Management Patents (Class 726/6)
-
Publication number: 20120084846
Abstract: This disclosure is directed for improved techniques for configuring a device to generate a secondary password based at least in part on a secure authentication key. The techniques of this disclosure may, in some examples, provide for capturing, by a computing device, an image of a display of another computing device. The captured image includes at least one encoded graphical image, such as a barcode, that includes an indication of the content of a secure authentication key. The computing device may use the secure authentication key to generate a secondary password to be used in conjunction with a primary password to gain access to a password-protected web service.
Type: Application
Filed: September 30, 2011
Publication date: April 5, 2012
Applicant: GOOGLE INC.
Inventors: Stephen A. Weis, Travis E. McCoy, Andrew D. Hintz, Iain P. Wade
-
Publication number: 20120084845
Abstract: A tamperproof ClientID system to uniquely identify a client machine is invoked upon connection of a client application to a backend. Upon initial connection, the backend issues a unique ClientID containing a checksum. The client application prepares at least two different scrambled versions of the ClientID and stores them in respective predetermined locations on the client machine. Upon subsequent connection to the backend, the client application retrieves and unscrambles the values at the two locations, verifies the checksums and compares the values. If the checksums are both correct and the values match, the ClientID value is sent to the backend, otherwise the client application sends an error code.
Type: Application
Filed: August 15, 2011
Publication date: April 5, 2012
Inventor: Daniil Utin
-
Publication number: 20120084571
Abstract: This disclosure is directed for improved techniques for configuring a device to generate a secondary password based at least in part on a secure authentication key. The techniques of this disclosure may, in some examples, provide for capturing, by a computing device, an image of a display of another computing device. The captured image includes at least one encoded graphical image, such as a barcode, that includes an indication of the content of a secure authentication key. The computing device may use the secure authentication key to generate a secondary password to be used in conjunction with a primary password to gain access to a password-protected web service.
Type: Application
Filed: September 30, 2010
Publication date: April 5, 2012
Applicant: GOOGLE INC.
Inventors: Stephen A. Weis, Travis E. McCoy, Andrew D. Hintz, Iain P. Wade
-
Patent number: 8150035
Abstract: According to a first aspect there is provided systems and methods for receiving an encrypted signal from a portable communication device, the encrypted signal containing information associated with a command; and decrypting the encrypted signal to enable a set-top box to execute the command. According to a second aspect there is provided systems and methods for encrypting information to generate an encrypted signal, the information associated with a command entered via a control; and communicating the encrypted signal to the set-top box, the encrypted signal for decryption at the set-top box to enable execution of the command to operate the set-top box.
Type: Grant
Filed: August 4, 2010
Date of Patent: April 3, 2012
Assignee: AT&T Intellectual Property I, LP
Inventors: John McClenny, Steven M. Wollmerhouser, Brian Wilson
-
Patent number: 8151324
Abstract: An accessor function interfaces among a client, a relying party, and an identity provider. The identity provider can “manage” personal (i.e., self-asserted) information cards on behalf of a user, making the personal information cards available on clients on which the personal information cards are not installed. The client can be an untrusted client, vulnerable to attacks such as key logging, screen capture, and memory interrogation. The accessor function can also act as a proxy for the relying party in terms of invoking and using the information cards system, for use with legacy relying parties.
Type: Grant
Filed: April 29, 2008
Date of Patent: April 3, 2012
Inventors: Lloyd Leon Burch, Daniel S. Sanders, Andrew A. Hodgkinson, Stephen R. Carter
-
Patent number: 8151339
Abstract: Multiple non-conflicting actions associated with filter rules may be located and applied to a packet using a single ACL lookup by causing action records to be created from ACEs in the ACL, and then causing the ACL lookup to return the action record rather than any one particular ACE. Radix tables may be created to enable a search engine to quickly locate the appropriate action record based on a particular set of attributes associated with the incoming packet. The action record can contain multiple actions taken from multiple ACEs that apply to the particular packet. By grouping all the actions into an action record, and then searching for an action record that applies to the packet, it is possible to apply all non-conflicting actions to the packet regardless of the number of ACEs that are used to specify those actions. Since all the actions are located together, the actions of all ACEs may be applied to a packet using a single ACL lookup.
Type: Grant
Filed: December 23, 2005
Date of Patent: April 3, 2012
Assignee: Avaya, Inc.
Inventors: Vikram Ramachandran, Alexandros Moisiadis, Mohnish Anumala, Debin Zhang, Hong-Zhou Li
-
Patent number: 8151325
Abstract: Methods and computer-readable media are provided to enable an Internet protocol (IP) data session to be established between a mobile device and a telecommunications network. To establish an IP data session, it may be determined, prior to authenticating the device, whether the device is authorized to communicate via IPv4, IPv6, or both. A mobile device may be capable of communicating via both IPv4 and IPv6, such as a dual-stack device, but the device may only be authorized for either IPv4 or IPv6. A request to establish the IP data session may first be received from a mobile device, and an IP version with which the mobile device is authorized to communicate may then be determined by querying a customer-profile database. This authorization information may be communicated to an authentication component that authenticates the devices, and subsequently, an IP data session is initiated.
Type: Grant
Filed: January 29, 2009
Date of Patent: April 3, 2012
Assignee: Sprint Communications Company L.P.
Inventors: John H. Bennett, III, Jeremy R. Breau, Brent B. Hirschman, Terry D. Nebergall, Frederick C. Rogers
-
Patent number: 8151331
Abstract: A design information providing system, which does not allow continuation of manufacturing of products unless a patent license contract is concluded, includes a terminal apparatus (40a) of a user manufacturing a product (BD player (50)) and includes a patent license issuing server (20a) issuing, to the terminal apparatus (40a), a contract certificate (60) certifying the conclusion of the contract, when a contract for a license necessary for manufacturing the BD player (50) is concluded with the user of the terminal apparatus (40a). Further, the design information providing system includes a design information providing server (an encryption key issuing server (30a)) transmitting an encryption key (80) to the terminal apparatus (40a) on condition of the confirmation of the contract certificate (60), when a request for design information (encryption key (80)) unique to the BD player (50) is transmitted from the terminal apparatus (40a).
Type: Grant
Filed: November 28, 2006
Date of Patent: April 3, 2012
Assignee: Panasonic Corporation
Inventors: Motoji Ohmori, Shunji Ohara, Takashi Katayama, Masayuki Kozuka
-
Patent number: 8151327
Abstract: The invention provides methods and apparatus for detecting when an online session is compromised. A plurality of device fingerprints may be collected from a user computer that is associated with a designated Session ID. A server may include pages that are delivered to a user for viewing in a browser at which time device fingerprints and Session ID information are collected. By collecting device fingerprints and session information at several locations among the pages delivered by the server throughout an online session, and not only one time or at log-in, a comparison between the fingerprints in association with a Session ID can identify the likelihood of session tampering and man-in-the-middle attacks.
Type: Grant
Filed: March 30, 2007
Date of Patent: April 3, 2012
Assignee: The 41st Parameter, Inc.
Inventor: Ori Eisen
-
Patent number: 8151334
Abstract: A removable communication card for mobile network devices, respectively a corresponding authentication method, which communication card includes a network interface module for bidirectional transmission of data with a network, an identification module for storing identification data for users, a measurement device for capturing biometric features of a user, and an analysis module with a processor unit for comparison with the stored identification data for the user.
Type: Grant
Filed: October 7, 2005
Date of Patent: April 3, 2012
Assignee: Swisscom AG
Inventor: Eric Lauper
-
Publication number: 20120079572
Abstract: A user token management system in a client device on a network comprises an obtaining module, a web controller and a processing module. The obtaining module obtains a user token from a database in response to a retrieving request for retrieving authorization of a web service provider on the network. The web controller transmits an authenticating request for authenticating the user token to the web service provider and receives an authentication result authenticating the user token. The processing module deletes the user token from the database when that user token is not authenticated by the web service provider.
Type: Application
Filed: July 5, 2011
Publication date: March 29, 2012
Applicant: HON HAI PRECISION INDUSTRY CO., LTD.
Inventors: TENG-YU TSAI, JING-LIN WU, TING-CHIEH LIN
-
Publication number: 20120079574
Abstract: A mechanism for strengthening authentication credentials for accessing any number of applications across multiple access interfaces and across multiple remote access sites is disclosed. The applications can be accessed by a set of authorized users by using multiple instances of a predictive scheme for generating and synchronizing the authentication credentials and by leveraging pre-existing infrastructure associated with the applications.
Type: Application
Filed: October 14, 2011
Publication date: March 29, 2012
Applicant: International Business Machines Corporation
Inventors: Eng-Kiat Koh, Mok Ku, Chee Meng Low, Peng T. Ong
-
Publication number: 20120079571
Abstract: A method receives a user login from a user. The method grants, to the user, access to a user account of the user maintained by a computerized document management system based on the user login. The computerized document management system is accessible to a plurality of users. The method receives a request from the user to provide a requested document and the method determines whether the requested document should be password protected. If the requested document should be password protected, the method generates a unique password for the requested document. The unique password is unique to the user and is based upon information contained within the user account by the computerized document management system. Again, if the requested document should be password protected, the method adds the unique password to the requested document to generate a password-protected document and sends the password-protected document to the first user.
Type: Application
Filed: September 29, 2010
Publication date: March 29, 2012
Applicant: XEROX CORPORATION
Inventors: Michael J. Evan, Jonathan D. Levine, Donald M. Pangrazio, III
-
Publication number: 20120079573
Abstract: A user terminal includes a diagnosing unit 23 conducting a password diagnosis based on a password trial; a recording unit 24 recording time related to the password diagnosis; an information acquiring unit 21 acquiring the time related to the password diagnosis of the last time, which is recorded by the recording unit 24, as the time of last diagnosis and acquiring reference time for determining whether the password diagnosis is required or not; and a determining unit 22 determining whether or not the time of last diagnosis conforms with a predetermined condition with the reference time serving as a benchmark, wherein the diagnosing unit 23, if the determining unit 22 determines that the time of last diagnosis conforms with the predetermined condition with the reference time serving as the benchmark, performs the password diagnosis.
Type: Application
Filed: September 1, 2011
Publication date: March 29, 2012
Applicant: PFU LIMITED
Inventors: Akihiro Sagawa, Yasuhiko Kometani, Akira Kubota, Kenichi Higashide
-
Patent number: 8146134
Abstract: Securing large networks having heterogeneous computing resources including provision of multiple services both to clients within and outside of the network, multiple sites, security zones, and other characteristics is provided using access control functionality implemented at hosts within the network. The access control functionality includes respective access control policies for indicating to each host from which other computers it can accept connections. Content of the access control policies can be determined based on application data flow needs, and can draw information from databases including DNS and security zone information for hosts to which the access control policies will be applied. Access control policies can be formatted automatically for different hosts with different characteristics from the same base logical rule set.
Type: Grant
Filed: October 28, 2008
Date of Patent: March 27, 2012
Assignee: Yahoo! Inc.
Inventors: Adam Bechtel, Jayanth Vijayaraghavan, Kuai Xu, Pradeep Hodigere, Herbert Ong
-
Patent number: 8146143
Abstract: In some embodiments, techniques for information security include receiving information related to an authentication credential, wherein the information is related to a failed authentication attempt; determining whether the authentication credential is related to a valid account; and performing a security measure related to the valid account, if it is determined that the authentication credential is related to the valid account. In some embodiments, techniques for information security include determining that an authentication attempt has failed, applying a privacy-performing transformation such as a cryptographic hash or encryption to an authentication credential, and distributing the privacy-preserved credential. In some embodiments, techniques for information security include receiving and redistributing a privacy-preserved authentication credential.
Type: Grant
Filed: March 31, 2006
Date of Patent: March 27, 2012
Inventors: Aaron T. Emigh, James A. Roskind
-
Patent number: 8146139
Abstract: The invention relates to the authentication of users for a multi-function peripheral (MFP) device using handwritten signatures. Systems and methods are disclosed which relate to a MFP that conditions access to MFP operations based on an authenticating process that compares a prospective user's signature to previously saved signatures. The signatures are communicated to the MFP using the MFP's native scanning function.
Type: Grant
Filed: June 30, 2006
Date of Patent: March 27, 2012
Assignee: Samsung Electronics Co., Ltd.
Inventors: Mark Gaines, Constantinos Kardamilas, Steve Livengood
-
Patent number: 8146142
Abstract: In an embodiment, a method includes registering applications and network services for notification of an out-of-band introduction, and using the out-of-band introduction to bootstrap secure in-band provisioning of credentials and policies that are used to control subsequent access and resource sharing on an in-band channel. In another embodiment, an apparatus implements the method.
Type: Grant
Filed: September 3, 2004
Date of Patent: March 27, 2012
Assignee: Intel Corporation
Inventors: Victor B. Lortz, Jesse R. Walker, Shriharsha S. Hegde, Amol A. Kulkarni, Tsung-Yuan C. Tai
-
Publication number: 20120072718
Abstract: A method of establishing a communication channel between a network client and a computer server over a network is described. The network client may be configured to communicate with the computer server over the network and to communicate with a token manager. The token manager may be configured with a parent digital certificate that is associated with the token manager. The token manager or network client generates a credential from the parent digital certificate, and transmits the credential to the computer server. The credential may be associated with the computer server. The network client may establish the communications channel with the computer server in accordance with an outcome of a determination of validity of the credential by the computer server.
Type: Application
Filed: November 4, 2009
Publication date: March 22, 2012
Inventors: Troy Jacob Ronda, Pierre Antoine Roberge, Patrick Hans Engel, Rene Mciver, Gregory Howard Wolfond, Andre Michael Boysen
-
Publication number: 20120072975
Abstract: An authentication system is provided. The authentication system comprises a first component configured to obtain information specific to an individual, a second component configured to dynamically formulate at least one challenge question based on the information, a third component configured to cause the at least one challenge question to be presented on a device when the device is used to perform an act that involves authentication, and a fourth component configured to judge authenticity based on an answer to the at least one challenge question.
Type: Application
Filed: March 21, 2011
Publication date: March 22, 2012
Applicants: CERTICOM CORP., RESEARCH IN MOTION LIMITED
Inventors: Christopher Labrador, Adrian Antipa, Russ F. Marsden
-
Publication number: 20120072977
Abstract: A centralized password repository (CPR) provides network users with a password portal through which the user can manage password access to domains and applications on the network. A subset of the domains and applications on the network may be required, by design, to maintain a separate password infrastructure. For these systems, the CPR establishes a secure and authenticated communication channel and software on the system interfaces with the password infrastructure to synchronize the password in the system password infrastructure with the password in the CPR. For other systems not required to maintain a separate password infrastructure, the CPR performs password services by responding to requests from those systems seeking to validate user IDs and passwords. The CPR enables an administrator to modify network privileges and enables a user to alter passwords on the network through a single interface.
Type: Application
Filed: November 23, 2011
Publication date: March 22, 2012
Inventor: Christopher Raymond Lewis
-
Publication number: 20120072976
Abstract: A secure network access point transmits a beacon transmission. A user device receiving it determines it does not have credentials necessary to attach with the secure network access point, and so a preliminary association is formed between the user device and the secure network access point. During the preliminary association, the user device receives or creates credentials necessary to associate with the secure network access point, forms an association with the secure network access point using the received or created credentials, and obtains internet connectivity via the secure network access point. In this embodiment there is only the secure network access point, but in another embodiment there is also a non-secure network access point which transmits a beacon using the same SSID as the secure network access point, and the preliminary association is with the non-secure network access point.
Type: Application
Filed: September 16, 2011
Publication date: March 22, 2012
Inventors: Basavaraj Patil, Gabor Bajko
-
Patent number: 8140866
Abstract: A node may contain a secure store agent. A process executing on the node may request connection information from the secure store agent. An encryption key phrase may be accessed, responsive to the request for connection information, to decrypt the requested connection information. The requested connection information may be obtained from a secure storage file in a file system.
Type: Grant
Filed: November 17, 2009
Date of Patent: March 20, 2012
Assignee: SAP AG
Inventors: Georg C. Becker, Ralf Kuersch, Dietmar Theobald, Juergen Schneider
-
Patent number: 8141136
Abstract: The present invention discloses a method and system of replacing smart cards. It uses a new identification device (a new SIM) to replace an old one (an old SIM) associated with a user account. The new identification device has an identification number (ICCID). The new identification device is activated in the following manner. The old identification device communicates with an identification-management center through a communication interface (mobile telephone). And the identification-management center recognizes the old identification device. The identification number of the new identification device is sent to the identification-management center through the communication interface. The identification-management center checks the identification number. If the identification number is correct, the user account will be assigned to the new identification device by the identification-management center.
Type: Grant
Filed: May 12, 2003
Date of Patent: March 20, 2012
Assignee: Gemalto SA
Inventors: Ping Lee, Cedric Collomb, Hong Wei Cao, Xu Wu, Simon Choi, Jian Wu
-
Patent number: 8141137
Abstract: Authentication of a subscriber identity module issued by IMT-2000 network operator is performed with no decrease in the confidentiality of calculation processing, even in cases such as when a roaming network is a GSM network. An HLR of an IMT-2000 mobile communication network comprises an algorithm information attachment unit for attaching, to a RAND field of an authentication vector used to authenticate a USIM, information specifying an algorithm to be used in the authentication calculation.
Type: Grant
Filed: June 28, 2005
Date of Patent: March 20, 2012
Assignee: NTT DoCoMo, Inc.
Inventor: Hidetoshi Ishikawa
-
Publication number: 20120066748
Abstract: An approach is presented for authenticating access by a service. The server receives a request, from a service, for the server, wherein the request includes, at least in part, a service-specific secret or a derivation of the service-specific secret. Further, the server determines to generate a server-computed secret. Then, the server determines to authenticate the request based, at least in part, on a comparison of the service-specific secret or the derivation of the service-specific secret against the server-computed secret or a derivation of the server-computed secret. The service receives credentials from a credential manager. The secret is part of the credentials. The credential manager and the server share some secret pre-configured data like key tables. The generation of the service specific secrets is based on the shared data.
Type: Application
Filed: September 13, 2010
Publication date: March 15, 2012
Applicant: Nokia Corporation
Inventor: Markku Kalevi Vimpari
-
Publication number: 20120066744
Abstract: A system and method for permitting user access to a computer controlled device. A display device displays a group of items to the user. Some of the items are known to the user and some are unknown to the user. An input device receives user input from the user. The user input indicates the presence or absence of the known items within the group of items without specifically identifying which items are known and which items are unknown. A computer is programmed to automatically compare the user input to a predetermined answer. If the user input is correct an access device allows access. In one preferred embodiment the user input includes a count of the number of known items within the group of items. In another preferred embodiment the group of items includes subgroups. The user input includes an identification of which subgroup has the largest number of known items. In another preferred embodiment the group of items is displayed in a grid. The known items are displayed in a pattern within the grid.
Type: Application
Filed: September 9, 2010
Publication date: March 15, 2012
Inventor: Christopher Michael Knox
-
Publication number: 20120066749
Abstract: A method and computer program for generation and multi channel verification of OTP (One Time Password) between two parties consisting of a service provider and a user, wherein said user has access to at least two communication channels, and wherein said user is logging into said service provider with a user ID via one communication channel and the service provider has the ability to communicate with an authentication server which again has the ability to communicate with said user via at least one other communication channel than the service provider.
Type: Application
Filed: March 2, 2010
Publication date: March 15, 2012
Applicant: ENCAP AS
Inventors: Petter Taugbøl, Arne Riiber
-
Patent number: 8135129
Abstract: A method and a circuit for protecting a numerical quantity contained in an integrated circuit on a first number of bits, in a modular exponentiation computing of a data by the numerical quantity, including: selecting at least one second number included between the unit and said first number minus two; dividing the numerical quantity into at least two parts, a first part including, from the bit of rank null, a number of bits equal to the second number, a second part including the remaining bits; for each part of the quantity, computing a first modular exponentiation of said data by the part concerned and a second modular exponentiation of the result of the first by the FIG. 2 exponentiated to the power of the rank of the first bit of the part concerned; and computing the product of the results of the first and second modular exponentiations.
Type: Grant
Filed: June 14, 2006
Date of Patent: March 13, 2012
Assignee: STMicroelectronics S.A.
Inventors: Yannick Teglia, Pierre-Yvan Liardet, Alain Pomet
-
Patent number: 8136150
Abstract: Roles and policies are used to provide display and access to data in a flexible manner. Users and/or web applications can be mapped to user roles that dictate which displays or other application resources are available to the user or application. Roles are assigned to web applications individually, allowing for user roles to be used without requiring an independent mapping of users to roles. In some cases, application roles can be centrally managed, so that presentation systems also avoid the need for an independent mapping of user or application roles.
Type: Grant
Filed: November 2, 2010
Date of Patent: March 13, 2012
Assignee: Oracle International Corporation
Inventors: Don L. Hayler, Daniel Vu
-
Publication number: 20120060208
Abstract: A method of connecting to an online service where a terminal transmits information regarding a selected online service and first authentication information to an external device, receives second authentication information detected based on the transmitted information, from the external device, and is then logged into the selected online service based on the received second authentication information.
Type: Application
Filed: September 7, 2011
Publication date: March 8, 2012
Applicant: Samsung Electronics Co., Ltd.
Inventors: Joo-yoon BAE, Hun Lee, Cheol-hoi Kim, Ji-hoon Choi
-
Patent number: 8132019
Abstract: Arrangements which permit the employment of dedicated user-access management architecture with more than text-based access. Particularly contemplated herein are arrangements for accepting user identifiers that are then communicated to an intermediate user-delineating architecture (i.e., architecture configured for permitting access to encrypted data or sections of a computer on a user-specific basis) in a manner to permit the user-delineating architecture to perform its own task of unlocking data or sections of a computer.
Type: Grant
Filed: June 17, 2008
Date of Patent: March 6, 2012
Assignee: Lenovo (Singapore) Pte. Ltd.
Inventors: Randall S. Springfield, Joseph M. Pennisi
-
Patent number: 8132016
Abstract: A first information handling system (“IHS”) receives identification information of a first user of a second IHS. The first IHS initiates a network session in response to authenticating the identification information of the first user. Within the network session, the first IHS receives identification information of a second user of the second IHS. The first IHS authenticates the identification information of the second user.
Type: Grant
Filed: July 15, 2004
Date of Patent: March 6, 2012
Assignee: United Services Automobile Association (USAA)
Inventors: Christopher Scott Stewart, Pamela Ann Thibodeaux, Bonnie Rose Stewart
-
Patent number: 8132245
Abstract: The disclosure herein relates to an improved local area network certification system, apparatus, and method. More particularly, the disclosure relates to a certification-based system, apparatus, and method where a certification authority issues and manages a first certification and grants LAN Information Technology Executives and Network Administrators the capacity to request and store on a local gateway User-Specific, Permission-Coded Certificates to control the transfer of data within the LAN and with external sources.
Type: Grant
Filed: May 10, 2007
Date of Patent: March 6, 2012
Assignee: Appia Communications, Inc.
Inventors: Victor von Schlegell, Girish Nayak
-
Patent number: 8131856
Abstract: A first communication apparatus 1 stores a first customer information registered by a user in order to receive a first service. A second communication apparatus 2 stores a first customer information registered by the user in order to receive a second service. A transmission mean 3a of a third communication apparatus 3 transmits request information requesting to receive the first service to the first communication apparatus 1 together with identification information of the user. A reception mean 3b receives customer information necessary for user registration for the first service from the first communication apparatus 1 according to the transmission of the request information. When the customer information necessary for the user registration for the first service is already included in second customer information, a display mean 3c displays the customer information in the second customer information on an input screen for user registration.
Type: Grant
Filed: May 18, 2004
Date of Patent: March 6, 2012
Assignee: Sony Corporation
Inventors: Yasuhiro Murase, Jun Moriya, Hiroyuki Kikkoji, Nozomu Okuzawa
-
Patent number: 8132240
Abstract: In order to develop a method for carrying out a protected function of an electrical field device in such a manner that a high degree of security against unauthorized accesses to the electrical field device can be ensured irrespective of the nature of the communication link between a user and the electrical field device, an identification device for the electrical field device and a security device are used to check whether a stated protected function of the electrical field device can be carried out, or should be refused. The invention also relates to an appropriately configured electrical field device.
Type: Grant
Filed: September 29, 2005
Date of Patent: March 6, 2012
Assignee: Siemens Aktiengesellschaft
Inventor: Andreas Jurisch
-
Patent number: 8132231
Abstract: A computer implemented method, data processing system, and computer program product for logical management and provisioning of business applications within the framework of an identity management system. The illustrative embodiments provide an interface layer to map respective attributes, permissions, and resource accounts in a data repository needed to represent access to business applications via a managed service in the identity management system. The illustrative embodiments define user entitlements on a user account associated with the managed service. The illustrative embodiments provision user access to the business applications via the managed service in the identity management system upon user request.
Type: Grant
Filed: December 6, 2007
Date of Patent: March 6, 2012
Assignee: International Business Machines Corporation
Inventors: Alexander Phillip Amies, Sadanand Rajaram Bajekal, Christopher Michael Bauserman, Leanne L. Chen, Sridhar R. Muppidi
-
Patent number: 8132241 Abstract: A method for performing at least one evolution operation in a dynamic, evolutive community of devices in a network comprising at least a first device. The method comprises a step of sending at least one message over the network from the first device to a second device, wherein the first device continues the method without acknowledgement of the at least one message from the second device. The method is suitable for execution on clockless devices. A device for performing the method is also claimed. Type: Grant Filed: February 5, 2007 Date of Patent: March 6, 2012 Assignee: Thomson Licensing Inventors: Nicolas Prigent, Olivier Heen, Jean-Pierre Andreaux, Olivier Courtay
-
Publication number: 20120054357 Abstract: An authentication configurator may define a LDAP security group for LDAP authentication, wherein the LDAP security group is associated with rights. It may define a native security group for native authentication users, wherein the native authentication group has at least one right not present in the LDAP security group, and define customer-specified LDAP chains. It may configure an LDAP authentication web application and a native authentication web application, wherein the LDAP authentication web application and the native authentication web application each connect to a service management database, and the LDAP authentication web application uses the customer-specified LDAP chains. A first Uniform Resource Locator (URL) for LDAP authentication to access the LDAP authentication web application and a second URL for native authentication to access the native authentication web application may also be configured. Type: Application Filed: August 31, 2010 Publication date: March 1, 2012 Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION Inventors: Matt R. Kuritzky, Fabian F. Morgan, Sandra J. Schlosser, Sarah V. White Eagle
-
Publication number: 20120054841 Abstract: A system that includes a memory to store registration information for a particular application hosted by a particular user device, where the registration information includes context information regarding the particular user device and an integrity code based on credentials associated with the particular application. Type: Application Filed: August 24, 2010 Publication date: March 1, 2012 Applicant: VERIZON PATENT AND LICENSING INC. Inventors: Paul T. Schultz, Mark J. Hahn, Robert A. Sartini
-
Publication number: 20120054842 Abstract: Secure access control system in banking or similar operations includes at least a server (1) or host element in communication with a banking environment (5), a biometric device (2), a client element (3) and the communication elements (4) between the server element (1) and the client element (3), the elements being configured in such a way that an “applet” component built into the server element (1) initiates the control process (41) requesting the authentication (42) of the biometric device (2), performing the authentication by a certificate of the biometric device. The biometric device requests the biometric data (43), the data being verified by comparison with the biometric data recorded in a prior process and generating a password (OTP) which is sent to the server element (1) for validation, the banking environment (5) being informed thereof and responding with the user customized environment (49) if the authentication is positive, the environment being displayed in the client element (3). Type: Application Filed: January 23, 2009 Publication date: March 1, 2012 Applicant: Vanios Consulting S.L. Inventors: Jorge Urios Rodriguez, Iván Moreno Hervas
-
Patent number: 8127132 Abstract: A software object is positioned in structures, such as a functional structure, location structure and order structure, where each structure consists of a hierarchy of software objects. In each structure the software object inherits security from other software objects in the hierarchy. Since the software object is inserted into multiple hierarchical structures the security of the software object is inherited from software objects in multiple hierarchical structures. The user authority to interact with a software object is, in addition to the identity of the user logged in, dependent on the inherited security of the software object. As a software object is inserted, deleted and moved in a hierarchical structure the security of the software object changes. Type: Grant Filed: September 26, 2001 Date of Patent: February 28, 2012 Assignee: Abb AB Inventors: Johann Andersson, Mikael Rudin, Thomas Pauly
-
Publication number: 20120047564 Abstract: A method of operating a security system includes accessing a database and obtaining a user PIN. A normal keypad is defined in which a plurality of alphanumeric characters are displayed in defined normal positions. A scrambled keypad is also defined including the PIN so that at least some of a plurality of alphanumeric characters are displayed on the scrambled keypad in positions which are different to the positions in which they would be displayed in the defined normal keypad. In addition, for each of the alphanumeric characters of the PIN the alphanumeric character which is normally displayed in the normal keypad in the position in which the alphanumeric characters of the PIN are displayed in the scrambled keypad is determined thereby to arrive at a scrambled PIN. Data defining the scrambled keypad is then transmitted to a user over a first communications network. Type: Application Filed: May 13, 2010 Publication date: February 23, 2012 Applicant: SETCOM (PTY) LTD. Inventor: Shih-Liang Liu
-
Publication number: 20120047563 Abstract: An arrangement for authenticating a transaction between a user's mobile device and an entity such as a corporate server is disclosed. The user's universal integrated circuit card (UICC) is adapted to generate a time-dependent authentication code which is dependent on a time value and which is usable to authenticate the transaction only during a predetermined period. A time verification processor verifies a time value to ensure that the time-dependent authentication code was generated based on the correct time value. The time value is based on the UTC time obtained from a UTC clock. The verified time is used to generate a “one-time” password (authentication code) by the authentication code calculator of the UICC. This is used to authenticate a transaction with the corporate network. Type: Application Filed: June 28, 2011 Publication date: February 23, 2012 Inventor: Geoffrey Charles Wyatt Scott Wheeler
-
Patent number: 8121291 Abstract: An apparatus, system, method and computer program product configured to transmit data over a broadcast network. The data is encrypted and decoded using a decryption key available to terminals in combination with a digital rights object. A media guide is broadcast to the terminals. Information from the media guide is also stored by a request handling means in order to ensure that information, such as pricing information, broadcast to the terminals is synchronized with information used to register a terminal as a subscriber. A request is sent from a terminal to the broadcast network through a second network. Authentication information identifying the terminal may be included in the request without manual input from a user of the terminal. Authentication information is extracted from a component or added to the message by a component of the second network. The digital rights object is then sent to the terminal via the second network. Type: Grant Filed: July 20, 2009 Date of Patent: February 21, 2012 Assignee: Nokia Corporation Inventors: Karina Terekhova, Toni Paila, Larri Vermola
-
Publication number: 20120042364 Abstract: A password manager may receive a password, and a false password generator may generate at least one false password, based on the password. A false password selector may store the at least one false password together with the password. A password handler may receive a login attempt that includes the at least one false password, and an attack detector may determine that the login attempt is potentially unauthorized, based on the receipt of the at least one false password. Type: Application Filed: August 16, 2010 Publication date: February 16, 2012 Applicant: SAP AG Inventor: Cedric Hebert
-
Patent number: 8117649 Abstract: A system and methods for identity management and authentication are provided herein. The present invention employs shadow domains to prove entity membership in an identity management system where responsibility for trust relationships is devolved to the user. The present invention additionally teaches doubly signed certificate transmission for authentication of assertions made by third parties in the identity management network. Type: Grant Filed: August 5, 2010 Date of Patent: February 14, 2012 Assignee: Dormarke Assets Limited Liability Company Inventor: Dick C. Hardt
-
Patent number: 8117462 Abstract: Systems and methods consistent with the present invention encode a list so users of the list may make inquiries to the coded list without the entire content of the list being revealed to the users. Once each item in the list has been encoded by an encoder, a bit array with high and low values may be used to represent the items in the list. The bit array may be embodied in a validation system for allowing users to query the list to determine whether an inquiry item is on the list. The validation system determines which bits to check by executing the same coding process executed by the encoder. If all the bits are high, then the inquiry item is determined to be part of the list; if at least one of the bits is low, then the inquiry item is determined not to be part of the original list. Type: Grant Filed: September 22, 2005 Date of Patent: February 14, 2012 Assignee: United States Postal Service Inventors: Robert F. Snapp, James D. Wilson
-
Patent number: 8117652 Abstract: Digits are randomly distributed into any number of a first group of sets. A type and frequency of a user input action, such as clicking a computer mouse, is associated with each set. Next, all the digits from each set are randomly distributed into a second group of sets. Each of the second group of sets may contain at most a single digit from one of the first group of sets, but may contain any number of digits total. A user input action is also associated with each set in the second group. To input a particular digit in the password, the user selects one set of the first group of sets that contains the correct digit and selects one set of the second group of sets that also contains the same digit. Selection may occur by mouse clicking, key pressing or touching a screen. Once all digits of the password have been selected in this manner, the software determines the correct digits of the password by comparing the user selections for each digit in the password. Type: Grant Filed: April 30, 2008 Date of Patent: February 14, 2012 Assignee: Trend Micro, Inc. Inventor: Chien-Chih Lu
-
Patent number: 8117461 Abstract: In a gaming environment, a method of periodically downloading dynamically generated executable modules at random intervals that perform system configuration integrity checks in a secure and verifiable manner is disclosed. The dynamically generated executable modules are created on a server machine and are themselves signed using industry standard PKI techniques, and contain a randomly chosen subset from a repertoire of proven hashing and encryption algorithms that are executed on the system to be checked to create a unique signature of the state of that system. The dynamically generated executable module returns the signature to the server machine from which it was downloaded and deletes itself from the system being checked. The next time such an executable module is downloaded, it will contain a different randomly chosen subset of hashing and encryption algorithms. Type: Grant Filed: September 13, 2006 Date of Patent: February 14, 2012 Assignee: IGT Inventors: Robert Bigelow, Jr., Dwayne A. Davis, Kirk Rader