Management Patents (Class 726/6)
  • Patent number: 8020193
    Abstract: Computer-implemented methods (200) for protecting web-based applications (110, 114) from Cross Site Request Forgery (CSRF) attacks. The methods involve (204) classifying each resource offered by a web server application as a CSRF-protected resource or a not-CSRF-protected resource. The methods also involve (214, . . . , 222) performing a user authentication, (224) initializing an authentication-token, and (226) initializing a CSRF protection secret that is used to validate CSRF protection parameters contained in resource identifiers for the resources. The methods further involve (228) performing a server-side rewriting process (300) to add the CSRF protection parameter to the resource identifiers for the resources and/or (230) performing a client-side rewriting process to add the CSRF protection parameter to a resource identifier for a second resource (e.g., a resource created at a client computer (102)).
    Type: Grant
    Filed: October 20, 2008
    Date of Patent: September 13, 2011
    Assignee: International Business Machines Corporation
    Inventors: Sumeer K. Bhola, Todd E. Kaplinger, Michael Steiner
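Worked example (added here; not code from the IBM patent or from its inventors) of the flow in the abstract above: resources are classified as CSRF-protected or not, each login gets an independent authentication token and CSRF protection secret, outbound links to protected resources are rewritten to carry a CSRF parameter derived from that secret, and inbound requests for protected resources are refused unless the parameter verifies. The resource paths, the HMAC-over-path construction, the parameter name and the regex-based page rewriter are assumptions for the example; the patent describes the steps, not this particular construction.

```python
import hashlib
import hmac
import re
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed classification (step 204): which paths on this hypothetical
# server are CSRF-protected. Everything else is not-CSRF-protected.
CSRF_PROTECTED = {"/account/transfer", "/account/email"}
CSRF_PARAM = "csrf_token"   # assumed parameter name


def is_csrf_protected(path: str) -> bool:
    return path in CSRF_PROTECTED


class Session:
    """Per-login state: the authentication token (step 224) and the CSRF
    protection secret (step 226). They are independent random values, so
    leaking one does not reveal the other."""

    def __init__(self):
        self.auth_token = secrets.token_hex(16)
        self.csrf_secret = secrets.token_bytes(32)


def csrf_param_for(session: Session, path: str) -> str:
    """CSRF protection parameter for one resource identifier: an HMAC of
    the path under the session's secret (assumed construction)."""
    return hmac.new(session.csrf_secret, path.encode(), hashlib.sha256).hexdigest()


def add_csrf_param(session: Session, url: str) -> str:
    """Server-side rewriting (step 228): add the parameter only to
    identifiers of CSRF-protected resources; leave the rest untouched."""
    parts = urlsplit(url)
    if not is_csrf_protected(parts.path):
        return url
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != CSRF_PARAM]
    query.append((CSRF_PARAM, csrf_param_for(session, parts.path)))
    return urlunsplit(parts._replace(query=urlencode(query)))


_LINK = re.compile(r'(href|action)="([^"]*)"')


def rewrite_html(session: Session, html: str) -> str:
    """Rewrite every href/action in a page the server is about to send."""
    return _LINK.sub(
        lambda m: f'{m.group(1)}="{add_csrf_param(session, m.group(2))}"', html)


def validate_request(session: Session, url: str) -> bool:
    """Inbound check: a request for a CSRF-protected resource must carry a
    parameter that verifies under this session's secret for this path."""
    parts = urlsplit(url)
    if not is_csrf_protected(parts.path):
        return True
    supplied = dict(parse_qsl(parts.query)).get(CSRF_PARAM, "")
    expected = csrf_param_for(session, parts.path)
    return hmac.compare_digest(supplied.encode(), expected.encode())


if __name__ == "__main__":
    s = Session()
    page = '<a href="/help">help</a> <form action="/account/transfer?to=bob">'
    print(rewrite_html(s, page))
    # A link forged on another site for this user's session carries no
    # valid parameter, so the protected resource refuses it.
    print(validate_request(s, "/account/transfer?to=mallory"))   # False
```

The client-side rewriting step (230) applies the same add_csrf_param logic to identifiers the browser creates; the validation rule does not change. Because the parameter is bound to both the session secret and the path, a forged cross-site link verifies only if the attacker already holds that session's secret, and a parameter captured for one path does not open another.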
  • Patent number: 8019845
    Abstract: A computer implemented method, data processing system, and computer program product for automatically aggregating entities via profile-driven management. A profile is created, wherein the profile includes a set of search criteria comprising one or more server attributes. A list of attributes of each server in the data processing system is obtained. Servers in the plurality of servers whose attributes meet the set of search criteria specified in the profile are then grouped to form a profile group. Once the servers are grouped into a profile group, an administrative action may be performed on all of the servers in the profile group simultaneously.
    Type: Grant
    Filed: June 5, 2006
    Date of Patent: September 13, 2011
    Assignee: International Business Machines Corporation
    Inventors: Rhonda L. Childress, Itzhack Goldberg, Lorraine M. Herger, Ziv Rafalovich, Ramakrishnan Rajamony, Eric Van Hensbergen, Martin J. Tross
  • Patent number: 8020196
    Abstract: Standardized transmission of digital data over trusted and untrusted connections by translating non-native requests and/or non-native responses to and from a normalized format, or to a format needed for processing the request and/or response, configured in hub-and-spoke, star, direct, peer-to-peer or hybrid connections. Encryption is provided at multiple layers to establish non-repudiation for a security service that integrates external security applications into a single service.
    Type: Grant
    Filed: July 18, 2009
    Date of Patent: September 13, 2011
    Inventors: William M. Randle, Randall E. Orkis
  • Patent number: 8020195
    Abstract: Systems and methods for logging a user into a computing system are shown and described. The method can include receiving a request for an anonymous user login, creating an identifying tag responsive to the received request, creating a user account incorporating the identifying tag, and providing to the computing system the created user account to log into the computing system.
    Type: Grant
    Filed: March 30, 2007
    Date of Patent: September 13, 2011
    Assignee: Citrix Systems, Inc.
    Inventors: Simon Frost, David Williams
  • Publication number: 20110219437
    Abstract: A system, method, and computer program product are provided to facilitate changing authentication information in an environment having two or more configuration items. Establishing a connection between the configuration items may require matching authentication information corresponding to the first configuration item with authentication information transmitted from the second configuration item. The system may include a repository storing at least one predetermined attribute corresponding to a configuration item, and a relation between the configuration item and another configuration item. The attribute and/or the relation may be updated by discovery that detects information regarding configuration items. In response to a request to change authentication information corresponding to the first configuration item, and based on the relation, an identification unit may identify a second configuration item influenced by the change.
    Type: Application
    Filed: March 6, 2010
    Publication date: September 8, 2011
    Applicant: International Business Machines Corporation
    Inventor: Akira Ohkado
  • Publication number: 20110219438
    Abstract: Methods and apparatus are provided for improving both node-based and message-based security in a fibre channel network. Entity to entity authentication and key exchange services can be included in existing initialization messages used for introducing fibre channel network entities into a fibre channel fabric, or with specific messages exchanged over an already initialized communication channel. Both per-message authentication and encryption mechanisms can be activated using the authentication and key exchange services. Messages passed between fibre channel network entities can be encrypted and authenticated using information provided during the authentication sequence. Security services such as per-message authentication, confidentiality, integrity protection, and anti-replay protection can be implemented.
    Type: Application
    Filed: May 13, 2011
    Publication date: September 8, 2011
    Applicant: CISCO TECHNOLOGY, INC.
    Inventors: Fabio R. Maino, Marco Di Benedetto, Claudio Desanti
  • Patent number: 8015598
    Abstract: A computerized method of providing access to a secure resource includes, to each of a plurality of authorized users, providing a link to the secure resource. Each link includes a unique password embedded therein and each unique password relates to a particular user identification (userID) and personal identification number (PIN). The method also includes receiving a request to access the resource using a link having a password embedded therein, which request originates at a web browser. The method further includes directing the browser to a login screen and receiving via the login screen a userID and PIN. The method also includes determining whether the userID and PIN relate to one another and to the password and allowing or denying access to the resource in accordance with the determination.
    Type: Grant
    Filed: November 17, 2008
    Date of Patent: September 6, 2011
    Assignee: Arcot Systems, Inc.
    Inventor: Geoffrey Hird
  • Patent number: 8015597
    Abstract: Issuing and disseminating a data about a credential includes having an entity issue authenticated data indicating that the credential has been revoked, causing the authenticated data to be stored in a first card of a first user, utilizing the first card for transferring the authenticated data to a first door, having the first door store information about the authenticated data, and having the first door rely on information about the authenticated data to deny access to the credential. The authenticated data may be authenticated by a digital signature and the first door may verify the digital signature. The digital signature may be a public-key digital signature. The public key for the digital signature may be associated with the credential. The digital signature may be a private-key digital signature. The credential and the first card may both belong to the first user.
    Type: Grant
    Filed: July 16, 2004
    Date of Patent: September 6, 2011
    Assignee: CoreStreet, Ltd.
    Inventors: Phil Libin, Silvio Micali, David Engberg, Alex Sinelnikov
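Added example, not CoreStreet's code, of the dissemination path in the abstract above: the issuing entity produces authenticated revocation data, a first user's card carries it, the door verifies it, stores the revoked credential and from then on denies that credential, even when the door has no network connection of its own. The shared-key HMAC is the "private-key digital signature" variant the abstract mentions and is an assumption chosen so the example runs with the standard library; in the public-key variant the door would verify a signature over the same canonical data and would hold no secret. The Issuer, Card and Door classes and the notice format are constructed for the example.

```python
import hashlib
import hmac
import json


def _canonical(data: dict) -> bytes:
    """Stable byte encoding of the signed data (sorted keys, no whitespace)."""
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode()


class Issuer:
    """Entity that issues authenticated revocation notices (assumed shape)."""

    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0

    def revoke(self, credential_id: str, at: int) -> dict:
        self.seq += 1
        data = {"cred": credential_id, "revoked_at": at, "seq": self.seq}
        tag = hmac.new(self.key, _canonical(data), hashlib.sha256).hexdigest()
        return {"data": data, "sig": tag}


class Card:
    """A user's card: its own credential plus any notices picked up from
    the issuer, to be carried to the next door the user opens."""

    def __init__(self, owner_credential: str):
        self.credential = owner_credential
        self.payload = []

    def load(self, notice: dict) -> None:
        self.payload.append(notice)


class Door:
    """Offline door: verifies carried notices, remembers revocations."""

    def __init__(self, key: bytes):
        self.key = key
        self.revoked = set()
        self.seen = set()      # sequence numbers already absorbed

    def _verify(self, notice: dict) -> bool:
        expected = hmac.new(self.key, _canonical(notice["data"]),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(notice["sig"], expected)

    def present(self, card: Card) -> bool:
        """Returns True if access is granted to the card's credential."""
        # 1. Absorb authenticated revocation data the card carries. Unverified
        #    notices are ignored, so a card cannot revoke someone else's
        #    credential without the issuer's key.
        for notice in card.payload:
            if self._verify(notice) and notice["data"]["seq"] not in self.seen:
                self.seen.add(notice["data"]["seq"])
                self.revoked.add(notice["data"]["cred"])
        # 2. Decide on the credential this card presents.
        return card.credential not in self.revoked


if __name__ == "__main__":
    key = b"constructed-shared-key"
    issuer, door = Issuer(key), Door(key)
    alice, bob = Card("cred-A"), Card("cred-B")
    print(door.present(bob))                         # True: door not yet told
    alice.load(issuer.revoke("cred-B", at=1700000000))
    print(door.present(alice))                       # True, and notice stored
    print(door.present(bob))                         # False: cred-B revoked
```

The door never needs to reach the issuer: any card that has visited an online point carries the latest notices to it. The sequence number gives the door a cheap duplicate filter; a real deployment would also bound the stored set (expiry of the revoked credentials) and, in the public-key variant, pin the issuer's verification key at the door.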
  • Patent number: 8015393
    Abstract: A data processing device comprises a storage unit adapted to store an initial value of a pair of a public key and a private key and a communication unit adapted to execute communication with an external device with use of the initial value of the pair of the public key and the private key stored in the storage unit, thereby enabling encryption communication without generating the pair of the public key and the private key.
    Type: Grant
    Filed: April 8, 2005
    Date of Patent: September 6, 2011
    Assignee: Canon Kabushiki Kaisha
    Inventor: Nobuaki Fukasawa
  • Patent number: 8015116
    Abstract: A method for managing access to application software contained on a computer system or network. The computer system utilizes an authentication component that is configured to receive a unique user account identifier and to generate an authentication passkey by using an identifying data element, typically called a “password”. The identifying data elements are collected from one or more input devices and used as an encryption key for the user account identifier. The generated authentication passkey is used in an authentication transaction associated with the application software instead of the identifying data element thereby reducing data security risks if the identifying data element alone were discovered due to other unknowns including the encryption elements.
    Type: Grant
    Filed: January 20, 2006
    Date of Patent: September 6, 2011
    Assignee: Newport Scientific Research LLC
    Inventor: Jeffrey L. Crandell
  • Patent number: 8015596
    Abstract: A personal credential store that aggregates a number of physical credential stores beneath an application programming interface (API) and offers tag-based credential look-up. The API of the disclosed system runs on the user's client system, and effectively hides the underlying credential store types from applications using it. The tags used to look up credentials through the API may advantageously include or consist of unique identifiers indicating the functional purpose of the desired credential. The types of physical credential store aggregated together under the disclosed API may include a local credential store, a network-resident private credential store that may be shared across multiple client systems operated by a single user, and a network-resident shareable credential store, that may be used by processes acting on behalf of the user, and/or shared by multiple users.
    Type: Grant
    Filed: June 28, 2004
    Date of Patent: September 6, 2011
    Assignee: International Business Machines Corporation
    Inventor: John C. Wray
  • Patent number: 8010997
    Abstract: The present embodiments extend to methods, systems, and computer program products for enforcing device settings for mobile devices. Generally, a computer system enforces appropriate mobile device settings (e.g., policy and/or configuration settings) prior to permitting a mobile device to access maintained data. The computer system receives a request from a mobile device. The computer system determines that current mobile device settings are not appropriate for accessing the maintained data. The computer system sends device settings, representing a new mobile device configuration that is appropriate for accessing the maintained data, to the mobile device. The computer system receives an indication that the mobile device is configured in accordance with the device settings. The computer system permits the mobile device to access the maintained data in response to receiving the indication that the mobile device is configured in accordance with the device settings.
    Type: Grant
    Filed: June 30, 2005
    Date of Patent: August 30, 2011
    Assignee: Microsoft Corporation
    Inventors: David P. Limont, John Allen Atwood, Massimiliano Ciccotosto, Omar Aftab, Patrick Tousignant, Selvaraj Nalliah, Zhidong Yang
  • Patent number: 8010999
    Abstract: According to a cable installation support and management system of the present invention, each worker downloads the operation information which supports operations on cables authorized for use onto the portable terminal carried by the worker, the operation information being associated in advance with cable identification information and provided by the server. Then, the worker reads the cable identification information about a cable from the cabling data card attached to the end of the cable using the reading device of the portable terminal. Based on the cable identification information, the worker acquires operation information about the appropriate cable from the downloaded operation information and displays the acquired operation information on the display device of the portable terminal. This allows the worker to perform necessary operations by referring to the operation information displayed on the display device.
    Type: Grant
    Filed: January 2, 2008
    Date of Patent: August 30, 2011
    Assignee: Hitachi Plant Technologies, Ltd.
    Inventors: Hirotaka Fujita, Sozo Sakata, Kou Fukui
  • Patent number: 8011000
    Abstract: A user-configurable firewall and method in which a user-changeable security setting for a client computer is maintained by an access server through which a user accesses the public network. The user-changeable security setting can be used to specify which outside computers or network devices may access the client computer and what type of access to the client computer is allowed. If an attempt to access the client computer is made, the user-configurable security setting is checked to determine if the attempted access is allowed by the current security setting. If the attempted access is allowed by the current security setting, access is allowed to the client computer; otherwise, access is not allowed. If the user changes the user-configurable security setting, the changes to the user-configurable security setting are provided to the access server.
    Type: Grant
    Filed: December 13, 2004
    Date of Patent: August 30, 2011
    Assignee: AOL Inc.
    Inventor: Joseph G. Barrett
  • Publication number: 20110209064
    Abstract: The system and method described herein may identify one or more virtual desktop extensions available in a cloud computing environment and launch virtual machine instances to host the available virtual desktop extensions in the cloud. For example, a virtual desktop extension manager may receive a virtual desktop extension request from a client desktop and determine whether authentication credentials for the client desktop indicate that the client desktop has access to the requested virtual desktop extension. In response to authenticating the client desktop, the virtual desktop extension manager may then launch a virtual machine instance to host the virtual desktop extension in the cloud and provide the client desktop with information for locally controlling the virtual desktop extension remotely hosted in the cloud.
    Type: Application
    Filed: February 24, 2010
    Publication date: August 25, 2011
    Applicant: Novell, Inc.
    Inventors: Michael Jorgensen, Michael Fairbanks, Jason Allen Sabin, Nathaniel Brent Kranendonk, Kal A. Larsen
  • Patent number: 8006290
    Abstract: A system and method for ratifying policies are provided. A method for ratifying a policy in a policy-based decision system comprises: determining if a new policy interacts with an existing policy in the policy-based decision system; and ratifying the new policy to exist in the policy-based decision system.
    Type: Grant
    Filed: January 12, 2006
    Date of Patent: August 23, 2011
    Assignee: International Business Machines Corporation
    Inventors: Dakshi Agrawal, Seraphin B. Calo, James R. Giles, Kang-Won Lee, Mukesh K. Mohania, Dinesh Verma, Jorge Lobo
  • Patent number: 8005967
    Abstract: A system and method for policy negotiation in a web services platform includes a client node and a provider server that transmits policy alternatives to the client node. The client node selects at least one policy from the policy alternatives and transmits the selected policy to the provider server. The provider server verifies the client's policy selection based on the policy alternatives and communicates over a network with the node based on the selected policy.
    Type: Grant
    Filed: March 7, 2008
    Date of Patent: August 23, 2011
    Assignee: Software AG, Inc.
    Inventor: Prasad Yendluri
  • Patent number: 8006280
    Abstract: Improved system and approaches for decentralized key generation are disclosed. The keys that can be generated include both public keys and private keys. The public keys are arbitrary strings that embed or encode access restrictions. The access restrictions are used to enforce access control policies. The public keys are used to encrypt some or all portions of files. The private keys can be generated to decrypt the portions of the files that have been encrypted with the public keys. By generating keys in a decentralized manner, not only are key distribution burdens substantially eliminated but also off-line access to encrypted files is facilitated.
    Type: Grant
    Filed: September 17, 2002
    Date of Patent: August 23, 2011
    Inventors: Hal S. Hildebrand, Denis Jacques Paul Garcia
  • Patent number: 8006295
    Abstract: The subject disclosure pertains to a domain identification system, comprising a principal that has a key and a mnemonically meaningless identifier, the mnemonically meaningless identifier is used to identify the component in a networked environment. The mnemonically meaningless identifier can be bound to the public key by a binding. The component may be part of a neighborhood of components, and each member component knows the members' binding.
    Type: Grant
    Filed: June 28, 2007
    Date of Patent: August 23, 2011
    Assignee: Microsoft Corporation
    Inventors: Carl M. Ellison, Paul J. Leach, Butler W. Lampson, Melissa W. Dunn, Ravindra N. Pandya, Charles W. Kaufman
  • Patent number: 8006291
    Abstract: Systems and methods for authenticating electronic transactions are provided. The authentication methods employ a combination of security features and communication channels. These security features can be based, for example, on unique knowledge of the person being authenticated, a unique thing that the person has, unique personal features and attributes of the person, the ability of the person to respond, and to do so in a fashion that a machine cannot, and so forth. Methods for enrolling the person prior to authentication are also provided, as well as systems for enrollment and authentication.
    Type: Grant
    Filed: May 13, 2008
    Date of Patent: August 23, 2011
    Assignee: Veritrix, Inc.
    Inventors: Paul Headley, Kevin Collins
  • Patent number: 8006299
    Abstract: Methods, apparatus, and systems are disclosed for, among other things, passphrase input using secure delay, passphrase input with characteristic shape display, user authentication with non-repeated selection of elements with a displayed set of elements, document authentication with embedding of a digital signature stamp within a graphical representation of the electronic document wherein the stamp comprises digits of a digital signature, and sub-hash computation using secure delay.
    Type: Grant
    Filed: March 19, 2007
    Date of Patent: August 23, 2011
    Assignee: Bolique Applications Ltd., L.L.C.
    Inventor: Edwin A. Suominen
  • Publication number: 20110202767
    Abstract: The invention provides a method and apparatus for pseudonym generation and authentication. The method comprises the steps of: transmitting a user identity IDuser to a Personal Identity Manager (PIM); receiving a set of public parameters and a prime pseudonym Pprime corresponding to IDuser from the PIM; and selecting at least two random parameters, and generating a sub-pseudonym Ppseu from the at least two random parameters, the set of public parameters, and the prime pseudonym Pprime.
    Type: Application
    Filed: October 13, 2009
    Publication date: August 18, 2011
    Applicant: KONINKLIJKE PHILIPS ELECTRONICS N.V.
    Inventors: Li Hui, Jin Qu
  • Publication number: 20110202978
    Abstract: The present invention facilitates access to a restricted service related to secure transactions via a network. The present invention allows a user to select a minimum security level of authentication for its own login to a restricted service. The user's selected minimum security level of authentication may be registered in an authentication method system, so that the user must use the selected minimum security level for authentication in order to gain access to the restricted service. Alternatively, the user may specify that the selected minimum security level for authentication may be over-turned by the user, or optionally re-set to a new authentication method depending on the needs of the user. As such, the present invention allows the user the flexibility to select its own authentication method for accessing a restricted service.
    Type: Application
    Filed: April 22, 2011
    Publication date: August 18, 2011
    Applicant: American Express Travel Related Services Company, Inc.
    Inventors: James M. Foley, Rick D. Johnson, Anant Nambiar
  • Publication number: 20110202981
    Abstract: It is intended to achieve a user authentication system capable of forcibly presenting a content to a user. Provided is a content presentation-type authentication system designed to allow a client to perform a content presentation-type user authentication in which user authentication is performed in such a manner that a plurality of pattern elements arranged in a given pattern are presented as a presentation pattern to a user who intends to be authenticated, and a one-time password derivation rule is used as a password of the user and applied to certain ones of the pattern elements located at specific positions in the presentation pattern to create a one-time password, and a content is forcibly presented to the user in connection with the user authentication.
    Type: Application
    Filed: December 30, 2010
    Publication date: August 18, 2011
    Inventors: Shigetomo Tamai, Toru Takano, Shigeo Akutsu
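Added example (not the inventors' code) of the authentication core of the scheme above, with the forced content presentation left out: the server shows a fresh presentation pattern of random digits, the user's password is a derivation rule (which positions to read, in which order), and the one-time password is the digits found at those positions. The 4x4 grid of decimal digits, the rule format and the single-use challenge store are assumptions for the example.

```python
import secrets

ROWS, COLS = 4, 4   # assumed pattern size


def present_pattern():
    """Fresh presentation pattern: a ROWS x COLS grid of random digits."""
    return [[secrets.randbelow(10) for _ in range(COLS)] for _ in range(ROWS)]


def derive_otp(pattern, rule):
    """Apply the derivation rule (ordered (row, col) positions, the user's
    secret) to the pattern to obtain the one-time password."""
    return "".join(str(pattern[r][c]) for r, c in rule)


class Authenticator:
    """Server side: holds each user's rule and the pattern currently shown."""

    def __init__(self):
        self.rules = {}        # user -> derivation rule
        self.challenges = {}   # user -> pattern awaiting an answer

    def enroll(self, user, rule):
        if not all(0 <= r < ROWS and 0 <= c < COLS for r, c in rule):
            raise ValueError("rule position outside the pattern")
        self.rules[user] = list(rule)

    def challenge(self, user):
        pattern = present_pattern()
        self.challenges[user] = pattern
        return pattern

    def verify(self, user, otp: str) -> bool:
        # The pattern is consumed whether or not the answer is right, so a
        # captured one-time password cannot be replayed and a guess cannot
        # be retried against the same pattern.
        pattern = self.challenges.pop(user, None)
        if pattern is None or user not in self.rules:
            return False
        expected = derive_otp(pattern, self.rules[user])
        return secrets.compare_digest(otp.encode(), expected.encode())


if __name__ == "__main__":
    auth = Authenticator()
    rule = [(0, 0), (1, 2), (3, 3), (2, 1)]          # user's secret
    auth.enroll("alice", rule)
    pattern = auth.challenge("alice")
    for row in pattern:
        print(" ".join(map(str, row)))
    answer = derive_otp(pattern, rule)               # what the user types
    print(auth.verify("alice", answer))              # True
    print(auth.verify("alice", answer))              # False: pattern consumed
```

Each answered challenge shows an observer which digits were read, so several recorded (pattern, password) pairs let a shoulder-surfer intersect the candidate positions and recover the rule; the scheme needs a tight bound on failed attempts and should not be the only factor for high-value access.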
  • Publication number: 20110202976
    Abstract: A secondary Ethernet-like wireless communication system overlapped by a dominant Ethernet-like wireless communication system, and including radio access and communication for activation, association, and authentication of a wireless device in the secondary Ethernet-like wireless communication system. An automated private service activation (APSA) port is used for accepting access and communication requests of a wireless device seeking activation, association and authentication in the secondary Ethernet-like wireless communication system. The APSA port provides an access and communication channel for radiating signals at a level exceeding a signal level of the access and communication channel only within limited spatial constraints. In addition the APSA port provides space for receiving the wireless device for activation and communication in the secondary Ethernet-like wireless communication system.
    Type: Application
    Filed: January 10, 2011
    Publication date: August 18, 2011
    Inventors: ALBERT T. CHOW, Richard Henry Erving, Robert Raymond Miller, II, Christopher W. Rice, Jesse Eugene Russell, Wenchu Ying
  • Publication number: 20110202982
    Abstract: The invention provides methods and systems for management of image-based password accounts. A password management account may be accessed by a user undergoing image-based authentication. The invention may allow a user to manage parameters relating to image-based authentication. The invention may also allow a user to manage authentication at one or more web sites.
    Type: Application
    Filed: September 17, 2008
    Publication date: August 18, 2011
    Applicant: Vidoop, LLC
    Inventors: Samuel Wayne Alexander, Scott A. Blonquist, Koesmanto Leka Bong, Joson Allyn Grlicky, Adam Paul Kert, Steven L. Osborn, James Luke Sontag, Benjamin Joel Stover
  • Patent number: 8001376
    Abstract: A tamperproof ClientID system to uniquely identify a client machine is invoked upon connection of a client application to a backend. Upon initial connection, the backend issues a unique ClientID containing a checksum. The client application prepares at least two different scrambled versions of the ClientID and stores them in respective predetermined locations on the client machine. Upon subsequent connection to the backend, the client application retrieves and unscrambles the values at the two locations, verifies the checksums and compares the values. If the checksums are both correct and the values match, the ClientID value is sent to the backend, otherwise the client application sends an error code.
    Type: Grant
    Filed: February 3, 2009
    Date of Patent: August 16, 2011
    Assignee: Cambridge Interactive Development Corp.
    Inventor: Daniil Utin
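Added example, not the patent holder's code, of the tamper-evident ClientID handling described above: the backend issues an identifier with a checksum, the client keeps two differently scrambled copies in two locations, and on reconnect it unscrambles both, verifies both checksums and compares the values, sending the ClientID if everything agrees and an error code otherwise. The CRC32 checksum, the two XOR-based scramblings and the dictionary standing in for two storage locations are assumptions; the patent does not specify them.

```python
import os
import struct
import zlib

ID_BYTES = 12                       # random part of the ClientID (assumed)
ERR_MISSING = "E_MISSING"           # a copy is absent
ERR_CHECKSUM = "E_CHECKSUM"         # a copy fails its checksum
ERR_MISMATCH = "E_MISMATCH"         # both copies verify but differ


def backend_issue_client_id() -> bytes:
    """Backend side: random identifier with a CRC32 checksum appended."""
    body = os.urandom(ID_BYTES)
    return body + struct.pack(">I", zlib.crc32(body))


def checksum_ok(client_id: bytes) -> bool:
    if len(client_id) != ID_BYTES + 4:
        return False
    body, crc = client_id[:ID_BYTES], client_id[ID_BYTES:]
    return struct.pack(">I", zlib.crc32(body)) == crc


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Two different invertible scramblings, (scramble, unscramble). This is
# obfuscation, not encryption: it makes the copies look unrelated on disk
# so that editing one by hand is unlikely to keep both consistent.
SCRAMBLERS = {
    "location_a": (lambda d: _xor(d, b"\x5a\xa5"),
                   lambda d: _xor(d, b"\x5a\xa5")),
    "location_b": (lambda d: _xor(d[::-1], b"\x3c"),
                   lambda d: _xor(d, b"\x3c")[::-1]),
}


class ClientApp:
    def __init__(self):
        self.storage = {}   # stands in for two predetermined on-disk locations

    def first_connect(self, client_id: bytes) -> None:
        """Initial connection: store a scrambled copy in each location."""
        for loc, (scramble, _) in SCRAMBLERS.items():
            self.storage[loc] = scramble(client_id)

    def reconnect_value(self):
        """Subsequent connection: the ClientID to send, or an error code."""
        recovered = []
        for loc, (_, unscramble) in SCRAMBLERS.items():
            if loc not in self.storage:
                return ERR_MISSING
            value = unscramble(self.storage[loc])
            if not checksum_ok(value):
                return ERR_CHECKSUM
            recovered.append(value)
        if recovered[0] != recovered[1]:
            return ERR_MISMATCH
        return recovered[0]


if __name__ == "__main__":
    app = ClientApp()
    cid = backend_issue_client_id()
    app.first_connect(cid)
    print(app.reconnect_value() == cid)                 # True
    # One location overwritten with a copy taken from another machine:
    app.storage["location_a"] = SCRAMBLERS["location_a"][0](backend_issue_client_id())
    print(app.reconnect_value())                        # E_MISMATCH
```

The checks run inside the client, so a modified client can skip them; what the mechanism detects is accidental corruption and the casual copying or editing of a single location. The backend should still treat the received ClientID as untrusted input and corroborate it with other signals before relying on it for identification.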
  • Patent number: 8001585
    Abstract: A method for registering user identification data in an application service provider data repository is provided, where the application service provider provides web services for a plurality of customers, each customer having a plurality of users with respective user identification data. The method includes receiving user identification data from one of the users through a website associated with one of the plurality of customers, retrieving customer identification data based on a uniform resource locator assigned to the website, concatenating the user identification data and customer identification data to create a user key, and registering a user account within the data repository based on the created user key.
    Type: Grant
    Filed: December 10, 2007
    Date of Patent: August 16, 2011
    Assignee: MasterCard International Incorporated
    Inventors: Peter P. Hogan, James Hood, Sekhar Nadella
  • Patent number: 8001019
    Abstract: Methods, systems, and computer program products manage access to and update warehouse data associated with one or multiple online data systems. A security role is established for each user of warehouse operation functions associated with the online data system. A method involves examining warehouse data and updating a status of warehouse operations, detecting a security role of a current user accessing the data system, and rendering warehouse operation functions and the status via an interface. The method further involves receiving a selection of one of the warehouse operation functions, determining whether the security role of the current user authorizes access to the warehouse operation function selected, and prohibiting access to the warehouse operation function selected in response to determining the security role does not authorize access to the selected warehouse operation function.
    Type: Grant
    Filed: October 24, 2005
    Date of Patent: August 16, 2011
    Assignee: The Boeing Company
    Inventors: Raymond Joseph Phelan, Douglas William Meyer, Gary Anthony Tonhouse, Patrick Lyle Sullivan
  • Publication number: 20110196731
    Abstract: Systems and methods are provided for ensuring secure and validated coupon generation and distribution, and the prevention of fraudulent coupon printing. A Uniform Resource Locator (URL) is provided to a consumer, where the URL points to a dynamic coupon webpage presentable to the consumer, and where the URL includes a link identifier indicative of a coupon contained on the dynamic coupon webpage to be printed. The URL may include a member identifier (MID) that uniquely identifies the consumer and provides security regarding the printing of the coupon by limiting the number of prints that the consumer can make of the coupon. Furthermore, a token may be utilized in conjunction with the MID for additional security regarding the printing of the coupon by preventing the printing of the coupon if the token is invalid or expired.
    Type: Application
    Filed: February 11, 2010
    Publication date: August 11, 2011
    Inventors: William Christie, Jeffery Beliveau, Henri Lellouche
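Added example, not the applicants' code, of the URL construction in the abstract above: the link identifier, the member identifier (MID) and an expiry are bound together by a keyed token, the server refuses to print when the token is invalid or expired, and it counts prints per (MID, coupon) to enforce the per-consumer limit. The HMAC construction, the parameter names, the print limit and the hypothetical coupons.example host are assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

SERVER_KEY = b"constructed-server-key"   # assumed; lives only on the server
PRINT_LIMIT = 2                          # assumed prints per member per coupon


def make_token(link_id: str, mid: str, expires: int, key: bytes = SERVER_KEY) -> str:
    """Token binding link identifier, MID and expiry under the server key."""
    msg = f"{link_id}|{mid}|{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def build_coupon_url(link_id: str, mid: str, now: int, ttl: int = 3600,
                     base: str = "https://coupons.example/print") -> str:
    """URL handed to the consumer; points at the dynamic coupon page."""
    expires = int(now) + ttl
    query = {"link": link_id, "mid": mid, "exp": expires,
             "tok": make_token(link_id, mid, expires)}
    return f"{base}?{urlencode(query)}"


class CouponServer:
    def __init__(self, limit: int = PRINT_LIMIT):
        self.limit = limit
        self.prints = {}   # (mid, link_id) -> prints so far

    def handle_print(self, url: str, now: int) -> str:
        q = dict(parse_qsl(urlsplit(url).query))
        try:
            link_id, mid, expires, tok = q["link"], q["mid"], int(q["exp"]), q["tok"]
        except (KeyError, ValueError):
            return "reject: malformed"
        # Token first: any edit to link, mid or exp invalidates it, so the
        # MID in the URL cannot be swapped to reset another member's count.
        if not hmac.compare_digest(tok, make_token(link_id, mid, expires)):
            return "reject: invalid token"
        if now > expires:
            return "reject: expired token"
        key = (mid, link_id)
        if self.prints.get(key, 0) >= self.limit:
            return "reject: print limit reached"
        self.prints[key] = self.prints.get(key, 0) + 1
        return "print"


if __name__ == "__main__":
    server = CouponServer()
    url = build_coupon_url("cpn-1001", "member-42", now=1_700_000_000)
    print(url)
    for t in (1_700_000_100, 1_700_000_200, 1_700_000_300):
        print(server.handle_print(url, t))   # print, print, limit reached
    print(server.handle_print(url.replace("member-42", "member-43"), 1_700_000_300))
```

The print counter is keyed by MID and coupon rather than by token, so re-issuing a fresh URL to the same member does not reset the count; the expiry on the token bounds how long a leaked URL is useful even before the limit is hit.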
  • Publication number: 20110197269
    Abstract: The present teachings provide a method and system for split-medium mail for customer communications. The present application relates to techniques and equipment used to create a single-page summary communication included in a mailpiece to be mailed to a customer. The single-page summary contains information necessary to access a full version of the customer communication by way of secure web access.
    Type: Application
    Filed: February 10, 2010
    Publication date: August 11, 2011
    Applicant: Bowe Bell + Howell Company
    Inventor: Michael J. Maselli
  • Publication number: 20110197065
    Abstract: A mechanism for securely transmitting credentials to instantiated virtual machines is provided. A central server is used to turn on a virtual machine. When the virtual machine is turned on, the central server sends it a secret text string. The virtual machine requests the credentials from the central server by transmitting the secret string and its instance ID. The central server validates the secret string and source IP to determine whether they are authentic. Once verified, the central server transmits the credentials to the virtual machine in a secure channel and invalidates the secret string. The credentials can now be used to authenticate API calls.
    Type: Application
    Filed: February 5, 2010
    Publication date: August 11, 2011
    Inventors: Sean Alexander STAUTH, Sewook WEE
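Added example (not the applicants' code) of the exchange in the abstract above: the central server generates a secret text string when it turns a virtual machine on, the VM presents that secret together with its instance ID, the server checks the secret and the source IP, returns the credentials once, and invalidates the secret so the same request cannot be replayed. The CentralServer and VirtualMachine classes, the five-minute validity window and the credential format are assumptions; delivery over a secure channel (such as TLS) is assumed and not shown.

```python
import secrets


class CentralServer:
    """Hypothetical central server: issues one-time bootstrap secrets and
    holds the API credentials each instance is entitled to."""

    def __init__(self, ttl_seconds: float = 300.0):
        self.ttl = ttl_seconds
        self.pending = {}       # instance_id -> (secret, expected_ip, expiry)
        self.credentials = {}   # instance_id -> (key_id, key_secret)

    def turn_on(self, instance_id: str, expected_ip: str, now: float) -> str:
        """Launch step: create the secret string passed to the new VM and
        record the source IP the callback must come from."""
        secret = secrets.token_urlsafe(32)
        self.pending[instance_id] = (secret, expected_ip, now + self.ttl)
        self.credentials[instance_id] = ("key-" + secrets.token_hex(8),
                                         secrets.token_urlsafe(32))
        return secret

    def request_credentials(self, instance_id: str, presented: str,
                            source_ip: str, now: float):
        """Callback step: validate secret, source IP and freshness; hand out
        the credentials once and drop the secret. Returns None on failure."""
        entry = self.pending.get(instance_id)
        if entry is None:
            return None
        secret, expected_ip, expiry = entry
        if now > expiry or source_ip != expected_ip:
            return None
        if not secrets.compare_digest(secret.encode(), presented.encode()):
            return None
        del self.pending[instance_id]          # invalidate before releasing
        return self.credentials[instance_id]


class VirtualMachine:
    def __init__(self, instance_id: str, ip: str, bootstrap_secret: str):
        self.instance_id, self.ip = instance_id, ip
        self.secret = bootstrap_secret         # injected at boot by the server
        self.credentials = None

    def bootstrap(self, server: CentralServer, now: float) -> bool:
        self.credentials = server.request_credentials(
            self.instance_id, self.secret, self.ip, now)
        return self.credentials is not None


if __name__ == "__main__":
    server = CentralServer()
    secret = server.turn_on("i-0123", "10.0.0.7", now=1000.0)
    vm = VirtualMachine("i-0123", "10.0.0.7", secret)
    print(vm.bootstrap(server, now=1001.0))                              # True
    print(server.request_credentials("i-0123", secret, "10.0.0.7", 1002.0))  # None: replayed
```

The one-time secret is only as safe as the path that injects it into the VM (instance metadata, a boot parameter, an attached volume); anyone who can read that path before the VM calls back can race it for the credentials, which is why the validity window is short and the source-IP check is kept even though the secret alone would authenticate.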
  • Publication number: 20110197268
    Abstract: Techniques are described herein for generating CAPTCHAs that include overlapped characters, projections on virtual three-dimensional (3D) surfaces, and/or virtual 3D objects. A CAPTCHA is a type of challenge-response test that a content provider may present to users for authorizing the users to access content that the content provider hosts. For example, when a user attempts to access content, a CAPTCHA may be generated in accordance with one or more of the techniques described herein and provided to the user. The user may be asked to identify characters that overlap in the CAPTCHA, characters that are projected on a virtual 3D surface, and/or a designated virtual 3D object, so that the user may be authorized to access the content. The user may enter the characters and/or select the designated virtual 3D object that is identified in the CAPTCHA using an input device, such as a keyboard, touch screen, pointing device, etc.
    Type: Application
    Filed: February 5, 2010
    Publication date: August 11, 2011
    Applicant: YAHOO! INC.
    Inventors: Shanmugasundaram Ravikumar, Anirban Dasgupta, Kunal Punera, Achint Oommen Thomas
  • Patent number: 7996884
    Abstract: An arrangement for providing data in the context of security management for a franking system has a remote data center at which a list of data sets is stored, the data sets containing security information as well as information regarding associated security policies, appertaining at least to security measures and the location of their storage in the franking system. A method for server-controlled security management of performable services in an electronic system includes the steps of receiving a request for a desired service, determining a security feature to be selected and generating a data set corresponding thereto, selecting a logical channel and transferring the data set via that channel, establishing the service end, and waiting for receipt of a further service request or for the ending of the communication connection.
    Type: Grant
    Filed: March 9, 2005
    Date of Patent: August 9, 2011
    Assignee: Francotyp-Postalia AG & Co. KG
    Inventors: Gerrit Bleumer, Clemens Heinrich, Dirk Rosenau
  • Patent number: 7996486
    Abstract: A digital rights management (DRM) “bureau” server can be used in many different ways. In one example, a system distributes the storage of rights and/or the rights management decision making process between a DRM client and a DRM server, in order to overcome the shortcomings inherent in exclusively client-side or exclusively server-side DRM systems. In another example, a system manages rights to content on behalf of plural publishers.
    Type: Grant
    Filed: August 18, 2005
    Date of Patent: August 9, 2011
    Assignee: SealedMedia Limited
    Inventor: Martin Richard Lambert
  • Patent number: 7996883
    Abstract: Delegating resource management to customers in a technology outsourcing environment includes providing the customer with a secured user interface (e.g., HTML pages) for selecting one or more parameters (e.g., User Ids, application name and version, etc.) associated with a resource management task (e.g., password management). The parameters are used to automatically perform the task using a centralized identity management system and repository for storing and updating data, such as data associated with customers, User Ids, environments, applications and application versions. Such a system and method enables the delegation of resource management tasks across multiple environments hosting disparate hardware and software platforms, including multiple versions of applications.
    Type: Grant
    Filed: December 9, 2004
    Date of Patent: August 9, 2011
    Assignee: International Business Machines Corporation
    Inventors: Arthur Chin, Milind Parikh, Parmeet Chaddha
  • Patent number: 7996885
    Abstract: Methods, systems, and program products for a client application provide child passwords mapped to a parent password authorized for login to a secure network resource server. A child user logs in to the client application by entering the child password. When a child user properly requests a secure resource from the secure network resource server, the client application uses the authorized parent password to login to the secure server and retrieve a secure resource without communicating the child password to the secure server. The child user login session is administered by the local application pursuant to access rules or limitation parameters associated with the child password. Child passwords may be set to expire. The client application may also monitor secure server access by a child user; monitored use may also be reported, and an access rule or password limitation parameter may be revised in response to monitoring and use reporting.
    Type: Grant
    Filed: April 19, 2007
    Date of Patent: August 9, 2011
    Assignee: International Business Machines Corporation
    Inventors: Peeyush Jaiswal, Naveen Narayan
  • Patent number: 7996682
    Abstract: Techniques are described herein for securely prompting a user to confirm sensitive operations, input sensitive information or the like. The techniques include receiving or intercepting calls from applications to prompting routines. When a call to a prompting routine is received or intercepted a hint may be provided to the user to switch to a secure desktop. When the user switches from the user desktop to the secure desktop the particular prompt is displayed. The input to the prompt is received on the secure desktop and verified to have been provided by the user. The user input or a representation of the input is then returned to the application running on the user desktop. Using these techniques, interception of prompting messages by malware does not result in sensitive information being revealed. Furthermore, spoofing of new messages by malware does not lead to the dismissal of critical prompting.
    Type: Grant
    Filed: October 17, 2005
    Date of Patent: August 9, 2011
    Assignee: Microsoft Corporation
    Inventors: Klaus U. Schutz, Matthew W. Thomlinson, Scott A. Field
  • Patent number: 7996886
    Abstract: A system and method for providing persistence in a secure network access by using a client certificate sent by a client device to maintain the identity of a target. A security handshake is performed with a client device to establish a secure session. A target is determined. A client certificate is associated with the target. During subsequent secure sessions, the client certificate is used to maintain persistent communications between the client and a target. A session ID can be used in combination with the client certificate, by identifying the target based on the session ID or the client certificate, depending on which one is available in a client message.
    Type: Grant
    Filed: September 19, 2008
    Date of Patent: August 9, 2011
    Assignee: F5 Networks, Inc.
    Inventors: John R. Hughes, Richard Roderick Masters, Robert G. Gilde
  • Patent number: 7996881
    Abstract: Techniques are described for repairing some types of user account problems that interfere with granting a user access to a computer system and doing so during a process to authenticate the user in a way that does not require the user to re-enter authentication information or require the user to restart a communication session with the computer system. In response to a determination that a user's account has a problem during an authentication process, techniques are provided to enable a user to execute an appropriate process or processes to fix the user account, after which the authentication process continues. In this way, the correction to the user account may appear to be seamless to the user.
    Type: Grant
    Filed: November 9, 2005
    Date of Patent: August 9, 2011
    Assignee: AOL Inc.
    Inventors: Philip W. Flack, Yan Cheng, Zhihong Zhang, Matthew Nguyen
  • Patent number: 7996680
    Abstract: In one embodiment a secure computer system comprises a processor and a memory module including logic instructions stored on a computer readable medium which, when executed by the processor, configure the processor to receive, in a secure computing environment, a portion of a data log from an application operating outside the secure computing environment, and when the portion of the data log exceeds a size threshold, to assign a timestamp to the portion of the data log, assign an identifier to the portion of the data log, create a digital signature load block comprising the portion of the data log, the timestamp, and the identifier, and store the digital signature load block in a memory module.
    Type: Grant
    Filed: September 27, 2006
    Date of Patent: August 9, 2011
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Jeff Kalibjian, Susan Langford, Vladimir Libershteyn, Larry Hines, Steve Wierenga
  • Patent number: 7996664
    Abstract: Aspects of a method and system for improved communication network setup may comprise receiving authentication enablement information from a configurator station comprising indication of a current state of a configurator timing window. In response to input at a client station to communicate authentication response information to the configurator station, receiving, at the client station, configuration information and/or status information resulting from input at the client station. Other aspects of the invention may comprise responding to input at a configurator station to transmit authentication enablement information comprising indication of a current state of a configurator timing window, receiving authentication response information from the client station based on the transmitted authentication enablement information, and transmitting to the client station configuration information and/or status information from the configurator station based on the received authentication response information.
    Type: Grant
    Filed: August 18, 2005
    Date of Patent: August 9, 2011
    Assignee: Broadcom Corporation
    Inventors: Henry S. Ptasinki, Ted Edward Carter, Manoj Thawani, Manas Deb, Jeff Vadasz, Mahesh Iyer, David L. Cohen
  • Publication number: 20110191835
    Abstract: An apparatus and method for identity reuse operable in a communications system, the method comprising selecting an identity value for a device; registering the device onto a network with the selected identity value; determining if the registration of the device is successful; and establishing a communication session for the device and deregistering the selected identity value upon termination of the communication session if the registration is successful, or determining whether to try a different identity value if the registration is not successful. In one aspect, the apparatus and method further comprising waiting a predetermined time period before either re-registering with the selected identity value or registering with the different identity value.
    Type: Application
    Filed: September 16, 2010
    Publication date: August 4, 2011
    Applicant: QUALCOMM INCORPORATED
    Inventors: Philip Michael Hawkes, Anand Palanigounder
  • Publication number: 20110187497
    Abstract: A method of a mobile device comparing an applied gesture on a touch screen of a mobile device with a remotely stored security gesture is disclosed. In one embodiment, a method of a mobile device includes determining that an applied gesture on a touch screen of a mobile device in a locked state is associated with a user-defined gesture, comparing the applied gesture on the touch screen of the mobile device with a designated security gesture stored in a remote computer server, and unlocking the mobile device when the applied gesture on the touch screen of the mobile device in a dormant state matches the designated security gesture stored in the remote computer server.
    Type: Application
    Filed: April 11, 2011
    Publication date: August 4, 2011
    Inventor: DAVID H. CHIN
  • Publication number: 20110191834
    Abstract: A method for maintaining domain access of a virtual machine is described. According to one embodiment, a generation of a new computer account password by an operating system is identified. The new computer account password is copied to an auxiliary storage location. An existing computer account password is replaced with the new computer account password when it is determined that a file system of the computer has been restored to a previous state. The copying of the new computer account password may be performed in response to the generation of the new computer account password. The replacing of the existing computer account password may be performed in response to the restoring of the file system to the previous state.
    Type: Application
    Filed: February 1, 2010
    Publication date: August 4, 2011
    Applicant: VMware, Inc.
    Inventors: Vikas SINGH, Ashish K. HANWADIKAR, Robert F. DEUEL, Shiqi Charlie SUN, Hui LI
  • Publication number: 20110191837
    Abstract: A method of authenticating a device and a user comprises receiving a user input, generating a first key from the user input, performing a physical measurement of the device, obtaining helper data for the device, computing a second key from the physical measurement and the helper data, and performing an operation using the first and second keys. In a preferred embodiment, the method comprises performing a defined function on the first and second keys to obtain a third key. Additionally, security can be provided where the step of receiving a user input comprises performing a biometric measurement of the user and the step of generating a first key from the user input comprises obtaining helper data for the user and computing the first key from the biometric measurement and the user helper data.
    Type: Application
    Filed: September 21, 2009
    Publication date: August 4, 2011
    Applicant: KONINKLIJKE PHILIPS ELECTRONICS N.V.
    Inventors: Jorge Guajardo Merchan, Milan Petkovic
  • Publication number: 20110191836
    Abstract: An apparatus for real-time management of a plurality of security components (SCs) connected to a network. The apparatus comprises a network interface for communication with the plurality of SCs connected to the network; a permanent storage unit for storing at least logon information to each of the plurality of SCs; a security component management unit (SCMU) having a plurality of integration point components (IPCs) enabled to identify the plurality of SCs connected to the network; a temporal storage unit for storing at least data collected from the plurality of SCs in the form of information units, each of the information units has a predefined limited lifetime after which such information unit is voided, thereby rendering the apparatus stateless; and a processing unit for carrying out at least one process designated to perform a specific generic task irrespective of a physical manifestation of each of the plurality of SCs.
    Type: Application
    Filed: January 28, 2011
    Publication date: August 4, 2011
    Applicant: INDENI, LTD.
    Inventor: Yonadav Leitersdorf
  • Patent number: 7992195
    Abstract: The invention allows a reliable and efficient identity management that can, with full interoperability, accommodate various requirements of participants. For that, a method and system are presented for providing identity-related information about a user to a requesting entity. The method comprises a location-request step initiated by the requesting entity for requesting from a client application location information that corresponds to a location entity possessing the identity-related information, a redirecting step for connecting the client application to the location entity in order to instruct the location entity to transfer the identity-related information to the requesting entity, and an acquiring step for obtaining the identity-related information.
    Type: Grant
    Filed: March 26, 2003
    Date of Patent: August 2, 2011
    Assignee: International Business Machines Corporation
    Inventors: Birgit Pfitzmann, Michael Waidner
  • Patent number: 7992215
    Abstract: The invention described herein is generally directed to a method and apparatus for creating and retrieving audio data. In one implementation the invention comprises an annotation system configured to record, store, and retrieve media. The annotation system contains a set of client-processing devices configured to capture media for subsequent playback. Each client-processing device typically contains a record button to initiate the capture and is configured upon performing the capture operation to trigger an association of a unique ID with the media. The client-processing devices are further configured to upload the media and a unique ID to a server for purposes of storage. The server obtains the media and unique ID for subsequent retrieval and provides the media and the unique ID to at least one client-processing device from the set of client processing devices.
    Type: Grant
    Filed: April 8, 2009
    Date of Patent: August 2, 2011
    Assignee: Trio Systems, LLC
    Inventor: Alan Bartholomew
  • Patent number: 7992208
    Abstract: An estimate of a portion of network traffic that is nonconforming to a communication transmission control protocol is used to signal that a distributed denial of service attack may be occurring. Traffic flows are aggregated and packets are intentionally dropped from the flow aggregate in accordance with an assigned perturbation signature. The flow aggregates are observed to determine if the rate of arrival of packets that have a one-to-one transmission correspondence with the dropped packets is similarly responsive to the perturbation signature. By assigning orthogonal perturbation signatures to different routers, multiple routers may perform the test on the aggregate and the results of the test will be correctly ascertained at each router. Nonconforming aggregates may be redefined to finer granularity to determine the node on the network that is under attack, which may then take mitigating action.
    Type: Grant
    Filed: September 19, 2006
    Date of Patent: August 2, 2011
    Assignee: University of Maryland
    Inventors: Mehdi Kalantari Khandani, Mark A. Shayman