclosed is the means to initialize and modify the system (all principals) in a secure manner, and the means to store the OTP production means on a device in a secure manner, even if the device has no built-in protected storage.
Type: Application
Filed: March 9, 2011
Publication date: September 13, 2012
Applicant: Computer Associates Think, Inc.
Inventor: Geoffrey Hird
-
Publication number: 20120233674
Abstract: Techniques are disclosed for improving security in virtual private network. In one embodiment, key information is generated for a virtual private network (VPN) connection between a first device and a second device. A plurality of shares is then generated based on the key information. A first set of one or more shares is stored on a dongle that is paired to the first device. A second set of one or more shares is stored on the first device. In response to a request to resume the VPN connection, the first set of shares is retrieved from the dongle. The key information is reconstructed based on the first set of shares and the second set of shares. The reconstructed key information may then be used to resume the VPN connection.
Type: Application
Filed: March 8, 2011
Publication date: September 13, 2012
Inventors: Philip John Steuart Gladstone, David A. McGrew
-
Patent number: 8266679
Abstract: An information processing system is supplied capable of holding a security; and transferring an output authority which is had by a transfer source portability terminal to a transfer destination portability terminal.
Type: Grant
Filed: August 26, 2008
Date of Patent: September 11, 2012
Assignee: Oki Data Corporation
Inventor: Fumiaki Yoshida
-
Patent number: 8261347
Abstract: A security system for a computer network that has a plurality of devices connected thereto comprises a security subsystem, a master system and a secure link. The security subsystem is connected to at least some of the devices in the network. The security subsystem is configured to monitor activities of the at least some devices on the network and detect attacks on the at least some devices. The master system monitors the integrity of the security subsystem and registers information pertaining to attacks detected by the security subsystem. The secure link is connected between the security subsystem and the master system. The master system monitors the integrity of the security subsystem and receives the information pertaining to the attacks through the secure link.
Type: Grant
Filed: September 4, 2008
Date of Patent: September 4, 2012
Assignee: Solutionary, Inc.
Inventors: Michael Hrabik, Jeffrey J. Guilfoyle, Edward Mac Beaver
-
Patent number: 8261343
Abstract: A mobile terminal apparatus is provided to process a copyright-protected content based on rights that permit the processing of the content. The mobile terminal apparatus includes a priority information selecting unit selecting a piece of priority information associated with one of many processing conditions for the content to be processed, from among pieces of priority information for determining a priority for each of the rights. The mobile terminal apparatus also includes a right selecting unit determining a priority of each of the rights based on the selected piece of priority information, and selecting a right having a highest priority among the rights, according to the determined priority. The mobile terminal apparatus also includes a content processing unit processing the content based on the selected right.
Type: Grant
Filed: April 11, 2008
Date of Patent: September 4, 2012
Assignee: Panasonic Corporation
Inventors: Mami Kuramitsu, Hideki Fujimori, Futoshi Nakabe
-
Patent number: 8261096
Abstract: An information processing apparatus, an information recording medium, an information processing method, and a computer program are provided. In an information recording medium storing many pieces of content, a configuration that allows use management on segmented content basis is provided. A plurality of content management units corresponding to title, index and other information are set by partitioning stored content in an information recording medium. Different unit keys that are encryption keys are allocated to different content management units. At least the content real data included in each content management unit is encrypted by use of the unit key and the encrypted data is stored. In content reproduction, units are identified and decryption is executed by use of a unit key corresponding to each unit for reproduction. In an information recording medium storing many pieces of content for example, each of segmented pieces of content may be managed.
Type: Grant
Filed: August 10, 2004
Date of Patent: September 4, 2012
Assignee: Sony Corporation
Inventors: Yoshikazu Takashima, Tomoyuki Asano, Satoshi Kitani, Katsumi Muramatsu, Jun Yonemitsu, Kenjiro Ueda
-
Patent number: 8261333
Abstract: A biometrics authentication system using biometrics media simplifies the process, and reduces the costs, of issuing a portable communication terminal having biometrics functions. A biometrics application program is downloaded from a server to a portable communication terminal, an area for authenticated biometrics information is caused to be created, and biometrics information on an individual card of the user is stored in a common area of the portable communication terminal. Thus, the portable communication terminal has the functions of an individual card storing biometrics information, and the portable communication terminal can be used as an individual card for biometrics authentication.
Type: Grant
Filed: March 1, 2006
Date of Patent: September 4, 2012
Assignees: Fujitsu Limited, Fujitsu Frontech Limited
Inventors: Kiyotaka Awatsu, Masanori Ohkoshi, Takahiro Kudoh, Kazuhiro Akutsu, Yoshiharu Ogawa
-
Patent number: 8260885
Abstract: Bootstrapping an electronic communication device in a communications network by receiving a detection message from a detection source that a new device/subscriber combination is detected by the communications network and sending a notification message with basic device management parameters and subscriber identification to an operator's business system, notifying the operator's business system that a new device/subscriber combination has been detected, and to send—in response to the notification message—an order message to a smartcard management system to update a smartcard of the device with the basic device management parameters.
Type: Grant
Filed: December 21, 2007
Date of Patent: September 4, 2012
Assignee: Telefonaktiebolaget L M Ericsson (Publ)
Inventor: Magnus Lindström
-
Patent number: 8261081
Abstract: A method is provided to perform network access control. A computing device utilizing Online Certificate Status Protocol responder functionality determines whether attempted communication should be allowed between other computing devices appropriately configured with Internet Protocol Security (IPsec), digital certificates and OCSP client software. This determination is based on a set of rules considering the role or roles of the computing devices attempting to communicate, and whether the computing devices attempting to communicate have previously exhibited suspicious or undesirable behavior.
Type: Grant
Filed: February 12, 2010
Date of Patent: September 4, 2012
Inventor: Steven Charles McLeod
-
Publication number: 20120222099
Abstract: A multifactor authentication (MFA) enforcement server provides multifactor authentication services to users and existing services. During registration, the MFA enforcement server changes a user's password on an existing service to a password unknown to the user. During normal usage when the user accesses the existing service through the MFA enforcement server, the MFA enforcement server enforces a multifactor authentication enforcement policy.
Type: Application
Filed: February 28, 2011
Publication date: August 30, 2012
Applicant: TYFONE, INC.
Inventors: Siva G. Narendra, Donald Allen Bloodworth, Todd Raymond Nuzum
-
Patent number: 8255982
Abstract: The present invention facilitates access to a restricted service related to secure transactions via a network. The present invention allows a user to select a minimum security level of authentication for its own login to a restricted service. The user's selected minimum security level of authentication may be registered in an authentication method system, so that the user must use the selected minimum security level for authentication in order to gain access to the restricted service. Alternatively, the user may specify that the selected minimum security level for authentication may be over-turned by the user, or optionally re-set to a new authentication method depending on the needs of the user. As such, the present invention allows the user the flexibility to select its own authentication method for accessing a restricted service.
Type: Grant
Filed: April 22, 2011
Date of Patent: August 28, 2012
Assignee: American Express Travel Related Services Company, Inc.
Inventors: James M. Foley, Rick D. Johnson, Anant Nambiar
-
Patent number: 8256014
Abstract: When a PC 10 connects to a PD 20, the PC 10 decides whether or not the PD 20 holds a group ID and if the PC 10 decides PD 20 holds the group ID, PC 10 decides whether or not the group ID held in the PC 10 and the group ID held in the PD 20 coincide with each other. If the both IDs are not decided that they don't coincide with each other, the PC 10 acquires a device ID corresponding to PD 20 from PD 20 and transfers the device ID and a terminal ID of the PC 10 to a server apparatus 32. Then the PC 10 receives, from the server apparatus 32, a user link completion information representative that an association between first user ID corresponding to the terminal ID and second user ID corresponding to the device ID is completed.
Type: Grant
Filed: September 29, 2006
Date of Patent: August 28, 2012
Assignee: Sony Corporation
Inventors: Takayuki Kori, Takashi Kawakami, Susumu Takatsuka, Hideo Tsukazaki, Kotaro Asaka
-
Patent number: 8254579
Abstract: Cryptographic keys are distributed to computer systems to be remotely managed by a management node. First secure channels are established between the management node and trusted computing platforms associated with the computer systems. Cryptographic keys are sent to the trusted computing platforms via the first secure channels, wherein the cryptographic keys are stored in the trusted computing platforms and retrieved from the trusted computing platforms by the computer systems. Second secure channels are established with the computer systems using the retrieved cryptographic keys. Commands are remotely executed on one or more of the computer systems via the second secure channels.
Type: Grant
Filed: January 31, 2007
Date of Patent: August 28, 2012
Assignee: Hewlett-Packard Development Company, L.P.
Inventors: Jeffery A. Morgan, John C. Schettino, Chandrasekar Venkatraman
-
Patent number: 8255465
Abstract: Methods and systems for communicating information between computer networks in which the information to be communicated is required at one location (e.g. for processing) but only available at another location. The information may be absent deliberately (for privacy reasons) or may simply be unavailable as an artifact of the computer network(s) involved. The required information, such as the internal client IP address, is inserted into the outgoing network communication in a manner that does not materially affect the normal transit or utility of the network communication (e.g. as custom headers). The information is preferably inserted in an encrypted form, so that it may pass over a public network and be invulnerable to unauthorised scrutiny.
Type: Grant
Filed: September 22, 2006
Date of Patent: August 28, 2012
Assignee: ScanSafe Limited
Inventor: John Edwards
-
Patent number: 8255697
Abstract: A portable or embedded access device is provided for being coupled to, and for allowing only authorized users access to, an access-limited apparatus, device, network or system, e.g. a computer terminal, an internet bank or a corporate or government intranet. The access device comprises an integrated circuit (IC) providing increased security by bridging the functionality of biometrics input from a user and, upon positive authentication of the user's fingerprint locally to provide secure communication with the said access-limited apparatus, device, network or system, whether local or remote. A corresponding method of using the portable device or the embedded device is disclosed for providing a bridge from biometrics input to a computer locally, into secure communication protocol responses to a non-biometrics network. A method of providing secured access control and user input in stand-alone appliances having an embedded access control or user input device according to the invention is also disclosed.
Type: Grant
Filed: December 28, 2007
Date of Patent: August 28, 2012
Assignee: Bware AS
Inventors: Svein Mathiassen, Ivar Mathiassen
-
Patent number: 8255975
Abstract: Machine-readable media, methods, apparatus and system for a community-based trust are provided. In an embodiment, it may be determined whether a requesting node obtains a trust from a targeting node through an endorsement from an intermediate node. If the requesting node obtains the trust through the endorsement from the intermediate node, an intermediate trust level that indicates how much the targeting node trusts the intermediate node may be obtained; and a new trust level that indicates how much the targeting node trusts the requesting node may be calculated based upon the intermediate trust level.
Type: Grant
Filed: September 5, 2007
Date of Patent: August 28, 2012
Assignee: Intel Corporation
Inventors: Hong Li, Rita H. Wouhaybi
-
Patent number: 8254571
Abstract: A halting key derivation function is provided. A setup process scrambles a user-supplied password and a random string in a loop. When the loop is halted by user input, the setup process may generate verification information and a cryptographic key. The key may be used to encrypt data. During a subsequent password verification and key recovery process, the verification information is retrieved, a user-supplied trial password obtained, and both are used together to recover the key using a loop computation. During the loop, the verification process repeatedly tests the results produced by the looping scrambling function against the verification information. In case of match, the trial password is correct and a cryptographic key matching the key produced by the setup process may be generated and used for data decryption. As long as there is no match, the loop may continue indefinitely until interrupted exogenously, such as by user input.
Type: Grant
Filed: December 21, 2007
Date of Patent: August 28, 2012
Assignee: Voltage Security, Inc.
Inventor: Xavier Boyen
-
Publication number: 20120216264
Abstract: A workflow request having a set of device specific operations and credentials is obtained. The workflow request is parsed to locate at least one of the set of device specific operations and credentials. The located device specific operations and credentials are replaced with at least one logical device operation and logical credentials to create a generalized credential and protocol workflow.
Type: Application
Filed: May 2, 2012
Publication date: August 23, 2012
Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Andrew N. Trossman, Gabriel Iszlai, Michael L. Y. Li
-
Publication number: 20120216263
Abstract: A user of a first packet-based communication network is authorised to access a second packet-based communication network. In at least some embodiments, an authorisation request is received from a user terminal of the user at a first network element of the first packet-based communication network, the authorisation request comprising a first user identity. Responsive to the authorisation request, a request is transmitted to create a second user identity from the first network element to a second network element of the second packet-based communication network. The second network element creates the second user identity for use in the second packet-based communication network, the second user identity being derivable from the first user identity according to a predetermined rule. The second user identity in the second packet-based communication network is stored for use with subsequent communication events over the second packet-based communication network.
Type: Application
Filed: April 30, 2012
Publication date: August 23, 2012
Applicant: Skype
Inventor: Andres Kütt
-
Publication number: 20120214443
Abstract: Tokens can be sent from a token generator using wireless radio frequency signals, such as in the form of a network name. A computing device operates in a first mode when receiving the tokens and in a second mode when not receiving the tokens. Also, the network name can include a URL, a part of a URL, or data usable to obtain a URL. A computing device can utilize the URL to obtain content from a data communication network. The computing device can display a link to the content, which may include a graphical icon associated with the content.
Type: Application
Filed: August 26, 2011
Publication date: August 23, 2012
Applicant: WHEREPRO, LLC
Inventor: Mark R. Daigle
-
Patent number: 8250633
Abstract: In various embodiments, techniques for flexible resource authentication are provided. A principal attempts to login to a target resource using first credentials. The target resource does not recognize the first credentials and in response thereto forwards the first credentials to an identity service. The identity service authenticates the principal via the first credentials and supplies second credentials to the target resource. The target resource recognizes and authenticates the second credentials and grants access to the principal.
Type: Grant
Filed: October 26, 2007
Date of Patent: August 21, 2012
Assignee: EMC Corporation
Inventors: Srinivas Vedula, Larry Hal Henderson, Stephen Kent Winn