Management Patents (Class 726/6)
  • Publication number: 20110265159
    Abstract: A method of establishing a communication channel between a network client and a computer server over a network is described. The network client may be configured to communicate with the computer server over the network and to communicate with a token manager. The token manager may be configured with a parent digital certificate that is associated with the token manager. The token manager or network client generates a credential from the parent digital certificate, and transmits the credential to the computer server. The credential may be associated with the computer server. The network client may establish the communications channel with the computer server in accordance with an outcome of a determination of validity of the credential by the computer server.
    Type: Application
    Filed: May 4, 2011
    Publication date: October 27, 2011
    Inventors: Troy Jacob Ronda, Pierre Antoine Roberge, Patrick Hans Engel, Rene McIver, Gregory Howard Wolfond, Andre Michel Boysen
  • Publication number: 20110265161
    Abstract: Techniques are described for repairing some types of user account problems that interfere with granting a user access to a computer system and doing so during a process to authenticate the user in a way that does not require the user to re-enter authentication information or require the user to restart a communication session with the computer system. In response to a determination that a user's account has a problem during an authentication process, techniques are provided to enable a user to execute an appropriate process or processes to fix the user account, after which the authentication process continues. In this way, the correction to the user account may appear to be seamless to the user.
    Type: Application
    Filed: July 5, 2011
    Publication date: October 27, 2011
    Inventors: Philip W. FLACK, Yan Cheng, Zhihong Zhang, Matthew Nguyen
  • Publication number: 20110265158
    Abstract: A method and apparatus for performing secure Machine-to-Machine (M2M) provisioning and communication is disclosed. In particular, a temporary private identifier, or provisional connectivity identification (PCID), for uniquely identifying machine-to-machine equipment (M2ME) is also disclosed. Additionally, methods and apparatus for use in validating, authenticating and provisioning an M2ME are also disclosed. The validation procedures disclosed include autonomous, semi-autonomous, and remote validation. The provisioning procedures include methods for re-provisioning the M2ME. Procedures for updating software, and detecting tampering with the M2ME are also disclosed.
    Type: Application
    Filed: January 21, 2009
    Publication date: October 27, 2011
    Inventors: Inhyok Cha, Yogendra C. Shah, Andreas U. Schmidt, Michael V. Meyerstein
  • Publication number: 20110265150
    Abstract: A system, method, apparatus, and computer readable storage medium provide the ability to deliver media content in a secure manner in a computer system. A storage repository stores media content and marketing assets for the media content. A server computer is coupled to the storage repository and enabled to provide access to the media content and marketing assets via a website accessible on the Internet worldwide to a user. A digital advertising publicity repository (DAPR) enables an administrator to define first access rights for the user to access the website and second access rights for the user to access the DAPR.
    Type: Application
    Filed: April 20, 2011
    Publication date: October 27, 2011
    Applicant: FOX ENTERTAINMENT GROUP, INC.
    Inventors: Elaine M. Spooner, John D. Koscheka, Michael S. Bessolo, Mark L. Simpson, Jean L. Yuan, J. Craig D. Russell, Christopher M. Bettes, Greg McCarthy, Srinivas Kundula, Venkata Nagaraju Mantena
  • Publication number: 20110265157
    Abstract: This is directed to providing access to content stored on a local cloud. In particular, a device can direct a librarian service overseeing the operation of a local cloud to provide another device with access to content stored on the local cloud. The librarian service can generate credentials for the other device, and provide the credentials to the other device. Using the credentials, the other device can connect directly to the local cloud and access the content. In addition, the local cloud can validate the credentials of the other device before providing access to the content. The credentials can include, for example, a key to install or load on the device. The librarian may not require, however, the user to create credentials or register with the librarian before being permitted to access the content on the local cloud.
    Type: Application
    Filed: April 23, 2010
    Publication date: October 27, 2011
    Applicant: Apple Inc.
    Inventor: Scott Ryder
  • Patent number: 8046826
    Abstract: A resource request method and system. The method includes receiving, by a resource server software application, session key life data. The resource server software application receives from a requester, an authentication request, a session ID, and an address associated with the requester. The resource server software application transmits the session ID and a request for groups associated with the request. The resource server software application receives group IDs. The resource server software application generates a session key associated with the requester. The resource server software application calculates a specified lifetime associated with the session key. The resource server software application stores the session key, the session ID, the address, the group IDs, and the specified lifetime. The resource server software application transmits to the requester, the session key.
    Type: Grant
    Filed: March 17, 2008
    Date of Patent: October 25, 2011
    Assignee: International Business Machines Corporation
    Inventor: Alexander Brantley Sheehan
  • Patent number: 8046821
    Abstract: Described are methods and mechanisms for controlling data access to a service provider. The method includes receiving an instruction at a proxy from a service provider to initiate a session. The instruction includes service provider authentication data. The method further includes initiating the session at the proxy responsive to the received instruction. The session provides communication between the proxy and a customer device. The method additionally includes receiving a request for service from the customer device. The request includes customer identification data and customer transaction data. The method further includes producing protected data based on the service request, providing the protected data to a transaction buffer, and passing the protected data from the transaction buffer to the service provider.
    Type: Grant
    Filed: February 13, 2006
    Date of Patent: October 25, 2011
    Assignee: QUALCOMM Incorporated
    Inventor: Phil Tien Nguyen
  • Patent number: 8045713
    Abstract: A method and apparatus is provided for consolidating cryptographic key updates, the consolidated update information enabling, for example, a returning member of a secure group who has been offline, to recover the current group key, at least in most cases. The unconsolidated key updates each comprise an encrypted key, corresponding to a node of a key hierarchy, that has been encrypted using a key which is a descendant of that node. The key updates are used to maintain a key tree with nodes in this tree corresponding to nodes in the key hierarchy. Each node of the key tree is used to store, for each encrypting key used in respect of the encrypted key associated with the node, the most up-to-date version of the encrypted key with any earlier versions being discarded. The key tree, or a subset of the tree, is then provided to group members.
    Type: Grant
    Filed: March 30, 2004
    Date of Patent: October 25, 2011
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Antonio Lain, Viacheslav Borisov
  • Patent number: 8046827
    Abstract: A method of controlling access to an interaction context of a multi-user application includes receiving and tracking over time login requests pertaining to one of a plurality of user accounts of a virtual application instance of the multi-user application, each login request including a login password and each user account including a user password. A login request for the user account is rejected when the login password fails to match the user password of the user account. Access to the user account is denied when a consecutive number of times a login request for the user account is rejected reaches a selected limit. The user is prompted to change the user password of the user account and given limited access to the user account to do so when the user password is a permanent password and a cumulative number of rejected login requests for the user account reaches a selected threshold.
    Type: Grant
    Filed: June 12, 2008
    Date of Patent: October 25, 2011
    Inventor: Francisco Corella
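The two counters in the abstract above do different jobs: the consecutive counter is the familiar lockout, while the cumulative counter (which a successful login does not reset) catches slow guessing that always stays under the consecutive limit, and on a permanent password it forces a change instead of a lockout. The following is an added example written for this page, not code from the patent or its inventor; the limits, the return values (DENIED, REJECTED, LIMITED, GRANTED), the treatment of a non-permanent password and the administrative unlock are assumptions chosen for illustration.

```python
import hmac


class AccountLoginPolicy:
    """Per-account login tracking with two independent rejection counters (added example).

    consecutive_rejects: reset by any successful login; reaching
    `consecutive_limit` denies access to the account outright.
    cumulative_rejects: not reset by a successful login; reaching
    `cumulative_threshold` on a permanent password forces a password
    change, with the session limited to that one operation.
    """

    def __init__(self, password, permanent=True,
                 consecutive_limit=5, cumulative_threshold=20):
        self._password = password.encode()
        self.permanent = permanent          # False for a temporary or one-time password (assumed)
        self.consecutive_limit = consecutive_limit
        self.cumulative_threshold = cumulative_threshold
        self.consecutive_rejects = 0
        self.cumulative_rejects = 0
        self.locked = False
        self.must_change = False

    def login(self, login_password):
        """Returns DENIED, REJECTED, LIMITED or GRANTED."""
        if self.locked:
            return "DENIED"
        if not hmac.compare_digest(login_password.encode(), self._password):
            self.consecutive_rejects += 1
            self.cumulative_rejects += 1
            if self.consecutive_rejects >= self.consecutive_limit:
                self.locked = True
                return "DENIED"
            if self.permanent and self.cumulative_rejects >= self.cumulative_threshold:
                self.must_change = True
            return "REJECTED"
        self.consecutive_rejects = 0
        # Correct password, but the cumulative counter tripped earlier:
        # the only thing this session may do is change the password.
        return "LIMITED" if self.must_change else "GRANTED"

    def change_password(self, current_password, new_password):
        """Allowed from a LIMITED or GRANTED session; clears the cumulative count."""
        if self.locked or not hmac.compare_digest(current_password.encode(), self._password):
            return False
        self._password = new_password.encode()
        self.must_change = False
        self.cumulative_rejects = 0
        return True

    def unlock(self):
        """Administrative reset after the consecutive-rejection lockout (assumed procedure)."""
        self.locked = False
        self.consecutive_rejects = 0
```

Note the deliberate asymmetry: a consecutive-limit trip denies even the correct password until an unlock, whereas a cumulative-threshold trip still lets the holder of the correct password in, but only to replace it.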
  • Publication number: 20110258686
    Abstract: An alias management and value transfer claim processing system is disclosed. A sending entity initiates value transfer identifying a recipient entity using an alias that is unregistered with the system. The value transfer is authorized, but not settled until the recipient entity registers with the system and claims the value transfer. The registered alias can be used for subsequent value transfers.
    Type: Application
    Filed: February 24, 2011
    Publication date: October 20, 2011
    Inventors: Thanigaivel Ashwin Raj, Jacob Saul Fuentes, John Tullis, Vishwanath Shastry
  • Publication number: 20110258687
    Abstract: Embodiments disclosed herein provide a system, method, and computer program product for establishing a secure network connection between a client and a server. The client may send a connection request over a public network to the server. The server may prepare a response containing a controller and session-specific credentials. The controller may be selected to configure a tunneling protocol on the client. After being downloaded to the client, the controller configures the tunneling protocol and establishes a secure network connection with the server without user intervention. The session-specific credentials are valid until the secure network connection between the client and the server is severed.
    Type: Application
    Filed: June 30, 2011
    Publication date: October 20, 2011
    Inventors: Eric White, Patrick Turley
  • Patent number: 8042163
    Abstract: A method for revocable token identifiers may be employed in a shared storage environment. An access server may generate access tokens and include revocable token identifiers previously obtained from storage devices. When clients present access tokens to storage devices during storage requests, storage devices may check the validity of access tokens by verifying that the revocable token identifiers were previously issued to the access server. An access server may request that the storage device revoke revocable token identifiers. Storage devices may deny any future storage requests including revoked token identifiers. Additionally, an access token may include instructions specifying operations for a storage device to perform in conjunction with a storage request. A trusted server may issue grantor tokens granting permissions for access servers to use when issuing access tokens. An access server may then include such a grantor token in access tokens that it generates and issues to clients.
    Type: Grant
    Filed: May 20, 2004
    Date of Patent: October 18, 2011
    Assignee: Symantec Operating Corporation
    Inventors: Ronald S. Karr, John R. Finlay, Ramana Jonnala, Dhanesh V. Joshi, Narasimha R. Valiveti
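The abstract above has three parties, and the check a storage device performs on each request combines all of them: the access token must be authentic, the grantor token inside it must come from the trusted server and name the same access server, the revocable token identifier must have been issued to that access server and not revoked since, and the requested operation must be inside both the token's instruction list and the grantor's permissions. The following is an added example for this page, not the patent's or Symantec's code; it assumes shared HMAC keys between the storage device and each of the other parties (a real deployment would more likely use signatures), a JSON token encoding, and the particular deny reasons shown.

```python
import hashlib
import hmac
import json
import os


def _canon(body):
    """Canonical byte encoding so the MAC covers exactly the fields checked (assumed format)."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _mac(key, body):
    return hmac.new(key, _canon(body), hashlib.sha256).hexdigest()


class TrustedServer:
    """Issues grantor tokens saying which permissions an access server may hand out."""

    def __init__(self, key):
        self.key = key

    def issue_grantor_token(self, access_server_id, permissions):
        body = {"as": access_server_id, "perms": sorted(permissions)}
        return {"body": body, "mac": _mac(self.key, body)}


class AccessServer:
    def __init__(self, as_id, key):
        self.as_id, self.key = as_id, key

    def issue_access_token(self, rtid, grantor_token, ops):
        """Access token = revocable identifier + instructions (ops) + the grantor token."""
        body = {"as": self.as_id, "rtid": rtid, "ops": sorted(ops), "grantor": grantor_token}
        return {"body": body, "mac": _mac(self.key, body)}


class StorageDevice:
    def __init__(self, trusted_key, access_server_keys):
        self.trusted_key = trusted_key
        self.as_keys = access_server_keys     # access_server_id -> shared MAC key (assumption)
        self.issued = {}                      # rtid -> access server it was issued to
        self.revoked = set()

    def issue_rtid(self, as_id):
        rtid = os.urandom(8).hex()
        self.issued[rtid] = as_id
        return rtid

    def revoke_rtid(self, as_id, rtid):
        if self.issued.get(rtid) != as_id:
            return False   # only the access server the identifier was issued to may revoke it
        self.revoked.add(rtid)
        return True

    def storage_request(self, token, op):
        body = token.get("body", {})
        as_id = body.get("as")
        key = self.as_keys.get(as_id)
        if key is None or not hmac.compare_digest(token.get("mac", ""), _mac(key, body)):
            return "DENY:token-mac"
        grantor = body.get("grantor", {})
        gbody = grantor.get("body", {})
        if (not hmac.compare_digest(grantor.get("mac", ""), _mac(self.trusted_key, gbody))
                or gbody.get("as") != as_id):
            return "DENY:grantor"
        rtid = body.get("rtid")
        if self.issued.get(rtid) != as_id:
            return "DENY:unknown-rtid"
        if rtid in self.revoked:
            return "DENY:revoked"
        if op not in body.get("ops", []) or op not in gbody.get("perms", []):
            return "DENY:op"
        return "ALLOW"


def demo():
    """Issue, use, tamper with and revoke one token; returns the device's decisions."""
    trusted_key, as_key = os.urandom(32), os.urandom(32)
    trusted = TrustedServer(trusted_key)
    acc = AccessServer("as-1", as_key)
    dev = StorageDevice(trusted_key, {"as-1": as_key})
    grantor = trusted.issue_grantor_token("as-1", {"read", "write"})
    rtid = dev.issue_rtid("as-1")
    tok = acc.issue_access_token(rtid, grantor, {"read"})
    results = {"read": dev.storage_request(tok, "read"),
               "write": dev.storage_request(tok, "write")}
    forged = json.loads(json.dumps(tok))          # client edits its own token's instructions
    forged["body"]["ops"].append("write")
    results["forged"] = dev.storage_request(forged, "write")
    dev.revoke_rtid("as-1", rtid)                 # access server pulls the identifier
    results["after_revoke"] = dev.storage_request(tok, "read")
    return results
```

Revocation needs no change to tokens already in clients' hands: the device simply stops honouring the identifier, which is why the identifier, not the whole token, is what the access server obtains from the device up front.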
  • Patent number: 8041955
    Abstract: A mechanism for mutual authorization of a secondary resource in a grid of resource computers is provided. When a primary resource attempts to offload a grid computing job to a secondary resource, the primary resource sends a proxy certificate request to the user machine. Responsive to a proxy certificate request, the user machine performs authorization with the secondary resource. If authorization with the secondary resource is successful, the user machine generates and returns a valid proxy certificate. The primary resource then performs mutual authentication with the secondary resource. If the authorization with the secondary resource fails, the user machine generates and returns an invalid proxy certificate. Mutual authentication between the primary resource and the secondary resource will fail due to the invalid proxy certificate. The primary resource then selects another secondary resource and repeats the process until a resource is found that passes the mutual authorization with the user machine.
    Type: Grant
    Filed: November 7, 2008
    Date of Patent: October 18, 2011
    Assignee: International Business Machines Corporation
    Inventors: Susann Marie Keohane, Gerald Francis McBrearty, Shawn Patrick Mullen, Jessica Kelley Murillo, Johnny Meng-Han Shieh
  • Patent number: 8042170
    Abstract: In a communication session, data flows with encrypted data packets pass through a monitoring intermediary for data traffic control. The encrypted data packets include SPIs (Secured Parameter Indexes) which are used to identify SAs (Security Associations) for data decryption. During the initial signaling process for the communication session, the nodes seeking the communication session include the SPIs in the signaling messages and send the signaling messages through the monitoring intermediary which in turn matches the SPIs of the signaling messages with the corresponding SPIs extracted from the data packets. In enforcing data traffic control, the monitoring intermediary allows data flows to pass through if comparison matches in the SPIs are found. Otherwise, the data flows are rejected.
    Type: Grant
    Filed: July 12, 2005
    Date of Patent: October 18, 2011
    Assignee: QUALCOMM Incorporated
    Inventors: Arungundram C. Mahendran, Jun Wang, Raymond Tah-Sheng Hsu
  • Patent number: 8041825
    Abstract: Systems and methods for providing an interface to communicate policy information from a policy server to a policy enforcement point are presented. An external policy server is used to implement and provide various policies to a policy enforcement point for enforcement on subscriber sessions and traffic flows of a mobile subscriber. A policy enforcement point can request instructions from the policy server using an access-request message and receive from the policy server unsolicited instructions with a change-of-authorization message. Policies for application to a subscriber session or traffic flow are included in the message from a policy server to the policy enforcement point. Other messages such as a disconnect message are used to terminate a subscriber session.
    Type: Grant
    Filed: October 20, 2006
    Date of Patent: October 18, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Andrew Gibbs, Shaji E. Radhakrishnan, Kuntal Chowdhury
  • Patent number: 8042161
    Abstract: Whitelists are automatically shared between users and/or domains without compromising user/domain privacy. Potential trust partners with whom to share whitelist data are automatically identified. A handshaking procedure is carried out to confirm the trust relationship and verify the partner's identity. Once a trust partner is confirmed, the parties can exchange acceptance criteria specifying the types of whitelist data they want to receive. Each party can provide the other with the appropriate entries from its own whitelist. The parties keep each other updated, as their own whitelists change.
    Type: Grant
    Filed: March 29, 2007
    Date of Patent: October 18, 2011
    Assignee: Symantec Corporation
    Inventors: Shaun Cooley, Bruce McCorkendale
  • Patent number: 8041949
    Abstract: An information processing system in which information transfers between communication devices through a network is limited within a prescribed range by registering unique information obtainable within the prescribed range into each device and permitting information transfer between devices which share common unique information, where the unique information is formed by a pair of public and secret unique information, a bridge device is controlled such that, upon receiving a proxy check request from a reception device, whether a transmission device is another bridge device or not is judged when the public unique information registered by the reception device is registered in the bridge device and one public unique information registered in the bridge device is registered by the transmission device. Then, the secret unique information registered by the reception device is transmitted to the transmission device when the transmission device is not another bridge device.
    Type: Grant
    Filed: March 4, 2005
    Date of Patent: October 18, 2011
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Hiroshi Isozaki, Takeshi Saito, Tatsuyuki Matsushita, Tooru Kamibayashi
  • Patent number: 8042160
    Abstract: A computer implemented method of identity management for application access. The method includes identifying access enabling information for users. The access enabling information related to users of a first enterprise network to enable the users to access applications on a second enterprise network. The method includes obtaining the identified access enabling information from the first enterprise network, and storing the access enabling information in an identity data store. The method also includes provisioning the access enabling information from the identity data store to one or more applications on the second enterprise network to enable the users of the first enterprise network to access the one or more applications on the second enterprise network.
    Type: Grant
    Filed: June 22, 2006
    Date of Patent: October 18, 2011
    Assignee: Sprint Communications Company L.P.
    Inventors: Kenneth C. Boydstun, Stephen W. Grimm, Steven R. Hentzen, Stephen M. Peters
  • Patent number: 8042155
    Abstract: A system and method which generates a single use password based on a challenge/response protocol. A box manager module executing within a security appliance identifies a public key (P) and salt value (S) associated with an administrator's smart card and generates a random nonce (N). The box manager transmits a challenge comprising the following elements: <SHA1(N), BM_ID, P[N, BM_ID], S>. Upon receiving the challenge, the administration card decrypts P[N, BM_ID] using the private key contained within the card and computes SHA1(N). The administration card then compares its computed values with the received values from the box manager. If the values match, then the administration card returns a response comprising the following elements: HMAC_N[user, SHA1(password, S)], where HMAC_N represents the SHA1 keyed hash message authentication check of the response elements using the nonce N as the key.
    Type: Grant
    Filed: September 29, 2006
    Date of Patent: October 18, 2011
    Assignee: NetApp, Inc.
    Inventors: Lawrence Wen-Hao Chang, Ananthan Subramanian
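The exchange in the abstract above, carried through with both sides' messages, as an added example for this page rather than code from the patent or from NetApp. The card only answers a challenge whose sealed nonce decrypts under its own private key and matches the SHA1(N) commitment, and the box manager discards N after one verification, which is what makes the resulting password single use. Assumptions not stated in the abstract: N is 16 bytes, the bracketed tuples are plain concatenations, HMAC_N is HMAC-SHA1 keyed with N, the appliance stores SHA1(password, S) for the administrator, and the public-key operation P[...] is stood in for by unpadded textbook RSA with keys generated in the block (so that nothing outside the standard library is needed; it is not a production cipher).

```python
import hashlib
import hmac
import os
import random

NONCE_LEN = 16


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin; present only so the block needs no third-party crypto library."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def rsa_keypair(bits=512):
    """Textbook (unpadded) RSA standing in for the card's key pair: illustration only."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)


class BoxManager:
    """Appliance side: knows the card's public key P, the salt S and SHA1(password, S)."""

    def __init__(self, bm_id, card_pub, salt, user, stored_pw_hash):
        self.bm_id, self.pub, self.salt = bm_id, card_pub, salt
        self.user, self.stored_pw_hash = user, stored_pw_hash
        self.nonce = None

    def challenge(self):
        self.nonce = os.urandom(NONCE_LEN)                      # fresh N per challenge
        e, n = self.pub
        sealed = pow(int.from_bytes(self.nonce + self.bm_id, "big"), e, n)   # P[N, BM_ID]
        return hashlib.sha1(self.nonce).digest(), self.bm_id, sealed, self.salt

    def verify(self, response):
        if self.nonce is None or response is None:
            return False
        expected = hmac.new(self.nonce, self.user + self.stored_pw_hash, hashlib.sha1).digest()
        self.nonce = None     # N is consumed: the same response is worthless afterwards
        return hmac.compare_digest(expected, response)


class AdminCard:
    """Card side: holds the private key and the administrator's user name and password."""

    def __init__(self, priv, user, password):
        self.priv, self.user, self.password = priv, user, password

    def respond(self, challenge):
        h_n, bm_id, sealed, salt = challenge
        d, n = self.priv
        try:
            plain = pow(sealed, d, n).to_bytes(NONCE_LEN + len(bm_id), "big")
        except OverflowError:
            return None                                 # not encrypted to this card's key
        nonce, bm_id_dec = plain[:NONCE_LEN], plain[NONCE_LEN:]
        if bm_id_dec != bm_id or not hmac.compare_digest(hashlib.sha1(nonce).digest(), h_n):
            return None                                 # challenge was not built for us
        inner = hashlib.sha1(self.password + salt).digest()
        return hmac.new(nonce, self.user + inner, hashlib.sha1).digest()


def run_exchange():
    """Full round trip, then a replay, then a challenge sealed under a foreign public key."""
    pub, priv = rsa_keypair()
    salt, user, password = os.urandom(8), b"admin", b"correct horse battery"
    bm = BoxManager(b"BM-0001", pub, salt, user, hashlib.sha1(password + salt).digest())
    card = AdminCard(priv, user, password)
    resp = card.respond(bm.challenge())
    first = bm.verify(resp)
    replay = bm.verify(resp)
    foreign_pub, _ = rsa_keypair()
    bm2 = BoxManager(b"BM-0002", foreign_pub, salt, user, bm.stored_pw_hash)
    return {"first": first, "replay": replay, "foreign_refused": card.respond(bm2.challenge()) is None}
```

Two properties worth checking in any implementation of this scheme: the response binds the nonce as the HMAC key, so an eavesdropper who captures one response learns nothing reusable, and the card's SHA1(N) comparison stops a hostile appliance from using the card as a decryption oracle for arbitrary ciphertexts.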
  • Patent number: 8042162
    Abstract: A method is presented in which federated domains interact within a federated environment. Domains within a federation can initiate federated single-sign-on operations for a user at other federated domains. A point-of-contact server within a domain relies upon a trust proxy within the domain to manage trust relationships between the domain and the federation. Trust proxies interpret assertions from other federated domains as necessary. Trust proxies may have a trust relationship with one or more trust brokers, and a trust proxy may rely upon a trust broker for assistance in interpreting assertions.
    Type: Grant
    Filed: June 12, 2007
    Date of Patent: October 18, 2011
    Assignee: International Business Machines Corporation
    Inventors: George Robert Blakley, III, Heather Maria Hinton, Anthony Joseph Nadalin
  • Patent number: 8042169
    Abstract: A method for managing the computer systems of a private network from a remote physical location in a manner that does not require the installation of agents on the computer systems of the private network, or the reconfiguration of the firewall of the private network to permit access into the private network.
    Type: Grant
    Filed: October 17, 2006
    Date of Patent: October 18, 2011
    Assignee: LPI Level Platforms, Ltd.
    Inventors: Mircea Logigan, Peter Rochon
  • Patent number: 8037534
    Abstract: Security provisions are described which determine whether or not executable content is likely to perform undesirable actions. The security provisions assess that an executable content item poses an acceptable risk when it conforms to an allow list of predetermined patterns of permissible behavior. The security provisions find exemplary use in the context of an instant messaging environment, where participants can consume and propagate executable content in the course of conducting a communication session. Supplemental rules are described which prevent malicious code from subverting the allow list design paradigm.
    Type: Grant
    Filed: February 28, 2005
    Date of Patent: October 11, 2011
    Inventors: Joseph B. Smith, John T. Spivey, Cesare J. Saretto
  • Patent number: 8037294
    Abstract: An identification tag for authenticating a product is associated with the product and has authentication data transmissible to a reader device. The authentication data include source data including a tag identifier that uniquely identifies the identification tag and a signature value that is a result of a private key encryption of a representation of the source data, where the private key encryption uses a private key of a public key encryption method.
    Type: Grant
    Filed: April 7, 2006
    Date of Patent: October 11, 2011
    Assignee: SAP AG
    Inventor: Zoltan Nochta
  • Patent number: 8037307
    Abstract: A system and method for providing an authentication code across a network for use in authentication of documents, such as printed lottery tickets. The system includes document-printing terminals that include a key that is used in a mathematical function with the bet information for a specific-game entry to generate a document code that is sent to a central server. The central server stores the received document code and then generates an authentication code for the document desired to be printed at the terminal, and sends the authentication code back to the terminal for printing on the issued document. The authentication code can be a further mathematical processing of the document code. Verification of the document occurs from comparison of the authentication code on the document and stored authentication and/or document codes at the server.
    Type: Grant
    Filed: July 7, 2006
    Date of Patent: October 11, 2011
    Assignee: Scientific Games International Inc.
    Inventor: Kenneth E. Irwin, Jr.
  • Patent number: 8037511
    Abstract: One or more media is provided for performing a method of operating an electronic locking mechanism. Initially, a request from a requesting mobile device is received at a computing device via a sensing device. The request includes an identifier utilized in an initial validation sequence having the following steps: identifying a device identity according to the identifier, transmitting the device identity with a request that a message be communicated to a target mobile device, and determining validation data. Upon receiving the request, a communications network identifies the target mobile device, based on the device identity, and communicates a message with validation data therein. The mobile device conveys authentication information to the computing device, where the authentication information is based on the validation data.
    Type: Grant
    Filed: September 7, 2007
    Date of Patent: October 11, 2011
    Assignee: Sprint Communications Company L.P.
    Inventors: Michael T. Lundy, Jason K. Whitney
  • Patent number: 8037314
    Abstract: A manufacturing entity provides a blinded signature to a secure device and associates a time with the blinded signature. If a signing key is compromised, the manufacturing entity provides a time of the compromise and the time associated with the blinded signature to the replacement authority.
    Type: Grant
    Filed: December 22, 2003
    Date of Patent: October 11, 2011
    Assignee: Intel Corporation
    Inventors: Matthew D. Wood, Ernie Brickell
  • Patent number: 8037515
    Abstract: Methods and apparatus for providing an application credential for an application running on a device. In one embodiment, a method provides an application credential to an application running on a device, wherein the application credential is used by the application to authenticate to a data server. The method comprises receiving a request to generate the application credential, wherein the request includes an application identifier. The method also comprises generating the application credential using the application identifier and a master credential associated with the device.
    Type: Grant
    Filed: October 29, 2003
    Date of Patent: October 11, 2011
    Assignee: Qualcomm Incorporated
    Inventor: Laurence Lundblade
  • Publication number: 20110247062
    Abstract: A system and method for generating a limited use login credential associated with an account maintained by an institution, where the credential facilitates secure access to the account.
    Type: Application
    Filed: October 5, 2010
    Publication date: October 6, 2011
    Inventors: Ludwik F. Zon, Ronald W. Sandstrom
  • Publication number: 20110247061
    Abstract: Access to some aspect of a service may be limited until a user has invested in performing some amount of computation. Legitimate users typically have excess cycles on their machines, which can be used to perform computation at little or no cost to the user. By contrast, computation is expensive for for-profit internet abusers (e.g., spammers). These abusers typically use all of their computing resources to run “bots” that carry out their schemes, so computation increases the abuser's cost by forcing him or her to acquire new computing resources or to rent computer time. Thus, the providers of free services (e.g., web mail services, blogging sites, etc.), can allow newly registered users to use some limited form of the service upon registration. However, in order to make more extensive use of the service, the user can be asked to prove his legitimacy by investing in some amount of computation.
    Type: Application
    Filed: April 2, 2010
    Publication date: October 6, 2011
    Applicant: MICROSOFT CORPORATION
    Inventors: Shawn D. Loveland, Geoffrey J. Hulten, John L. Scarrow
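The mechanism in the abstract above is a computational puzzle with asymmetric cost: the client must spend about 2^difficulty hash evaluations, the service spends one to check. The following is an added example for this page, not Microsoft's code or the patent's; the hashcash-style puzzle (leading zero bits of SHA-256 over challenge||nonce), the feature sets, the difficulty of 16 bits and the one-shot challenge bookkeeping are all assumptions made for illustration.

```python
import hashlib
import os


def leading_zero_bits(digest):
    """Number of leading zero bits in a byte string."""
    count = 0
    for b in digest:
        if b == 0:
            count += 8
            continue
        count += 8 - b.bit_length()
        break
    return count


def solve_puzzle(challenge, difficulty):
    """Client side: brute-force a nonce; expected work is about 2**difficulty hashes."""
    nonce = 0
    while True:
        digest = hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()
        if leading_zero_bits(digest) >= difficulty:
            return nonce
        nonce += 1


class FreeService:
    """Registration is free; the full feature set must be paid for with computation."""

    LIMITED_FEATURES = {"read"}                      # assumed feature split
    FULL_FEATURES = {"read", "post", "send_mail"}

    def __init__(self, difficulty=16):
        self.difficulty = difficulty
        self.pending = {}      # outstanding challenge -> user it was issued to
        self.proven = set()    # users who have demonstrated the investment

    def register(self, user):
        self.proven.discard(user)

    def request_upgrade(self, user):
        challenge = os.urandom(16)
        self.pending[challenge] = user
        return challenge, self.difficulty

    def submit_solution(self, user, challenge, nonce):
        """Server side: one hash to verify, regardless of how long the client worked."""
        if self.pending.get(challenge) != user:
            return False        # unknown challenge, or solved on someone else's behalf
        digest = hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()
        if leading_zero_bits(digest) < self.difficulty:
            return False
        del self.pending[challenge]   # a solved challenge cannot be resubmitted or shared
        self.proven.add(user)
        return True

    def allowed(self, user, feature):
        features = self.FULL_FEATURES if user in self.proven else self.LIMITED_FEATURES
        return feature in features
```

Binding each challenge to the user it was issued to, and deleting it once solved, is what stops a bot operator from solving one puzzle and replaying it across many accounts; the cost per account is the point of the scheme.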
  • Publication number: 20110246235
    Abstract: The present disclosure is directed to authenticating a mobile device and a user of the mobile device to receive patient data from a clinical information system of a medical facility. In some implementations, methods include receiving a logon request, the logon request comprising credentials and at least one technical factor, accessing a validation database based on the at least one technical factor, determining that the mobile device is an authorized mobile device based on information provided by the validation database and the at least one technical factor, validating the credentials to ensure that the user is authorized to access patient data provided by the clinical information system, and then, upon determining that the user is authorized to access patient data: establishing a session to communicate patient data between the mobile device and the clinical information system, the data management system processing the patient data communicated during the session.
    Type: Application
    Filed: March 30, 2011
    Publication date: October 6, 2011
    Applicant: AIRSTRIP IP HOLDINGS, LLC
    Inventors: William Cameron Powell, Stephen Trey Moore
  • Publication number: 20110247059
    Abstract: Methods and apparatus are provided for role-based shared access control to a protected system using reusable user identifiers while maintaining individual accountability. Role-based access control is provided for a protected system by receiving a request from an end user to access a given protected system; determining a role of the end user for the access to the given protected system; receiving a privileged reusable user identifier and password for the given protected system and role; and providing the privileged reusable user identifier and password to the given protected system on behalf of the end user. Role-based access control is also provided for a protected system by receiving a request to verify an end user requesting access to a given protected system; determining a role of the end user for the access to the given protected system; and providing a privileged reusable user identifier and password for the given protected system and role.
    Type: Application
    Filed: March 31, 2010
    Publication date: October 6, 2011
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Evelyn R. Anderson, Mohit Chugh, Milton H. Hernandez, Martin McLaughlin, Karthik Subramanian, Prema Vivekanandan
  • Publication number: 20110247063
    Abstract: A system, method, and server computer configured to authenticate a consumer device. The consumer device is authenticated via a mobile gateway using challenge-response authentication. If the consumer device is successfully authenticated, a secure channel is established between the consumer device and a first entity. The secure channel allows for secure communication between the consumer device and the first entity.
    Type: Application
    Filed: March 30, 2011
    Publication date: October 6, 2011
    Inventors: Christian Aabye, Sasikumar Kannappan
  • Publication number: 20110247060
    Abstract: A system for portable storage of information with Internet storage and restore, including a portable memory device, the portable memory device being thumb-sized or smaller and readily attachable to computers, a server, at least one database in communication with the server including password information pertaining to each of a plurality of users, at least one user computer in communication with the server via the Internet, an interface providing each of the plurality of users with access to the server via the Internet, software executing on the server for receiving user-identifying data via the interface pertaining to a particular user, software executing on the server for retrieving password information associated with the particular user from the database, software executing on the server for transferring a copy of the retrieved encrypted password information from the database to the portable memory device via the user computer.
    Type: Application
    Filed: April 1, 2010
    Publication date: October 6, 2011
    Inventor: Wesley W. Whitmyer, JR.
  • Patent number: 8032927
    Abstract: Computer-implemented system and methods for authenticating the identity of a person, for example a customer (1) of an E-Commerce web site (15). The web site or other verification “client” (110) contacts a verification engine (10, 100) (“Authentex”), which may be implemented as a web server (604). The verification engine (10), in turn, has limited access to a plurality of independent, third-party secure databases (21, 112) which are maintained by Trusted Validators (3, 610, 620, etc), which are entities such as banks that have a pre-existing relationship with customer (FIG. 4), and due to that relationship, acquire and maintain “out-of-wallet” data (4) that may be useful to authenticate the identity of the customer. That confidential customer data—held by the third-party “Trusted Validators”—is not disclosed.
    Type: Grant
    Filed: November 5, 2009
    Date of Patent: October 4, 2011
    Assignee: RAF Technology, Inc.
    Inventor: David Justin Ross
  • Publication number: 20110239284
    Abstract: An ID bridge service system manages a type and assurance of identity information required for provision of service by an application service system and a type and assurance of identity information managed by plural authentication service systems, and is provided with a selecting measure that selects an authentication service system that manages identity information corresponding to the identity information required for the provision of the service by the application service system out of the plural authentication service systems when a request for authentication is received from the application service system and a requesting measure that requests the selected authentication service system to authenticate.
    Type: Application
    Filed: February 1, 2011
    Publication date: September 29, 2011
    Inventors: Tadashi Kaji, Naoki Hayashi, Akifumi Yato, Shinichi Irube
  • Publication number: 20110239283
    Abstract: An authentication server generates a security token to be used by a client for accessing multiple service providers by obtaining a secret key for each specified service provider, generating a saltbase, generating a salt for each service providers using the saltbase, the secret key, and a hashing algorithm, generating a session key that includes the salt, assigning an order to each of the generated salts, and arranging the salts based on the orders, generating a presalt for each provider using the salt for each previous provider, generating a postsalt for each of the specified service providers using the salt for each following provider, generating a blob for each of the specified service providers using the saltbase, the respective presalt, and the respective postsalt, inserting the generated blobs for the specified service providers in the security token, and providing the generated security token to the client workstation.
    Type: Application
    Filed: March 26, 2010
    Publication date: September 29, 2011
    Applicant: CANON KABUSHIKI KAISHA
    Inventor: Wei-Jhy Chern
  • Patent number: 8028168
    Abstract: A system and method for storing identifying information and telephone numbers associated with individuals, and cross-referencing said information so as to link a first individual to other referee individuals capable of identifying the first individual as a result of a telephone conversation. When a relying party wishes to confirm the identity of a contracting party, the system is contacted and, using identifying information pertaining to said contracting party, identifies the set of referee individuals capable of identifying said contracting party, contacts a referee selected at random from the set, and places the contracting party in telephonic communication with the referee. At the conclusion of said telephonic communication, said system invites the referee to state the name of the first individual; by comparing the voice sample with a stored voice sample, the apparatus then provides identity confirmation to said relying party.
    Type: Grant
    Filed: September 21, 2006
    Date of Patent: September 27, 2011
    Inventors: Christopher P. K. Smithies, Jeremy M. Newman
  • Patent number: 8028330
    Abstract: A client apparatus transmits environmental information acquired from an environmental information acquisition device as well as a biometric authentication information matching result to a server apparatus. The server apparatus verifies the validity of the environmental information such as a luminance as well as the validity of the biometric authentication information matching result. If an environment is problematic, the server apparatus notifies the client apparatus that the environmental information is problematic. The client apparatus overcomes the problem of the environment such as the luminance based on the notification from the server apparatus and then retries a biometric authentication. The possibility of re-failure due to the environmental problem can be reduced during a retry of the biometric authentication.
    Type: Grant
    Filed: January 3, 2008
    Date of Patent: September 27, 2011
    Assignees: Kabushiki Kaisha Toshiba, Toshiba Solutions Corporation
    Inventors: Yoshihiro Fujii, Minoru Nishizawa, Tatsuro Ikeda, Koji Okada, Tomoaki Morijiri, Hidehisa Takamizawa, Asahiko Yamada
  • Patent number: 8028327
    Abstract: Methods and systems are provided for a low cost Internet base station (LCIB) to grant a client device temporary access to a wireless network. In an embodiment, an LCIB receives a request from a client device. The request includes a feature code, an access code, and a client-device identifier. The feature code in the request indicates that the client device is requesting temporary access to the wireless network. Upon detecting the feature code in the request, the LCIB compares the access code in the request with a stored access code. If the access code from the request matches the stored access code, the LCIB grants the client device access to the wireless network on a temporary basis. Alternatively, if the access code from the request does not match the stored access code, the LCIB denies the client device access to the wireless network.
    Type: Grant
    Filed: January 28, 2008
    Date of Patent: September 27, 2011
    Assignee: Sprint Spectrum L.P.
    Inventors: Ryan S. Talley, Bryan T. Barbee, Timothy W. Sill, Christopher Yenney
  • Publication number: 20110231910
    Abstract: Techniques for virtual private network (VPN) access are provided. A dynamic determination, in response to privileges, is made as to whether a principal and a device of a principal are to receive a thin client virtual private network (VPN) installation for a thin client VPN session between the principal and a remote site or whether a clientless VPN session is appropriate. Dynamic switching between the clientless VPN session and thin client VPN session is permissible when the principal supplies the appropriate credentials for such a switch.
    Type: Application
    Filed: May 27, 2011
    Publication date: September 22, 2011
    Inventors: Surendranath Mohanty, Gautham Chambrakana Ananda, Girish KS, Vishnu Govind Attur
  • Patent number: 8024577
    Abstract: The present invention provides a password recovery system that re-supplies a password to only the legitimate user of the password. The password recovery system includes a memory card with CPU and a mobile phone. When a password needs to be recovered, a phone call is made, to the mobile phone, from a telephone connected to a phone line whose phone number is registered in advance into the memory card with CPU. The mobile phone then obtains the telephone number of the phone line via a caller's telephone number notifying service. It is judged whether the obtained telephone number and the registered phone number are the same, and when they are the same, the password stored in the memory card with CPU will be re-supplied so that the user can recover it.
    Type: Grant
    Filed: October 15, 2003
    Date of Patent: September 20, 2011
    Assignee: Panasonic Corporation
    Inventors: Motoji Ohmori, Natsume Matsuzaki, Yuichi Futa
  • Patent number: 8024771
    Abstract: A system and method for processing a request by a first control service using a first control specification language, and a second control service using a second control specification language includes steps of: receiving the request from a requestor; providing the request to the first and second control services; receiving a decision on the request from each of the first and second control services; and comparing the decisions. The first control specification language is an access control policy.
    Type: Grant
    Filed: September 19, 2007
    Date of Patent: September 20, 2011
    Assignee: International Business Machines Corporation
    Inventors: Peter Kenneth Malkin, Alan Michael Webb
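Added example for the two-control-service arrangement described in the abstract above. This is illustrative code, not IBM's: a request is handed to an access control policy (a role table, here) and to a second, independently specified control service (a list of attribute rules), and the two decisions are compared. The policy contents, the role and rule tables, the `Request`/`Outcome` types and the rule that a disagreement is treated as a deny and surfaced for audit are all assumptions made for the example.

```python
"""Added example (not IBM's code): one request evaluated by two independent
control services, each in its own specification language, and a comparator.
The policies, roles, rules and the deny-on-disagreement rule are assumptions."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    PERMIT = "permit"
    DENY = "deny"


@dataclass(frozen=True)
class Request:
    subject: str
    action: str
    resource: str
    attributes: dict = field(default_factory=dict)  # e.g. {"hour": 14, "mfa": True}


# Control service 1: an access control policy. Its language is a role table:
# role -> set of (action, resource prefix). Constructed sample data.
ROLES = {"alice": {"analyst"}, "bob": {"analyst", "admin"}}
ACCESS_POLICY = {
    "analyst": {("read", "/reports/")},
    "admin": {("read", "/reports/"), ("write", "/reports/"), ("read", "/secrets/")},
}


def access_control_service(req: Request) -> Decision:
    for role in ROLES.get(req.subject, set()):
        for action, prefix in ACCESS_POLICY.get(role, set()):
            if req.action == action and req.resource.startswith(prefix):
                return Decision.PERMIT
    return Decision.DENY


# Control service 2: a different specification language, a list of predicates
# over request attributes. It knows nothing about roles.
def _within_business_hours(req: Request) -> bool:
    return 8 <= req.attributes.get("hour", -1) < 18


def _mfa_for_writes(req: Request) -> bool:
    return req.action != "write" or req.attributes.get("mfa") is True


def _no_secrets_from_untrusted_net(req: Request) -> bool:
    return not (req.resource.startswith("/secrets/")
                and req.attributes.get("network") == "untrusted")


CONTROL_RULES = [_within_business_hours, _mfa_for_writes, _no_secrets_from_untrusted_net]


def control_rule_service(req: Request) -> Decision:
    return Decision.PERMIT if all(rule(req) for rule in CONTROL_RULES) else Decision.DENY


@dataclass
class Outcome:
    decision: Decision
    agreed: bool
    details: dict  # each service's raw decision, for the audit record


def process_request(req: Request) -> Outcome:
    """Receive the request, give it to both services, collect and compare decisions."""
    d1 = access_control_service(req)
    d2 = control_rule_service(req)
    agreed = d1 == d2
    # Assumed rule: a disagreement means one policy is wrong or has drifted, so the
    # comparator fails closed and records both decisions for review.
    final = d1 if agreed else Decision.DENY
    return Outcome(final, agreed, {"access_control": d1.value, "control_rules": d2.value})


if __name__ == "__main__":
    req = Request("bob", "write", "/reports/q1", {"hour": 10, "mfa": False})
    print(process_request(req))
```

The useful signal in this arrangement is the disagreement set: a request that one engine permits and the other denies is exactly the case a reviewer wants logged, and denying it until the policies are reconciled is the conservative default.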
  • Patent number: 8024770
    Abstract: Techniques for managing security contexts may be described. An apparatus may comprise a processor and a security management module. The security management module may form a merged security context for multiple concurrent threads, with one of the threads depending on more than one preceding operation from other threads. Other embodiments are described and claimed.
    Type: Grant
    Filed: June 21, 2006
    Date of Patent: September 20, 2011
    Assignee: Microsoft Corporation
    Inventors: Gregory D. Fee, Brian A. LaMacchia, Blair Dillaway
  • Patent number: 8024783
    Abstract: An agent architecture may be provided with base functionality that allows it to run without executing any applications. The base application need not have any modules. When functionality is desired, modules may be added. The agent may receive policies and procedures from a controller, and executes the modules based on the policies and procedures. It may then return and report information. This allows a system to be designed that doesn't have to be recompiled upon changes to individual tasks or applications, which greatly eases development of new tasks and applications.
    Type: Grant
    Filed: September 8, 2005
    Date of Patent: September 20, 2011
    Inventor: Ryan Riley
  • Patent number: 8024782
    Abstract: Login credit is monitored over a credit time period. Continuous invalid login attempts decrease the login credit for the duration of the credit time period. Login credit accumulates with time. If the login credit is less than a credit threshold, login processing is precluded. A common invalid login notification for presentation to a user is generated if login processing is precluded or if login processing indicates that the login credentials are invalid.
    Type: Grant
    Filed: April 9, 2008
    Date of Patent: September 20, 2011
    Assignee: Zscaler, Inc.
    Inventors: Kailash Kailash, Jose Raphel
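Added example for the login-credit scheme in the abstract above. This is illustrative code, not Zscaler's: each account carries a credit that drops with every invalid attempt and refills linearly over a credit time period; when the credit is below a threshold, login processing is skipped entirely, and in both the precluded and the wrong-credentials case the caller receives the same generic notification, so the response does not reveal whether the account is locked or whether the username exists. The period, credit size, threshold, per-attempt cost, the PBKDF2 password store and the `LoginGuard` class are assumptions made for the example.

```python
"""Added example (not Zscaler's code): a per-account login credit that decays
with invalid attempts and refills with time, with one generic failure message
whether the login was refused for lack of credit or for bad credentials.
Period, credit size, threshold, cost and the password store are assumptions."""
import hashlib
import hmac
import os
import time

CREDIT_PERIOD = 60.0     # seconds for the credit to refill from empty to full (assumed)
MAX_CREDIT = 5.0         # full credit: five consecutive invalid attempts absorbed (assumed)
CREDIT_THRESHOLD = 1.0   # below this, login processing is precluded (assumed)
INVALID_COST = 1.0       # credit removed per invalid attempt (assumed)
GENERIC_MESSAGE = "Invalid username or password."
_DUMMY_SALT = b"\x00" * 16


def make_record(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2 record for the constructed user store."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _password_matches(record, password: str) -> bool:
    # Unknown users get a dummy derivation so response time does not reveal
    # whether the account exists; the digest comparison is constant-time.
    salt, digest = record if record else (_DUMMY_SALT, b"")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return record is not None and hmac.compare_digest(candidate, digest)


class LoginGuard:
    def __init__(self, users: dict, clock=time.monotonic):
        self._users = users      # username -> (salt, digest)
        self._credit = {}        # username -> [credit, last_update]
        self._clock = clock      # injectable so the refill can be tested deterministically

    def remaining_credit(self, username: str) -> float:
        """Apply the time-based refill and return the current credit."""
        now = self._clock()
        state = self._credit.setdefault(username, [MAX_CREDIT, now])
        credit, last = state
        # Credit accumulates linearly with elapsed time, capped at MAX_CREDIT.
        state[0] = min(MAX_CREDIT, credit + (now - last) * MAX_CREDIT / CREDIT_PERIOD)
        state[1] = now
        return state[0]

    def attempt(self, username: str, password: str) -> tuple:
        if self.remaining_credit(username) < CREDIT_THRESHOLD:
            # Precluded: credentials are not even checked, and the caller sees the
            # same notification as for an invalid password.
            return False, GENERIC_MESSAGE
        if _password_matches(self._users.get(username), password):
            return True, "ok"
        self._credit[username][0] -= INVALID_COST
        return False, GENERIC_MESSAGE


if __name__ == "__main__":
    guard = LoginGuard({"alice": make_record("correct horse")})
    for pw in ["wrong"] * 5 + ["correct horse"]:
        print(guard.attempt("alice", pw))
```

Precluded attempts deliberately do not consume credit, so an account under attack still refills and the legitimate user regains access after the period rather than being locked out indefinitely. A deployment would normally key the credit by source address as well as by account, so that a distributed guess against many accounts is also throttled.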
  • Patent number: 8024781
    Abstract: The present invention automatically signs or logs a user in to access secured features within a software application without prompting manual intervention when a user starts the software application having secured features. When the software application is started and an automatic sign-in condition is enabled, the software application transitions to a signed-in or logged-in state as long as security criteria are met. As a result, unnecessary and repetitive steps are avoided when signing-in. The automatic sign-in condition may be enabled through initial system setup, from a prompt to enter a credential, or through a service options menu. The present invention improves network efficiency by limiting network transmissions to an as needed basis. The automatic sign-in condition is capable of roaming to other computers within a network, thereby following mobile users.
    Type: Grant
    Filed: December 4, 2002
    Date of Patent: September 20, 2011
    Assignee: Microsoft Corporation
    Inventors: Stillman T. Saunders, Ignacio Ariel Coloma, Vishal Gupta
  • Publication number: 20110225634
    Abstract: CAPTCHA (Completely Automated Public Test to tell Computers and Humans Apart) data generation methods for use in a server and related management systems are provided. First, the server determines a first data set according to at least one first data corresponding to an operation to be performed, wherein the first data represents a sensitive data corresponding to the operation. Then, the server generates a group of CAPTCHA data corresponding to the first data set according to the first data.
    Type: Application
    Filed: March 15, 2011
    Publication date: September 15, 2011
    Applicant: F2WARE INC.
    Inventor: Helen Pai
  • Publication number: 20110225637
    Abstract: A method includes receiving by an OpenID network device a user log in; logging in, by the OpenID network device, the user to an OpenID account; receiving, by the OpenID network device and from a third party service provider network device, a request to authenticate the user and a request to receive user data associated with the user; providing, by the OpenID network device, a user interface to an end device to allow the user to confirm his/her sign-in to the third party service provider network device and release of the user data; receiving, by the OpenID network device, a confirmation with regard to the user's sign-in to the third party service provider network device and release of the user data; and sending, by the OpenID network device and to the third party service provider network device, a message indicating that the user is authenticated and the user data.
    Type: Application
    Filed: March 10, 2010
    Publication date: September 15, 2011
    Applicant: Verizon Patent and Licensing, Inc.
    Inventor: Raymond C. Counterman
  • Publication number: 20110225635
    Abstract: A security system is provided, including a device that stores a security rule for operation of the device when an event occurs and implements the security rule upon the occurrence of the event to allow non-obtrusive user access to the device.
    Type: Application
    Filed: May 24, 2011
    Publication date: September 15, 2011
    Inventors: Rishi Kumar, Varun Chatterji, Vedvyas Jayaraghavendran, Indradeep Biswas, Kapil Mahajan
  • Patent number: 8019918
    Abstract: In a system in which an information processing apparatus and a peripheral are connected to each other, the information processing apparatus initially transmits, to the peripheral, a request to use a service provided by the peripheral. The peripheral determines whether to grant use permission to the received request, and notifies the information processing apparatus which has transmitted the request of the determination result. The peripheral stores information associated with the information processing apparatus to which use permission is granted in response to the request. The information processing apparatus then receives, from the peripheral, a response to the request.
    Type: Grant
    Filed: January 11, 2010
    Date of Patent: September 13, 2011
    Assignee: Canon Kabushiki Kaisha
    Inventors: Kuniaki Otsuka, Taketoshi Kusakabe